Microsoft Defender XDR — SKU Constellation Map

What a CISO needs to know about Defender XDR as a SKU — the licence floor (M365 E5 or E5 Security add-on), the four-product umbrella, the unified incident queue, and how it pairs with Sentinel.

Guided journey · Step 1 of 4

Microsoft Defender XDR — SKU Anchor

Confirm the licence floor and bundle choice. M365 E5 wins at scale; E5 Security add-on is the right shape on top of E3 estates.

~ 2 weeks

Narrative intro

Defender XDR is an umbrella SKU rather than a single product — four sibling Defenders correlated into one investigation graph. The CISO question this map answers is: what does the bundle actually contain, what does the licence floor look like, and how does it sit alongside Sentinel? The answer is that they're complements, not alternatives — and the cost difference between buying components piecemeal and buying the bundle is material.

Key takeaways

  • XDR is four products correlated into one queue — endpoint, identity, email, and SaaS
  • Licence floor is M365 E5 or the E5 Security add-on; piecemeal pricing rarely wins
  • Defender XDR and Sentinel are complements, not alternatives — the integration is canonical
  • Onboarding sequence matters: endpoint, then identity, then email, then cloud apps

Programme shape

  • Estimated duration: 6–14 weeks
  • Estimated FTE: 0.5 FTE SecOps lead + endpoint, identity, and email SMEs for the onboarding sequence
  • Spend tier: significant
  • Risk level: moderate

Licence cost is a bigger commitment than the deployment effort. The decision is M365 E5 (full stack) vs E5 Security add-on (XDR only) at the bundle level.
