Microsoft Defender for Endpoint Pricing 2026
Defender for Endpoint Plan 2 (full EDR) costs $5.20/user/month standalone, or included free in Microsoft 365 E5. The best-value EDR for Microsoft shops.
Defender for Endpoint Plans — 2026 Pricing
- ✓Next-gen antivirus (Defender AV)
- ✓Attack surface reduction rules
- ✓Device control (USB etc.)
- ✓Web content filtering
- ✓Network protection
- ✓Centralized management (Intune)
- ✓Everything in Plan 1
- ✓Full EDR telemetry and response
- ✓Automated investigation (AIR)
- ✓Advanced hunting (KQL queries)
- ✓Threat and vulnerability management
- ✓180-day data retention
- ✓Microsoft Threat Experts (managed hunting)
- ✓Device discovery and inventory
Defender for Endpoint in Microsoft 365 Bundles
| Bundle | Price/user/mo | Defender Plan |
|---|---|---|
| M365 Business Basic | $6 | None |
| M365 Business Premium | $22 | Plan 1 (NGAV) |
| M365 E3 | $36 | Plan 1 (NGAV) |
| M365 E5 Security (add-on to E3) | $12 add-on | Plan 2 (EDR) |
| M365 E5 | $57 | Plan 2 (EDR) |
Microsoft Defender Pricing FAQ
How much does Microsoft Defender for Endpoint cost?
Microsoft Defender for Endpoint is available in two standalone plans. Plan 1 (NGAV + attack surface reduction) costs $3 per user per month. Plan 2 (full EDR, threat hunting, and vulnerability management) costs $5.20 per user per month. Both plans are included at no additional cost in Microsoft 365 E3 (Plan 1) and Microsoft 365 E5 (Plan 2). Defender for Endpoint is licensed per user, not per device, and covers up to 5 devices per user.
Is Microsoft Defender for Endpoint included in Microsoft 365?
Yes. Defender for Endpoint Plan 1 is included in Microsoft 365 Business Premium ($22/user/month) and Microsoft 365 E3 ($36/user/month). Defender for Endpoint Plan 2 (full EDR with threat hunting) is included in Microsoft 365 E5 ($57/user/month) and Microsoft 365 E5 Security ($12/user/month as an add-on to E3). If you are already paying for E5, you have enterprise-grade EDR at no additional cost - a compelling reason to consolidate on Microsoft.
What is the difference between Defender for Endpoint Plan 1 and Plan 2?
Plan 1 provides next-gen antivirus, attack surface reduction rules, device control, and web content filtering. Plan 2 adds the full EDR capability: endpoint detection and response telemetry, automated investigation and remediation, Microsoft Threat Experts managed hunting, 180-day data retention, advanced hunting (KQL queries), threat and vulnerability management, and device discovery. Plan 2 is what security teams refer to as EDR - Plan 1 is effectively advanced antivirus.
How does Microsoft Defender for Endpoint compare to CrowdStrike?
In independent MITRE ATT&CK evaluations, Defender for Endpoint performs comparably to CrowdStrike in detection coverage. The primary differences are: CrowdStrike has lower false positive rates, lighter agent performance impact, and faster detection of novel threats using its threat intelligence network. Microsoft Defender has deeper integration with Entra ID (Azure AD), Microsoft 365, and Azure Sentinel, making it significantly more powerful in all-Microsoft environments. For pure detection accuracy, CrowdStrike edges Microsoft. For total ecosystem integration and value (especially if already on E5), Microsoft wins.
Can I use Microsoft Defender for Endpoint on non-Windows devices?
Yes. Defender for Endpoint supports Windows 10/11, Windows Server 2008 R2 and later, macOS 11 and later, iOS, Android, and selected Linux distributions. The macOS and Linux agents are mature for Plan 2. Coverage on iOS and Android is limited to mobile threat defence and app management. For Linux server environments, coverage is solid but narrower than Windows - some older distributions and kernel versions are not supported. This is a consideration for DevOps environments with diverse Linux distributions.