Skip to main content

Copilot for Security

We're deep diving into Copilot for Security

coworkers security
Josh Bates   Headshot

Josh Bates

Technologist - Microsoft Security

Let’s look back to March 2023, when Microsoft first announced that it had developed and was working on Copilot for Security. Over the last 12 months, we’ve seen an abundance of Microsoft’s generative AI products released into the market from Copilot for M365 to GitHub and Azure AI Cognitive Services! As of 1 April, we can add another to that list with Copilot for Security becoming generally available to customers.  

So, what is Copilot for Security? 

Microsoft states that it’s the “industry’s first generative AI solution, which will help security and IT professionals catch what others miss, move faster, and strengthen team expertise”. Although there are alternative vendors that already have AI integrated into their products, Copilot for Security has the potential to change the way IT teams and SOC analysts work. It leverages OpenAI GPT-4’s generative AI alongside Microsoft’s security model which produces more than 65 trillion daily signals.  

The advantage is that it can help safeguard your organisation quickly and efficiently. Copilot for Security can integrate and correlate information from various Microsoft Security products and other software providers. It offers natural language advice to boost team productivity and handles daily tasks. Like Copilot for Microsoft 365, this version is not there to substitute your IT team/analysts, instead it allows the security and IT professionals to access, condense, and act on information from their current tools quicker.  

How does it work? 

Copilot for Security seamlessly integrates with Microsoft’s existing security solutions such as Microsoft Sentinel, Defender XDR, Intune and Defender for Cloud. For this, Copilot uses the on-behalf-of model, meaning that Copilot knows what licenses a customer has and can automatically leverage these.  It’s also important to note that there is the ability for third party plugins, open intelligence feeds and even websites to generate guidance specific to organisations.  

There are two methods of use for Copilot for Security. Standalone, which acts like a Chat GPT4 model where you’re able to query information about your Microsoft security estate - or there’s the embedded version. This acts more like an AI assistant in your Microsoft security estate and can provide guidance, depending on where the security analysts spend most of their time. 


What benefits can it bring? 

Copilot for Security has a wealth of benefits that it can bring to an organisation,  

To begin with, it will simplify, speed up and add context to your incident summaries. Copilot can summarise complex security alerts quickly and clearly, which ultimately helps s teams respond and make decisions faster, enriched by the information Copilot provided. This can help analysts by allowing them to deal with sophisticated threats much faster, rather than manually gathering data and then doing hunting off the back of that. A Microsoft economic study found that it increased speed of response on alerts by 22%, and that the accuracy of results increased by 7%.  

Copilot uses the Natural Language Model and then converts this into code for actions such as threat hunting. In essence, this means IT teams can input a simple query and get KQL code created. Think how helpful this would’ve been when Log4j came about, IT Teams could’ve asked Copilot to ‘create a KQL search for devices with Log4j vulnerability alerts and additional other alert related contexts’.  

After just a few seconds, you’d get: 

It’s not just the speed of the response which is advantageous to businesses. If we take a step back and look at the advantages this can bring for the development of analysts, IT staff and especially junior team members, in being able to skip the time it takes to learn KQL and start actioning cyber responses quickly. 

Some other advantageous that Copilot for Security can bring include:  

  • Custom promptbooks to allow the creation of natural language prompts for common security workstreams. 

  • Guided responses for incident responses, investigations, remediation and more  

  • Multi-language support integrated for Copilot to process and respond to prompts in eight different languages 

  • Third party integrations 

  • Microsoft Entra Audit Logs and Diagnostic Logs summarised in natural language 


Discover the power of Microsoft Security Copilot: AI demo


Licensing and pricing 

You’re probably thinking, it all sounds great, but what’s the cost? That’s where things get interesting. Microsoft has yet to 100% confirm the pricing model, so this is subject to change. What is confirmed is that it can be purchased through an Azure subscription, and available on both CSP and EA agreements. However, Microsoft has announced that Copilot for Security will be on a new pay-as-you-go pricing model based off Security Compute Unit’s (SCU’s). This will be billed per hour, per SCU resource.   

Monthly bill = (SCUs p/hour) x (Hourly SCU Price) x 730 Hours 

The advantage of this, flexible, consumption-based approach from Microsoft is that it allows organisations to use Copilot for Security quickly and then allow for easy scaling to meet usage requirements and budgetary.  

If you’re interested in finding out more about the exciting capabilities of Copilot for Security, or want to understand how it  can benefit your organisation, please reach out to your aligned Softcat Account Manager or get in touch with our Sales team.