TL;DR
If you’re using Microsoft Defender for Cloud, you’re probably overpaying. There’s a commitment-based pricing model that can save you up to 22% annually.
But Azure won’t recommend it, and third-party tools ignore it. This blog breaks down how Defender Commit Units (DCUs) work, why they’re a blind spot, and what you need to do about it.

The Moment I Realized What We’re Missing
Azure’s Cost Management and Advisor love to surface savings tips: reserved instances, right-sizing, and idle resources. But for all their helpful optimization tips, they never mention one of the most obvious candidates for commitment pricing: Microsoft Defender for Cloud (formerly Azure Defender).
That’s a FinOps red flag.
Defender for Cloud is often a baseline service enabled across subscriptions, running 24/7, with minimal month-to-month variation. In other words: predictable spend.
So, why isn’t it part of Azure’s standard recommendation flow? And do external tools like VMware Tanzu CloudHealth or Umbrella Cost pick it up?
Let’s dig in.
DCUs: Azure’s Hidden Discount
Microsoft Defender for Cloud supports annual pre-purchase commitments using Defender Commit Units (DCUs).
Here’s the deal:
- Instead of paying monthly via Pay-As-You-Go (PAYG), you can commit to a fixed spend level in DCUs for a year.
- You receive discounted rates, typically ranging from 10% to 22%.
- The DCUs apply across Defender for Cloud plans and subscriptions.
It works like reserved capacity for compute or databases, just for security. You get predictable billing and discounted rates.
And yet, it’s buried.
Why It Doesn’t Show Up in Recommendations
Azure Advisor typically suggests:
– “Buy reserved VM instances to save up to 72%.”
– “Resize or shut down underutilized databases.”
But you won’t see a suggestion like this:
– “Your Defender for Cloud spend is stable – pre-purchase DCUs to save 15%.”
Here are a few likely reasons:
- Usage variability – Security workloads fluctuate (alerts, ingestion rates), making ROI harder to predict.
- Complex scope – DCUs can span multiple subscriptions, which complicates recommendation logic.
- Infra bias – Azure’s optimization tooling focuses on compute and storage.
- Telemetry gaps – Security consumption data may not flow through standard cost analysis pipelines.
- Resilience bias – Microsoft may prefer customers to over-provision on security for safety.
Regardless of the reason, the absence of this recommendation is a missed opportunity.
It’s Not Just Azure: Industry-Wide Blind Spot
CloudHealth by VMware Tanzu provides commitment recommendations, but only for infrastructure (compute, storage, databases). Defender for Cloud commitments are not yet modeled.
Umbrella Cost offers generic commitment recommendations (e.g., RIs, Savings Plans), but does not explicitly support Defender for Cloud DCUs.
They do a great job with infrastructure commitments, but security commitments are still off their radar.
That means this isn’t just a Microsoft issue. It’s a broader industry-wide oversight.
The Quick Playbook to Stop Overpaying
If you manage cloud costs, security posture, or both, DCUs should be on your radar.
Here’s how to act:
- Pull 6-12 Months of Usage
  Defender for Cloud usage data is in Cost Management. Look for usage patterns and monthly spend.
- Model the Commitment
  Use Microsoft’s DCU calculator or your own spreadsheet to estimate break-even points.
- Look for 10-22% Savings
  Depending on volume, that’s what you’ll unlock. Real money, especially at scale.
- Push Your Tools and Partners
  Ask your FinOps platform or CSP to support DCU modeling. The more we ask, the sooner the ecosystem catches up.
- Act Before Your Next Renewal
  Timing matters. Align commitments with fiscal cycles or upcoming expansions.
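To make the "model the commitment" step concrete, here is an added example (not from Microsoft or any tool named above) that compares a DCU pre-purchase against PAYG and finds the break-even usage. It assumes 1 DCU covers $1 of PAYG usage, unused DCUs expire at year end, and overage is billed at PAYG; the spend history and the tier table are constructed for illustration, not taken from a price sheet.

```python
# Added example: models a DCU pre-purchase against pay-as-you-go (PAYG).
# Assumptions (not from Microsoft's price sheet): 1 DCU covers $1 of PAYG
# usage, unused DCUs expire at year end, overage is billed at PAYG.

def commitment_outcome(monthly_payg, dcus, discount):
    """Return (annual_cost, savings_vs_payg) for one commitment size."""
    if not 0 <= discount < 1:
        raise ValueError("discount must be a fraction in [0, 1)")
    usage = sum(monthly_payg)              # PAYG-equivalent annual usage
    prepaid = dcus * (1 - discount)        # price paid up front
    overage = max(0.0, usage - dcus)       # usage beyond the commitment
    cost = prepaid + overage
    return round(cost, 2), round(usage - cost, 2)

def break_even_usage(dcus, discount):
    """Annual usage below which the commitment costs more than PAYG."""
    return round(dcus * (1 - discount), 2)

def best_commitment(monthly_payg, tiers):
    """Pick the (dcus, discount) tier with the highest savings.
    Sizing uses a conservative forecast: the lowest observed month x 12."""
    floor = [min(monthly_payg)] * 12
    scored = [(commitment_outcome(floor, d, r)[1], d, r) for d, r in tiers]
    savings, dcus, rate = max(scored)
    return {"dcus": dcus, "discount": rate, "savings_at_floor": savings}

# Constructed sample: 12 months of Defender for Cloud spend in USD.
HISTORY = [780, 800, 810, 790, 805, 820, 800, 795, 815, 830, 810, 800]
# Constructed tiers for illustration only: (DCUs committed, discount).
TIERS = [(5_000, 0.10), (9_000, 0.15), (12_000, 0.22)]

if __name__ == "__main__":
    print(best_commitment(HISTORY, TIERS))
    for dcus, rate in TIERS:
        print(dcus, rate, commitment_outcome(HISTORY, dcus, rate),
              "break-even usage:", break_even_usage(dcus, rate))
```

On this sample the largest discount is not the best buy: the 12,000-DCU tier leaves most of its discount unused, while the 9,000-DCU tier is fully consumed.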
Security Spend Is the Next Optimization Frontier
FinOps has historically centered around infrastructure. But that’s changing fast.
We’re starting to see cost optimization extend into security, observability, and platform services – areas once considered off-limits.
The lack of Defender commitment recommendations isn’t just a gap. It’s an opportunity. For better tooling, better practices, and better ROI.
Imagine a FinOps dashboard that says:
“Your Defender for Cloud baseline is $800/month. Commit $9,600/year to save $1,600.”
What This Means for Cloud Leaders
If you’re a VP R&D, CTO, or DevOps lead, this isn’t just about squeezing out some savings. It’s about advancing your FinOps maturity.
Microsoft already offers a commitment-based discount for Defender for Cloud.
But their recommendation tooling hasn’t caught up – leaving FinOps teams to find savings manually.
Third-party tools like CloudHealth and Umbrella help model infrastructure commitments, but haven’t yet embraced security-service commitments.
Until the ecosystem evolves, it’s up to FinOps analysts to:
– Spot under-recommended commitment levers.
– Integrate security spend into cost optimization cycles.
– Challenge cloud providers to make commitment logic consistent across all services.
An Expert Thought
Security is table stakes. But paying full price for it doesn’t have to be.
If you’re running Defender for Cloud today, check your usage. Model the commitment. Start the internal conversation.
The easiest Azure discount is the one no one told you about.
If you have any questions, feel free to reach out:
— Udi Limor, FinOps Engineer @ 2bcloud