TL;DR
If you’re using Microsoft Defender for Cloud, you’re probably overpaying. There’s a commitment-based pricing model that can save you up to 22% annually.
But Azure won’t recommend it, and third-party tools ignore it. This blog breaks down how Defender Commit Units (DCUs) work, why they’re a blind spot, and what you need to do about it.
The Moment I Realized What We’re Missing
Azure’s Cost Management and Advisor love to surface savings tips: reserved instances, right-sizing, and idle resources. But for all their helpful optimization tips, they never mention one of the most obvious candidates for commitment pricing: Microsoft Defender for Cloud (formerly Azure Defender).
Thatโs a FinOps red flag.
Defender for Cloud is often a baseline service enabled across subscriptions, running 24/7, with minimal month-to-month variation. In other words: predictable spend.
So, why isnโt it part of Azureโs standard recommendation flow? And do external tools like VMware Tanzu CloudHealth or Umbrella Cost pick it up?
Letโs dig in.
DCUs: Azure’s Hidden Discount
Microsoft Defender for Cloud supports annual pre-purchase commitments using Defender Commit Units (DCUs).
Hereโs the deal:
- Instead of paying monthly via Pay-As-You-Go (PAYG), you can commit to a fixed spend level in DCUs for a year.
- You receive discounted rates, typically ranging from 10% to 22%.
- The DCUs apply across Defender for Cloud plans and subscriptions.
It works like reserved capacity for compute or databases, just for security. You get predictable billing and discounted rates.
And yet, itโs buried.
Why It Doesnโt Show Up in Recommendations
Azure Advisor typically suggests:
– โBuy reserved VM instances to save up to 72%.โ
– โResize or shut down underutilized databases.โ
But you wonโt see a suggestion like this:
– โYour Defender for Cloud spend is stable – pre-purchase DCUs to save 15%.โ
Here are a few likely reasons:
- Usage variability โ Security workloads fluctuate (alerts, ingestion rates), making ROI harder to predict.
- Complex scope โ DCUs can span multiple subscriptions, which complicates recommendation logic.
- Infra bias โ Azure’s optimization tooling focuses on compute and storage.
- Telemetry gaps โ Security consumption data may not flow through standard cost analysis pipelines.
- Resilience bias โ Microsoft may prefer customers to over-provision on security for safety.
Regardless of the reason, the absence of this recommendation is a missed opportunity.
It’s Not Just Azure: Industry-Wide Blind Spot
CloudHealth by VMware Tanzu provides commitment recommendations, but only for infrastructure (compute, storage, databases). Defender for Cloud commitments are not yet modeled.
Umbrella Cost offers generic commitment recommendations (e.g., RIs, Savings Plans), but does not explicitly support Defender for Cloud DCUs.
They do a great job with infrastructure commitments, but security commitments are still off their radar.
That means this isnโt just a Microsoft issue. Itโs a broader industry-wide oversight.
The Quick Playbook to Stop Overpaying
If you manage cloud costs, security posture, or both, DCUs should be on your radar.
Hereโs how to act:
- Pull 6-12 Months of Usage
Defender logs are in Cost Management. Look for usage patterns and monthly spend.
- Model the Commitment
Use Microsoftโs DCU calculator or your own spreadsheet to estimate break-even points.
- Look for 10-22% Savings
Depending on volume, thatโs what youโll unlock. Real money, especially at scale.
- Push Your Tools and Partners
Ask your FinOps platform or CSP to support DCU modeling. The more we ask, the sooner the ecosystem catches up.
- Act Before Your Next Renewal
Timing matters. Align commitments with fiscal cycles or upcoming expansions.
Security Spend Is the Next Optimization Frontier
FinOps has historically centered around infrastructure. But thatโs changing fast.
Weโre starting to see cost optimization extend into security, observability, and platform services – areas once considered off-limits.
The lack of Defender commitment recommendations isnโt just a gap. Itโs an opportunity. For better tooling, better practices, and better ROI.
Imagine a FinOps dashboard that says:
โYour Defender for Cloud baseline is $800/month. Commit $9,600/year to save $1,600.โ
What This Means for Cloud Leaders
If you’re a VP R&D, CTO, or DevOps lead, this isnโt just about squeezing out some savings. Itโs about advancing your FinOps maturity.
Microsoft already offers a commitment-based discount for Defender for Cloud.
But their recommendation tooling hasnโt caught up – leaving FinOps teams to find savings manually.
Third-party tools like CloudHealth and Umbrella help model infrastructure commitments, but havenโt yet embraced security-service commitments.
Until the ecosystem evolves, itโs up to FinOps analysts to:
– Spot under-recommended commitment levers.
– Integrate security spend into cost optimization cycles.
– Challenge cloud providers to make commitment logic consistent across all services
An Expert Thought
Security is table stakes. But paying full price for it doesnโt have to be.
If youโre running Defender for Cloud today, check your usage. Model the commitment. Start the internal conversation.
The easiest Azure discount is the one no one told you about.
If you have any questions, feel free to reach out:
โโฏUdi Limor, FinOps Engineer @โฏ2bcloud
[email protected]
