Copilot for Security Technical Journey & Resources

What is the Copilot for Security Technical Journey? CfS Logo

The Microsoft Copilot for Security Technical Journey will guide you through how to learn, extend, and drive customer adoption for Microsoft Copilot for Security, the first security product to enable defenders to move at the speed and scale of AI by leveraging the most advanced large language models (LLMs) from OpenAI with large-scale data and threat intelligence, including more than 78 trillion daily security signals.

Table of Contents

This page is organized into three parts – Learn Copilot for Security, Extend Copilot for Security, and Driving Customer Adoption.

Table of Contents
Learn Copilot for Security
Extend Copilot for Security
Driving Customer Adoption


Several colleagues have created comprehensive on-demand Technical Workshops for Microsoft Copilot for Security. They’re well worth your time and cater specifically to security professionals, administrators, and all others interested in leveraging the power of AI to bolster security infrastructure.

May 15th, 2024 Update📰

Copilot for Security is globally available as of April-1! Despite the April Fools’ Day launch, we’re serious about Copilot for Security’s GA and transformative power. With all of the recent developments, my colleague Sameh Younis and I created this Copilot for Security Technical Journey. We will update the Journey weekly.

Recent Update (May 15th): Extensibility Features, Events, and 3P Plugins

Learn Copilot for Security

Are you ready to get started? Dive into onboarding guidance, prompt engineering best practices and templates, use cases, demos, roles, community resources, and other relevant documentation.



You can provision Copilot for Security within the standalone experience or in Azure. If your organization requires tags to deploy Azure resources, use this ARM template to add tags during deployment. When provisioning Copilot for Security, you can purchase capacity in these four regions: East US, West Europe, UK South, and Australia East.

While there are technically no prerequisites, you’ll need an Azure subscription and Microsoft Entra ID (Entra ID is required to authenticate your users). We also recommend allowing prompt evaluation anywhere with available GPU capacity for optimal results. By default, all users are “Copilot contributors” (this may vary according to existing user permissions) and the provisioning user is the “Copilot owner.” Contributors cannot update data sharing options, manage SCUs, view the usage dashboard, and may only manage and publish custom plugins or upload files when allowed. Also by default, all security administrators and global administrators inherit Copilot for Security access.

Copilot for Security will not elevate your level of access (e.g., to use the Microsoft Sentinel plugin, you will need the Microsoft Sentinel Reader role). However, plugin settings are managed at the user level, requiring each user to enable/disable plugins and configure authentication methods. Unfortunately, there is no existing option to set plugin configurations at the Tenant level.

I recommend starting with Promptbooks. You can easily add tags, edit, share, run, and set the level of access to “Just me” or “Anyone in my organization.” You can even create your own. Learn more about how to create your own Promptbooks here. It’s also critical to monitor SCU usage to manage costs and avoid disruptions. Learn more about how to monitor your usage here. Also, if you’re beginning with the embedded experiences, I recommend starting with Defender XDR.

Lastly, experiment with uploading your organizations own DOCX, MD, PDF, and TXT files. You can upload files up to 20 MB in total. Copilot for Security reasons over files to generate more relevant and specific responses. Learn more about uploading your own files here.

Get Started


  • Incident Response — Summarize incidents, assess impact, and receive tailored remediation guidance, including for triage, investigation, and containment.
  • Security Reports — Summarize investigations, incidents, vulnerabilities, or threats in minutes and prepare the information in ready-to-share reports.
  • Security Posture Management — Learn if your organization is at risk from vulnerabilities and examine resources in your environment for signs of a breach.
  • Reverse Script Engineering — Analyze complex command line scripts and translate them into natural language with clear explanations of actions.

How does Copilot for Security increase efficiency?

-> Reference

  • Threat Hunting: Assists in building hunting queries by reasoning over MDTI.
  • Speed: Improves security teams’ response time, with up to a 26% reduction in randomized control trials.
  • Efficiency: Enhances responses with contextual summaries, reduces routine tasks, and offers Natural Language to KQL conversion (NL2KQL).
  • More Proactive Threat Hunting: Empowers teams with AI-powered recommendations.
  • Empowering Staff: Frees senior staff for strategic work and strengthens junior staff expertise.

Use Cases



We recommend watching the following videos created by Microsoft Security and the Global Partner Solutions (GPS) Technical Team:

How Microsoft Copilot for Security works How Microsoft Copilot for Security works

Ryan Munsch, from the Copilot for Security team, joins host Jeremy Chapman to share how Copilot for Security is an enterprise-grade natural language interface for your organization's security data.
Prepare for New Threats with Microsoft Copilot for Security Prepare for New Threats with Microsoft Copilot for Security

Join Dave and Zach as they discuss how to prepare for new threats in an era of increasingly complex cyberattacks with Microsoft Copilot for Security. Explore Copilot for Security’s interface, how a partner gains access, the power of plugins and Promptbooks, data security and privacy, AI threats and how we at Microsoft defeat them, and our Responsible AI story.

Also explore Microsoft’s Copilot for Security YouTube Playlist📹

Roles beyond SOC Analysts​

  • DLP​ Analysts:​ Summarize DLP alerts and analyze DLP policy configurations.
  • Insider​ Risk Analysts:​ Summarize Insider Risk Management alerts and gain context around users with risky behavior​.
  • IT​ Admins: Create device configuration profiles in Intune and leverage data-driven configuration troubleshooting and remediation​.
  • eDiscovery​ Analysts​: Generate Keyword Query Language from NL in eDiscovery and summarize evidence collected.
  • Identity Access Management​ Admins: Discover high risk users, overprivileged access, suspicious sign-ins in Entra.

Announcements & Whitepapers

Community Resources

AI Security

Back to Table of Contents. Are you ready to extend Copilot for Security?


Extend Copilot for Security

Learn how to grant an MSSP access to your Copilot for Security environment and how to use and create plugins. Copilot for Security plugins enhance the platform’s capabilities by acting as connectors, enabling seamless integration with infinite partners and third parties, allowing for custom functionality. To first create a plugin, you will need the correct instance URL and API token.




3P Plugins

  • Computer Incident Response Center Luxembourg (CIRCL) – CIRCL is a government initiative that provides systematic responses to incidents
  • CrowdSec Threat Intelligence – CrowdSec provides information about IPs and identification and verification of potentially malicious IPs
  • NEW: CyberArk – CyberArk Privilege Cloud is a SaaS solution that helps to securely store, rotate, and isolate credentials
  • Cyware Respond – Cyware is an end-to-end incident management and threat response platform
  • NEW: Darktrace – Darktrace offers cybersecurity AI services
  • GreyNoise – GreyNoise collects and analyzes Internet-wide scan and attack data
  • NEW: Jamf – Jamf Pro provides comprehensive MDM data
  • Netskope – Netskope combines security and networking services, enabling Secure Access Services Edge (SASE) and Zero Trust
  • NEW: Red Canary – Red Canary provides managed detection and response (MDR) services
  • NEW: ReversingLabs – ReversingLabs helps SOC teams understand file-based threats
  • NEW: SGNL – SGNL provides Zero Standing Privilege (ZSP) initiatives to protect user sessions and credentials
  • NEW: Shodan – Shodan is a search engine that allows users to find specific types of devices connected to the internet
  • Tanium – Tanium is a converged endpoint management (XEM) reference platform
  • UrlScan – UrlScan allows users to scan and analyze potentially malicious URLs
  • Valence Security – Valence combines SaaS security posture management (SSPM) and advanced remediation

Extensibility Features

CfS Reference Architecture

Community Plugins

Disclaimer: Some of these plugins were developed and are maintained by the community and are not owned or managed by Microsoft.

Back to Table of Contents. Are you ready to drive customer adoption?


Driving Customer Adoption

Microsoft Copilot for Security enables customers and partners to proactively defend against cyber threats, streamline security workflows, and protect critical assets. Learn how to drive customer adoption below.


Microsoft Security Integration Reference Architecture

CfS Reference Architecture

Address Concerns

Technical Considerations

  • Assist a Human in Completing Work – It’s a Copilot, integrations are driven by/drive human engagement, not background runtime processing of substantial amounts of data.
  • Have High Customer Value — The cost of Generative AI is orders of magnitude higher per transaction than your average feature today and depends on a constrained hardware supply (GPUs).
  • Will be Regularly Used — The best integrations will be used regularly so it is ongoing value, not a one-time value (like a configuration assistant).

Multi-tenant & Delegation Models


Copilot for Security pricing is consumption-based and costs approximately $4 per SCU per hr. A Security Compute Unit (SCU) is Copilot for Security’s unit of measurement of computing capacity to run a Copilot workload. The amount of SCUs needed depends on the complexity of the given workload. The pricing is consistent across the standalone experience and the embedded experiences as well as regions.

Why is it consumption-based and not per user? The idea is that the flexibility will allow more customers and partners to try it! That said, the output is only as good as the input, and the more plugins you may use to contextually enrich complex investigations, the better (think Microsoft Sentinel pricing; the more telemetry ingested = the more coverage and insights, so long as it’s not too much noise). There are no prerequisites, but for the best experience, we recommend that customers have MDE P2 and/or Microsoft Sentinel.

To use Copilot for Security, you will need to provision at least one SCU per hr 24x7. Therefore, the minimum annual price is $35,040 USD ($4 * 24hr per day * 365day per yr). Your monthly bill is calculated as (SCUs per hr) x $4 x 730/month or you can leverage the Azure Pricing Calculator. Customers and partners can purchase SCUs in the standalone experience or in Azure and can manually provision SCUs up or down so long as there is at least one SCU/hr. Once an analyst is nearing the capacity limit, they will receive a warning and the option to increase the capacity.

If you delete Copilot for Security (zero SCUs per hr), we will retain your data for 90 days. Tenant-level MDTI workbench is included with Copilot for Security and while it’s not the standalone API, the TI information is easy to read and in the context of your investigations. From a licensing perspective, this is also significant cost savings.

Since computing capacity and token usage is variable (quantifying a specific # of tokens or SCUs/workflows needed per prompt/Promptbook is difficult), it’s important for partners to know what they can do now:

  • Measure SCU usage between different use cases (SOC analysts, Purview admins, identity/access admins, etc.)
  • Measure SCU usage between different levels of expertise (Junior analysts vs Senior analysts)
  • Measure SCU usage across different types of investigations (incident triage, threat actor investigation, reverse engineering a malicious script, etc.)

I’m assuming beyond the EAP, we’re also collecting this data and in good time, will provide more guidance and standards on SCU usage patterns and what is and isn’t a SCU/workflow.

Back to Table of Contents.