Microsoft recently announced the general availability of Copilot for Security, a generative Artificial Intelligence (AI) security product designed to help security and IT teams with the capabilities to protect their digital assets.
Copilot for Security's general availability introduces several new features, including customizable promptbooks for streamlined security tasks, knowledge base integrations (preview) for proprietary content search, and multi-language support for processing and interface in up to 25 languages. Enhancements include third-party integrations, connection to Microsoft Defender for real-time external attack surface analysis, Microsoft Entra for detailed audit and diagnostic log insights, and usage reporting for optimizing team performance with Copilot.
Microsoft Copilot for Security first receives user prompts from security products, which it then refines through a process known as grounding to enhance prompt specificity. This ensures responses are relevant and actionable. The system employs plugins for initial prompt processing before consulting the language model. After receiving the model's response, Copilot for Security refines this information with post-processing plugins to add context. The final response is then presented to the user for review and assessment.
Microsoft Copilot for Security (Source: Microsoft Learn)
In addition, Microsoft introduces a flexible, consumption-based pricing model with Copilot for Security. Customers can start with minimal investment, experimenting and scaling their usage based on their unique requirements and budget. The pricing is based on Security Compute Units (SCU), with an in-product dashboard providing detailed insights into usage patterns. This feature enables customers to monitor their SCU consumption and adjust their provisioning accordingly, with Microsoft recommending a starting point of 3 SCUs per hour.
In the Tech Community blog post on the GA release of Copilot for Security, Marvl15 states his concerns in a comment:
It's a significant milestone, no doubt, but the cost upfront is just staggering. I'm hesitant to commit $3K without knowing if it's the right fit for our organization. Understanding the tool thoroughly is crucial at that price point. It's baffling they don't offer a trial period.
The SCU calculation is quite complex initially. I mean, how do you accurately gauge our SCU needs? Peak hours demand more computing power, but investing during off-hours seems like an unnecessary expense.
Yet, in an earlier Tech Community blog post on Copilot for Security, Rogier Dijkman, a Microsoft Security MVP, pointed out:
Depending on Copilot for Security usage, customers may need to provision more or less SCUs. There is no simplified mapping between an SCU and number of queries run by the customer because every prompt is different, workflows are of different sizes, scripts that need to be reverse engineered are of different lengths, so they are all going to utilize and burn SCU capacity differently. Customers should leverage the in-product dashboard to observe their usage patterns and adjust provisioned SCUs over time.
Customers can estimate the costs with the newly introduced pricing page and use the calculator to predict the monthly expenses. With the offering, customers can also leverage Microsoft Defender Threat Intelligence (MDTI) capabilities at no extra charge. Yet customers seeking to utilize MDTI's API endpoints for automated enrichment or scripting beyond Copilot's current capabilities will still need to purchase the MDTI API license.
Customers need an Azure subscription to access Copilot for Security. The provisioning process is straightforward, guiding users through initial setup steps such as adding capacity, selecting data-sharing settings, and defining role assignments. Furthermore, the in-product dashboard simplifies monitoring available SCUs and usage patterns.