COMPARISON / VENDOR REVIEW
Microsoft Defender Threat Intelligence in 2026
A reference review of MDTI, Security Copilot integration, the agentic SOC manifesto, and how the bundle compares to standalone alternatives for Microsoft-centric SOCs.
Last verified: May 2026. Independent. No vendor input.
What MDTI delivers in 2026
Microsoft Defender Threat Intelligence is the rebranded and integrated continuation of the RiskIQ portfolio Microsoft acquired in 2021, plus curated content from the Microsoft Threat Intelligence Center (MSTIC). The platform combines an internet-observation dataset (passive DNS, SSL certificates, web crawl, host-pair relationships, screenshot history) with MSTIC actor profiles, named threat actor activity tracking, and tooling for analyst investigation and pivoting.
The integration story is the major differentiator. MDTI data flows natively into Microsoft Sentinel as a threat intelligence source, into Microsoft Defender XDR for endpoint correlation, and into Security Copilot as the intelligence corpus the LLM reasons over. For a customer already on the Microsoft security stack, MDTI is the most efficient marginal investment in formal threat intelligence; the integration tax is near zero.
The free tier accessible at ti.defender.microsoft.com provides limited search capability and is useful for occasional one-off investigation. The paid standalone tier unlocks the full investigation workbench, the curated MSTIC content library, infrastructure search, and the analytics pivots that make MDTI productive for full-time SOC use. The paid tier is licensed separately from Microsoft 365 E5 in most configurations as of 2026.
For Microsoft Sentinel integration specifically, see AI threat intel with Microsoft Sentinel. The patterns there cover MDTI as the primary intelligence source plus complementary commercial feeds for depth.
Security Copilot is the agentic layer
Microsoft Security Copilot is the agentic AI layer built on top of MDTI, Defender XDR, Sentinel, and the broader Microsoft security graph. The product became generally available in April 2024 and has expanded through 2025 and 2026 to incorporate the multi-agent architecture described in the April 2026 agentic SOC manifesto.
The pricing model is consumption-based, denominated in Security Compute Units (SCU). The list rate of approximately $4 per SCU per hour means a Security Copilot session that runs for several minutes typically costs a few dollars; an active SOC running it for daily triage and investigation tends to consume 10-50 SCU per day per active analyst. For a 20-analyst SOC, expect to budget in the $50,000 to $200,000 per year range for Security Copilot alone, in addition to MDTI and Sentinel ingestion costs.
The capability is genuinely useful for natural-language querying against the security graph, for drafting incident summaries, for alert triage, and for generating Sentinel KQL queries. It is less reliable for autonomous decision-making and for novel attribution; the human-in-the-loop pattern remains the operationally correct deployment in 2026.
The competitive alternatives in the agentic SOC space include Dropzone AI, Prophet Security, Torq HyperSOC, and Radiant Security. See agentic SOC buildout for the multi-vendor capability matrix.
Pricing context, April 2026
Microsoft publishes more pricing than most CTI vendors, but the bundle is complex. The ranges below reflect a Microsoft-centric SOC with an E5 baseline plus standalone MDTI, Sentinel, and Security Copilot.
| Component | List rate or typical contract | What is included |
|---|---|---|
| M365 E5 baseline (incl. Defender XDR) | $57 / user / mo | Defender for Endpoint, Office, Identity, Cloud Apps. Limited MDTI capability included. |
| MDTI standalone (paid tier) | ~$20 / user / mo | Full investigation workbench, MSTIC actor catalogue, infrastructure search. |
| Microsoft Sentinel | $2-4 / GB ingested | Pay-as-you-go or commitment tier. SIEM with MDTI as native intel source. |
| Security Copilot | $4 / SCU / hr | Agentic AI layer. Consumption-based; 10-50 SCU/day/active-analyst typical. |
| Combined typical 20-analyst SOC | $200,000 - $500,000+ / yr | Full Microsoft-centric stack including Sentinel ingestion, MDTI standalone, Security Copilot. |
Source: Microsoft 365 pricing page (Apr 2026), Microsoft Sentinel pricing page (Apr 2026), Microsoft Security Copilot pricing page (Apr 2026), composite of Vendr customer contracts. Last verified May 2026.
Best fit and avoid
Strong fit
- Microsoft-centric SOC already on E5 or Defender XDR
- Sentinel is or will be the primary SIEM
- Buyer wants integrated agentic capability without point-product assembly
- Federal or regulated customer on Azure Government (MDTI is FedRAMP High via Gov)
- Stack consolidation pressure from procurement (one vendor, one bill)
- Need for the RiskIQ-derived infrastructure intelligence dataset
Look elsewhere if
- Non-Microsoft SOC (Splunk, Chronicle, or Sumo Logic as the primary SIEM)
- Need broader commercial feed coverage (Recorded Future, Mandiant)
- Need underground depth (Intel 471, Flashpoint)
- Cost optimisation pressure (open-source intelligence plus one commercial feed is cheaper)
- Multi-cloud security strategy not centred on Azure
- Need brand protection plus geopolitical coverage from a single vendor (Flashpoint is broader)
Verdict for 2026
For a Microsoft-centric SOC, MDTI plus Sentinel plus Security Copilot is the natural and operationally defensible choice. The integration story is real, the marginal cost is low (most of the spend is already committed to Microsoft licensing), and the agentic SOC capability is at parity with the better point-product vendors as of 2026. The strategic risk is platform lock-in; the strategic reward is operational efficiency.
For a non-Microsoft SOC, MDTI on its own is less compelling. The intelligence is good, but the integration tax for non-Microsoft platforms is meaningful, and the per-user pricing favours deployments bundled with Microsoft licensing. Most customers in this position end up choosing Recorded Future or Mandiant as their primary CTI source, with MDTI as a complementary source if budget permits.
For organisations evaluating the agentic SOC architecture more broadly, the Microsoft manifesto provides a useful framing language even if Security Copilot is not the chosen product. See agentic SOC buildout for the multi-vendor architecture overview.
FAQ
What is Microsoft Defender Threat Intelligence?
Microsoft Defender Threat Intelligence (MDTI) is Microsoft's standalone threat intelligence platform, built primarily on the dataset acquired with RiskIQ in 2021. The platform combines internet-wide observations (passive DNS, SSL certificates, infrastructure relationships, host pairs, web scraping) with curated threat-actor profiles and infrastructure intelligence published by Microsoft Threat Intelligence Center (MSTIC). MDTI is integrated with Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Security Copilot.
Is MDTI included in Microsoft 365 E5?
Limited MDTI capabilities are included in Microsoft 365 E5 Security through Defender XDR. The standalone MDTI product (additional intelligence pivots, the full MSTIC actor profile catalogue, advanced infrastructure search) is licensed separately at additional cost. The free tier accessible to all Microsoft customers (ti.defender.microsoft.com) provides limited search capabilities; the paid tier (per-user or per-tenant licensing) unlocks the full investigation platform.
What does MDTI standalone cost in 2026?
Microsoft has historically published MDTI standalone pricing in the Microsoft 365 admin centre. As of April 2026, the per-user list price is reported at around $20 per user per month for the paid MDTI tier, with enterprise volume discounts. For a 50-analyst SOC the list cost is approximately $12,000 per year before discounts. MDTI data consumed through Microsoft Sentinel ingestion is licensed per GB under the Sentinel pricing model. Combined with Security Copilot at $4 per SCU per hour, a Microsoft-centric SOC stack including MDTI, Sentinel, and Security Copilot commonly lands in the $200,000 to $500,000 per year range.
What is the agentic SOC manifesto?
Microsoft published an agentic SOC manifesto in April 2026 articulating a vision for autonomous and semi-autonomous SOC agents built on Security Copilot. The manifesto describes a multi-agent architecture where Triage Agents perform first-pass alert filtering, Enrichment Agents add context and MITRE ATT&CK mapping, Hunting Agents generate hypotheses from threat intelligence, and Response Agents execute SOAR-style remediation. The vision is influential because Microsoft is the largest security vendor by revenue; expect competing vendors to either align with or react against the agentic SOC framing throughout 2026 and 2027.
How does MDTI compare to Recorded Future?
Recorded Future has broader commercial feed coverage, curated Insikt Group research depth, and stronger SIEM integration across non-Microsoft platforms. MDTI has tighter integration with the Microsoft Defender XDR ecosystem, the RiskIQ-derived internet observation dataset (passive DNS, SSL, web crawl), and meaningfully lower marginal cost for customers already on E5. For Microsoft-centric SOCs already invested in Sentinel and Defender, MDTI plus Security Copilot is the natural choice. For multi-platform SOCs or customers with no Microsoft licensing investment, Recorded Future remains the broader-fit choice.