top of page

The Microsoft Security Stack - Demystified!

John Maton - Microsoft Security Consultant, Satisnet


This post aims to clarify the naming of the Microsoft Security product stack. We recommend bookmarking this page and coming back whenever you need to check something as this comes up a lot and it can take a while to get your head around!

As we all know, Microsoft’s security offerings have been evolving and expanding hugely in the past couple of years. Unfortunately, the names for these products have been evolving just as fast, which can get very confusing.

The good news is Microsoft haven’t just been changing names for no reason lately. The latest changes make the naming more logical and consistent than before – but only if we use them.

Microsoft have broadly rebranded their security products under the term ‘Defender’. The first thing to be clear on is that ‘Defender’ no longer has any implication of Endpoint Detection and Response (EDR) or antivirus (AV) attached as it did in the past. Microsoft Defender for Office 365 and Azure Defender for IoT are examples of non-endpoint products bearing the name ‘Defender’.

Here’s a good time to notice the use of ‘Microsoft’ in one product, and ‘Azure’ in another...

‘Microsoft’ indicates the product is for ‘client-side’ security (Microsoft 365) – think Windows 10, Office 365 and so on. ‘Azure’ indicates the product is for the ‘server side’ (Azure/hybrid cloud) - think Windows Server VMs, SQL databases and so on.

A common problem in security is the continued use of former ‘ATP’ or ‘Advanced Threat Protection’ branding. This primarily referred to the suite of security products now called Microsoft 365 Defender, although many people used (and still use) ‘ATP’ to refer to individual products, usually Defender for Endpoint (formerly Microsoft Defender ATP). This would often leave people wondering which ATP was being talked about and general confusion all round.


  • Defender could mean anything these days – instead of using Defender on its own ask yourself ‘Defender for what?’

  • Security products are split between Microsoft 365 Defender and Azure Defender depending on whether they protect your end users or your cloud/hybrid cloud environment.

  • Advanced Threat Protection (ATP) is no longer in the name of any Microsoft product. It was often used incorrectly so it’s always good to seek clarification if you hear it used.

These are the main points to be aware of, but there are a few others.

  • Microsoft Cloud App Security (MCAS) has not been renamed, but as an important piece of the end user security story, it is considered part of Microsoft 365 Defender.

  • Azure Sentinel, despite having Azure in the name, is not part of either Azure Defender or Microsoft 365 Defender, but rather sits on the same conceptual level as Defender itself, giving us Defender as our XDR platform, and Sentinel as our SIEM platform.


Microsoft still has more portals than it knows what to do with. The individual portals for Microsoft Defender for Endpoint, Microsoft Defender for Office 365 and MCAS still exist and are still widely used.

Microsoft Defender for Identity (formerly Azure ATP) also has its own portal (, although its features have now been combined into the MCAS portal, which is no doubt to distance it from Azure Defender.

If you just want to know what portal to use, it’s becoming a fairly safe bet to use the Microsoft 365 Security portal ( for all four Microsoft 365 Defender products.


Getting your head around the Microsoft stack can be challenging, but it’s very worthwhile as Microsoft offer some fantastic products. If this post has left you more confused than ever, please do reach out to Satisnet, and Microsoft Security Specialist will be in touch.


bottom of page