
Microsoft Copilot for Security: The MSSP Opportunity


Microsoft’s bold effort to fuse generative artificial intelligence into its security offerings began Monday with the general availability of Microsoft Copilot for Security in all commerce channels, including the Cloud Solution Provider channel. Will MSSPs see the big returns Microsoft is promising for partners?

The artificial intelligence chatbot pairs Microsoft’s Copilot technology with cybersecurity, giving users and partners a tool for boosting productivity, accuracy and efficiency in their security operations, according to Nicole Dezen, chief partner officer and corporate vice president of Global Partner Solutions.

“For Microsoft and our partners across industries, AI offers a generational moment to reimagine the capabilities that software and services can provide,” Dezen said.

AI is an opportunity for partners that is far greater than the sum of AI technologies themselves, she said in a blog post.

Copilot Security Chatbot: All Talk or Game Changer?

Partners’ reaction to the year-long rollout has been mostly hopeful that Microsoft Copilot for Security (MCS) will drive new recurring revenue. But business and technical questions remain, such as its consumption-based pricing model versus per-license pricing.

Partners had complained that Copilot 365 was not offered to partners as an NFR license, and it's unclear whether MSSPs will have the same complaints about Copilot for Security. Other issues include integrating Microsoft Copilot for Security with existing toolsets and the possible impact of overreliance on AI versus the human value that MSSPs and managed service providers (MSPs) offer.

“MCS is certainly an innovative technology that will make a massive impact and continue to iterate with additional functionality given the potential of GPT and LLMs (large language models),” said Randy Watkins, chief technology officer at Critical Start, one of the MSSPs involved in the preview program. “[However,] I don’t view it as a ‘brand-new way of doing security’, but rather a better way to augment security, which will almost certainly evolve over time.”

Alex Berger, product marketing vice president at Ontinue, a managed SecOps provider for Microsoft customers that participated in an early trial use of MCS, said generative AI’s potential as a security tool went beyond the initial focus on detection analytics.

“Working with it (MCS) thus far, we see tremendous applications to making security operations more efficient and effective,” he said. “That’s not only critical for managed security service providers, but also their customers, some of whom simultaneously run some security operations for themselves.

“Copilot can offer tremendous value on that front. The key for MDR players is to consider how they structure their service to enable the two to be coordinated. In the end, it creates better security, a better experience, and new opportunities for managing security providers.”

Getting the Most Out of GenAI

In a blog post, analyst firm Forrester said early indications suggested senior security staff would experience the most productivity gains using Microsoft Copilot for Security:

“We asked an SOC leader who had been in the beta if Copilot for Security had uncovered threats that his investigations would have missed. He said no, he would have found them all, but it would have taken longer. He added, ‘But it helps the junior analyst, because they would have gotten stuck much earlier and would have had to escalate to us’.”

Forrester said the capabilities that most impressed early users included making script analysis easier, accelerating threat hunting by helping write queries based on adversary methodologies, speeding up the analysis of phishing submissions, and the automated creation of report summaries.

Opportunities for MSSPs

Berger said Microsoft Copilot for Security gave MSSPs that had not developed AI-powered tools of their own the ability to quickly implement an AI solution that augments their SOC capabilities and streamlines daily operations.

“There are also questions about how MCS fits into the overall MSSP model, for example, questions related to multi-tenancy and cost prediction, key considerations for MSSPs,” Berger said.

A second opportunity for MSSPs is to leverage their customers’ Microsoft Copilot for Security implementations on their behalf, as they would with Microsoft Defender for Endpoint or Microsoft Sentinel.

“By training their SOC how to use MCS effectively, the MSSP can better leverage the tools their customers already own, which in turn helps maximize the customer’s return on investment for those tools,” Berger said. “This opportunity is interesting, but it begs the question of whether a customer is willing to pay for a tool just so their MSSP can use it on their behalf.”

Forrester added that partners would have a major role to play in training customers to use the solution, something MSSPs are eager to deliver.

“Like any data-based tool, MCS is only as powerful as the data that you feed it,” Berger said. “Customers who attempt to implement MCS into environments where Microsoft Defender for Endpoint, Sentinel, and Intune are improperly deployed, tuned, and configured will struggle to achieve their desired outcomes.”

Forrester added, “MSSPs with Microsoft security domain expertise can offer professional services to help customers ensure their environments are optimized before implementing MCS.”

Navigating a New Pricing Model

Microsoft Copilot for 365 came with a $30 per seat monthly licensing fee and a minimum purchase of 300 seats. Microsoft Copilot for Security is offered as a provisioned pay-as-you-go licensing model.

Microsoft said the consumption-based model, under which it charges $4 per “security compute unit,” would make it easier for customers to get started quickly and on a small scale. The lack of upfront per-device or per-user charges would also make it easier for customers to experiment and learn how to use the solution, the company said.

Microsoft Copilot for Security’s consumption-based pricing is determined by the complexity and number of queries a business submits. Traditional pricing for Copilot for M365 is based on the number of licensed seats or users and devices. Another difference between Copilot for M365 and Microsoft Copilot for Security is that Copilot for M365 required M365 E3, E5, Business Standard or Business Premium, or Office 365 E3 or O365 E5. The only thing businesses need for Copilot for Security is an Azure account.

“There is a significant degree of unpredictability in the cost and pricing models for generative AI across vendors. Striking the balance of what to charge, and how to charge, for generative AI is still a struggle,” Forrester said.

Critical Start’s Watkins added: “While the real-time consumption pricing model falls in line with many newer cybersecurity solutions, we still see some trepidation in customers due to the lack of predictability.”

Microsoft Copilot for Security Alternatives

While competitors including CrowdStrike, Cloudflare, SentinelOne, and others have also launched AI-enabled security assistant solutions, Microsoft’s investment in OpenAI, combined with its substantial share of the security market, has given it a ready base of potential Microsoft Copilot for Security customers.

“Many organizations are starting to build GPTs and leverage LLMs, but the scale of Microsoft’s compute, investment, and signals to process gives them the edge on maintaining maturity in this area,” said Watkins. “Microsoft’s completeness in portfolio across the three major security signals: identity, email, and endpoint, and broad deployment across organizations of every size and vertical, gives them visibility and enforcement points that other competitors don’t have. For MCS, this means more data to train on and pull context from to produce a more complete picture of an attack.”

Forrester said the value Microsoft Copilot for Security offered an organization would largely depend on how Microsoft-heavy their present security stack was.

“For security teams already leaning on Microsoft Sentinel, Defender, Entra, Priva, Intune, and Purview, this is a no-brainer add-on that will help their teams become more productive.”

However, organizations in that situation would still need to ensure their budgets could absorb “some unknowns” in the form of Microsoft Copilot for Security’s consumption-based pricing model, and the solution would also require additional investment in the form of money and time set aside for training.

“For teams that depend on other technologies, it may not be worth sinking much investment into secure compute units (for now); instead, turn to whatever your current portfolio player vendor calls its generative AI solution,” Watkins said.

Another potential downside was that integrations were currently limited.

“Copilot can call Power Automate, and vice versa, but in neither case are the calls bidirectional. Copilot cannot auto-quarantine an infected host today. But Microsoft has plans to add more integrations in the future, and customer adoption will accelerate this,” Forrester said. “For now, given that it’s an MVP, Copilot for Security will require multiple instances for companies that want to silo data between business units, operating companies, or geographies.

“Those instances do not roll into a single interface at launch. Not only is that problematic for multinationals or complex corporations, but it’s also a challenge for service provider partners offering MDR, SOCaaS, or managed SIEM services on Copilot for Security.”

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.