Analyst reports Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/topic/analyst-reports/
Expert coverage of cybersecurity topics. Feed last updated Thu, 12 Mar 2026 18:38:22 +0000.

Microsoft named a Leader in IDC MarketScape for Unified AI Governance Platforms
http://approjects.co.za/?big=en-us/security/blog/2026/01/14/microsoft-named-a-leader-in-idc-marketscape-for-unified-ai-governance-platforms/
Wed, 14 Jan 2026 17:00:00 +0000

Microsoft is honored to be named a Leader in the 2025–2026 IDC MarketScape for Unified AI Governance Platforms, highlighting our commitment to making AI innovation safe, responsible, and enterprise-ready.

The post Microsoft named a Leader in IDC MarketScape for Unified AI Governance Platforms appeared first on Microsoft Security Blog.

As organizations rapidly embrace generative and agentic AI, ensuring robust, unified governance has never been more critical. That’s why Microsoft is honored to be named a Leader in the 2025–2026 IDC MarketScape for Worldwide Unified AI Governance Platforms (Vendor Assessment, #US53514825, December 2025). We believe this recognition highlights our commitment to making AI innovation safe, responsible, and enterprise-ready—so you can move fast without compromising trust or compliance.

A graphic showing Microsoft's position in the Leaders section of the IDC report.
Figure 1. IDC MarketScape vendor analysis model is designed to provide an overview of the competitive fitness of technology and suppliers in a given market. The research methodology utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each supplier’s position within a given market. The Capabilities score measures supplier product, go-to-market and business execution in the short term. The Strategy score measures alignment of supplier strategies with customer requirements in a three- to five-year timeframe. Supplier market share is represented by the size of the icons.

The urgency for a unified AI governance strategy is being driven by stricter regulatory demands, the sheer complexity of managing AI systems across multiple AI platforms and multicloud and hybrid environments, and leadership concerns for risk related to negative brand impact. Centralized, end-to-end governance platforms help organizations reduce compliance bottlenecks, lower operational risks, and turn governance into a strategic driver for responsible AI innovation. In today’s landscape, unified AI governance is not just a compliance obligation—it is critical infrastructure for trust, transparency, and sustainable business transformation.

Our own approach to AI is anchored to Microsoft’s Responsible AI standard, backed by a dedicated Office of Responsible AI. Drawing from our internal experience in building, securing, and governing AI systems, we translate these learnings directly into our AI management tools and security platform. As a result, customers benefit from features such as transparency notes, fairness analysis, explainability tools, safety guardrails, regulatory compliance assessments, agent identity, data security, vulnerability identification, and protection against cyberthreats like prompt-injection attacks. These tools enable them to develop, secure, and govern AI that aligns with ethical principles and is built to help support compliance with regulatory requirements. By integrating these capabilities, we empower organizations to make ethical decisions and safeguard their business processes throughout the entire AI lifecycle.

Microsoft’s AI Governance capabilities aim to provide integrated and centralized control for observability, management, and security across IT, developer, and security teams, ensuring integrated governance within their existing tools. Microsoft Foundry acts as our main control point for model development, evaluation, deployment, and monitoring, featuring a curated model catalog, machine learning operations, robust evaluation, and embedded content safety guardrails. Microsoft Agent 365, which was not yet available at the time of the IDC publication, provides a centralized control plane for IT, helping teams confidently deploy, manage, and secure their agentic AI published through Microsoft 365 Copilot, Microsoft Copilot Studio, and Microsoft Foundry.

Deeply embedded security systems are integral to Microsoft’s AI governance solution. Integrations with Microsoft Purview provide real-time data security, compliance, and governance tools, while Microsoft Entra provides agent identity and controls to manage agent sprawl and prevent unauthorized access to confidential resources. Microsoft Defender offers AI-specific posture management, threat detection, and runtime protection. Microsoft Purview Compliance Manager automates adherence to more than 100 regulatory frameworks. Granular audit logging and automated documentation bolster regulatory and forensic capabilities, enabling organizations in regulated industries to innovate with AI while maintaining oversight, secure collaboration, and consistent policy enforcement.

Guidance for security and governance leaders and CISOs

To empower organizations in advancing their AI transformation initiatives, it is crucial to focus on the following priorities for establishing a secure, well-governed, and scalable AI framework. The guidance below provides Microsoft’s recommendations for fulfilling these best practices:

CISO guidance: Adopt a unified, end-to-end governance platform
What it means: Establish a comprehensive, integrated governance system covering traditional machine learning, generative AI, and agentic AI. Ensure unified oversight from development through deployment and monitoring.
How Microsoft delivers: Microsoft enables observability and governance at every layer across IT, developer, and security teams to provide an integrated and cohesive governance platform that enables teams to play their part from within the tools they use. Microsoft Foundry acts as the developer control plane, connecting model development, evaluation, security controls, and continuous monitoring. Microsoft Agent 365 is the control plane for IT, enabling discovery, security, deployment, and observability for agentic AI in the enterprise. Microsoft Purview, Entra, and Defender integrate to deliver consistent full-stack governance across data, identity, threat protection, and compliance.

CISO guidance: Industry-leading responsible AI infrastructure
What it means: Implement responsible AI practices as a foundational part of engineering and operations, with transparency and fairness built in.
How Microsoft delivers: Microsoft embeds its Responsible AI Standards into our engineering processes, supported by the Office of Responsible AI. Automatic generation of model cards and built-in fairness mechanisms set Microsoft apart as a strategic differentiator, pairing technical controls with mature governance processes. Microsoft’s Responsible AI Transparency Report provides visibility into how we develop and deploy AI models and systems responsibly and provides a model for customers to emulate our best practices.

CISO guidance: Advanced security and real-time protection
What it means: Provide robust, real-time defense against emerging AI security threats, especially for regulated industries.
How Microsoft delivers: Microsoft’s platform features real-time jailbreak detection, encrypted agent-to-agent communication, tamper-evident audit logs for model and agent actions, and deep integration with Defender to provide AI-specific threat detection, security posture management, and automated incident response capabilities. These capabilities are especially critical for regulated sectors.

CISO guidance: Automated compliance at scale
What it means: Automate compliance processes, enable policy enforcement throughout the AI lifecycle, and support audit readiness across hybrid and multicloud environments.
How Microsoft delivers: Microsoft Purview streamlines compliance adherence for regulatory requirements and provides comprehensive support for hybrid and multicloud deployments—giving customers repeatable and auditable governance processes.

We believe we are differentiated in the AI governance space by delivering a unified, end-to-end platform that embeds responsible AI principles and robust security at every layer—from agents and applications to underlying infrastructure. Through native integration of Microsoft Foundry, Microsoft Agent 365, Purview, Entra, and Defender, organizations benefit from centralized oversight and observability across the layers of the organization with consistent protection and operationalized compliance across the AI lifecycle. Our comprehensive approach removes disparate and disconnected tooling, enabling organizations to build trustworthy, transparent, and secure AI solutions that can start secure and stay secure. We believe this approach uniquely differentiates Microsoft as a leader in operationalizing responsible, secure, and auditable AI at scale.

Strengthen your security strategy with Microsoft AI governance solutions

Agentic and generative AI are reshaping business processes, creating a new frontier for security and governance. Organizations that act early and prioritize governance best practices—unified governance platforms, built-in responsible AI tooling, and integrated security—will be best positioned to innovate confidently and maintain trust.

Microsoft approaches AI governance with a commitment to embedding responsible practices and robust security at every layer of the AI ecosystem. Our AI governance and security solutions empower customers with built-in transparency, fairness, and compliance tools throughout engineering and operations. We believe this approach allows organizations to benefit from centralized oversight, enforce policies consistently across the entire AI lifecycle, and achieve audit readiness—even in the rapidly changing landscape of generative and agentic AI.

Explore more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


Microsoft named a leader in the 2025 Gartner® Magic Quadrant™ for Email Security
http://approjects.co.za/?big=en-us/security/blog/2025/12/05/microsoft-named-a-leader-in-the-2025-gartner-magic-quadrant-for-email-security/
Fri, 05 Dec 2025 20:00:00 +0000

Microsoft has been named a Leader in the 2025 Gartner® Magic Quadrant™ for Email Security, which we believe highlights the innovative capabilities of Microsoft Defender for Office 365.

The post Microsoft named a leader in the 2025 Gartner® Magic Quadrant™ for Email Security appeared first on Microsoft Security Blog.

We’re honored to share that Microsoft has been named a Leader in the 2025 Gartner® Magic Quadrant™ for Email Security. We believe this recognition highlights the value of Microsoft Defender for Office 365’s innovative capabilities in addressing today’s complex email security challenges.

Graph showing Microsoft as a Leader in the Gartner Magic Quadrant for Email Security.
Figure 1. 2025 Gartner® Magic Quadrant™ for Email Security.

Staying ahead of the evolving email threat landscape

Email remains the most exploited gateway for cyberattacks and the threat landscape is evolving fast. Cyberattackers are increasingly leveraging AI to automate and amplify their campaigns, making each attack vector more sophisticated and harder to detect. Our latest Microsoft Digital Defense Report reveals how business email compromise (BEC) has evolved from a low-volume scam into a professionalized, service-driven economy.

This industrialization of email-based crime and the growing use of AI by threat actors is one reason why we’ve doubled down on strengthening protections for our customers. Over the past year, we’ve introduced advanced defenses against emerging attack types, enhanced social engineering safeguards, and expanded coverage across collaboration tools like Microsoft Teams.

This growing cyberthreat landscape is why we need to fight AI with AI and lead with a unified platform approach to defend against sophisticated, multimodal attacks holistically.

Innovating to defend email with agentic AI

Our research shows that phishing attacks remain one of the most persistent and damaging threats to organizations worldwide. Security teams are under constant pressure to investigate a growing number of user-reported phishing emails daily, aiming for accurate verdicts and timely responses. Defender for Office 365 is focused on protecting against this evolving email and collaboration threat landscape by infusing AI agents and agentic workflows into the core of our security solution and security operations center (SOC) operations to strengthen our defenses, automate repetitive tasks, and accelerate investigations. Our recent innovations to defend against phishing attacks and more include:

  • Agentic email grading system uses advanced, AI-powered analysis when admins or users submit phishing emails to Microsoft for review. By integrating language models and agentic workflows into Defender for Office 365, the system delivers rapid, transparent verdicts and provides the submitter with context-rich explanations for each reported message. This approach reduces reliance on manual reviews, thereby shortening Microsoft’s response times, and it helps deliver consistent, high-quality outcomes. A built-in feedback loop enables continuous learning for both humans and models and adapts based on new cyberthreats, so that our evaluation considers the latest threat landscape.
  • Microsoft Security Copilot Phishing Triage Agent is designed to autonomously handle user-submitted phishing reports at scale in Defender for Office 365. The agent enables SOC teams by classifying incoming alerts, resolving false positives, and escalating only malicious cases that require human expertise. It automates repetitive tasks, accelerates investigations, and provides full transparency in every decision, allowing security teams to focus on what matters most—investigating real cyberthreats and strengthening the overall security posture. Early results show how it is transforming analyst work, with a measurable 40% reduction in time to resolution and a significant decrease in manual triage workload. To make it easier than ever for organizations to harness the power of Security Copilot agents to protect at the speed and scale of AI, Security Copilot will be included for all Microsoft 365 E5 customers.*
  • Email bombing protection—Email bombs send large volumes of emails to overflow a mailbox, overwhelm the user and distract attention from important email messages indicating a security breach. Defender for Office 365 now intelligently tracks message volumes across different sources and leverages historical patterns of the sender and signals related to spam content to identify these types of attacks. It automatically sends them straight to the junk folder, keeping the user’s inbox clean and the organization protected.

Driving transparency in the industry across ICES and SEG vendor effectiveness

At Microsoft, we believe that transparency is foundational to trust, and we are committed to delivering it through clear, actionable insights. By providing in-product transparency reports, we give customers visibility into security performance and outcomes. As both an email platform and a security provider, we want to work together with our ecosystem and do more to empower customers to understand email security effectiveness. That’s why earlier this year we introduced comparative benchmarking reports designed to assist customers in evaluating the benefits of integrating multiple email security solutions.

Testing these benchmarks relies on real-world email threats observed across the Microsoft ecosystem, rather than synthetic data or artificial testing environments. The study compares environments protected exclusively by Defender for Office 365 with those using a Secure Email Gateway (SEG) positioned in front of Defender, as well as environments where Integrated Cloud Email Security (ICES) solutions add a secondary layer of detection after Defender.

The future of email security

As email-based attacks continue to grow in sophistication and are increasingly fueled by AI, the need for AI-powered defenses and end-to-end AI security platforms becomes more urgent. Microsoft is committed to leading this transformation by:

  • Investing in agentic AI to empower defenders with autonomous capabilities.
  • Using the latest AI technology in our technology stack to defend against emerging cyberthreats.
  • Expanding our capabilities to new attack surfaces like Microsoft Teams and attack patterns like deepfakes.

We’re not just building tools; we’re shaping the future of cybersecurity. Our roadmap is guided by the real-world challenges faced by security teams and the outcomes they strive for: effective protection, fast detection, and smarter response.

We’re honored by the Gartner recognition and deeply grateful to our customers, partners, and the analyst community for their continued trust and collaboration.

Learn more

You can learn more by reading the full 2025 Gartner® Magic Quadrant™ for Email Security report. To learn more about Microsoft Defender for Office 365, visit our website.

Are you a regular user of Microsoft Defender for Office 365? Share your insights on Microsoft Defender for Office 365 and get rewarded with a $25 gift card on Gartner Peer Insights™.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


*Eligible Microsoft 365 E5 customers will have 400 Security Compute Units (SCUs) per month for every 1,000 user licenses, up to 10,000 SCUs per month. This included capacity is expected to support typical scenarios. Customers will have an option to pay for scaling beyond the allocated amount at a future date with $6 per SCU on a pay-as-you-go basis, and will get a 30-day advanced notification when this option is available. Learn more.

**This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. 

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

Gartner and Magic Quadrant are trademarks of Gartner, Inc., and/or its affiliates.

Gartner, Magic Quadrant for Email Security, 1 December 2025, by Max Taggett, Nikul Patel


Microsoft named a Leader in the Gartner® Magic Quadrant™ for Access Management for the ninth consecutive year
http://approjects.co.za/?big=en-us/security/blog/2025/11/21/microsoft-named-a-leader-in-the-gartner-magic-quadrant-for-access-management-for-the-ninth-consecutive-year/
Fri, 21 Nov 2025 17:00:00 +0000

We’re happy to share that Microsoft has been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Access Management for the ninth consecutive year.

The post Microsoft named a Leader in the Gartner® Magic Quadrant™ for Access Management for the ninth consecutive year appeared first on Microsoft Security Blog.

I’m deeply grateful to our customers and partners for their continued trust and collaboration. We’re happy to share that Microsoft has been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Access Management for the ninth consecutive year. We feel this recognition underscores the impact and value of our innovative solutions, like Microsoft Entra.

The Gartner Magic Quadrant showing Microsoft as a Leader.
Figure 1. Magic Quadrant for Access Management.

Staying ahead of the evolving cyberthreat landscape

Every day, Microsoft processes more than 100 trillion signals from our services. Together with insights from researchers, law enforcement, and cybersecurity teams, these signals reveal how quickly the threat landscape continues to evolve.

We’ve observed nation-state actors and organized cybercrime groups joining forces to deploy generative AI that automates cyberattacks at unprecedented scale. With password spray or brute force attacks still accounting for more than 97% of identity-related alerts we see, more customers are turning on multifactor authentication to defend themselves.[1] Multifactor authentication also reduces the risk of identity compromise by more than 99%, making it the single most important security measure an organization can implement.[1] This is forcing bad actors to evolve their tactics.

Using sophisticated phishing attacks, they trick users into authenticating on fake sites so they can intercept multifactor authentication codes and session tokens. And now they’re even using generative AI to impersonate colleagues and help desk personnel in fraudulent emails and Microsoft Teams chats, luring users into authenticating on their behalf or into granting broad permissions to malicious applications. They’re also targeting workloads, such as AI agents, which use non-human identities that may not have the same level of protection as human users.

This growing cyberthreat landscape is why a comprehensive, integrated identity and access management (IAM) strategy with strong identity governance and agentic AI controls is vital to every organization’s security posture.

A unified solution to simplify and strengthen security

Microsoft Entra is our unified secure access solution that simplifies IAM and consumer IAM (CIAM) for organizations and applications of all sizes across all industries. Instead of having to assemble multiple tools or rely on fragmented processes, security teams get a streamlined experience with centralized visibility and control.

And since we have fully integrated generative AI into the Microsoft Entra admin center, strengthening security posture is as simple as chatting with Microsoft Security Copilot, for example, to create and troubleshoot lifecycle workflows that automate joiner, mover, and leaver scenarios. Security teams can also use natural language prompting to investigate and respond to cyberthreats to any kind of identity.

We’ve also made it easier for developers to integrate authentication into their apps with Microsoft Entra External ID. These include AI-based tools for creating highly customized sign-up/sign-in flows and automated tools for migrating apps from Azure AD B2C or a third-party platform to External ID.

Check out more of Microsoft Ignite 2025 product announcements here, including new Microsoft Entra Agent ID capabilities, expanded lineup of Security Copilot agents in Entra, synced passkeys, and more.

Investing to secure identities for the AI era

A comprehensive IAM solution for non-human identities requires visibility to your organization’s AI agents. We introduced Microsoft Entra Agent ID, which creates enterprise identities for AI agents. Now identity admins can manage and govern agents using the same granular access controls and lifecycle workflows they already use to manage and govern users and applications.

We’ve also expanded Security Copilot to include agents. For example, the Conditional Access Optimization Agent detects policy gaps and provides actionable recommendations to strengthen Zero Trust enforcement and eliminate blind spots.

The Access Review agent, currently in preview, surfaces intelligent recommendations directly in Microsoft Teams. By using AI to analyze sign-in activity, peer group changes, and unusual access patterns, it makes access reviews faster and more secure.

Innovations such as these represent the continued commitment to securing all identities and access points. Stay tuned for more exciting advancements coming your way at Microsoft Ignite.

Explore more

Are you a regular user of Microsoft Entra ID? Share your insights on Microsoft Entra ID and get rewarded with a $25 gift card on Gartner Peer Insights™.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 


[1] Microsoft Digital Defense Report 2025

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft. 

Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. 

Gartner, Magic Quadrant for Access Management, 11 November 2025, by Brian Guthrie, Nathan Harris, Yemi Davies, Steve Wessels


Microsoft named a Leader in the 2025 Gartner® Magic Quadrant™ for SIEM
http://approjects.co.za/?big=en-us/security/blog/2025/10/16/microsoft-named-a-leader-in-the-2025-gartner-magic-quadrant-for-siem/
Thu, 16 Oct 2025 18:00:00 +0000

We’re honored to share that Microsoft has again been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Security Information and Event Management (SIEM).

The post Microsoft named a Leader in the 2025 Gartner® Magic Quadrant™ for SIEM appeared first on Microsoft Security Blog.

We’re honored to share that Microsoft has again been recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Security Information and Event Management (SIEM).[1] We believe this recognition reinforces Microsoft Sentinel’s position as an industry-leading, cloud and AI-powered SIEM—designed to solve SOC challenges head-on and streamline modern security operations.

Graph of the Gartner Magic Quadrant showing the placement of Microsoft in the leader quadrant.

Strengthening cyber defense in the age of agentic AI with Microsoft Sentinel

Microsoft Sentinel has now evolved beyond a cloud-native SIEM into a unified, AI-powered security platform, connecting analytics and context across ecosystems at scale. With a centralized, purpose-built security data lake and graph capabilities, organizations gain deeper insights and richer context for more effective cyberthreat detection and investigation. The Model Context Protocol (MCP) server and agentic tools make data agent-ready, paving the way for seamless integration with autonomous security agents and unlocking new possibilities for proactive defense.

We realized that we needed to uplift our capability in the security operations center. We wanted a platform that could help us face the challenges of offensive use of AI so we could defend at machine speed.

—David Boda, Chief Security and Resilience Officer, Nationwide

Optimizing costs and coverage

Now generally available, the Microsoft Sentinel data lake serves as the foundation for modern, AI-powered security operations. Purpose-built for security, it features a cloud-native architecture that centralizes all security data from more than 350 sources across platforms and clouds. The Microsoft Sentinel data lake simplifies data management, eliminating silos, and enables cost-effective long-term retention, empowering organizations to maintain strong security postures while optimizing budget. By unifying historical and real-time security data, the data lake helps AI agents and automation perform advanced analytics, detect anomalies, and execute autonomous cyberthreat responses with precision and speed.

To further help organizations optimize their security operations, Microsoft Sentinel has native features like:

  • SOC optimization helps security teams improve coverage, reduce costs, and streamline operations by providing AI-powered recommendations on data usage, cyberthreat detection gaps, and analytics efficiency. These insights empower defenders to make smarter decisions and maximize return on investment.
  • New cost management features in preview help customers with cost predictability, billing transparency, and operational efficiency.

Accelerating the SOC with advanced analytics and AI

Microsoft Sentinel is transforming security operations with advanced analytics, agentic AI, and an MCP server. The Microsoft Sentinel data lake centralizes security data from hundreds of sources, enabling real-time detection, contextual analysis, and autonomous response. The integration of agentic AI and Microsoft Security Copilot allows defenders to automate investigations, correlate complex signals, and respond to cyberthreats at machine speed. The MCP server further enhances these capabilities by making security data agent-ready. Support for tools like Kusto Query Language (KQL) queries, Spark notebooks, and machine learning models within the Microsoft Sentinel data lake empowers agentic systems to continuously learn, adapt, and act on emerging cyberthreats, driving smarter, faster, and more contextual security operations across the SOC. This AI-powered approach reduces alert fatigue and accelerates decision-making, strengthening security posture across the SOC.

Together, these capabilities empower SOC teams to operate at the speed of AI, reduce noise, and focus on high-impact investigations, driving clarity, efficiency, and resilience across the security lifecycle.

Empowering defenders with industry-leading SIEM

Microsoft Sentinel enhances security operations by unifying SIEM, security orchestration, automation, and response (SOAR), user and entity behavior analytics (UEBA), and threat intelligence into a single, integrated experience. With full integration into the Microsoft Defender portal, Microsoft Sentinel delivers a consolidated view for detection, investigation, and response across endpoints, identities, cloud, and network—streamlining workflows and enhancing efficiency for SOC teams.

  • Advanced correlation algorithms combine behavioral analytics, machine learning, and threat intelligence to connect events and deliver comprehensive security insights.
  • Custom rules and MITRE ATT&CK® mapping allow defenders to tailor detection strategies for their specific needs.
  • Built-in orchestration and automation capabilities reduce manual effort, accelerate incident response, and free analysts to focus on high-value tasks.
  • UEBA powered by AI provides deep behavioral insights to detect anomalies and insider threats.
  • Integrated threat intelligence enriches investigations with real-time insights, enabling faster detection, deeper context, and more accurate response across the SOC.
  • Embedded AI and machine learning accelerate threat detection, reduce false positives, and enable advanced hunting and automated investigations—helping SOC teams respond faster and with precision.

Microsoft Sentinel has comprehensive machine learning threat analytics models that allow us to hunt and detect any security threat, no matter how sophisticated or hidden they are. Microsoft Sentinel has intelligent security event management features which help us to accurately investigate security threats to understand the origin, making it easy to identify the most appropriate way to handle them.

—Software Development Project Manager, Software Industry (Source: Gartner Peer Insights™)

Download the report

To learn more about why Microsoft was named a Leader in the 2025 Gartner® Magic Quadrant™ for SIEM, download the full report.

Looking forward

As cyberthreats grow in sophistication, the need for intelligent, adaptive, and end-to-end AI security platforms becomes more urgent. Microsoft is committed to leading this transformation by:

  • Investing in agentic AI to empower defenders with autonomous capabilities.
  • Empowering defenders with a cost-effective data lake for deeper insights and scalable analytics.
  • Enhancing cross-platform integrations for holistic protection.
  • Driving community collaboration through open content hubs and shared analytics.

We’re not just building tools; we’re shaping the future of cybersecurity. Our roadmap is guided by the real-world challenges faced by SOCs and the outcomes they strive for: faster detection, smarter response, and stronger resilience.

We’re honored by the Gartner recognition and deeply grateful to our customers, partners, and the analyst community for their continued trust and collaboration.

Are you a regular user of Microsoft Sentinel? Share your insights and get rewarded with a $25 gift card on Gartner Peer Insights™.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


¹ Gartner® Magic Quadrant™ for Security Information and Event Management, Andrew Davies, Eric Ahlm, Angel Berrios, Darren Livingstone, 8 October 2025

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally. Magic Quadrant and Peer Insights are registered trademarks of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.

Microsoft named a Leader in the IDC MarketScape for XDR
http://approjects.co.za/?big=en-us/security/blog/2025/10/02/microsoft-named-a-leader-in-the-idc-marketscape-for-xdr/
Thu, 02 Oct 2025 17:00:00 +0000

Microsoft has been named a Leader in IDC’s inaugural category for Worldwide Extended Detection and Response (XDR) Software for 2025, recognized for its deep integration, intelligent automation, and unified security operations solutions.

When cybersecurity stakes are high and complexity is the norm, Microsoft doesn’t just participate, it excels with Microsoft Defender XDR—built to anticipate, disrupt, and outpace modern cyberthreats. We are excited to announce that Microsoft has been named a Leader in the IDC MarketScape: Worldwide Extended Detection and Response Software 2025 Vendor Assessment (doc #US52997325, September 2025). Read the complete IDC MarketScape: Worldwide XDR Software 2025 report.

Comprehensive visibility across the enterprise

Defender XDR has the broadest signal coverage across the enterprise spanning endpoints, identities, email and collaboration tools, software as a service (SaaS) apps, cloud workloads, and data security—which enables security leaders to consolidate visibility, automate response, and outperform siloed tools. It combines native capabilities in threat detection, prevention, and response backed by AI-powered automation, rich telemetry, and seamless security information and event management (SIEM) integration to deliver a comprehensive and proactive defense strategy for modern enterprises. But Microsoft’s advantage goes beyond coverage. As one of the Big Three public cloud providers—and the originator of widely adopted platforms like Microsoft 365 and Microsoft Entra ID—Microsoft has unparalleled insight into the very technologies it secures.

Graph showing the placement of Microsoft in the IDC MarketScape assessment.
IDC MarketScape vendor analysis model is designed to provide an overview of the competitive fitness of technology and suppliers in a given market. The research methodology utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each supplier’s position within a given market. The Capabilities score measures supplier product, go-to-market, and business execution in the short-term. The Strategy score measures alignment of supplier strategies with customer requirements in a three- to five-year timeframe. Supplier market share is represented by the size of the icons.

Driving AI innovation in cybersecurity

Microsoft also stands out for its use of AI in cybersecurity through Microsoft Security Copilot. First introduced in March 2023 with generative AI capabilities, these digital assistants have evolved into a suite of autonomous AI agents announced in 2025, each designed to support specific use cases such as triaging user-reported phishing emails. This agentic approach enhances operational efficiency and empowers security teams with intelligent, task-specific automation. In fact, the phishing triage agent examines thousands of alerts each day—typically within 15 minutes of detection—which saves time, accelerates threat response, and allows security operations center (SOC) teams to focus on more meaningful tasks.   

Complementing this agentic approach, IDC specifically highlighted Microsoft Defender’s automatic attack disruption, an AI-powered capability that disrupts in-progress cyberattacks like ransomware by containing compromised assets to prevent lateral movement—often within an average of just three minutes. Together, these innovations show how Microsoft is redefining the modern SOC to infuse AI throughout standard SOC workflows and rapidly respond to sophisticated cyberattacks.

Microsoft provides a full life cycle offering from preemptive and prevention technologies to detection and response.

—IDC MarketScape: Worldwide XDR Software 2025 report

Preemptive posture that reduces risk

In their report, IDC shared that one key Microsoft strength lies in its ability to unify proactive defense with intelligent response. Defender XDR natively integrates exposure management, attack surface reduction, secure configuration monitoring, and data loss prevention—giving security teams the tools to identify and mitigate vulnerabilities before they’re exploited. This preemptive posture and built-in attack disruption not only reduces risk but also enhances the fidelity of alerts, enabling faster, more accurate threat detection.

Defender script analysis and threat hunting

Sophisticated cyberattacks often evade detection using obfuscated scripts and PowerShell commands. Defender XDR includes built-in script analysis, allowing analysts to inspect and classify scripts without external tools—reducing complexity and accelerating response. For deeper threat hunting, Defender XDR supports Kusto Query Language (KQL), enabling analysts to parse telemetry, discover patterns, and identify outliers. Novice users can use a guided user interface to build and customize queries with ease while building their skills.

Seamless integration and correlation between SIEM and XDR

IDC also noted that what sets Microsoft apart is its seamless correlation between SIEM and XDR, allowing insights from threat actor behavior and anomalies to flow across platforms without requiring customers to deploy both. With all this, plus powerful visualizations, KQL-based threat hunting, and deep identity threat detection, Microsoft delivers a strongly competitive, comprehensive, and adaptive security operations experience.

Learn more

Read the complete IDC MarketScape: Worldwide Extended Detection and Response (XDR) Software 2025 report and visit the Microsoft Defender XDR webpage to learn how you can elevate your security with unified visibility, investigation, and response across the cyberattack chain with an industry-leading XDR solution.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 


IDC MarketScape vendor assessment model is designed to provide an overview of the competitive fitness of technology and service suppliers in a given market. The research utilizes a rigorous scoring methodology based on both qualitative and quantitative criteria that results in a single graphical illustration of each supplier’s position within a given market. IDC MarketScape provides a clear framework in which the product and service offerings, capabilities and strategies, and current and future market success factors of technology suppliers can be meaningfully compared. The framework also provides technology buyers with a 360-degree assessment of the strengths and weaknesses of current and prospective suppliers. 

Microsoft Purview delivered 30% reduction in data breach likelihood
http://approjects.co.za/?big=en-us/security/blog/2025/09/23/microsoft-purview-delivered-30-reduction-in-data-breach-likelihood/
Tue, 23 Sep 2025 16:00:00 +0000

A recent Total Economic Impact™ (TEI) Of Microsoft Purview study by Forrester Consulting, commissioned by Microsoft, offers valuable insights into how organizations are modernizing their data protection strategies. The study covers the tangible benefits of unifying data security, data governance and data compliance under a single platform—an approach exemplified by Microsoft Purview.

In today’s digital-first world, data is both an asset and a liability. As organizations scale their use of cloud platforms, AI, and remote collaboration tools, the complexity of managing data security, data privacy, and regulatory compliance grows exponentially. For organizations, the challenge is no longer just about preventing data breaches—it’s about enabling secure, compliant, and intelligent data use across the enterprise.

A recent Total Economic Impact™ (TEI) of Microsoft Purview study by Forrester Consulting, commissioned by Microsoft, offers valuable insights into how organizations are modernizing their data protection strategies.¹ The study covers the tangible benefits of unifying data security, data governance, and data compliance under a single platform—an approach exemplified by Microsoft Purview.

Why data security is a strategic imperative

In an era where data is the lifeblood of digital operations, the importance of securing that data cannot be overstated. Organizations are increasingly reliant on data to drive decision-making, customer engagement, and innovation. However, this reliance also makes them prime targets for cyberattacks, insider threats, and accidental data leaks. The complexity of hybrid and multi-cloud environments further complicates visibility and control, making a unified data security strategy essential.

Moreover, regulatory bodies around the world are tightening data protection laws, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA). Non-compliance can result in hefty fines and reputational damage. For organizations, this means that data security is not just a technical requirement but a business-critical function that supports organizational resilience and trust.

The composite organization in the study faces a 70% annual likelihood of experiencing a data breach, with potential costs exceeding $3.3 million. Yet many enterprises still operate with fragmented tools, manual processes, and limited visibility into where sensitive data resides or how it’s accessed. This lack of visibility increases the risk of insider threats, non-compliance, and operational inefficiencies.

For organizations, this means more time spent reacting to incidents, less time proactively managing risk, and slower access to trusted data, hindering digital transformation.

Symbols showing ROI of 355%, Benefits PV of $3.0M, NPV of $2.3M, and Payback of 6 months.
Figure description: Key findings from the Total Economic Impact study, based on the interviews, show that a composite organization experiences benefits of $3.0 million over three years versus costs of $633,000, adding up to a net present value (NPV) of $2.3 million and a return on investment (ROI) of 355%.

Key areas of impact

These areas of impact are not isolated; they are interconnected and reinforce one another. For example, improved data classification enhances both breach prevention and compliance automation. Similarly, streamlined investigations reduce the time to respond to incidents, which in turn minimizes potential damage and supports regulatory reporting requirements.

1. Data breach prevention and risk reduction

The 2025 Forrester TEI study of Purview found that organizations achieved a 30% reduction in the likelihood of data breaches by implementing fine-tuned data loss prevention (DLP) policies and gaining visibility into sensitive data across clouds, devices, and applications. This translated into more than $225,000 in annual savings from avoided security incidents and regulatory fines.

Purview helps us determine our data loss prevention (DLP) rules. Now we get alerts to any possible threats to data loss for our privileged information.

—Interviewee, Global Risk and Compliance Director, Food Processing Organization

2. Streamlined security investigations

Security teams reduced investigation time by 75%, freeing up resources to focus on higher-value tasks. With centralized audit logs, automated alerts, and machine learning-informed policies, teams could detect and respond to cyberthreats faster and more effectively.

With Purview, we get alerts for those types of activities so my team and I are notified and can investigate them further.

—Chief Commercial Officer, Financial Services

3. User productivity gains

Users saved 75% of the time previously spent searching for and classifying data. With automated data classification and centralized access, employees could find the data they needed without relying on manual tagging or risking non-compliance.

Compliance teams benefit from simplification of previously manual data classification, compliance, and audit tasks.

4. Compliance automation and audit readiness

Compliance teams reduced manual effort by 60%, thanks to tools that automated classification, retention, and audit workflows. This not only improved regulatory compliance but also elevated the role of compliance from a cost center to a strategic enabler of business agility.

Our records and information management team has gone from being stuck in the corner to now where we get invited to strategic planning meetings.

—Records and Information Management Lead, Government

5. Legacy cost avoidance

By consolidating data security and governance tools, organizations eliminated redundant systems and infrastructure, saving nearly $500,000 over three years. This simplification also reduced IT complexity and improved system interoperability.

Cultural and strategic benefits

Organizations interviewed in the study also reported a cultural shift where data security became a shared responsibility rather than a siloed function. This cultural evolution is critical in fostering a proactive security posture. Employees began to see themselves as stewards of data, leading to more mindful data handling practices and fewer accidental breaches.

Strategically, this shift enabled security and compliance teams to participate in broader business planning. Their insights into data usage and risk became valuable inputs for product development, customer engagement strategies, and operational improvements.

Beyond the numbers, organizations reported a shift in culture and strategy. Security and compliance teams became more integrated with business units. Users became more engaged in protecting data. And leadership gained confidence in their ability to support innovation without compromising security.

The role of unified information governance

Unified information governance simplifies the management of data across its lifecycle—from creation and storage to sharing and deletion. It ensures that policies are consistently applied, reducing the risk of human error and policy drift. This consistency is particularly important in large organizations with diverse teams and global operations.

By integrating governance with security and compliance, organizations can create a more agile data environment. This agility supports faster innovation cycles, as teams can access the data they need without compromising on security or compliance.

A key takeaway from the Total Economic Impact™ (TEI) study is the importance of unified information governance. By consolidating data classification, access control, and compliance monitoring into a single platform, organizations can reduce risk, improve efficiency, and unlock new business value.

Solutions like Microsoft Purview exemplify this unified approach. While not the only option, it demonstrates how integrating data security, compliance, and governance into a single ecosystem can yield measurable business outcomes.

Next steps for your organization

If you’re looking to modernize your data security and governance strategy, here are three actionable steps:

  1. Protect and govern your data estate: Conduct a thorough assessment of your current data landscape to identify and classify sensitive data across your organization.
  2. Safeguard your data for AI innovation: Protect sensitive data used in all applications by implementing encryption and rights management controls.
  3. Support compliance and regulatory requirements: Stay up to date with evolving regulatory requirements. Microsoft Purview Compliance Manager helps you stay current with regulations and certifications and with reporting to auditors.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


*Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders. Results are for a composite organization based on interviewed customers.  

¹ The financial results calculated in the Benefits and Costs sections can be used to determine the return on investment (ROI), net present value (NPV), and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.  

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. Present value (PV) calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.  

Microsoft Defender delivered 242% return on investment over three years
http://approjects.co.za/?big=en-us/security/blog/2025/09/18/microsoft-defender-delivered-242-return-on-investment-over-three-years/
Thu, 18 Sep 2025 17:00:00 +0000

The latest 2025 commissioned Forrester Consulting Total Economic Impact™ (TEI) study reveals a 242% ROI over three years for organizations that chose Microsoft Defender. It helps security leaders consolidate tools, reduce overhead, and empower their SecOps teams with operational efficiencies powered by AI and automation. In total, the study found Defender delivered $17.8 million in benefits and paid for itself in less than six months.

The latest Forrester Total Economic Impact™ (TEI) study reveals a 242% return on investment (ROI) over three years for organizations that chose Microsoft Defender. It helps security leaders consolidate tools, reduce overhead, and empower their security operations (SecOps) teams with operational efficiencies powered by AI and automation. In total, the study found Microsoft Defender delivers $17.8 million in benefits and paid for itself in less than six months. The results are for a composite organization based on interviewed customers.¹

We know security teams today are navigating a landscape of escalating cyberthreats and operational complexity. But the real opportunity lies in transformation—not just defense. At Microsoft, our mission is to help organizations consolidate fragmented security capabilities and apply intelligence to deliver better outcomes. With integrated tools and AI-powered insights, Microsoft Defender, powered by Microsoft Sentinel, empowers SecOps teams to strengthen their security posture, accelerate response, and build lasting resiliency across hybrid and multicloud environments.

The Forrester Total Economic Impact™ (TEI) study also shows that the consequences of under-equipped and disconnected security teams are costly. Toxic team dynamics and insufficient tooling correlate with higher breach rates and inflated incident costs. Organizations without robust incident response capabilities spend an average of $204,000 more per breach and suffer nearly one additional breach annually, on average. These findings underscore the critical need for integrated, intelligent security solutions—which can unify detection, investigation, and response—empowering SecOps teams to operate with resilience, precision, and speed.

Organizations face increasing security challenges

Many organizations have already made significant investments in cybersecurity to keep pace with evolving cyberthreats. Despite these efforts, they continue to face persistent challenges. One major issue—the proliferation of security tools across hybrid and multicloud environments—has led to excess costs, complexity, and risk. Additionally, legacy on-premises infrastructure demands high overhead and convoluted workflows, often resulting in poor visibility and inefficient threat detection. Security teams also struggle with alert fatigue and false positives, delaying incident response and increasing the likelihood of breaches. Security operations center (SOC) engineering teams are stretched thin and some lack the advanced coding skills needed to build effective detections. These gaps leave organizations vulnerable to cyberthreats like ransomware and phishing, with some experiencing costly breaches that disrupt operations and erode profitability.

In response, organizations set clear investment objectives. They need a solution that scales securely without adding complexity—one that can integrate seamlessly with existing Microsoft and third-party tools and reduce the cognitive load on analysts.

How Microsoft Defender delivers ROI, speed, and simplicity

Microsoft Defender and Microsoft Sentinel integrate to provide a unified security operations platform, delivering cost-effective storage for security data with full security information and event management (SIEM) capabilities. The integration allows security teams to correlate incidents, hunt cyberthreats, and respond faster by combining Defender’s deep endpoint and identity insights with Sentinel’s scalable analytics and automation.

The cohesive user experience of Microsoft Defender, its lower false-positive rate, and its ability to surface meaningful insights with fewer steps make it a compelling choice for customers. They also value its support for Kusto Query Language (KQL), which enables sophisticated detections without requiring deep engineering expertise. Ultimately, organizations looking at Defender hope it can help them consolidate tooling, improve visibility across their environments, and mitigate the risk and cost of breaches—empowering their security teams to respond faster, smarter, and more effectively.

According to the Forrester Total Economic Impact (TEI) study, organizations using Microsoft Defender realized a 242% return on investment over three years, with a net present value of $12.6 million. That’s not just cost savings—it’s strategic value creation. It’s money for future product innovations or salary for more SecOps team members. Microsoft Defender helps consolidate tools, reduce licensing overhead, and streamline operations, freeing up budget and bandwidth for innovation. Key statistics shared by Forrester include:

  • Significantly faster cyberthreat remediation: Speed is the new currency in cybersecurity. The study found that Defender enabled security teams to remediate threats faster, dropping mean time to acknowledge (MTTA) from 30 minutes to 15 minutes and mean time to resolve (MTTR) from up to three hours to less than one hour in many cases. That improvement in speed can mean the difference between a contained incident and a costly breach. With built-in automation and AI-driven insights, Microsoft Defender empowers analysts to act decisively—before cyberattackers can gain a foothold.
  • $17.8 million in benefits to the business: A breakdown of the benefits over three years to businesses using Microsoft Defender include up to $12 million in reduced costs from vendor consolidation, $2.4 million in savings from SecOps optimization, and $2.8 million in reduced cost of material breaches. 
  • Less than 6 months to investment payback: Organizations that invested in Microsoft Defender found their investment paid off in less than six months, on average. 

What surprised me was how interconnected it is with Microsoft’s tooling, and not just their security tooling but [also in] the way you manage your devices. I can see everything about [Microsoft] Intune. I can see all of the audit logs for everything that happens in [Microsoft] Azure, everything like that—it’s just there. I didn’t have to intentionally turn it on.

—Manager of Cyberdefense, Consumer Packaged Goods

What can security leaders take away from this research?

  • Defender delivers measurable ROI and cost efficiencies through consolidation of security tools, reduced licensing and managed security service provider (MSSP) costs, and streamlined operations that can free up both budget and staff time. 
  • Defender helps modernize security operations and enables SecOps teams to remediate cyberthreats up to 30% faster, thanks to built-in automation, AI-powered threat detection and response, and close integration with Microsoft Sentinel for coordinated defense. 
  • Defender unifies security across multicloud and hybrid environments, helping teams reduce alert fatigue, prioritize cyberthreats effectively, and strengthen security and compliance postures. 

Read more detail about the Forrester Total Economic Impact™ (TEI) study or visit AI-powered security operations to learn more about how Microsoft Defender can help your organization today.

Learn more with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 


*Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.

¹ The financial results calculated in the Benefits and Costs sections can be used to determine the return on investment (ROI), net present value (NPV), and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section. 

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. Present value (PV) calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur. 

Microsoft ranked number one in modern endpoint security market share third year in a row
http://approjects.co.za/?big=en-us/security/blog/2025/08/27/microsoft-ranked-number-one-in-modern-endpoint-security-market-share-third-year-in-a-row/
Wed, 27 Aug 2025 15:00:00 +0000

For a third year in a row, Microsoft has been named the number one leader for endpoint security market share, as featured in a new IDC report.

Amidst the backdrop of a surging number of ransomware campaigns worldwide, organizations have increasingly chosen Microsoft Defender’s endpoint security as their preferred solution. It’s engineered to disrupt cyberattacks, not business continuity. As a result, for a third year in a row, Microsoft has been ranked number one for modern endpoint security market share in the IDC report, “Worldwide Modern Endpoint Security Market Shares, 2024.” Our market share grew from 25.8% in 2023 to 28.6% in 2024, at a 28.2% growth rate.

As IDC notes in their report, the endpoint security market “is growing in response to an increasingly sophisticated threat” powered by AI. Global enterprises like Crocs, Victorinox, and Del Monte Foods are choosing Microsoft Defender more and more to secure their environments because of the value they see not only in our endpoint security, but also in our defense-in-depth approach across domains powered by AI. Spanning from devices to the cloud, the Microsoft Defender platform protects every aspect of their daily operations.

“It was surprisingly simple to enable real-time visibility across our environment. It’s been a leap in our security maturity level, and with the native interoperability of our Microsoft security solutions, we achieved it much faster than we expected.”

Glauco Sampaio, Chief Information Security Officer, Cielo

Figure: Worldwide Modern Endpoint Security 2024 Share Snapshot, a pie chart comparing market share for endpoint security products, with Microsoft at number one. Source: IDC’s Semiannual Software Tracker, 2025.

Why organizations increasingly prefer Microsoft Defender for endpoint security

Microsoft Defender helps organizations proactively secure their digital estate with AI-powered endpoint protection across Windows, Linux, macOS, Android, iOS, and Internet of Things (IoT). It empowers security operations center (SOC) analysts with unique capabilities spanning pre-breach exposure management to post-breach attack disruption.

A key driver behind Microsoft Defender’s growing market share is its deep investment in cross-platform support, especially for Linux. Over the last three years, Microsoft has reengineered its Linux security for zero workload disruption, using eBPF sensor technology for greater visibility with minimal reliance on kernel-mode code. This innovation has led to significant performance gains, with the solution consuming less than 1% CPU across 95% of deployments. Defender now supports a broader range of Linux distributions, including ARM64, and is optimized for low-resource environments such as single-core servers. At the same time, we’ve continued to drive cross-platform innovation to further expand comprehensive endpoint security across Windows, macOS, iOS, Android, and IoT.

An organization’s best offense against the rapidly evolving threat landscape is a secure defense, where Microsoft Defender’s next-generation protection and built-in exposure management capabilities are critical. To help you manage your risk, you get a dynamic risk score that continuously measures vulnerabilities and misconfigurations in your environment and provides actionable recommendations for resolution. In the case of a cyberattack, you immediately see the most critical junctions in your network with attack path analysis. Our unique visibility into your environment provides a risk-based map of the devices that adversaries could exploit, so you can proactively harden your environment and cut them off from progressing further.

Advanced detection and response capabilities like automatic attack disruption are next in the stack. Informed by the full breadth of Microsoft Defender’s 84 trillion daily signals, it is a built-in self-defense capability that contains in-progress cyberattacks across the organization to prevent further lateral movement and damage. Meanwhile, the security operations team remains in control of investigation, remediation, and restoring asset availability. Even as attack disruption harnesses extended detection and response (XDR) signal, it can stop cyberattacks in a decentralized way across devices with just Defender for Endpoint deployed.

It also surgically protects critical assets like servers by containing compromised IP addresses while allowing the server to continually operate. You can maximize attack disruption’s reach and effectiveness across assets like identities, email, and additional domains by expanding your Microsoft Defender deployment. In addition, Defender provides analysts a rich set of detection and response capabilities such as live response and advanced hunting to further secure their environment. 
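As an added example (not code from the Microsoft post), here is the kind of advanced hunting query an analyst would run in the Defender portal to surface common ransomware pre-encryption activity, such as shadow copy deletion and disabling of Windows recovery, before the encryption stage described above. The table and column names are from the documented Defender XDR advanced hunting schema; the 7-day window and the specific command-line patterns are assumptions chosen for illustration.

```kql
// Added example, not part of the original post.
// Hunts for the shadow-copy deletion and recovery-disablement commands that
// commonly precede ransomware encryption on a device.
// Assumptions: a 7-day lookback and this particular set of command patterns.
DeviceProcessEvents
| where Timestamp > ago(7d)
// Restrict to the built-in Windows tools normally abused for this step
| where FileName in~ ("vssadmin.exe", "wmic.exe", "bcdedit.exe", "wbadmin.exe")
// Match the destructive form of each tool, not every invocation
| where (FileName =~ "vssadmin.exe" and ProcessCommandLine has_all ("delete", "shadows"))
     or (FileName =~ "wmic.exe"     and ProcessCommandLine has_all ("shadowcopy", "delete"))
     or (FileName =~ "bcdedit.exe"  and (ProcessCommandLine matches regex @"(?i)recoveryenabled\s+no"
                                         or ProcessCommandLine has "ignoreallfailures"))
     or (FileName =~ "wbadmin.exe"  and ProcessCommandLine has_all ("delete", "catalog"))
// Keep the parent process so an analyst can see what launched the command
| project Timestamp, DeviceId, DeviceName, ReportId, AccountName,
          FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp desc
```

Because the output keeps the Timestamp, DeviceId, and ReportId columns, the same query can be saved as a custom detection rule rather than only run ad hoc. In practice, add an exclusion for any backup or imaging software in your environment that legitimately prunes shadow copies, otherwise the rule will be noisy.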

Further supporting SOC teams with a global footprint, the Microsoft Defender portal experience comes in more than 100 languages and dialects, and documentation covers more than 60 languages and dialects. This robust coverage means security analysts can quickly and confidently understand, investigate, and remediate without language barriers. Wherever the security analyst operates from, Defender likely speaks their language. 

These capabilities and global approach to securing organizations are just some of the reasons why organizations are increasingly choosing Defender for Endpoint over other vendors in the market. Thank you to our valued customers and partners for your trust and collaboration that empower us to advance our mission and build a more secure future together. 



IDC, Worldwide Modern Endpoint Security Market Shares, 2024 (Doc #US53349725, May 2025).

The post Microsoft ranked number one in modern endpoint security market share third year in a row appeared first on Microsoft Security Blog.

Microsoft is named a Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms
http://approjects.co.za/?big=en-us/security/blog/2025/07/16/microsoft-is-named-a-leader-in-the-2025-gartner-magic-quadrant-for-endpoint-protection-platforms/
Wed, 16 Jul 2025 17:00:00 +0000

We are honored to be recognized once again as a Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms—our sixth consecutive time. Microsoft was recognized for its completeness of vision and ability to execute, which we believe underscores the effectiveness of Defender for Endpoint in the face of an ever-shifting threat environment.

Since 2022, the number of human-operated ransomware-linked encounters by organizations surged by 2.75x. Yet, Microsoft Defender for Endpoint has outpaced this rise, reducing the number of successful attacks by 3x, proving its power to turn the tide against evolving cyberthreats.1

Defender for Endpoint’s ability to disrupt ransomware at scale stems from our commitment to empowering security analysts against the most sophisticated cyberthreats. We are honored to be recognized once again as a Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms—our sixth consecutive time. Microsoft was recognized for its completeness of vision and ability to execute, which we believe underscores the effectiveness of Defender for Endpoint in the face of an ever-shifting digital threat environment.

Microsoft Defender for Endpoint is an endpoint security solution that helps organizations secure their digital estate using AI-powered, industry-leading endpoint detection and response across Windows, Linux, macOS, Android, iOS, and Internet of Things (IoT) devices. It is core to Microsoft Defender’s unified security operations platform and built on global threat intelligence informed by more than 84 trillion daily signals and more than 10,000 security experts.1

Figure: The 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms graphic.

We thank our customers and partners for their essential role in advancing Microsoft Security.

Over the past year, Microsoft has introduced key advancements to endpoint security that have empowered defenders to stay ahead of evolving cyberthreats, including:

  • Proactively securing digital environments with exposure management capabilities spanning pre-to-post breach: Reducing exposure risks like vulnerabilities and misconfigurations is foundational to endpoint security. Defender for Endpoint’s unique visibility into a device estate helps security operations center (SOC) analysts see and harden against their organization’s level of exposure to weaknesses and exploits with an actionable risk score (endpoint security initiative). In the case of a cyberattack, analysts can further protect the organization and accelerate response with potential attack paths embedded into the incident. Analysts gain end-to-end visibility into attack paths bad actors may take across devices to reach high-value assets, enabling fast, informed decisions when it matters most.
  • Disrupting ransomware attacks even earlier in the cyberattack chain with automatic attack disruption: Unique to Microsoft, automatic attack disruption is a built-in self-defense capability that contains in-progress cyberattacks to prevent further lateral movement and damage to an organization. The most pervasive cyberthreat to network-connected devices is ransomware, one of the many scenarios covered by attack disruption. Up to 90% of successful ransomware campaigns leverage unmanaged endpoints, which are typically personal devices that people bring to work.1 Automatic attack disruption now extends to unmanaged shadow IT devices and critical assets. Defender for Endpoint can detect and contain malicious IP addresses associated with unmanaged or undiscovered devices. It stops threat actors from exploiting vulnerable entry points, preventing lateral movement before it starts. Attack disruption now also granularly isolates cyberthreats on critical assets such as domain controllers, helping defenders preserve key network functions and ensure operational continuity during an attack.
  • Enhancing Linux support: Microsoft supports even more Linux distributions, including ARM64 and has reduced resource requirements. These releases reflect the continual progress we’ve made for securing Linux servers on top of our strategic shift over a year ago to eBPF sensor technology that improves system control, minimizes resource demands, and boosts security performance. We’ve also continued delivering cross-platform innovation across Windows, macOS, iOS, Android, and IoT for comprehensive endpoint security.
  • Unifying our agent across XDR workloads: The single agent makes it faster and easier to activate and manage core capabilities across endpoint, operational technology (OT), identity, and data loss prevention workloads so you can quickly unlock the value of AI-powered protection. Organizations simply deploy it once and then enable each solution as needed. Microsoft applies its long-established safe deployment practices in delivering the latest protections to help organizations outpace evolving cyberthreats without compromising operational stability. As a part of this process, admins have full control over these software updates.
  • Accelerating SOC operations with Microsoft Security Copilot: It is the cybersecurity industry’s first generative AI solution, generally available as of April 2024. Built into the Microsoft Defender portal, it helps SOC analysts investigate, contain, and remediate cyberthreats in minutes. It delivers endpoint-specific capabilities such as recommending tailored guided responses related to devices, analyzing suspicious scripts, and translating natural language questions into ready-to-run Kusto Query Language (KQL) queries. Microsoft Security Copilot agents, introduced this year, automate routine tasks by fitting naturally into existing workflows across the security stack. These agents align to Microsoft’s Zero Trust principles, learn from feedback, and remain under SOC control.
  • Supporting a global SOC: Security analysts navigate many complexities in their daily operations—language barriers should not be one of them. The Microsoft Defender portal provides experiences in more than 100 languages and dialects. Documentation covers more than 60 languages. This extensive language coverage ensures that analysts can easily navigate, understand, and act with confidence in their native tongue. Wherever the analyst is, Defender likely speaks their language. 
  • Extending your SOC team with Microsoft Defender Experts for XDR: Sophisticated threats span beyond endpoints. We’ve been continually enhancing the capabilities and efficiency of Microsoft Defender Experts for XDR, our managed XDR service. It offers around-the-clock, expert-led managed triage, investigation, and response across domains, along with proactive threat hunting, to strengthen SOC capabilities.

Market leadership isn’t just about responding to current needs—it’s about driving the next wave of innovation. Microsoft is investing significantly in helping SOC teams quickly scale their endpoint defenses through foundational enhancements designed to radically simplify deployment and advanced AI-powered autonomous capabilities spanning pre-to-post breach, to name just a couple of highlights for what’s ahead.

Thank you to all our customers and partners. Your partnership drives our mission forward as we work side by side to build a safer, more secure world.

Learn more

If you’re not yet taking advantage of Microsoft’s leading endpoint security solution, visit Microsoft Defender for Endpoint and start a free trial today to evaluate our leading endpoint protection platform. 

Are you a regular user of Microsoft Defender for Endpoint? Share your insights on Microsoft Defender for Endpoint and get rewarded with a $25 gift card on Gartner Peer Insights™.



1Microsoft Digital Defense Report 2024.

Gartner, Magic Quadrant for Endpoint Protection Platforms, Evgeny Mirolyubov, Deepak Mishra, Franz Hinner. July 14, 2025.

Gartner is a registered trademark and service mark and Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 

The post Microsoft is named a Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms appeared first on Microsoft Security Blog.

Forrester names Microsoft a Leader in the 2025 Zero Trust Platforms Wave™ report
http://approjects.co.za/?big=en-us/security/blog/2025/07/10/forrester-names-microsoft-a-leader-in-the-2025-zero-trust-platforms-wave-report/
Thu, 10 Jul 2025 16:00:00 +0000

Employing a Zero Trust strategy is an effective way to modernize security infrastructure to protect against ever-evolving security challenges.

We are proud to share that Forrester has named Microsoft a Leader in The Forrester Wave™: Zero Trust Platforms, Q3 2025 report, ranking us highest in the strategy category.

Figure: The Forrester Wave™: Zero Trust Platforms, Q3 2025.

With so many strong vendors and solutions in the Zero Trust space, you need solid data to make the right choice for your organization. That’s why Forrester’s analysis matters. They provide detailed comparisons of vendor capabilities and strategic vision, helping security leaders evaluate which platforms are best equipped to meet today’s evolving challenges.

Your decision matters now more than ever. The security landscape is evolving rapidly with the rise of generative and agentic AI, where intelligent agents can create other agents, collaborate with them autonomously, and scale faster than traditional models can keep up. Systems once built for human identities must now manage a growing web of machine identities, each with its own access and risk profile.

In this landscape, adhering to the principles of Zero Trust is critical for protecting sensitive resources, so you can:

  • Expand visibility across your digital environment to reduce security vulnerabilities.
  • Secure your most critical assets while ensuring compliance.
  • Deploy generative AI with confidence.

Microsoft’s end-to-end, integrated approach to Zero Trust

The Forrester report cited our vision for proactive security architecture powered by innovative AI agents that automate complex security, IT, and productivity tasks. But what we believe really caught their attention was our integrated approach—how we bring together capabilities across security, compliance, identity, device management, and privacy, all informed by more than 84 trillion threat signals a day.1 As they noted, “Microsoft excels at tool consolidation and integration, helping reduce costs and overhead.”

Customers interviewed for the report recognized that our “deep cross-platform integration” delivers “real business value” without making customers stitch different solutions together manually. This integration spans the entire Microsoft Security portfolio—Microsoft Defender, Microsoft Purview, Microsoft Intune, Microsoft Sentinel, and Microsoft Entra—to provide a unified platform that secures identities, endpoints, data, apps, infrastructure, and AI. At the heart of this integration are the strong identity management capabilities of Microsoft Entra, which Forrester noted for “deliver[ing] effective least-privilege access enforcement” while enabling data security controls and endpoint management.

Picture a typical attack pattern. Malicious activity in an on-premises system might be detected by Defender for Identity, a compromised device flagged by Defender for Endpoint, and risky insider behavior identified by Purview. These signals converge in Microsoft Entra Conditional Access, your centralized policy engine, enabling real-time, risk-based access controls that adapt to emerging threats and, when necessary, block access automatically.

Powered by AI and threat intelligence, our unified security platform surfaces high-priority incidents and recommends next actions, transforming security from a collection of tools into a cohesive defense. You can work within our unified platform to prevent, detect, and respond to incidents across a single integrated system—no jumping between dashboards or correlating signals manually. All of this comes together with Microsoft Security Exposure Management to give full visibility into all your assets and help you proactively reduce risk.

An integrated approach doesn’t mean using only Microsoft solutions. We believe security is a team sport. In fact, the Forrester report recognized the maturity and scale of our global partner ecosystem. We’ve invested heavily in these partnerships because they provide additional signals and specialized protections that make the entire security community stronger. The report also cited our standout community, which provides education, training, and guidance on building Zero Trust architectures to ensure customers have the support they need at every step.

Our commitment to customers and the industry

Through our Secure Future Initiative, we continuously evaluate and strengthen our own security posture, improve the security of our products to better protect customers, and share progress and learnings with the industry. We are also committed to standards, guidelines, and best practices from the National Institute of Standards and Technology (NIST), The Open Group, the Cybersecurity and Infrastructure Security Agency (CISA), and MITRE—not as compliance checkboxes, but because they provide proven frameworks and common vocabulary for implementing effective security.

Take action to improve your security posture

Threats are evolving faster than ever, but so are defenses. With the right Zero Trust security strategy, you can embrace AI’s transformative power while keeping your organization secure. Microsoft’s leadership in Zero Trust, as reflected in the latest Forrester Wave™, highlights our commitment to helping you meet these security demands.

For more information on this recognition, check out the full Forrester Wave™: Zero Trust Platforms, Q3 2025 report.

Ready to evaluate your Zero Trust readiness for the AI era? Start with our Zero Trust assessment, host an implementation workshop, or dive into our step-by-step implementation guides.



The Forrester Wave™: Zero Trust Platforms, Q3 2025, Joseph Blankenship, Faith Born, and Peter Harrison. July 10, 2025.

Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here.

1Based on Microsoft internal data. Accurate as of July 2025.

The post Forrester names Microsoft a Leader in the 2025 Zero Trust Platforms Wave™ report appeared first on Microsoft Security Blog.
