Deep dive on Microsoft's security business as a CRWD competitor. FY2025 data (fiscal year ended June 30, 2025).
Microsoft sells an integrated security platform — endpoint protection, identity management, cloud security, SIEM, compliance, and AI-powered security operations — primarily as a bundled part of Microsoft 365 and Azure, turning every enterprise already using Windows or Office into a security customer by default.
Microsoft's security portfolio spans 50+ categories consolidated into six product families:
| Product Family | What It Does | Key Competitor |
|---|---|---|
| Microsoft Defender | Endpoint protection (Windows, macOS, Linux, iOS, Android), cloud workload protection, XDR (extended detection & response), threat intelligence | CrowdStrike Falcon, SentinelOne |
| Microsoft Sentinel | Cloud-native SIEM (security information & event management) + SOAR (security orchestration, automation & response) | Splunk (Cisco), Palo Alto XSIAM |
| Microsoft Entra | Identity & access management, conditional access, identity governance, identity protection | Okta, Ping Identity |
| Microsoft Intune | Device management, endpoint management, mobile device management | VMware Workspace ONE, Jamf |
| Microsoft Purview | Data security, data governance, compliance, insider risk management | Varonis, BigID |
| Security Copilot | GenAI layer across all security products — autonomous alert triage, incident correlation, remediation | New category; CRWD Charlotte AI, PANW XSIAM AI |
Bundled in Microsoft 365 E5 (~$57/user/month). The security stack — Defender for Endpoint, Entra ID P2, Purview compliance features — is the primary reason enterprises upgrade from E3 (~$36/user/month) to E5. This is the core distribution engine.
Azure consumption — Sentinel charges by data ingestion volume. Customers pay per GB ingested and analyzed. This makes Sentinel revenue scale with the customer's cloud and security footprint.
Standalone add-ons — Organizations on lower-tier M365 plans can buy E5 Security and E5 Compliance as add-ons (introduced 2025). Defender for Endpoint P1 starts at ~$3/user/month standalone.
Security Copilot — Consumption-based pricing (~$4/user/hour for the embedded experience). Standalone Security Copilot is also available for non-Microsoft environments.
Revenue model: Predominantly SaaS subscription (per-user, per-month) for the M365-bundled security products; consumption-based for Sentinel and Security Copilot.
Scale: Microsoft disclosed security surpassed $20 billion in trailing-12-month revenue in January 2023 — doubling from $10B in January 2021, a ~33% CAGR. As of August 2025 (Deutsche Bank conference), Microsoft confirmed security was "more than $20 billion." Sentinel alone accounts for $1 billion. Given the ~33% historical CAGR, the actual annual run rate is likely in the $25-30B+ range as of mid-2025, though Microsoft has not updated the milestone figure publicly.
Who pays and why:
- ~1.5 million security customers (FY2025 Q4), from small business to Fortune 500
- 15,000+ security partners in the ecosystem
- 400M+ M365 commercial seats represent the addressable base for upsell
Revenue concentration: None. The 1.5M+ customer base is extremely diversified across industries, geographies, and organization sizes.
Microsoft's value-add is integration. No other vendor can offer:
- Identity + endpoint + cloud + data + SIEM from a single platform
- Signals from the OS kernel all the way to the cloud application layer
- Built-in deployment on 1.5B+ Windows devices
The integration reduces customer tool sprawl — from an average of 40-75 tools down to a single vendor stack. Microsoft claims up to 60% cost savings vs. multi-vendor setups.
At the platform layer. Microsoft doesn't need to win on every individual feature (CRWD may have better detection in some areas). It wins because the security tools come with the productivity suite every enterprise already uses. The bundling turns security from a separate procurement decision into an upgrade decision, which is far easier.
One "unit" = one M365 E5 seat. The incremental revenue from moving a user from E3 to E5 is ~$21/user/month (~$252/year). Much of that value proposition is security. Microsoft's marginal cost to deliver security features to one more E5 user is near zero — the R&D is fixed, the cloud infrastructure is already built. This is a high-fixed-cost, near-zero-marginal-cost business, which means operating leverage improves dramatically as the base scales.
For Sentinel, the unit is data ingested. Azure's infrastructure cost to store and process security logs is shared across the entire Azure platform. As ingestion volumes grow, Microsoft benefits from the same cloud-scale economics that drive Azure margins.
Big cost buckets:
- R&D: 34,000 engineers dedicated to the Secure Future Initiative (cross-MSFT, not all security-product-specific)
- Cloud infrastructure for Sentinel ingestion and Security Copilot inference
- Threat intelligence operations (hunting, tracking, takedowns)
- Partner ecosystem and support
Security revenue is not reported as a separate segment. It's embedded across:
Microsoft Cloud revenue ($168.9B, +23%) includes both segments' cloud components. Security is a significant and growing portion of this.
Microsoft's decision not to disclose security revenue separately is strategically interesting — it forces analysts to estimate, and it keeps competitors guessing. But it also means security's exact size and growth rate remain a black box to outside observers.
Why Microsoft's security business is positioned to take share from pure-play competitors like CrowdStrike — and what could stop it.
Microsoft's security business has a moat that no other cybersecurity company can replicate: the product is already on the device and already in the IT budget.
Every Windows PC ships with Microsoft Defender Antivirus turned on by default. Every enterprise using Office 365 already has Entra ID (formerly Azure AD) managing their identities. The security stack is pre-installed and pre-integrated into the productivity tools that 400M+ commercial users already use every day.
The mechanism is the Microsoft 365 E5 upgrade path:
- E3 (~$36/user/month): Office apps, email, basic security
- E5 (~$57/user/month): Adds Defender for Endpoint, Entra ID P2, Purview compliance, advanced threat protection, Power BI, Teams Phone
For the CISO, E5 means you get a full security stack without a separate vendor RFP, separate budget line, or separate deployment. For the CFO, it's incremental cost on an existing contract, not a new vendor with new terms.
This bundling fundamentally changes the competitive dynamic vs. CrowdStrike: CrowdStrike has to win every deal from scratch — convince the CISO, navigate procurement, deploy agents. Microsoft just has to convince existing E3 customers to click "upgrade."
The signal network creates a data flywheel: more customers → more threat signals → better AI detection → more effective security → more customers.
Once an enterprise standardizes on the Microsoft security stack (Entra for identity, Defender for endpoints, Sentinel for SIEM, Purview for compliance), switching any single component means re-architecting the entire security operations workflow. The integrations are the lock-in — Defender XDR correlates signals across endpoint, email, identity, and cloud apps automatically. A competitor can't replicate that correlation without replacing the entire stack.
Microsoft E5 pricing has been stable, but the bundling structure gives them indirect pricing power. The more security features they add to E5, the more the upgrade becomes a no-brainer. In 2025, Microsoft started making E5 Security and E5 Compliance available as add-ons to lower-tier plans — monetizing security even from customers who won't go full E5.
| Company | Security ARR | Growth |
|---|---|---|
| Microsoft | >$20B (likely $25-30B+) | ~33% CAGR (2021-2023 pace) |
| Palo Alto Networks (NGS) | $5.6B | Strong |
| CrowdStrike | $4.24B | +23% |
Microsoft's security business is ~5-7x the size of CrowdStrike's. That scale funds R&D that pure-play competitors can't match, and allows aggressive bundling/pricing that competitors can't undercut.
Yes, in two ways:
The kernel argument. The CRWD outage (8.5M Windows devices crashed by a faulty Falcon update) made Microsoft's architectural argument concrete. Microsoft has been pushing security vendors to operate outside the Windows kernel — and the outage proved why. Microsoft's own Defender runs with kernel access, but Microsoft controls the update cadence and testing pipeline for its own OS. Third-party kernel-level agents now carry visible risk.
The consolidation narrative. The outage made enterprises question single-vendor dependency on any one security tool. But that questioning cuts both ways: some enterprises diversified, others accelerated consolidation onto Microsoft (which they already trust to not crash Windows). Microsoft's blog post — "Helping our customers through the CrowdStrike outage" — was a masterclass in not gloating while making the point obvious.
However, CrowdStrike's gross retention is 97% — very few customers actually left. The outage was a scare, not a mass exodus. But it weakened CRWD's negotiating position in deals where the incumbent evaluation was close.
For most enterprises: yes. The Gartner Leader designation, the #1 IDC market share, and the 28.2% YoY growth say Defender is not just "good enough" — it's winning the mainstream market.
For the most demanding security teams: CRWD still has an edge. CrowdStrike scored 100% protection and detection in MITRE ATT&CK evaluations (2025). Defender is competitive but not always at that level. The enterprises that need best-in-class threat hunting (financial services, defense, critical infrastructure) may still prefer CrowdStrike or SentinelOne.
But "good enough" plus "already paid for" beats "best" plus "new procurement" in most IT buying decisions. The bar for CRWD to win is getting higher as Defender improves.
The bundling of security into M365 E5 is exactly the kind of behavior that attracts antitrust scrutiny — especially in the EU, which has already forced Microsoft to unbundle Teams and address cloud licensing complaints. A regulatory mandate to sell Defender separately on equal terms could weaken the bundling moat, at least in Europe. Google Cloud and AWS have filed complaints about Microsoft's cloud licensing practices; security bundling could be next.
Defender wins on distribution and integration. It doesn't win on pure detection efficacy vs. the best competitors. If threat actors escalate faster than Microsoft's detection improves, the "good enough" positioning becomes a liability. A high-profile breach that Defender missed but CrowdStrike would have caught could reset the narrative.
Security Copilot could widen the moat (Microsoft has the data and AI infra), but it could also compress it. If AI-driven security operations become commoditized — every vendor has an AI copilot — then Microsoft's signal advantage matters less. The race is on: Security Copilot with agentic capabilities (autonomous triage and remediation) could create a new moat layer if Microsoft executes faster than competitors.
The 15,000+ partner ecosystem is a strength but also a dependency. If MSSP partners consolidate on multi-vendor strategies (e.g., offering CrowdStrike + Splunk alongside Defender + Sentinel), Microsoft loses the "single vendor" narrative in the managed security market.
Security is currently CEO Satya Nadella's "#1 priority" and every employee's compensation is tied to security goals. That level of executive attention is powerful but potentially fleeting. If a new priority (AI, quantum, gaming) displaces security as the top focus, the engineering intensity could wane.
Microsoft's security moat is widening, not narrowing. The evidence:
- Market share growing at 28.2% in endpoint — faster than the market
- Bundling advantage increasing as E5 security features expand (Copilot, Exposure Management, Attack Disruption)
- Signal advantage compounding (84T to 100T signals/day in a year)
- CRWD outage provided a tailwind, even if modest
- AI (Security Copilot) is an accelerant because Microsoft controls the AI infrastructure and the data
The primary risk is regulatory — if antitrust action forces unbundling, the distribution moat weakens. But absent that, the structural advantages of default deployment + platform integration + data scale make this one of the most durable security franchises in tech.
What Microsoft leadership says about the security business, competitive positioning, and revenue trajectory. Sources: earnings calls, SEC filings, investor conferences, analyst commentary.
"And in security, we were the first in the industry to introduce agents to help defenders autonomously handle high-volume security and IT tasks."
Context: Nadella mentioned security as one of the key AI deployment areas alongside Copilot and healthcare. Security is now woven into the Microsoft AI narrative — AI-powered security is a differentiator.
Signal: Microsoft is framing security as an AI leadership story, not just a bundling story. Security Copilot agents are the wedge to make this a revenue pillar.
"We have 1.5 million-plus security customers and we are taking share across every major category."
Signal: "Taking share" is the most direct competitive language Nadella uses. This is explicitly about winning from competitors — read CrowdStrike in endpoint, Splunk/Cisco in SIEM, Okta in identity. 1.5M customers suggests the base has nearly doubled from the 860K disclosed in January 2023.
"Security is our top priority, and we have made significant progress across our six product families... Windows 11 commercial deployments increased nearly 75% year-over-year."
Signal: "Top priority" is not casual — it's a defined CEO-level mandate. The Secure Future Initiative (SFI) launched in November 2023 ties compensation for every Microsoft employee to security goals. The Windows 11 stat matters because Windows 11 has enhanced TPM 2.0 and virtualization-based security requirements that strengthen the Defender moat at the hardware level.
"Customers are consolidating on our security stack, in order to reduce risk, complexity and cost... Microsoft is the only company with integrated tools spanning identity, security, compliance, device management and privacy."
Signal: The consolidation thesis — going from 40-75 tools to one vendor — is central to Microsoft's security messaging. Every mention of "risk, complexity, cost" is aimed at CISOs managing tool sprawl.
Key quotes and signals from the most detailed public discussion of Microsoft Security:
On threats: "Password attacks are now 7,000 per second, up from 4,000 last year. That's 600 million attacks per day. Attackers don't break in, they log in."
Signal: Identity attacks are rising fast. This supports Entra's value proposition — identity is the new perimeter, and Microsoft owns the dominant enterprise identity platform.
On AI and security: "We cannot do AI without security. We just can't. Without security, you cannot have trust. Security is the number one priority for Microsoft above all else."
Signal: By tying security to AI (Microsoft's primary growth narrative), Jakkal is positioning security as non-discretionary spend. You cannot adopt AI without securing it — and Microsoft will sell you both.
On the security business size: "Our overall security business is more than $20 billion. And Sentinel, our SIEM product alone, is more than $1 billion."
Signal: Microsoft still uses "$20B+" as the public number, even in mid-2025. If the business grew at the historical 33% CAGR from $20B in January 2023, it would be ~$35B by mid-2025. The reluctance to update suggests either: (a) growth moderated, or (b) Microsoft prefers keeping competitors guessing. The $1B Sentinel disclosure is new granularity.
On consolidation: "Ultimately, security is going to be about simplification. It is going to be about Gen AI. Organizations on average run more than 40 security tools."
Signal: The simplification pitch directly competes with best-of-breed strategies like CrowdStrike's Falcon platform. Microsoft is betting that integration + AI beats point-solution excellence.
On Security Copilot adoption: "We have more than 1,000 customers using Security Copilot. We've seen a 30% reduction in mean time to respond. We also see a 75% attach rate of security features with Copilot."
Signal: Security Copilot is still early (1,000 customers out of 1.5M total), but the 30% MTTR reduction and 75% attach rate suggest strong product-market fit once adopted. This could accelerate E5 upgrades.
The 2025 10-K added new risk factor language about security (per riskdiff.com):
New in FY2025 10-K: "Security of our products, services, devices, and customers' data" and "Development and deployment of defensive measures"
Signal: Microsoft now explicitly calls out security as a material risk factor — both from a product liability perspective and an operational requirement. This reflects the heightened threat landscape (attacker groups tracked grew from 300 to 1,500 in one year) and the Central American ("Storm") actor activity Microsoft publicly attributes. The risk disclosure also covers the AI attack surface (prompt injection, LLM model security, AI data risks).
Item 1C (Cybersecurity) — New in FY2025 10-K. The SEC now requires detailed cybersecurity risk management disclosure. Microsoft describes its security governance: CEO bi-weekly reviews, weekly board-level governance, 34,000 engineers on SFI.
| Metric | Value | Source |
|---|---|---|
| MSFT endpoint security market share | 28.6% (#1), +28.2% YoY | IDC Worldwide Modern Endpoint Security Market Shares, 2024 (May 2025) |
| MSFT endpoint share 2023 | 25.8% | IDC |
| Sentinel SIEM market share | 15.34% | 6sense (2025) |
| Gartner EPP Magic Quadrant | Leader | 2025 |
| Gartner SIEM Magic Quadrant | Leader | 2025 |
| Forrester Defender ROI study | 242% ROI over 3 years | Forrester TEI (Sept 2025) |
| Dimension | Microsoft | CrowdStrike | Palo Alto |
|---|---|---|---|
| Security revenue | >$20B (est. $25-30B+) | $4.24B ARR (+23%) | $10B total; $5.6B NGS ARR |
| Endpoint market share | 28.6% (#1) | Not #1 by revenue | Top 5 |
| Platform breadth | 50+ categories, 6 product families | Focused EDR/XDR + cloud | NGS platform + XSIAM |
| Primary distribution | M365 bundle + Windows default | Direct sales + channel | Direct sales + channel |
| AI offering | Security Copilot (1K+ customers) | Charlotte AI | XSIAM AI |
| MITRE ATT&CK | Competitive | 100% protection + detection | Strong |
| Gross retention | Not disclosed (bundled) | 97% | Strong |
The gap that matters: Microsoft's distribution advantage means it can win deals where it's not technically superior. CRWD has to be so much better that it justifies a separate vendor, separate procurement, and separate deployment. That bar keeps rising as Defender improves.
While Microsoft doesn't disclose security as a separate segment, here's the known revenue timeline:
| Date | Security Revenue | Growth | Source |
|---|---|---|---|
| January 2021 | $10B (TTM) | >40% YoY | Microsoft Security Blog |
| January 2023 | $20B (TTM) | ~33% CAGR from 2021 | Nadella earnings call |
| August 2025 | "More than $20B" | Not updated | Deutsche Bank conference |
| Sentinel (Aug 2025) | $1B | Not disclosed | Deutsche Bank conference |
Key question: Why hasn't Microsoft updated the $20B milestone? Two interpretations:
Growth has moderated. The "exercise caution" macro environment Nadella referenced in 2023 may have slowed security spending. If the business is ~$25B now (vs. $20B+ in Jan 2023), that's a ~12% CAGR — good but not the 33% prior pace.
Microsoft is strategically quiet. Revealing the exact size would give competitors a precise target and give analysts a number to model. Microsoft may prefer the "$20B+" ambiguity. The Sentinel disclosure ($1B, growing) suggests the business is healthy.
The Zacks/Nasdaq article (October 2025) framing security as "the next revenue pillar" suggests external analysts see acceleration potential, not a stalled business.
Confidence level: High and rising. Management talks about security with the same strategic certainty they use for AI and Azure — not as a defensive necessity, but as a growth franchise. Key signals:
What's NOT being said:
- No disclosure of security operating margins (likely lower than corporate average given heavy investment)
- No update to the $20B revenue milestone (intentional ambiguity or slower growth?)
- No direct naming of competitors in public commentary (Microsoft rarely names competitors, but the "consolidation" and "simplification" messaging is targeted at CrowdStrike, Palo Alto, and Splunk/Cisco)
Contradictions to watch:
- If Microsoft starts disclosing security revenue separately, that signals they see it as a major standalone franchise (like they eventually did with Azure)
- If a major Defender breach occurs, the "good enough" narrative could flip quickly
- If antitrust action targets security bundling (EU DMA expansion), the distribution moat weakens materially in a key market