6.6 Cloud Workload Protection and Defender Plans
Key Takeaways
- Cloud workload protection in Defender for Cloud provides advanced protection and threat detection for protected cloud workloads.
- Workload protection dashboards show coverage, security alerts, advanced protection status, and insights.
- Defender for Cloud has workload-specific plans for resource types such as servers, containers, SQL databases, and other cloud resources.
- CWPP is protection-focused, while CSPM is posture-focused; Defender for Cloud includes both areas.
Protect Workloads with Defender for Cloud Plans
Cloud Workload Protection Platform, or CWPP, is the workload protection side of Defender for Cloud. If CSPM asks whether cloud resources are configured securely, CWPP asks whether workloads are protected against threats and whether alerts are generated for protected resources. Microsoft documentation describes workload protections in Defender for Cloud as advanced, intelligent protection for workloads running on Azure, on-premises machines, or other cloud providers.
The workload protection dashboard gives a unified view into threat detection and protection for protected resources. It can show coverage for resource types that are eligible for protection, security alerts, advanced protection status, and insights. When Defender for Cloud detects a threat, it generates an alert with details, suggested remediation steps, and in some cases a response option such as triggering a logic app.
| Workload protection concept | Exam-safe meaning |
|---|---|
| CWPP | Protection and threat detection for cloud workloads |
| Defender plan | Workload-specific protection plan for a resource type |
| Coverage | Whether eligible resources are protected by the relevant plan |
| Security alert | Finding generated when Defender for Cloud detects a threat |
| Advanced protection | Protection capabilities for workloads such as machines, SQL databases, containers, web applications, and network resources |
| Subscription-level plan | The plan scope that enables workload protection functionality for eligible resources |
Defender plans map protection to resource types. Microsoft documentation describes plans such as Defender for Servers, Defender for Containers, and Defender for SQL in multicloud planning guidance. Defender for Servers protects Windows and Linux machines in Azure, AWS, GCP, and on-premises when connected to Defender for Cloud. It can integrate with Defender for Endpoint and Microsoft Defender Vulnerability Management for endpoint detection, response, and vulnerability capabilities.
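The plan-to-resource-type mapping and the idea of coverage can be checked per subscription. The following is an added example, not taken from Microsoft documentation or from this guide's source: it reads the JSON produced by `az security pricing list` and reports which of the three plans named above are switched on. The JSON shape, the plan identifiers (`VirtualMachines`, `Containers`, `SqlServers`) and the `Standard`/`Free` tier values are assumptions about that command's output, and the sample data is constructed.

```python
import json

# Assumed mapping from the plan identifiers reported by
# `az security pricing list` to the plan names used on this page.
PLAN_NAMES = {
    "VirtualMachines": "Defender for Servers",
    "Containers": "Defender for Containers",
    "SqlServers": "Defender for SQL",
}

# Constructed sample output, not captured from a real subscription.
SAMPLE_PRICING_JSON = """
{"value": [
  {"name": "VirtualMachines", "pricingTier": "Standard", "subPlan": "P2"},
  {"name": "Containers", "pricingTier": "Free", "subPlan": null},
  {"name": "KeyVaults", "pricingTier": "Standard", "subPlan": null}
]}
"""


def plan_coverage(pricing_json):
    """Return {plan display name: enabled?} for the plans in PLAN_NAMES."""
    data = json.loads(pricing_json)
    # Accept either {"value": [...]} or a bare list of plan objects.
    entries = data.get("value", []) if isinstance(data, dict) else data
    tiers = {e.get("name"): e.get("pricingTier") for e in entries}
    # "Standard" means the plan is on. "Free" or a missing entry means
    # eligible resources of that type have no workload protection.
    return {
        display: tiers.get(key) == "Standard"
        for key, display in PLAN_NAMES.items()
    }


def unprotected_plans(pricing_json):
    """Return the sorted display names of plans that are not enabled."""
    coverage = plan_coverage(pricing_json)
    return sorted(name for name, enabled in coverage.items() if not enabled)


if __name__ == "__main__":
    for name, enabled in plan_coverage(SAMPLE_PRICING_JSON).items():
        print(f"{name}: {'enabled' if enabled else 'NOT enabled'}")
```

Against a real subscription, the input would come from saving the command's output to a file and passing its contents to `plan_coverage`.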
The point for SC-900 is not to memorize every plan feature. The point is to know that Defender for Cloud can protect workloads, not just score posture. If the question says a team wants threat detection for protected virtual machines, containers, SQL databases, web applications, or network resources, workload protection in Defender for Cloud is the relevant concept.
CWPP and CSPM often appear together because they are both in Defender for Cloud. A resource could have a posture recommendation about configuration and a workload protection alert about suspicious activity. A subscription could have a secure score showing posture progress and a workload protection dashboard showing alert trends. These are different views of cloud security, not competing products.
Do not confuse Defender for Cloud workload protection with Microsoft Sentinel. Sentinel collects security data, provides SIEM and SOAR capabilities, and supports analytics rules, incidents, hunting, workbooks, and playbooks. Defender for Cloud generates cloud workload alerts and posture findings; Sentinel can ingest and correlate security data across sources. In product-selection questions, choose Defender for Cloud when the prompt centers on protected cloud workloads and plans.
Also avoid confusing Defender for Cloud with Azure infrastructure controls. DDoS Protection, Azure Firewall, WAF, NSGs, Bastion, and Key Vault protect specific network, administration, or secret-management needs. Defender for Cloud evaluates and protects cloud resources at a management and detection layer.
- CWPP means workload protection and threat detection.
- Defender plans enable protections for specific resource types.
- Alerts describe detected threats and remediation guidance.
- CSPM and CWPP are complementary parts of Defender for Cloud.
Which Defender for Cloud concept focuses on protection and threat detection for workloads such as servers, containers, and databases?
How do CSPM and CWPP differ in Defender for Cloud?
A team wants to view security alerts and protection coverage for eligible cloud resources in Defender for Cloud. Which area should they use?