6.6 Cloud Workload Protection and Defender Plans
Key Takeaways
- Cloud Workload Protection Platform (CWPP) delivers threat detection and advanced defenses for protected cloud workloads, generating security alerts.
- Defender plans are enabled per resource type: Servers, Storage, Databases, Containers, App Service, Key Vault, Resource Manager, DNS, APIs, and AI Services.
- Defender for Servers integrates Microsoft Defender for Endpoint; Defender for Storage adds malware scanning and sensitive-data threat detection.
- CWPP is protection-focused while CSPM is posture-focused; Defender for Cloud includes both, and alerts can be exported to Microsoft Sentinel.
CWPP and the Defender Plans
Cloud Workload Protection Platform (CWPP) is the workload-protection side of Defender for Cloud. Where CSPM asks whether resources are configured securely, CWPP asks whether workloads are protected against threats and generates security alerts for protected resources. Microsoft describes CWPP as providing workload-specific protections for workloads running on Azure, on-premises, and other clouds, with alerts that immediately indicate the nature and severity of a threat.
Protection is turned on by enabling Defender plans at the subscription (or connector) level — each plan targets a specific resource type. The current Defender plans are:
| Defender plan | What it protects |
|---|---|
| Defender for Servers | Windows/Linux VMs on Azure, AWS, GCP, and on-premises; integrates Microsoft Defender for Endpoint, vulnerability assessment, just-in-time access, and file integrity monitoring |
| Defender for Storage | Azure Blob, Files, and Data Lake; adds malware scanning and sensitive-data threat detection |
| Defender for Databases | Azure SQL, SQL on machines, open-source relational databases, and Azure Cosmos DB |
| Defender for Containers | Kubernetes hardening, image/registry vulnerability assessment, and run-time protection of nodes and clusters |
| Defender for App Service | Attacks targeting Azure App Service web apps and APIs |
| Defender for Key Vault | Unusual or harmful attempts to access or exploit Key Vault |
| Defender for Resource Manager | Suspicious resource-management (control-plane) operations |
| Defender for DNS | Anomalous DNS activity; no longer offered as a standalone plan to new subscriptions, where its alerts come bundled with Defender for Servers Plan 2 |
| Defender for APIs | Visibility into and threat detection for business-critical APIs |
| Defender for AI Services | Threats to generative-AI applications, in real time |
For SC-900 you should recognize that workload protection is plan-based and per-resource-type, and be able to map a workload (a VM, a database, a container cluster, a key vault) to the plan that protects it. You do not need to memorize every feature inside each plan.
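As an added example (not code from this page or from Microsoft), the following Python turns the plan-per-resource-type idea into an offline coverage check: it parses a response in the shape of the `Microsoft.Security/pricings` list API (`value[].name`, `properties.pricingTier`, `properties.subPlan`), derives the plans a resource inventory requires, reports plans still on the Free tier, and flags the DNS nuance (Servers on Plan 1 with no standalone Dns plan means no DNS alerts). The pricing names (VirtualMachines, StorageAccounts, Arm, Dns, ...) are those the pricings API uses; the resource-type mapping, the `api-version`, and both sample inputs are assumptions or constructed data. In practice the same setting is made per subscription with `az security pricing create --name VirtualMachines --tier standard` or a PUT to the same pricings endpoint.

```python
"""Offline coverage check for Defender for Cloud plans (added example, not Microsoft code).

Input 1 is a response in the shape of GET .../providers/Microsoft.Security/pricings;
input 2 is a resource inventory. Both samples below are constructed.
"""
from collections import defaultdict

# Pricing names used by Microsoft.Security/pricings, keyed by the ARM resource types
# each plan protects. Assumption: only common types are listed here.
PLAN_FOR_RESOURCE_TYPE = {
    "microsoft.compute/virtualmachines": "VirtualMachines",
    "microsoft.hybridcompute/machines": "VirtualMachines",          # Arc-enabled servers
    "microsoft.storage/storageaccounts": "StorageAccounts",
    "microsoft.sql/servers": "SqlServers",
    "microsoft.sqlvirtualmachine/sqlvirtualmachines": "SqlServerVirtualMachines",
    "microsoft.dbforpostgresql/flexibleservers": "OpenSourceRelationalDatabases",
    "microsoft.documentdb/databaseaccounts": "CosmosDbs",
    "microsoft.containerservice/managedclusters": "Containers",
    "microsoft.containerregistry/registries": "Containers",
    "microsoft.web/sites": "AppServices",
    "microsoft.keyvault/vaults": "KeyVaults",
    "microsoft.apimanagement/service": "Api",
}
ALWAYS_REQUIRED = {"Arm"}   # control-plane protection is not tied to any one resource
API_VERSION = "2024-01-01"  # assumption: use the pricings API version you target


def parse_pricings(pricings_json):
    """Map plan name -> (pricingTier, subPlan) from a pricings list response."""
    result = {}
    for item in pricings_json.get("value", []):
        props = item.get("properties", {})
        result[item["name"]] = (props.get("pricingTier", "Free"), props.get("subPlan"))
    return result


def required_plans(inventory):
    """inventory: iterable of (resource_type, count). Returns {plan: set(resource types)}."""
    required = defaultdict(set)
    for plan in ALWAYS_REQUIRED:
        required[plan]                      # present even with no resources behind it
    for rtype, count in inventory:
        plan = PLAN_FOR_RESOURCE_TYPE.get(rtype.lower())
        if plan and count > 0:
            required[plan].add(rtype)
    return dict(required)


def coverage_gaps(pricings_json, inventory):
    """Plans that should be on the Standard tier but are not, as (plan, reason) pairs."""
    enabled = parse_pricings(pricings_json)
    gaps = []
    for plan, types in sorted(required_plans(inventory).items()):
        tier, _ = enabled.get(plan, ("Free", None))
        if tier != "Standard":
            what = ", ".join(sorted(types)) or "control-plane operations"
            gaps.append((plan, f"tier is {tier}; leaves unprotected: {what}"))
    # The standalone Dns plan is not offered to new subscriptions; its alerts ship with
    # Servers Plan 2. Servers on P1 with no Dns plan therefore means no DNS alerts.
    vm_tier, vm_sub = enabled.get("VirtualMachines", ("Free", None))
    dns_tier, _ = enabled.get("Dns", ("Free", None))
    if vm_tier == "Standard" and vm_sub != "P2" and dns_tier != "Standard":
        gaps.append(("Dns", "no DNS alerts: Servers is on P1 and the standalone Dns plan is off"))
    return gaps


def enable_plan_request(subscription_id, plan, subplan=None):
    """Build the PUT that turns a plan on: (method, url, body). Send it with your own client."""
    body = {"properties": {"pricingTier": "Standard"}}
    if subplan:
        body["properties"]["subPlan"] = subplan
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           f"/providers/Microsoft.Security/pricings/{plan}?api-version={API_VERSION}")
    return "PUT", url, body


SAMPLE_PRICINGS = {"value": [   # constructed sample, same shape as the real API
    {"name": "VirtualMachines", "properties": {"pricingTier": "Standard", "subPlan": "P1"}},
    {"name": "StorageAccounts", "properties": {"pricingTier": "Free"}},
    {"name": "KeyVaults", "properties": {"pricingTier": "Standard"}},
    {"name": "Arm", "properties": {"pricingTier": "Standard"}},
    {"name": "Containers", "properties": {"pricingTier": "Free"}},
    {"name": "SqlServers", "properties": {"pricingTier": "Free"}},
]}
SAMPLE_INVENTORY = [            # constructed sample: (ARM resource type, count)
    ("Microsoft.Compute/virtualMachines", 12),
    ("Microsoft.Storage/storageAccounts", 4),
    ("Microsoft.KeyVault/vaults", 2),
    ("Microsoft.ContainerService/managedClusters", 1),
    ("Microsoft.Sql/servers", 0),   # nothing deployed, so SqlServers is not required
]

if __name__ == "__main__":
    for plan, reason in coverage_gaps(SAMPLE_PRICINGS, SAMPLE_INVENTORY):
        print(f"{plan}: {reason}")
    # Remediation for the DNS gap is moving Servers to Plan 2, not enabling Dns:
    print(enable_plan_request("<subscription-id>", "VirtualMachines", "P2"))
```

With the constructed inputs the check reports Containers and StorageAccounts on the Free tier and the missing DNS coverage; the last line shows the request body that moves Servers to Plan 2. Real plan listings and inventories come from the pricings API and Azure Resource Graph respectively.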
Alerts, Incidents, and the Workload Dashboard
When Defender for Cloud detects a threat against a protected resource, it raises a security alert with details, a severity level, and suggested remediation; related alerts are correlated into security incidents. The workload protections dashboard gives a unified view of coverage (which eligible resources are protected), active alerts, advanced-protection status, and insights. Alerts and incidents can be exported to SIEM, SOAR, and ITSM systems — most importantly to Microsoft Sentinel — which is how posture and detection data reach the SOC.
A couple of details worth knowing: Defender for Servers comes in Plan 1 and Plan 2. Plan 1 is essentially the Microsoft Defender for Endpoint integration; Plan 2 adds capabilities such as the bundled DNS alerts, just-in-time VM access, and file integrity monitoring. Defender for Databases is an umbrella over Azure SQL, SQL on machines, open-source relational DBs, and Cosmos DB. These nuances reinforce that CWPP is granular and resource-aware.
CWPP vs CSPM, Sentinel, and Infra Controls
CWPP and CSPM appear together because both live in Defender for Cloud, but they answer different questions:
- CSPM → posture, hardening recommendations, secure score, compliance (pre-breach).
- CWPP → workload threat detection, security alerts, Defender plans (active / post-breach).
A single resource can simultaneously have a CSPM recommendation (a misconfiguration to fix) and a CWPP alert (suspicious activity right now) — different views, not competing products.
Do not confuse Defender for Cloud CWPP with Microsoft Sentinel. Sentinel is the SIEM/SOAR that ingests and correlates security data across many sources (including Defender for Cloud alerts) and automates response with playbooks. Defender for Cloud generates the cloud workload alerts; Sentinel can centralize them. Likewise, do not confuse it with infrastructure controls — DDoS Protection, Azure Firewall, WAF, NSGs, Bastion, and Key Vault each address a specific network, admin, or secret need, while Defender plans add a detection and protection layer over the resources themselves.
- CWPP = workload threat detection via per-resource Defender plans.
- Plans cover Servers, Storage, Databases, Containers, App Service, Key Vault, Resource Manager, DNS, APIs, and AI.
- Alerts and incidents can be exported to Microsoft Sentinel.
- CSPM and CWPP are complementary halves of Defender for Cloud.
Mapping Workloads to Plans (Exam Drill)
The single most useful skill for CWPP questions is mapping a described workload to the right plan. Practice the mapping until it is automatic:
| If the scenario protects... | Enable... |
|---|---|
| Windows/Linux VMs (any cloud or on-prem) | Defender for Servers |
| Azure Blob, Files, Data Lake (incl. malware scanning) | Defender for Storage |
| Azure SQL, SQL on machines, open-source DBs, Cosmos DB | Defender for Databases |
| Kubernetes clusters and container images | Defender for Containers |
| Azure App Service web apps and their APIs | Defender for App Service |
| Azure Key Vault access/exploit attempts | Defender for Key Vault |
| Suspicious control-plane (management) operations | Defender for Resource Manager |
| Anomalous DNS activity | Defender for DNS (for new subscriptions, bundled into Defender for Servers Plan 2) |
| Business-critical published APIs | Defender for APIs |
| Generative-AI applications | Defender for AI Services |
Notice that several plans protect things people forget are attack surfaces — the management plane (Resource Manager), DNS, key vaults, and APIs. The exam likes these because they test whether you understand that CWPP is granular and resource-aware rather than a single on/off switch.
Alerts, Severity, and the Response Path
When a Defender plan detects malicious activity, it raises a security alert carrying the threat description, a severity (informational, low, medium, high), the affected resource, and remediation guidance. Alerts about a single attack are correlated into a security incident so analysts see the whole campaign. From there alerts and incidents can be exported to a SIEM, SOAR, or ITSM system — in a Microsoft shop, Microsoft Sentinel, where playbooks automate containment.
This export relationship is the cleanest way to remember how Defender for Cloud (detection at the cloud-resource layer) and Sentinel (centralized correlation and automation) divide the work.
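The alert structure described here and in the earlier "Alerts, Incidents, and the Workload Dashboard" section (severity, affected resource, correlation into incidents, export to a SIEM) can be exercised offline. The Python below is an added example, not code from the page or from Microsoft: it reads alert records in the shape the Defender for Cloud alerts API and continuous export emit (`alertType`, `severity`, `compromisedEntity`, `resourceIdentifiers`, `timeGeneratedUtc`), infers the plan that raised each alert from the `alertType` prefix, correlates alerts on the same resource within a time window into incidents, and ranks incidents by severity, which is roughly what an analyst's first pass in Sentinel does. The prefix-to-plan mapping is an assumption based on the public alert reference, and the alert records are constructed sample data with illustrative `alertType` values.

```python
"""Triage of exported Defender for Cloud alerts (added example, not Microsoft code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Assumption: alertType prefixes follow the plan families in the public alert reference.
PLAN_BY_PREFIX = [
    ("VM_", "Defender for Servers"), ("K8S", "Defender for Containers"),
    ("KV_", "Defender for Key Vault"), ("ARM_", "Defender for Resource Manager"),
    ("Storage.", "Defender for Storage"), ("SQL.", "Defender for Databases"),
    ("CosmosDB_", "Defender for Databases"), ("AppServices_", "Defender for App Service"),
    ("AzureDNS_", "Defender for DNS"), ("API_", "Defender for APIs"),
]


def plan_for(alert_type):
    """Name the Defender plan that produced an alert, from its alertType prefix."""
    for prefix, plan in PLAN_BY_PREFIX:
        if alert_type.startswith(prefix):
            return plan
    return "unknown plan"


def affected_resource(alert):
    """Prefer the ARM resource ID; fall back to compromisedEntity (e.g. control-plane alerts)."""
    for rid in alert.get("resourceIdentifiers", []):
        if rid.get("type") == "AzureResource" and rid.get("azureResourceId"):
            return rid["azureResourceId"].lower()
    return alert["compromisedEntity"].lower()


@dataclass
class Incident:
    resource: str
    severity: str
    first_seen: datetime
    last_seen: datetime
    plans: set = field(default_factory=set)
    alerts: list = field(default_factory=list)


def correlate(alerts, window=timedelta(hours=1)):
    """Group alerts per resource; a gap longer than `window` starts a new incident."""
    def ts(a):
        return datetime.fromisoformat(a["timeGeneratedUtc"].replace("Z", "+00:00"))
    incidents, open_by_resource = [], {}
    for a in sorted(alerts, key=ts):
        res, t = affected_resource(a), ts(a)
        inc = open_by_resource.get(res)
        if inc is None or t - inc.last_seen > window:
            inc = Incident(resource=res, severity=a["severity"], first_seen=t, last_seen=t)
            incidents.append(inc)
            open_by_resource[res] = inc
        inc.last_seen = t
        inc.alerts.append(a["alertType"])
        inc.plans.add(plan_for(a["alertType"]))
        if SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[inc.severity]:
            inc.severity = a["severity"]          # incident severity = max of its alerts
    return incidents


def triage(alerts, min_severity="Medium"):
    """Incidents at or above min_severity, highest severity first, then oldest first."""
    keep = [i for i in correlate(alerts)
            if SEVERITY_RANK[i.severity] >= SEVERITY_RANK[min_severity]]
    return sorted(keep, key=lambda i: (-SEVERITY_RANK[i.severity], i.first_seen))


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"      # placeholder ID
VM_ID = f"{SUB}/resourceGroups/web/providers/Microsoft.Compute/virtualMachines/vm-web-01"
KV_ID = f"{SUB}/resourceGroups/sec/providers/Microsoft.KeyVault/vaults/kv-prod"
ST_ID = f"{SUB}/resourceGroups/data/providers/Microsoft.Storage/storageAccounts/stprodlogs"


def _alert(alert_type, severity, entity, when, resource_id=None):
    ids = [{"type": "AzureResource", "azureResourceId": resource_id}] if resource_id else []
    return {"alertType": alert_type, "severity": severity, "compromisedEntity": entity,
            "timeGeneratedUtc": when, "resourceIdentifiers": ids}


SAMPLE_ALERTS = [   # constructed; alertType values are illustrative, not from the catalog
    _alert("VM_SuspiciousProcessExecution", "Medium", "vm-web-01", "2024-05-01T10:00:00Z", VM_ID),
    _alert("KV_AnomalousAccess", "High", "kv-prod", "2024-05-01T10:05:00Z", KV_ID),
    _alert("VM_ReverseShell", "High", "vm-web-01", "2024-05-01T10:20:00Z", VM_ID),
    _alert("ARM_UnusualRoleAssignment", "Medium", "00000000-0000-0000-0000-000000000000",
           "2024-05-01T10:30:00Z"),
    _alert("Storage.Blob_AnonymousScan", "Informational", "stprodlogs", "2024-05-01T11:00:00Z", ST_ID),
    _alert("VM_AbnormalLogin", "Low", "vm-web-01", "2024-05-01T14:00:00Z", VM_ID),
]

if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS):
        print(inc.severity, inc.resource.rsplit("/", 1)[-1], sorted(inc.plans), inc.alerts)
```

On the constructed data the two vm-web-01 alerts twenty minutes apart become one High incident (the later Low alert, hours afterwards, opens a separate one), the Key Vault alert is its own High incident, the Resource Manager alert stands as a Medium incident keyed on the subscription, and the Informational storage alert drops below the triage threshold. The same grouping logic is what you would express in KQL over the `SecurityAlert` table once the alerts reach Sentinel.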
Final Boundaries to Keep Straight
Two last distinctions close out the chapter. First, CWPP is not CSPM: a resource can carry a CSPM recommendation (fix a misconfiguration) and a CWPP alert (respond to an active threat) at the same time — complementary views inside one product. Second, Defender for Cloud is not an infrastructure control: DDoS Protection, Azure Firewall, Web Application Firewall, NSGs, Bastion, and Key Vault each solve a narrow network, administrative, or secret need, whereas Defender plans add a detection and protection layer over the resources themselves.
When a prompt centers on protected cloud workloads, security alerts, and per-resource plans, the answer is Defender for Cloud's cloud workload protection (CWPP).
Which Defender for Cloud concept focuses on threat detection and protection for workloads such as servers, containers, and databases?
A team needs threat detection specifically for their Windows and Linux virtual machines, including integration with Microsoft Defender for Endpoint. Which Defender plan should they enable?
How do CSPM and CWPP differ within Defender for Cloud?
Where can Defender for Cloud security alerts and incidents be sent for centralized SIEM/SOAR correlation?