6.2 CSPM, Foundational Posture, and Defender CSPM
Key Takeaways
- Cloud Security Posture Management, or CSPM, is about visibility, assessment, hardening guidance, and posture improvement.
- When Defender for Cloud is enabled, foundational CSPM capabilities are enabled automatically.
- The Defender CSPM plan adds capabilities such as governance, regulatory compliance, cloud security explorer, attack path analysis, and agentless scanning for machines.
- CSPM is posture-focused; it is not the same thing as SIEM, SOAR, endpoint EDR, or data classification.
Understand CSPM as Posture Management
Cloud Security Posture Management is one of the most important Defender for Cloud phrases for SC-900. CSPM is not a single firewall rule or a single alert. It is a set of capabilities that provide visibility into the current security situation, assess cloud resources, and guide hardening. Microsoft documentation describes Defender CSPM as providing hardening guidance and visibility that help improve security.
When Microsoft Defender for Cloud is enabled on a subscription or connected cloud account, foundational CSPM capabilities are turned on automatically at no extra cost. These foundational capabilities provide basic posture visibility, secure score, and recommendations. The separately licensed Defender CSPM plan adds deeper assessment and prioritization capabilities for environments that need more than the baseline; it extends posture management rather than adding threat protection.
| CSPM term | Exam-safe meaning |
|---|---|
| Posture | The current security state of cloud resources and configurations |
| Hardening guidance | Recommendations that help reduce risk and improve configurations |
| Foundational CSPM | Baseline posture capabilities enabled with Defender for Cloud |
| Defender CSPM plan | Additional posture capabilities for deeper assessment and prioritization |
| Attack path analysis | Graph-based analysis that chains exposures and misconfigurations into routes an attacker could follow to reach sensitive resources, so the most dangerous issues can be fixed first |
| Agentless scanning | Assessment that inspects supported machines for vulnerabilities and other risks from disk snapshots, without installing a traditional endpoint agent |
The Defender CSPM plan includes extra capabilities such as governance, regulatory compliance, cloud security explorer, attack path analysis, and agentless scanning for machines. For SC-900, focus on what those capabilities are for: better visibility, prioritization, and remediation planning. Do not turn this into a deployment exam. You are expected to identify the service and concept, not configure every component.
CSPM is primarily pre-breach. It helps teams answer questions such as which resources are exposed, which resources violate security standards, which issues are most important, and which recommendations should be fixed. It does not replace incident investigation in Sentinel, endpoint response in Defender for Endpoint, or access reviews in Microsoft Entra ID Governance.
The multicloud wording is also important. Defender for Cloud can work across Azure, Amazon Web Services, and Google Cloud Platform environments once those accounts are connected through the AWS and GCP connectors. CSPM features for AWS and GCP assess multicloud workloads against industry standards and report on security posture in the same recommendations and secure score views used for Azure. This is why the exam may describe posture across more than Azure subscriptions.
CSPM and cloud workload protection are related but different. CSPM asks whether resources are configured securely and how the environment scores against standards. Workload protection, delivered by the per-resource Defender plans (Defender for Servers, SQL, Containers, App Service, and others), asks whether running resources are being watched for threats and raising security alerts. Defender for Cloud contains both areas, which is why the product appears in several types of questions.
A good exam strategy is to classify the prompt. If it asks for hardening guidance, configuration assessment, attack paths, standards, or secure score, think CSPM. If it asks for alerts for protected VMs, SQL databases, containers, or web applications, think workload protection. If it asks to collect security events and automate response across sources, think Sentinel.
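The foundational-versus-Defender CSPM distinction and the CSPM-versus-workload-protection distinction both show up concretely in the pricing plans a subscription has turned on. The following is an added example (not code from the original page or from Microsoft) that classifies a subscription's plan list along those two lines. It assumes the JSON shape returned by `az security pricing list` (a `{"value": [...]}` envelope, plan names such as `CloudPosture` and `VirtualMachines`, `pricingTier` of `Free` or `Standard`, and extension names such as `AgentlessVmScanning`); the embedded sample is constructed, so verify the field names against your own CLI output.

```python
"""Classify Defender for Cloud pricing plans into posture vs workload protection."""
import json
import sys

# Constructed sample in the shape of `az security pricing list` output.
# The envelope, plan names, tiers and extension names are assumptions based on
# the Microsoft.Security/pricings resource; check your CLI version's output.
SAMPLE_PRICINGS = json.dumps({
    "value": [
        {"name": "CloudPosture", "pricingTier": "Standard",
         "extensions": [
             {"name": "AgentlessVmScanning", "isEnabled": "True"},
             {"name": "SensitiveDataDiscovery", "isEnabled": "False"},
         ]},
        {"name": "VirtualMachines", "pricingTier": "Standard", "subPlan": "P2"},
        {"name": "SqlServers", "pricingTier": "Free"},
        {"name": "Containers", "pricingTier": "Standard"},
        {"name": "AppServices", "pricingTier": "Free"},
    ]
})

# The one plan that carries CSPM; every other entry in the pricings list is a
# workload protection plan (Defender for Servers, SQL, Containers, App Service ...).
CSPM_PLAN = "CloudPosture"


def summarize_posture(pricing_json: str) -> dict:
    """Return which posture tier is active and which workload plans are on.

    Foundational CSPM is the Free tier of the CloudPosture plan and is present
    as soon as a subscription is onboarded; the paid Defender CSPM plan is the
    same entry at the Standard tier, optionally with extensions such as
    agentless scanning switched on.
    """
    doc = json.loads(pricing_json)
    plans = doc["value"] if isinstance(doc, dict) else doc  # tolerate a bare list
    by_name = {p["name"]: p for p in plans}

    # A missing CloudPosture entry still means foundational CSPM, not "no CSPM".
    cspm = by_name.get(CSPM_PLAN, {"pricingTier": "Free"})
    defender_cspm = cspm.get("pricingTier") == "Standard"
    extensions = {
        e["name"]: str(e.get("isEnabled", "False")).lower() == "true"
        for e in cspm.get("extensions", [])
    } if defender_cspm else {}

    workload_enabled = sorted(
        name for name, p in by_name.items()
        if name != CSPM_PLAN and p.get("pricingTier") == "Standard"
    )
    workload_off = sorted(
        name for name, p in by_name.items()
        if name != CSPM_PLAN and p.get("pricingTier") != "Standard"
    )
    return {
        "posture_tier": "Defender CSPM" if defender_cspm else "Foundational CSPM",
        "cspm_extensions": extensions,
        "workload_protection_enabled": workload_enabled,
        "workload_protection_off": workload_off,
    }


if __name__ == "__main__":
    # Usage: az security pricing list -o json > pricings.json
    #        python cspm_summary.py pricings.json
    # With no argument the constructed sample above is used.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PRICINGS
    print(json.dumps(summarize_posture(raw), indent=2))
```

The split the script makes is the same one the exam expects: `CloudPosture` at `Standard` means the Defender CSPM plan (attack paths, cloud security explorer, agentless scanning), `CloudPosture` at `Free` or absent means foundational CSPM only, and every other `Standard` entry is a workload protection plan that raises alerts rather than posture recommendations.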
- CSPM is about posture and hardening.
- Defender CSPM extends baseline posture capabilities with deeper analysis features.
- Defender for Cloud can assess connected Azure, AWS, and GCP resources.
- CSPM is not the same as SIEM or data governance.
Which description best matches Cloud Security Posture Management in Defender for Cloud?
What happens to foundational CSPM capabilities when Defender for Cloud is enabled?
Which capability is associated with the Defender CSPM plan rather than a basic network security group?