6.2 CSPM, Foundational Posture, and Defender CSPM
Key Takeaways
- Cloud Security Posture Management (CSPM) delivers visibility, assessment, hardening guidance, and posture improvement for cloud resources.
- Foundational CSPM is free and turns on automatically with Defender for Cloud; it includes central policy, secure score, and multicloud coverage.
- The paid Defender CSPM plan adds governance, regulatory compliance, attack path analysis, the cloud security graph (cloud security explorer), agentless scanning, and data-aware posture.
- CSPM is posture-focused and pre-breach; it is not SIEM, SOAR, endpoint EDR, or data classification.
CSPM as Posture Management
Cloud Security Posture Management (CSPM) is one of the most important Defender for Cloud phrases for SC-900. CSPM is not a single firewall rule or alert; it is a set of capabilities that provide visibility into the current security situation, assess cloud resources against standards, and guide hardening through recommendations. Microsoft describes CSPM as helping you check and improve the security posture of cloud resources, using a dashboard to see weaknesses in your posture.
CSPM is primarily pre-breach. It answers questions like: which resources are exposed to the internet, which violate security standards, which issues are most important, and which recommendations to fix first. It does not replace incident investigation in Microsoft Sentinel, endpoint response in Defender for Endpoint, or access reviews in Microsoft Entra ID Governance.
Foundational CSPM (Free) vs the Defender CSPM Plan
The single most tested CSPM distinction is free vs paid. Microsoft states plainly: "Defender for Cloud includes free Foundational CSPM capabilities. Enable advanced CSPM capabilities by using the Defender CSPM plan." Foundational CSPM turns on automatically the moment Defender for Cloud is enabled on a subscription, at no extra cost.
| Capability | Foundational CSPM (Free) | Defender CSPM (paid plan) |
|---|---|---|
| Centralized security policy / Microsoft Cloud Security Benchmark | Included | Included |
| Secure score | Included | Included |
| Security recommendations and dashboard | Included | Included |
| Multicloud coverage (AWS, GCP connectors) | Included | Included |
| Asset inventory | Included | Included |
| Governance rules (assign and track remediation) | — | Included |
| Regulatory compliance dashboard | — | Included |
| Attack path analysis | — | Included |
| Cloud security explorer (cloud security graph) | — | Included |
| Agentless vulnerability scanning for machines | — | Included |
| Data-aware security posture (sensitive data discovery) | — | Included* |
*Data security posture management is available with Defender CSPM or Defender for Storage. Note that the regulatory compliance dashboard is a Defender CSPM (paid) feature — a classic trap, because the Microsoft Cloud Security Benchmark policy itself is free, but the broader compliance dashboard with additional frameworks requires the paid plan.
What Defender CSPM Adds
The Defender CSPM plan layers contextual, graph-based analysis on top of basic posture. Microsoft describes its advanced tools as including governance (driving actions to improve posture by assigning tasks to resource owners), regulatory compliance (verifying compliance with security standards), and the cloud security explorer (building a comprehensive view of your environment). Two flagship Defender CSPM features:
- Attack path analysis — models how an attacker could chain exploitable weaknesses (for example, an internet-exposed VM with a high-severity vulnerability and a path to sensitive data) so teams fix the choke points first.
- Cloud security graph / cloud security explorer — a queryable map of resources, configurations, and relationships used to surface risks that simple per-resource checks miss.
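As an added illustration (constructed for this section; it is not Microsoft's code and not the product's actual algorithm), the following Python models a tiny cloud security graph of the kind the cloud security explorer queries and runs a simplified attack path analysis over it. It starts from internet-exposed machines carrying a vulnerability at or above a chosen severity, follows identity and network relationships toward datastores that hold sensitive data, and ranks the intermediate nodes by how many paths pass through them, which is the choke-point idea from the bullets above. Every resource name, relationship and attribute in it is made up.

```python
"""Toy attack path analysis over a small, constructed cloud security graph.

Illustration only: the graph, the relationship names and the scoring are
invented for this example and do not reproduce Defender CSPM internals.
"""
from collections import defaultdict

# Constructed sample environment: resource id -> attributes.
RESOURCES = {
    "vm-web-01":   {"type": "vm", "internet_exposed": True,  "vuln_severity": "high"},
    "vm-app-02":   {"type": "vm", "internet_exposed": False, "vuln_severity": "medium"},
    "vm-batch-03": {"type": "vm", "internet_exposed": True,  "vuln_severity": "low"},
    "mi-web":      {"type": "managed_identity"},
    "mi-app":      {"type": "managed_identity"},
    "st-customer": {"type": "storage", "sensitive_data": True},
    "st-logs":     {"type": "storage", "sensitive_data": False},
}

# Constructed directed relationships: (source, relationship, target).
# "can_connect" stands for an open network path between two machines.
EDGES = [
    ("vm-web-01", "runs_as", "mi-web"),
    ("vm-web-01", "can_connect", "vm-app-02"),
    ("vm-app-02", "runs_as", "mi-app"),
    ("vm-batch-03", "runs_as", "mi-app"),
    ("mi-web", "can_read", "st-logs"),
    ("mi-app", "can_read", "st-customer"),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def build_adjacency(edges):
    """Index edges by source node so the graph can be walked quickly."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj


def entry_points(resources, min_severity="high"):
    """Internet-exposed resources whose vulnerability meets the threshold.

    These are the places an external attacker could plausibly start from.
    """
    threshold = SEVERITY_RANK[min_severity]
    return sorted(
        rid for rid, attrs in resources.items()
        if attrs.get("internet_exposed")
        and SEVERITY_RANK.get(attrs.get("vuln_severity", "low"), 0) >= threshold
    )


def crown_jewels(resources):
    """Datastores flagged as holding sensitive data (the DSPM input)."""
    return {rid for rid, attrs in resources.items() if attrs.get("sensitive_data")}


def find_attack_paths(resources, edges, min_severity="high"):
    """Enumerate simple paths from each entry point to any sensitive store."""
    adj = build_adjacency(edges)
    targets = crown_jewels(resources)
    paths = []
    for start in entry_points(resources, min_severity):
        stack = [(start, [start])]
        while stack:
            node, path = stack.pop()
            if node in targets:
                paths.append(path)
                continue
            for _, nxt in adj.get(node, []):
                if nxt not in path:  # simple paths only, no cycles
                    stack.append((nxt, path + [nxt]))
    return sorted(paths)


def choke_points(paths):
    """Count how many paths cross each intermediate node.

    Fixing the most-traversed node removes the most paths at once, which is
    what 'fix the choke points first' means in practice.
    """
    counts = defaultdict(int)
    for path in paths:
        for node in path[1:-1]:
            counts[node] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    paths = find_attack_paths(RESOURCES, EDGES, min_severity="low")
    for p in paths:
        print(" -> ".join(p))
    print("choke points:", choke_points(paths))
    # Least-privilege fix: drop the identity's read permission and re-check.
    hardened = [e for e in EDGES if e != ("mi-app", "can_read", "st-customer")]
    print("paths after fix:", find_attack_paths(RESOURCES, hardened, min_severity="low"))
```

With the sample data, the managed identity mi-app sits on every path to the customer store, so removing its read permission eliminates both paths at once, whereas patching only vm-web-01 would leave the path from vm-batch-03 open. That is the kind of prioritisation attack path analysis is meant to give a team that cannot fix every recommendation immediately.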
Multicloud and CSPM vs CWPP
The multicloud wording matters. Defender for Cloud can connect Amazon Web Services (AWS) accounts and Google Cloud Platform (GCP) projects using agentless methods, then deliver CSPM insight and CWPP protection across them. This is why the exam may describe posture across more than just Azure subscriptions, and multicloud coverage is part of free Foundational CSPM.
Finally, do not blur CSPM and CWPP. CSPM asks whether resources are configured securely and how they score against standards; CWPP asks whether protected resources have threat detection enabled and generates alerts. Defender for Cloud contains both, which is why it appears in several question types.
- CSPM = posture, hardening, and recommendations.
- Foundational CSPM is free and automatic; Defender CSPM is the paid upgrade.
- Defender CSPM adds governance, regulatory compliance, attack paths, the cloud security graph, and agentless scanning.
- Multicloud (AWS/GCP) posture is included in free Foundational CSPM.
Why Agentless Scanning Matters
A distinctive Defender CSPM capability is agentless vulnerability scanning for machines. Traditional posture tools require installing an agent or extension on every VM, which slows coverage and leaves gaps when machines are unmanaged. Agentless scanning instead takes a snapshot of the machine's disk and analyzes it out-of-band, so Defender CSPM can surface operating-system and software vulnerabilities without deploying anything onto the workload. For SC-900 you only need the concept — agentless means broad coverage with no per-machine agent — and that it is a paid Defender CSPM feature, not part of free Foundational CSPM.
The related data-aware security posture (data security posture management, or DSPM) is another Defender CSPM differentiator. It automatically discovers datastores that contain sensitive data, then highlights resources where a breach would be most damaging, feeding that sensitivity context into attack path analysis. This is available with Defender CSPM or Defender for Storage, and it is why the exam may describe 'finding where sensitive data lives in the cloud' as a posture capability.
Classifying the Prompt: A Decision Drill
The fastest way to handle CSPM questions is to classify the verb in the prompt:
- If it asks for hardening guidance, configuration assessment, attack paths, standards, or secure score → think CSPM.
- If it asks for alerts for protected VMs, SQL databases, containers, or web apps → think CWPP / Defender plans.
- If it asks to collect security events and automate response across many sources → think Microsoft Sentinel.
- If it asks who is allowed to do something → think Azure RBAC, not CSPM.
| Prompt emphasis | CSPM tier needed |
|---|---|
| 'See posture weaknesses and a score' | Foundational CSPM (free) |
| 'Assess AWS and GCP posture' | Foundational CSPM (free) |
| 'Map attack paths to sensitive data' | Defender CSPM (paid) |
| 'Agentless vulnerability scan of VMs' | Defender CSPM (paid) |
| 'Assign remediation owners and track governance' | Defender CSPM (paid) |
Keeping the free-vs-paid line straight — secure score, recommendations, and multicloud coverage are free; governance, regulatory compliance, attack paths, the cloud security graph, and agentless scanning are paid — resolves the majority of CSPM exam items on its own.
Review Questions
Which CSPM capabilities are included free with Foundational CSPM when Defender for Cloud is enabled?
An organization wants attack path analysis and a queryable cloud security graph to find risky resource relationships. What must they enable?
Across which environments can Defender for Cloud CSPM provide posture insight?