6.1 Defender for Cloud Purpose and Exam Role

Key Takeaways

  • Microsoft Defender for Cloud is a Cloud-Native Application Protection Platform (CNAPP) for Azure, hybrid, and multicloud (AWS and GCP) resources.
  • Its two anchor capabilities are Cloud Security Posture Management (CSPM) for hardening and Cloud Workload Protection Platform (CWPP) for threat detection.
  • SC-900 positions Defender for Cloud as the product for assessing resources, surfacing recommendations, calculating secure score, and protecting workloads.
  • Do not confuse Defender for Cloud with Defender for Cloud Apps (the cloud access security broker for SaaS) or Microsoft Sentinel (the SIEM/SOAR).
Last updated: June 2026

Defender for Cloud as a CNAPP

Microsoft Defender for Cloud is the primary SC-900 service for cloud resource posture and workload protection. Microsoft now describes it as a Cloud-Native Application Protection Platform (CNAPP) — a unified solution that combines multiple cloud security tools to protect applications across their entire lifecycle, from code to runtime. The acronym CNAPP is increasingly tested, so memorize that Defender for Cloud is a CNAPP and that a CNAPP folds posture management, workload protection, and development security into one experience.

Microsoft frames Defender for Cloud around three core components:

  • Cloud Security Posture Management (CSPM) — checks and improves the security posture of cloud resources (the pre-breach, hardening side).
  • Cloud Workload Protection Platform (CWPP) — defends workloads such as virtual machines, containers, storage, databases, and serverless functions from threats (the active, threat-detection side).
  • Development Security Operations (DevSecOps) — manages code-level security across multicloud and multi-pipeline environments (GitHub, Azure DevOps, GitLab).

For SC-900 the two you must know cold are CSPM and CWPP. When a scenario asks how to understand and improve the security state of Azure or multicloud resources, Defender for Cloud is almost always the correct product family.

Recognizing Defender for Cloud Scenarios

The easiest way to spot Defender for Cloud is assessment language. Microsoft documents it as continually assessing resources, subscriptions, and the organization for security issues, then aggregating findings into posture views, recommendations, and a score so teams can decide what to fix first. That makes it different from a single network control (such as a web application firewall) or an identity tool (such as Microsoft Entra Privileged Identity Management).

| Scenario wording | Defender for Cloud concept |
| --- | --- |
| Assess cloud resources for security issues | Cloud Security Posture Management (CSPM) |
| Show recommendations to harden resources | Security recommendations |
| Track cloud posture in a single number | Cloud secure score |
| Monitor compliance against assigned standards | Regulatory compliance dashboard |
| Protect machines, containers, or databases from threats | Cloud workload protection / Defender plans |
| Review which assets are protected or unprotected | Asset inventory and coverage views |

Defender for Cloud also surfaces a unified portal dashboard that includes security posture, threat protection, asset coverage, critical recommendations, high-severity incidents, attack paths, and workload insights. SC-900 does not expect you to operate every blade — only to connect this dashboard wording to Defender for Cloud.

Common Traps and Product Boundaries

A frequent exam trap is confusing Defender product names. Defender for Cloud protects cloud resources, posture, and workloads. Defender for Cloud Apps is a separate cloud access security broker (CASB) focused on SaaS discovery and control. Defender for Endpoint protects endpoint devices. Defender for Identity protects on-premises Active Directory. If the prompt says cloud posture, subscriptions, resource recommendations, secure score, or workload-protection plans, stay with Defender for Cloud.

Use product purpose to eliminate distractors:

  • Azure Firewall, NSGs, DDoS Protection, and Bastion are infrastructure controls — they do not calculate secure score or assess subscriptions against standards.
  • Key Vault stores secrets, keys, and certificates — it does not assess posture.
  • Microsoft Sentinel is the cloud-native SIEM and SOAR for collecting, detecting, investigating, and automating across all security data; Defender for Cloud feeds alerts into Sentinel but is not itself the SIEM.
  • Microsoft Purview owns compliance, data classification, and governance — not cloud resource posture.

Defender for Cloud spans the timeline: pre-breach it exposes misconfigurations, missing protections, and compliance gaps through CSPM; during or after an attack it raises workload-protection alerts through CWPP. SC-900 may use the phrases pre-breach posture and post-breach threat protection — both live inside Defender for Cloud.

  • Choose Defender for Cloud for posture, recommendations, secure score, workload protection, and regulatory compliance views.
  • Choose Sentinel for SIEM/SOAR.
  • Choose Microsoft Entra services for identity and access.
  • Choose Microsoft Purview for compliance, information protection, and audit.

Where Defender for Cloud Fits in the Microsoft Security Story

SC-900's third skill area covers the capabilities of Microsoft security solutions, and Defender for Cloud is one of three pillars there alongside Microsoft Sentinel (the cloud-native SIEM and SOAR) and Microsoft Defender XDR (the extended detection and response suite covering endpoints, email, identity, and apps). A clean mental model: Defender for Cloud secures the cloud infrastructure and workloads, Defender XDR secures the end-user and productivity estate, and Sentinel collects, correlates, and automates across everything.

' questions quickly, because each prompt usually emphasizes one scope — cloud resources, user devices/mail, or organization-wide log analytics and automation.

It also helps to know how Defender for Cloud is enabled and billed, because the exam contrasts free and paid tiers. The moment you turn on Defender for Cloud on an Azure subscription, you get free Foundational CSPM and access to Microsoft Defender XDR at no charge. Layering on any Defender plan (for servers, storage, databases, containers, and so on) or the Defender CSPM plan adds paid, advanced capabilities. This free-then-upgrade structure is exactly why a single product can appear in both 'free posture visibility' and 'paid threat protection' questions.

A Quick Worked Selection Example

  • The requirements resolve cleanly: one place across Azure and AWS means multicloud, so Defender for Cloud; seeing misconfigurations and tracking a posture score means CSPM and secure score (free Foundational CSPM); and alerts when a database is attacked means CWPP, so enable Defender for Databases. Every requirement points to Defender for Cloud with one paid Defender plan layered on — the pattern the exam rewards: identify the product from the assessment/protection language, then name the specific capability.

| 'Which solution?' clue | Best answer |
| --- | --- |
| Secure cloud resources, posture, and workloads | Microsoft Defender for Cloud |
| Collect and correlate logs, automate response | Microsoft Sentinel |
| Protect endpoints, email, identity, and SaaS apps | Microsoft Defender XDR |
| Discover and control SaaS / shadow IT | Microsoft Defender for Cloud Apps |
| Govern, classify, and protect data | Microsoft Purview |

Test Your Knowledge

How does Microsoft describe Microsoft Defender for Cloud at the product level?


Which scenario most clearly points to Defender for Cloud rather than Defender for Cloud Apps?


Which Defender for Cloud feature area helps a team see whether their cloud assets are covered by posture and protection plans?
