8.6 Vulnerability Management and Threat Intelligence
Key Takeaways
- Microsoft Defender Vulnerability Management (MDVM) provides continuous asset discovery, risk-based vulnerability assessment, and built-in remediation across Windows, macOS, Linux, Android, iOS, and network devices.
- MDVM is available as an add-on to Defender for Endpoint Plan 2 and as a standalone offering; it prioritizes vulnerabilities by breach likelihood and business context.
- Microsoft Defender Threat Intelligence (Defender TI / MDTI) provides threat actor, indicator, and infrastructure context to enrich investigations.
- Vulnerability Management = your weaknesses/exposure; Threat Intelligence = the adversary/threat context.
- Both feed the Microsoft Defender portal; do not confuse vulnerability management with Purview compliance score.
Defender Vulnerability Management (MDVM)
Microsoft Defender Vulnerability Management (MDVM) continuously discovers assets and assesses their vulnerabilities and misconfigurations, then helps remediate them — all prioritized by real-world risk rather than raw CVSS scores. It uses Microsoft threat intelligence, breach-likelihood predictions, and business context so the highest-risk exposures rise to the top. Coverage spans Windows, macOS, Linux, Android, iOS, and network devices.
Core MDVM capabilities:
| Capability | What it provides |
|---|---|
| Asset discovery & inventory | Continuous, real-time view of devices, software, certificates, browser extensions, and firmware |
| Risk-based vulnerability assessment | Prioritizes vulnerabilities by exploitability and breach likelihood, not just severity |
| Security baselines assessment | Checks devices against benchmarks (e.g., CIS) |
| Built-in remediation | Creates remediation requests that flow to IT (integrates with Intune) |
| Blocking vulnerable apps / mitigations | Reduces exposure while patches are pending |
MDVM grew out of the threat & vulnerability management engine in Defender for Endpoint. It is available as core capabilities in Defender for Endpoint Plan 2, as an add-on, and as a standalone offering. The exam cue is simple: anything about finding, prioritizing, and reducing your own weaknesses and exposure is Defender Vulnerability Management.
Defender Threat Intelligence (Defender TI / MDTI)
Microsoft Defender Threat Intelligence (Defender TI / MDTI) is the other side of the coin: instead of your weaknesses, it provides context about the adversary — threat actors, their tools, indicators of compromise (IOCs), and malicious infrastructure (domains, IPs, host pairs). It maps the global threat landscape so analysts can enrich an investigation: "who is behind this, what infrastructure do they use, what else is connected to this indicator?" Defender TI's intelligence is surfaced through threat analytics in the Microsoft Defender portal and enriches incidents across Defender XDR and Microsoft Sentinel.
Telling the Two Apart (and from Look-alikes)
The two names describe their jobs; let that guide you:
| Question is about... | Choose | One-line cue |
|---|---|---|
| Your weaknesses / exposure to fix | Defender Vulnerability Management | "What are we exposed to and how do we fix it?" |
| The adversary / threat landscape | Defender Threat Intelligence | "Who is attacking and what infrastructure do they use?" |
| Cross-service incident investigation in one portal | Microsoft Defender XDR | Correlated incidents |
| SIEM/SOAR, hunt across all data, playbooks | Microsoft Sentinel | Tenant-wide analytics |
| Compliance score / improvement actions | Microsoft Purview Compliance Manager | Regulatory posture |
Two traps to avoid:
- Vulnerability management is NOT compliance score. Defender Vulnerability Management (security domain) measures technical exposure; Compliance Manager / compliance score (Purview, compliance domain) measures regulatory posture. Both "reduce risk," but they are different exam answers.
- Threat Intelligence is NOT Sentinel. If the prompt is broad SIEM/SOAR — ingest any log, hunt across everything, run playbooks — that is Microsoft Sentinel. Defender TI specifically means threat actor/indicator/infrastructure context.
Quick cues
- "Discover and prioritize vulnerable software on our devices" → Defender Vulnerability Management.
- "Research a threat actor's tools and malicious infrastructure" → Defender Threat Intelligence.
- "Improve our regulatory compliance score" → Purview Compliance Manager (not vulnerability management).
Risk-Based Prioritization — Why It Matters
The defining idea of Defender Vulnerability Management is that not all vulnerabilities are equal. A typical enterprise has thousands of open vulnerabilities and cannot patch them all at once. MDVM ranks them by real-world risk — combining the vulnerability's exploitability and active-exploitation signals (Microsoft threat intelligence and breach-likelihood predictions) with business context (how exposed and how critical the affected asset is).
The result is a prioritized, finite list of the exposures that actually matter most, with built-in remediation that hands work to IT (integrating with Microsoft Intune) and the option to block vulnerable applications as an interim mitigation while patches are scheduled. It also continuously inventories not just software but certificates, browser extensions, firmware, and hardware, broadening the picture of what could be exploited.
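The ranking idea above can be made concrete with a small model. This is an added illustration, not MDVM's actual scoring algorithm or any Microsoft code: it assumes an invented formula in which CVSS severity is scaled by threat signals (exploit availability, breach likelihood) and by business context (asset exposure, asset criticality), and the sample findings and their VULN-* ids are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one asset (constructed sample data, not real CVEs)."""
    vuln_id: str
    cvss: float               # raw severity, 0-10
    exploit_available: bool   # active-exploitation / public exploit signal
    breach_likelihood: float  # predicted likelihood of breach, 0-1
    asset_exposure: float     # 0 = isolated, 1 = internet-facing
    asset_criticality: float  # 0 = lab box, 1 = crown-jewel system


def risk_score(f: Finding) -> float:
    """Illustrative risk-based score (assumed model, not MDVM's algorithm).

    Threat and context each scale severity between 0.25x and 1.0x, so a
    critical CVSS on an isolated, non-critical asset with no exploit drops
    below a medium CVSS that is actively exploited on an exposed, critical one.
    """
    threat = 0.5 * f.breach_likelihood + (0.5 if f.exploit_available else 0.0)
    context = 0.5 * f.asset_exposure + 0.5 * f.asset_criticality
    return round(f.cvss * (0.25 + 0.75 * threat) * (0.25 + 0.75 * context), 2)


def rank_by_risk(findings: list[Finding]) -> list[str]:
    """Order of remediation under the risk-based model."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


def rank_by_cvss(findings: list[Finding]) -> list[str]:
    """Order of remediation if only raw severity were used."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


# Constructed sample: ids, scores and asset attributes are all made up.
SAMPLE = [
    Finding("VULN-A", 9.8, False, 0.1, 0.1, 0.2),  # critical CVSS, isolated lab host
    Finding("VULN-B", 7.5, True, 0.8, 0.9, 0.9),   # exploited, internet-facing web server
    Finding("VULN-C", 5.3, True, 0.6, 0.5, 1.0),   # exploited, internal domain controller
    Finding("VULN-D", 8.1, False, 0.3, 0.2, 0.5),  # high CVSS, low exposure, mid criticality
]

if __name__ == "__main__":
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"{f.vuln_id}: cvss={f.cvss:<4} risk={risk_score(f)}")
    print("by CVSS :", rank_by_cvss(SAMPLE))
    print("by risk :", rank_by_risk(SAMPLE))
```

Under raw CVSS the isolated lab host's VULN-A would be patched first; under the risk-based model the actively exploited, internet-facing VULN-B rises to the top and VULN-A falls to last.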
Its packaging is worth a one-line memory note: MDVM's core capabilities are included in Defender for Endpoint Plan 2, and a fuller premium feature set is available as an add-on or as a standalone product — so an organization can get vulnerability management without buying the full endpoint suite.
Threat Intelligence — Knowing the Adversary
Where MDVM looks inward at your exposure, Defender Threat Intelligence looks outward at the adversary. It maps the global threat landscape — profiles of threat actors, their tools and techniques, indicators of compromise, and the malicious infrastructure (domains, IP addresses, host pairs, certificates) they operate. Analysts use it to enrich an investigation: pivot from a suspicious domain to everything connected to it, or read an actor profile to understand intent.
Microsoft surfaces this intelligence through threat analytics in the Defender portal, and it enriches incidents across both Defender XDR and Microsoft Sentinel.
Two Clean Distinctions for Exam Day
Keep these straight: Vulnerability Management = inward, my weaknesses, technical exposure (security domain). Threat Intelligence = outward, the adversary, threat context (security domain). Neither is Microsoft Sentinel — Sentinel is the SIEM/SOAR that consumes this intelligence at scale. And vulnerability management is not the same as Purview's compliance score, which measures regulatory posture in the compliance domain. When a question pairs "risk" with technical weaknesses on devices, answer Defender Vulnerability Management; when it pairs "risk" with regulations and controls, answer Compliance Manager.
Review questions
- Which capability continuously discovers assets and prioritizes weaknesses by breach likelihood and business context, with built-in remediation?
- An analyst wants context on a threat actor's tooling, indicators of compromise, and malicious infrastructure. Which capability fits?
- Which statement correctly distinguishes Defender Vulnerability Management from Microsoft Purview compliance score?
- Which wording should steer you toward Microsoft Sentinel rather than Defender Threat Intelligence?