Microsoft Defender for IoT

Unified threat protection for all your IoT/OT devices.

Accelerate digital transformation with comprehensive security across your IoT/OT infrastructure. Microsoft Defender for IoT offers agentless network detection and response (NDR) that is rapidly deployed, works with diverse IoT, OT, and industrial control system (ICS) devices, and interoperates with Microsoft 365 Defender, Microsoft Sentinel, and external security operations center (SOC) tools. Deploy on-premises or via cloud. For IoT device builders, Defender for IoT offers lightweight agents for stronger device-layer security.

Full visibility into assets and risk across your entire IoT/OT environment

Continuous monitoring for threats and vulnerabilities, with IoT/OT-aware behavioral analytics and threat intelligence

Interoperability with Microsoft SIEM/SOAR and XDR to stop attacks with automated, cross-domain security and built-in AI

Flexible deployment options including on-premises, Azure-connected, or hybrid

Protect IoT and OT environments with agentless monitoring

Discover all your IoT/OT devices

Use passive, agentless network monitoring to safely gain a complete inventory of all your IoT/OT assets, with zero impact on IoT/OT performance. Analyze diverse and proprietary industrial protocols to visualize your IoT/OT network topology and see communication paths, and then use that information to accelerate network segmentation and zero trust initiatives. Identify equipment details such as manufacturer, device type, serial number, firmware level, and backplane layouts. Quickly identify the root cause of operational issues such as misconfigured devices and networks.

Protect devices with a risk-based approach

Proactively address vulnerabilities in your IoT/OT environment. Identify risks such as missing patches, open ports, unauthorized applications, and unauthorized subnet connections. Detect changes to device configurations, controller logic, and firmware. Prioritize fixes based on risk scoring and automated threat modeling, which identifies and visualizes the most likely attack paths for adversaries to compromise your most critical or crown jewel assets.

Detect threats with IoT/OT behavioral analytics

Monitor for anomalous or unauthorized activity using IoT/OT-aware behavioral analytics and threat intelligence. Strengthen IoT/OT zero trust security by instantly detecting unauthorized remote access and unauthorized or compromised devices. Rapidly triage real-time alerts, investigate historical traffic, and hunt for threats. Catch modern threats like zero-day malware and living-off-the-land tactics missed by static indicators of compromise (IOCs). Explore full-fidelity packet captures (PCAPs) for deeper analysis.

Unify IT/OT security with SIEM/SOAR and XDR

Get a bird's-eye view across IT/OT boundaries with interoperability with Microsoft Sentinel, cloud-native SIEM/SOAR. Automate response with IoT/OT playbooks. Use machine learning and threat intelligence from trillions of signals collected daily across the global Microsoft ecosystem (such as endpoints, cloud, Azure Active Directory, and Microsoft 365), augmented by IoT/OT-specific intelligence collected by a specialized Microsoft Section 52 security research team. Prevent attacks with extended detection and response (XDR) from Microsoft 365 Defender. Plus, get interoperability with other SOC tools such as Splunk, IBM QRadar, and ServiceNow.

For device manufacturers and solution operators: Build security into new IoT initiatives

Built-in security for new IoT projects

Help protect new IoT devices and Azure IoT projects from day one by deploying Defender for IoT security micro-agents. Reduce risk with real-time security posture monitoring across standard IoT operating systems. Support policies and compliance with continuous visibility into your IoT security, directly from the endpoint. Use Microsoft threat intelligence to detect evolving threats. Create custom alerts to define the most critical threats to your environment.

Protect IoT devices with minimal endpoint impact

Deploy endpoint security with minimal impact to your IoT devices—the Defender for IoT security micro-agent has a small footprint and no OS kernel dependencies. Deploy with the distribution model that works best for your devices, and modify source code to further customize the agent to your needs. Micro-agents are available for standard IoT operating systems, including Linux and Azure RTOS.

Secure your Azure IoT projects from edge to cloud

Use Defender for IoT with solutions like Azure IoT Edge and Azure RTOS to help secure your projects from edge to cloud, with security recommendations and alerts directly in Azure IoT Hub. Unify cloud security posture management and help protect those workloads using extended detection and response (XDR) from Microsoft Defender for Cloud. Connect to Microsoft Sentinel to feed IoT security alerts into your view across your entire enterprise.

Comprehensive security and compliance, built in

  • Microsoft invests more than USD$1 billion annually on cybersecurity research and development.

  • We employ more than 3,500 security experts who are dedicated to data security and privacy.

  • Azure has more certifications than any other cloud provider.

Microsoft Defender for IoT pricing

Defender for IoT offers two solutions: agentless monitoring for IoT/OT end-user organizations, and agent-based security for device builders and solution operators.

  • Agentless monitoring is free of charge for the first 1,000 committed devices for the first 30 days. After that, you'll automatically be charged by device commitment.

  • Security for agent-based devices provisioned and managed via IoT Hub is free of charge for 30 days. After that, you pay per device or per message.

Frequently asked questions about Defender for IoT

  • Defender for IoT offers two sets of capabilities. One is agentless monitoring via passive network traffic analysis (NTA), and the other is an additional layer of security delivered via endpoint micro-agents. Agentless monitoring is ideal for all end-user IoT/OT environments, while the security micro-agent is intended for device builders and solution operators who want to build a higher level of security into new devices. End-user organizations can also use a combination of the two for defense in depth.

  • Defender for IoT uses an on-premises network sensor (edge device) that connects to the SPAN port of a switch or to a TAP. It analyzes a copy of the traffic using passive monitoring with zero network impact. All analysis is performed at the edge, making it ideal for sites with low-bandwidth connections. Additionally, the traffic flows unidirectionally, from the switch to the sensor, for enhanced security and ISA-95 compliance. Deploy fully on premises or in the cloud, or in a hybrid architecture with an on-premises console, using the cloud to centrally manage network sensors and deliver continuously updated threat intelligence to them. Forward alerts to cloud-based SIEM/SOAR systems like Microsoft Sentinel.

  • Yes, selective probing is an optional discovery capability that may be helpful in highly segmented environments where deploying network sensors to all segments is impractical. Selective probing uses safe, native vendor-approved queries that can be scheduled to occur as often or as little as required.

  • Defender for IoT supports more than 100 protocols across diverse industrial equipment, including Modbus, DNP3, BACnet, EtherNet/IP, DeltaV, ROC, Siemens S7, Yokogawa, IEC 61850, and GOOSE. For custom or proprietary protocols, Microsoft offers an open SDK for easy development, testing, and deployment of custom protocol dissectors as plug-ins, without the need to divulge proprietary information about how protocols are designed or share PCAPs that may contain sensitive information.

  • Microsoft Sentinel is a cloud-native SIEM/SOAR platform with advanced AI and security analytics to help you detect, hunt, prevent, and respond to threats across your enterprise. Microsoft Defender for IoT is a specialized asset discovery, vulnerability management, and threat monitoring solution for IoT/OT environments. While Defender for IoT shares deep contextual information with Microsoft Sentinel about IoT/OT assets and threats to accelerate enterprise-wide detection and response, Sentinel isn't required. Defender for IoT is an open system that also works with tools such as Splunk, IBM QRadar, and ServiceNow.
