Microsoft Defender for IoT

Unified threat protection for all your IoT/OT devices

Accelerate digital transformation with comprehensive security across your IoT/OT infrastructure. Microsoft Defender for IoT offers agentless network detection and response (NDR) that is rapidly deployed, works with diverse IoT, OT and industrial control system (ICS) devices, and interoperates with Microsoft 365 Defender, Microsoft Sentinel and external security operations centre (SOC) tools. Deploy on premises or through the cloud. For IoT device builders, Defender for IoT offers lightweight agents for stronger device-layer security.

Full visibility into assets and risk across your entire IoT/OT environment

Continuous monitoring for threats and vulnerabilities, with IoT/OT-aware behavioural analytics and threat intelligence

Interoperability with Microsoft SIEM/SOAR and XDR to stop attacks with automated, cross-domain security and built-in AI

Flexible deployment options including on-premises, Azure-connected, or hybrid

Protect IoT and OT environments with agentless monitoring

Discover all your IoT/OT devices

Use passive, agentless network monitoring to safely gain a complete inventory of all your IoT/OT assets, with zero impact on IoT/OT performance. Analyse diverse and proprietary industrial protocols to visualise your IoT/OT network topology and see communication paths, and then use that information to accelerate network segmentation and zero trust initiatives. Identify equipment details such as manufacturer, device type, serial number, firmware level and backplane layouts. Quickly identify the root cause of operational issues such as misconfigured devices and networks.

Protect devices with a risk-based approach

Proactively address vulnerabilities in your IoT/OT environment. Identify risks such as missing patches, open ports, unauthorised applications and unauthorised subnet connections. Detect changes to device configurations, controller logic and firmware. Prioritise fixes based on risk scoring and automated threat modelling, which identifies and visualises the most likely attack paths for adversaries to compromise your most critical or crown jewel assets.

Detect threats with IoT/OT behavioural analytics

Monitor for anomalous or unauthorised activity using IoT/OT-aware behavioural analytics and threat intelligence. Strengthen IoT/OT zero trust security by instantly detecting unauthorised remote access and unauthorised or compromised devices. Rapidly triage real-time alerts, investigate historical traffic and hunt for threats. Catch modern threats like zero-day malware and living-off-the-land tactics missed by static indicators of compromise (IOCs). Explore full-fidelity packet captures (PCAPs) for deeper analysis.

Unify IT/OT security with SIEM/SOAR and XDR

Get a bird's-eye view across IT/OT boundaries with interoperability with Microsoft Sentinel, cloud-native SIEM/SOAR. Automate response with IoT/OT playbooks. Use machine learning and threat intelligence from trillions of signals collected daily across the global Microsoft ecosystem (such as endpoints, cloud, Azure Active Directory, and Microsoft 365), augmented by IoT/OT-specific intelligence collected by a specialised Microsoft Section 52 security research team. Prevent attacks with extended detection and response (XDR) from Microsoft 365 Defender. Plus, get interoperability with other SOC tools such as Splunk, IBM QRadar, and ServiceNow.

Learn why Microsoft Sentinel is a Leader in The Forrester Wave™: Security Analytics Platforms, Q4 2020

For device manufacturers and solution operators: Build security into new IoT initiatives

Built-in security for new IoT projects

Help protect new IoT devices and Azure IoT projects from day one by deploying Defender for IoT security micro-agents. Reduce risk with real-time security posture monitoring across standard IoT operating systems. Support policies and compliance with continuous visibility into your IoT security, directly from the endpoint. Use Microsoft threat intelligence to detect evolving threats. Create customised alerts to define the most critical threats to your environment.

Protect IoT devices with minimal endpoint impact

Deploy endpoint security with minimal impact to your IoT devices – the Defender for IoT security micro-agent has a small footprint and no OS kernel dependencies. Deploy with the distribution model that works best for your devices, and modify source code to further customise the agent to your needs. Micro-agents are available for standard IoT operating systems, including Linux and Azure RTOS.

Secure your Azure IoT projects from edge to cloud

Use Defender for IoT with solutions like Azure IoT Edge and Azure RTOS to help secure your projects from edge to cloud, with security recommendations and alerts directly in Azure IoT Hub. Unify cloud security posture management and help protect those workloads using extended detection and response (XDR) from Microsoft Defender for Cloud. Connect to Microsoft Sentinel to feed IoT security alerts into your view across your entire enterprise.

Get intelligent security, powered by AI and human expertise, with Microsoft

  • Benefit from Microsoft cybersecurity expertise, with more than $1 billion invested annually in research and development.
  • Learn about the Microsoft Security Response Centre, part of the defender community and on the front line of security response evolution.
  • Help prevent breaches across your entire organisation with integrated threat protection.

Microsoft Defender for IoT pricing

Defender for IoT offers two solutions: agentless monitoring for IoT/OT end-user organisations, and agent-based security for device builders and solution operators.

  • Agentless monitoring is free of charge for the first 1,000 committed devices for the first 30 days. After that, you'll automatically be charged by device commitment.
  • Security for agent-based devices provisioned and managed via IoT Hub is free of charge for 30 days. After that, you pay per device or per message.

Frequently asked questions about Defender for IoT

  • What does Defender for IoT offer? Two sets of capabilities. One is agentless monitoring via passive network traffic analysis (NTA), and the other is an additional layer of security delivered via endpoint micro-agents. Agentless monitoring is intended for all end-user IoT/OT environments, while the security micro-agent is intended for device builders and solution operators who want to build a higher level of security into new devices. End-user organisations can also combine the two for defence in depth.
  • How is agentless monitoring deployed? Defender for IoT uses an on-premises network sensor (edge device) that connects to the SPAN port of a switch or to a TAP. It analyses a copy of the traffic using passive monitoring, with zero impact on the production network. (A SPAN port can drop frames when the switch is oversubscribed; a TAP delivers a complete copy, so prefer one where full-fidelity PCAPs matter.) All analysis is performed at the edge, making it suitable for sites with low-bandwidth connections, and traffic flows unidirectionally, from the switch to the sensor, for enhanced security and ISA-95 compliance. Deploy fully on premises, fully in the cloud, or in a hybrid architecture with an on-premises console, using the cloud to centrally manage network sensors and deliver continuously updated threat intelligence to them. Forward alerts to cloud-based SIEM/SOAR systems such as Microsoft Sentinel.
  • Does Defender for IoT support active probing of devices? Yes. Selective probing is an optional discovery capability that may be helpful in highly segmented environments where deploying network sensors to all segments is impractical. Selective probing uses safe, native, vendor-approved queries that can be scheduled to run as often or as rarely as required.
  • Which protocols are supported? Defender for IoT supports more than 100 protocols across diverse industrial equipment, including Modbus, DNP3, BACnet, EtherNet/IP, DeltaV, ROC, Siemens S7, Yokogawa, IEC 61850 and GOOSE. For customised or proprietary protocols, Microsoft offers an open SDK for development, testing and deployment of custom protocol dissectors as plug-ins, without the need to divulge proprietary information about how protocols are designed or to share PCAPs that may contain sensitive information.
  • How does Defender for IoT relate to Microsoft Sentinel? Microsoft Sentinel is a cloud-native SIEM/SOAR platform with advanced AI and security analytics to help you detect, hunt, prevent and respond to threats across your enterprise. Microsoft Defender for IoT is a specialised asset discovery, vulnerability management and threat monitoring solution for IoT/OT environments. While Defender for IoT shares deep contextual information with Microsoft Sentinel about IoT/OT assets and threats to accelerate enterprise-wide detection and response, Sentinel isn't required. Defender for IoT is an open system that also works with tools such as Splunk, IBM QRadar and ServiceNow.
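The FAQ answers above describe a passive sensor parsing industrial protocols from a traffic copy to build an inventory and detect unauthorised writes to controllers (the same capabilities the "Discover", "Protect" and "Detect" sections promise). The following is an added illustration of that idea for one protocol, Modbus/TCP; it is not Microsoft's code, not the Defender for IoT sensor and not its dissector SDK. It assumes the standard Modbus/TCP framing (7-byte MBAP header, server on TCP port 502, function codes 5/6/15/16 as the state-changing writes), and the IP addresses, port numbers and allow-list are constructed for the example.

```python
"""Passive Modbus/TCP analysis over constructed traffic.

Added example, not Microsoft's code and not the Defender for IoT sensor. For one
industrial protocol it shows what a passive sensor does with a copy of the
traffic: build an asset inventory (which clients talk to which PLC unit, with
which function codes) and alert when a host outside an allow-list issues a
function code that changes controller state. All frames are constructed in this
file; nothing is sent on the network.
"""
import struct
from collections import defaultdict

MODBUS_PORT = 502  # Modbus/TCP servers (PLCs) listen here; requests go to it

# Function codes that modify PLC state (coils / holding registers).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header and function code of one Modbus/TCP ADU."""
    if len(payload) < 8:
        raise ValueError("short Modbus/TCP frame")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # MBAP length counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} disagrees with frame size {len(payload) - 6}")
    func = payload[7]
    return {"tid": tid, "unit": unit, "function": func & 0x7F,
            "exception": bool(func & 0x80), "data": payload[8:]}


def build_adu(tid: int, unit: int, func: int, data: bytes) -> bytes:
    """Assemble a Modbus/TCP ADU; used here only to construct the sample traffic."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed capture: (src_ip, src_port, dst_ip, dst_port, payload).
# Assumed roles: 10.0.0.10 is an HMI, 10.0.0.30 an engineering workstation,
# 10.0.0.20 a PLC, and 10.0.0.99 a host that should never write to the PLC.
SAMPLE_TRAFFIC = [
    ("10.0.0.10", 40001, "10.0.0.20", 502, build_adu(1, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.0.0.20", 502, "10.0.0.10", 40001, build_adu(1, 1, 3, bytes([20]) + bytes(20))),
    ("10.0.0.30", 40002, "10.0.0.20", 502, build_adu(2, 1, 6, struct.pack(">HH", 5, 1200))),
    ("10.0.0.20", 502, "10.0.0.30", 40002, build_adu(2, 1, 6, struct.pack(">HH", 5, 1200))),
    ("10.0.0.99", 40003, "10.0.0.20", 502, build_adu(3, 1, 16, struct.pack(">HHB", 0, 2, 4) + bytes(4))),
    ("10.0.0.10", 40001, "10.0.0.20", 502, build_adu(4, 1, 3, struct.pack(">HH", 9000, 1))),
    ("10.0.0.20", 502, "10.0.0.10", 40001, build_adu(4, 1, 0x83, bytes([2]))),  # exception 2: illegal data address
]


def analyse(traffic, allowed_writers):
    """Return (inventory, alerts) for a list of Modbus/TCP frames.

    inventory maps each server (ip, unit id) to the clients and function codes
    observed against it; alerts is a list of (kind, src, dst, detail) tuples.
    """
    inventory = defaultdict(lambda: {"clients": set(), "functions": set()})
    alerts = []
    for src, sport, dst, dport, payload in traffic:
        adu = parse_modbus_tcp(payload)
        if dport == MODBUS_PORT:                          # request: client -> server
            dev = inventory[(dst, adu["unit"])]
            dev["clients"].add(src)
            dev["functions"].add(adu["function"])
            if adu["function"] in WRITE_FUNCTIONS and src not in allowed_writers:
                alerts.append(("unauthorised-write", src, dst, WRITE_FUNCTIONS[adu["function"]]))
        elif sport == MODBUS_PORT and adu["exception"]:  # server refused a request
            alerts.append(("modbus-exception", src, dst, adu["data"][0]))
    return dict(inventory), alerts


if __name__ == "__main__":
    inv, found = analyse(SAMPLE_TRAFFIC, allowed_writers={"10.0.0.30"})
    for (ip, unit), info in inv.items():
        print(f"PLC {ip} unit {unit}: clients={sorted(info['clients'])} "
              f"functions={sorted(info['functions'])}")
    for alert in found:
        print("ALERT", alert)
```

Run as-is, the script inventories one PLC unit with three clients and raises two alerts: the write from 10.0.0.99, which is not on the allow-list, and the exception the PLC returned to the HMI's read of an illegal address (a signal worth keeping, since repeated exceptions from one client often indicate a misconfigured poller or a scanner rather than normal operation). A production sensor does the same for each of the protocols listed above and correlates the results with vendor and firmware data, but the passive, read-only nature of the analysis is the same.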
