Skip Navigation

Microsoft Defender for IoT

Unified threat protection for all your IoT/OT devices

Unified threat protection for all your IoT/OT devices

Accelerate digital transformation with comprehensive security across your IoT/OT infrastructure. Microsoft Defender for IoT offers agentless network detection and response (NDR) that is rapidly deployed, works with diverse IoT, OT, and industrial control system (ICS) devices, and interoperates with Microsoft 365 Defender, Microsoft Sentinel, and external security operations center (SOC) tools. Deploy on-premises or via cloud. For IoT device builders, Defender for IoT offers lightweight agents for stronger device-layer security.

Full visibility into assets and risk across your entire IoT/OT environment

Continuous monitoring for threats and vulnerabilities, with IoT/OT-aware behavioral analytics and threat intelligence

Interoperability with Microsoft SIEM/SOAR and XDR to stop attacks with automated, cross-domain security and built-in AI

Flexible deployment options including on-premises, Azure-connected, or hybrid

Protect IoT and OT environments with agentless monitoring

Discover all your IoT/OT devices

Use passive, agentless network monitoring to safely gain a complete inventory of all your IoT/OT assets, with zero impact on IoT/OT performance. Analyze diverse and proprietary industrial protocols to visualize your IoT/OT network topology and see communication paths, and then use that information to accelerate network segmentation and zero trust initiatives. Identify equipment details such as manufacturer, device type, serial number, firmware level, and backplane layouts. Quickly identify the root cause of operational issues such as misconfigured devices and networks.

Protect devices with a risk-based approach

Proactively address vulnerabilities in your IoT/OT environment. Identify risks such as missing patches, open ports, unauthorized applications, and unauthorized subnet connections. Detect changes to device configurations, controller logic, and firmware. Prioritize fixes based on risk scoring and automated threat modeling, which identifies and visualizes the most likely attack paths for adversaries to compromise your most critical or crown jewel assets.

Detect threats with IoT/OT behavioral analytics

Monitor for anomalous or unauthorized activity using IoT/OT-aware behavioral analytics and threat intelligence. Strengthen IoT/OT zero trust security by instantly detecting unauthorized remote access and unauthorized or compromised devices. Rapidly triage real-time alerts, investigate historical traffic, and hunt for threats. Catch modern threats like zero-day malware and living-off-the-land tactics missed by static indicators of compromise (IOCs). Explore full-fidelity packet captures (PCAPs) for deeper analysis.

Unify IT/OT security with SIEM/SOAR and XDR

Get a bird's-eye view across IT/OT boundaries with interoperability with Microsoft Sentinel, cloud-native SIEM/SOAR. Automate response with IoT/OT playbooks. Use machine learning and threat intelligence from trillions of signals collected daily across the global Microsoft ecosystem (such as endpoints, cloud, Azure Active Directory, and Microsoft 365), augmented by IoT/OT-specific intelligence collected by a specialized Microsoft Section 52 security research team. Prevent attacks with extended detection and response (XDR) from Microsoft 365 Defender. Plus, get interoperability with other SOC tools such as Splunk, IBM QRadar, and ServiceNow.

Learn why Microsoft Sentinel is a Leader in The Forrester WaveTM: Security Analytics Platforms, Q4 2020

For device manufacturers and solution operators: Build security into new IoT initiatives

Built-in security for new IoT projects

Help protect new IoT devices and Azure IoT projects from day one by deploying Defender for IoT security micro-agents. Reduce risk with real-time security posture monitoring across standard IoT operating systems. Support policies and compliance with continuous visibility into your IoT security, directly from the endpoint. Use Microsoft threat intelligence to detect evolving threats. Create custom alerts to define the most critical threats to your environment.

Learn more about security micro-agents

Protect IoT devices with minimal endpoint impact

Deploy endpoint security with minimal impact to your IoT devices—the Defender for IoT security micro-agent has a small footprint and no OS kernel dependencies. Deploy with the distribution model that works best for your devices, and modify source code to further customize the agent to your needs. Micro-agents are available for standard IoT operating systems, including Linux and Azure RTOS.

Secure your Azure IoT projects from edge to cloud

Use Defender for IoT with solutions like Azure IoT Edge and Azure RTOS to help secure your projects from edge to cloud, with security recommendations and alerts directly in Azure IoT Hub. Unify cloud security posture management and help protect those workloads using extended detection and response (XDR) from Microsoft Defender for Cloud. Connect to Microsoft Sentinel to feed IoT security alerts into your view across your entire enterprise.

Get intelligent security, powered by AI and human expertise, with Microsoft

  • Benefit from Microsoft cybersecurity expertise, with more than $1 billion invested annually on research and development.
  • Learn about the Microsoft Security Response Center, part of the defender community and on the front line of security response evolution.
  • Help prevent breaches across your entire organization with integrated threat protection.

Microsoft Defender for IoT pricing

Defender for IoT offers two solutions: agentless monitoring for IoT/OT end-user organizations, and agent-based security for device builders and solution operators.

  • Agentless monitoring is free of charge for the first 1,000 committed devices for the first 30 days. After that, you'll automatically be charged by device commitment.
  • Security for agent-based devices provisioned and managed via IoT Hub is free of charge for 30 days. After that, you pay per device or per message.

Frequently asked questions about Defender for IoT

  • Defender for IoT offers two sets of capabilities. One is agentless monitoring via passive network traffic analysis (NTA), and the other is an additional layer of security delivered via endpoint micro-agents. Agentless monitoring is ideal for all end-user IoT/OT environments, while the security micro-agent is intended for device builders and solution operators who want to build a higher level of security into new devices. End-user organizations can also use a combination of the two for defense in depth.
  • Defender for IoT uses an on-premises network sensor (edge device) that connects to the SPAN port of a switch or to a TAP. It analyzes a copy of the traffic using passive monitoring with zero network impact. All analysis is performed at the edge, making it ideal for sites with low-bandwidth connections. Additionally, the traffic flows unidirectionally, from the switch to the sensor, for enhanced security and ISA-95 compliance. Deploy fully on premises or in the cloud, or in a hybrid architecture with an on-premises console, using the cloud to centrally manage network sensors and deliver continuously updated threat intelligence to them. Forward alerts to cloud-based SIEM/SOAR systems like Microsoft Sentinel.
  • Yes, selective probing is an optional discovery capability that may be helpful in highly segmented environments where deploying network sensors to all segments is impractical. Selective probing uses safe, native vendor-approved queries that can be scheduled to occur as often or as little as required.
  • Defender for IoT supports more than 100 protocols across diverse industrial equipment, including Modbus, DNP3, BACnet, EtherNet/IP, DeltaV, ROC, Siemens S7, Yokogawa, IEC 61850, and GOOSE. For custom or proprietary protocols, Microsoft offers an open SDK for easy development, testing, and deployment of custom protocol dissectors as plug-ins, without the need to divulge proprietary information about how protocols are designed or share PCAPs that may contain sensitive information.
  • Microsoft Sentinel is a cloud-native SIEM/SOAR platform with advanced AI and security analytics to help you detect, hunt, prevent, and respond to threats across your enterprise. Microsoft Defender for IoT is a specialized asset discovery, vulnerability management, and threat monitoring solution for IoT/OT environments. While Defender for IoT shares deep contextual information with Microsoft Sentinel about IoT/OT assets and threats to accelerate enterprise-wide detection and response, Sentinel isn't required. Defender for IoT is an open system that also works with tools such as Splunk, IBM QRadar, and ServiceNow.

Ready when you are—let's set up your Azure free account

Can we help you?