CSPM & Secure Score
Understanding the Concept
Cloud Security Posture Management (CSPM) in Microsoft Defender for Cloud continuously assesses cloud resources against security benchmarks. The foundational CSPM capabilities (free) include security recommendations based on the Microsoft Cloud Security Benchmark (MCSB).
Defender CSPM (paid plan) adds attack path analysis, cloud security explorer, agentless scanning, governance, and regulatory compliance. Attack path analysis identifies exploitable paths from internet-facing resources to sensitive data.
The secure score represents overall cloud security posture as a percentage. Each recommendation has an associated weight, and implementing recommendations increases the score. Resources can be exempted with justification.
Key Points
- CSPM assesses cloud resources against security benchmarks
- Free foundational CSPM vs paid Defender CSPM plan
- Secure score: percentage-based posture metric
- Attack path analysis identifies exploitable paths
- Cloud security explorer queries cloud resource relationships
- MCSB (Microsoft Cloud Security Benchmark) as default standard
Why This Matters in Real Organizations
Cloud misconfigurations are the leading cause of data breaches. CSPM provides continuous visibility into cloud security posture, identifying risks before attackers exploit them. Attack path analysis reveals non-obvious risk combinations.
Common Mistakes to Avoid
Interview Tips
- Explain the difference between foundational and Defender CSPM
- Discuss how attack path analysis adds value beyond traditional recommendations
Exam Tips (SC-200)
- Know foundational vs Defender CSPM capabilities
- Understand secure score calculation and recommendations
- Know how to interpret attack path analysis results
Course Complete!
You've finished all lessons