SCU Calculator

Microsoft Security Copilot SCU Calculator — free monthly cost estimator

Use this tool to calculate Microsoft Security Copilot SCU cost in under 60 seconds. The SCU Calculator is a free pricing tool built and maintained by Ugur Koc, a Microsoft MVP. It estimates monthly Security Compute Unit (SCU) cost using formulas published by Microsoft.

A Security Compute Unit (SCU) is the metering unit Microsoft uses to bill Security Copilot consumption. Microsoft auto-includes a free SCU pool for paid Microsoft 365 E5 and E7 tenants at 0.4 SCU per paid license per month, capped at 10,000 SCU/month — the cap is reached at 25,000 paid licenses. The pool resets on the first of each month and does not roll over. Consumption beyond the included pool bills as overage at $6 USD per SCU. Provisioned capacity is committed by the hour at $4 USD per SCU per hour. Microsoft 365 E3 is not part of the inclusion.

The calculator accepts three primary inputs: license profile (E5, E7, or pay-as-you-go), chat administrator workload (number of admins, messages per workday across 22 working days), and selected Security Copilot agents from the published catalogue with documented or estimated SCU per run.

What will Security Copilot cost you?

Microsoft includes a free SCU pool with paid M365 E5 and E7. Enter your numbers to see what you'll pay beyond it.

1. License profile
3. Security Copilot chat admins

Admins using Copilot chat in the standalone portal or embedded experiences (Defender, Entra, Intune, Purview).

Standard · Mid-sized team, regular use

Each chat message is estimated at 0.25 SCU — calibrated below Microsoft's 0.5 SCU incident-summarisation reference, since chat prompts are typically lighter than full incident analysis.

4. Security Copilot agents

For finer control, pick specific agents in the agent picker below.

Within included pool

Projected monthly cost

$0

$0.00 per hour · 730h month

Fully covered by the included E5 / E7 pool. Add agents or analysts to model overage.

Show calculation

Chat usage: 8 admins × 5 msgs/admin/workday × 22 days × 0.25 SCU = 220 SCU/mo
Projected total: sum of above = 220 SCU/mo
Included pool (E5): min(10,000, 0.4 × 1,000) = 400 SCU/mo
Billable overage: max(0, total − included) = 0 SCU/mo
Monthly cost: 0 × $6 overage rate = $0
Annual: $0 (monthly × 12)
Pool: 400 SCU (from M365 E5)
Overage: 0 SCU (billed at $0/SCU)

Planning estimate. Verify at securitycopilot.microsoft.com/usage-monitoring.

Community benchmark

Orgs with 1,000-4,999 paid users

Aggregated from anonymous submissions. No tenant identifiers are stored.

How it works

Why your bill won't surprise you

  1. Your licence

    M365 E5 / E7 auto-fills a fresh pool every month

  2. Included pool

    0.4 SCU per paid E5 license, capped at 10,000/mo, resets on the 1st

  3. Agents drink

    each agent run, prompt or promptbook draws SCUs from the pool

  4. Only then: overage

    $6 per consumed SCU — only when the pool is dry

Think of SCUs like a prepaid bucket. Your M365 E5 / E7 licence refills the bucket on the first of each month. Every time an agent runs (e.g. someone reports a phishing email and the Phishing Triage Agent investigates), it scoops a small amount of SCU from the bucket — typically around 0.5 SCU per run. Whatever you don't use disappears at month-end. Once the bucket is empty, additional usage bills as overage at $6 per consumed SCU. You only ever pay for runs that actually happen.

Ugur Koc
In the tenants I've worked with, most agents run well under 0.5 SCU per run. It's a sensible upper bound for planning, but actual usage depends on the entities each run touches.
Pick specific agents

Override defaults with the agents you actually plan to enable.

Microsoft has not published per-run SCU rates for most agents. Defaults are calibrated for mid-market usage and anchored to Microsoft's 0.5 SCU incident-summarisation reference. Very large enterprises will see higher runs/month volumes — adjust the runs field per agent. Verify against your tenant's usage dashboard.

Defender O365 · Estimate

Phishing Triage Agent

Auto-triages user-reported phishing messages, classifying intent and prioritising real threats for the SOC.

Default 100 runs/month · 0.5 SCU/run

Defender XDR · Estimate

Security Alert Triage Agent

Reviews new alerts, summarises evidence, and proposes a verdict to reduce analyst time per incident.

Default 100 runs/month · 0.5 SCU/run

Entra · Microsoft

Conditional Access Optimization Agent

Scans Conditional Access policy gaps daily and proposes safe optimisations across users and apps.

Default 30 runs/month · 0.5 SCU/run

Entra ID Protection · Microsoft

Identity Risk Management Agent

Investigates risky users in batches and recommends remediations such as resets, MFA, or session revocation.

Default 30 runs/month · 0.5 SCU/run

Intune · Estimate

Vulnerability Remediation Agent

Continuously identifies vulnerable devices and drafts remediation tasks for endpoint admins.

Default 100 runs/month · 0.5 SCU/run

Standalone · Estimate

Threat Intelligence Briefing Agent

Generates a tailored threat intelligence briefing for the tenant on a recurring schedule.

Default 4 runs/month · 0.5 SCU/run

Purview IRM · Estimate

Insider Risk Triage Agent

Triages insider risk alerts by analysing recent user activity and surfacing the highest-risk cases.

Default 100 runs/month · 0.5 SCU/run

Purview DLP · Estimate

DLP Alert Triage Agent

Reviews DLP alerts and prioritises real exposure incidents over noise.

Default 100 runs/month · 0.5 SCU/run

Projected monthly: $0 (in pool)

Security Compute Units meter Microsoft Security Copilot consumption. Microsoft does not publish per-operation SCU rates. Their billing-math examples illustrate with a hypothetical prompt at 3 SCU, an incident summary at 0.5 SCU, and a promptbook at 3.7 SCU — these are teaching scenarios, not benchmarks. Real consumption depends on prompt complexity and is only visible in your tenant's usage dashboard. See our full methodology for the sourcing behind every number.

Microsoft auto-includes a free SCU pool with paid Microsoft 365 E5 and E7 at 0.4 SCU × paid_E5_users per month, capped at 10,000 SCU — the cap is hit at 25,000 paid licenses. (Microsoft's docs phrase the same rate as “400 SCU per 1,000 paid licenses.”) The pool resets on the 1st of each month and unused SCUs do not roll over. Consumption beyond the pool bills as overage at $6 USD per SCU, billed at one-decimal precision. E3 is not part of the inclusion — see the detailed FAQ or the Microsoft Learn inclusion FAQ.

Microsoft has only published per-run rates for the Conditional Access Optimization and Identity Risk Management agents (less than 1 SCU per run on average). For everything else, see the per-agent SCU table — verify against your tenant's usage dashboard.

FAQ

Frequently asked questions

Short answers below — see /faq for the long form.

What is a Security Compute Unit (SCU)?

A Security Compute Unit (SCU) is a unit of compute capacity Microsoft uses to meter Security Copilot consumption. In provisioned mode you commit to N SCUs per hour at a flat rate; in E5/E7 inclusion and overage modes, SCUs are deducted per consumed operation at one-decimal precision. Microsoft does not publish per-operation SCU rates; the figures of 3 SCU per prompt, 0.5 SCU per incident summary, and 3.7 SCU per promptbook appear in Microsoft Learn's billing-math examples as teaching scenarios, not benchmarks. Real consumption depends on operation complexity and is only visible in your tenant's usage dashboard.

How do I calculate SCU cost for Microsoft Security Copilot?

To calculate Security Copilot SCU cost: (1) determine your included pool — paid Microsoft 365 E5 and E7 tenants get 0.4 SCU per license per month, capped at 10,000 SCU/month; (2) estimate monthly consumption by summing chat-administrator usage (admins × messages per workday × ~3 SCU per prompt × 22 working days) and per-agent runs (run count × documented or estimated SCU per run); (3) subtract the included pool from total consumption, then multiply any remainder by $6 USD per SCU for overage, or commit to N SCUs at $4 USD per SCU per hour for provisioned capacity. This calculator runs that math automatically — pick a license profile, enter admin workload, select agents, and the monthly cost appears instantly.
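The three steps above as a small script. This is an added example, not the calculator's own code. The function names are hypothetical, the per-message SCU figure is a parameter (the "Show calculation" panel uses 0.25), and rounding the overage half-up to one decimal is an assumption about how the one-decimal billing precision is applied.

```python
from decimal import Decimal, ROUND_HALF_UP

# Rates as stated on this page.
POOL_RATE = Decimal("0.4")          # included SCU per paid E5/E7 license per month
POOL_CAP = Decimal("10000")         # included-pool ceiling, SCU per month
OVERAGE_USD = Decimal("6")          # USD per overage SCU
PROVISIONED_USD_HR = Decimal("4")   # USD per provisioned SCU per hour
HOURS_PER_MONTH = 730
WORKDAYS = 22

def included_pool(paid_licenses):
    """Step 1: monthly included pool. Pass 0 for E3 or pay-as-you-go tenants."""
    return min(POOL_CAP, POOL_RATE * paid_licenses)

def monthly_usage(admins, msgs_per_workday, scu_per_msg, agents):
    """Step 2: chat usage plus agent runs. agents maps name -> (runs, scu_per_run)."""
    chat = Decimal(admins) * msgs_per_workday * WORKDAYS * Decimal(str(scu_per_msg))
    runs = sum(Decimal(r) * Decimal(str(s)) for r, s in agents.values())
    return chat + runs

def estimate(paid_licenses, admins, msgs_per_workday, scu_per_msg, agents):
    """Step 3: overage beyond the pool, priced at the overage rate."""
    total = monthly_usage(admins, msgs_per_workday, scu_per_msg, agents)
    pool = included_pool(paid_licenses)
    # Assumption: one-decimal billing precision modelled as half-up rounding.
    overage = max(Decimal(0), total - pool).quantize(Decimal("0.1"), ROUND_HALF_UP)
    return {"total_scu": total, "pool_scu": pool,
            "overage_scu": overage, "cost_usd": overage * OVERAGE_USD}

def provisioned_cost(scus):
    """Alternative model: N SCUs committed around the clock for one month."""
    return Decimal(scus) * PROVISIONED_USD_HR * HOURS_PER_MONTH

# The eight agents listed on this page with their default runs/month and SCU/run.
DEFAULT_AGENTS = {
    "Phishing Triage": (100, 0.5), "Security Alert Triage": (100, 0.5),
    "Conditional Access Optimization": (30, 0.5), "Identity Risk Management": (30, 0.5),
    "Vulnerability Remediation": (100, 0.5), "Threat Intelligence Briefing": (4, 0.5),
    "Insider Risk Triage": (100, 0.5), "DLP Alert Triage": (100, 0.5),
}

if __name__ == "__main__":
    # Constructed scenario: 1,000 E5 licenses, 8 admins, 5 messages per workday.
    print(estimate(1000, 8, 5, 0.25, {}))              # chat only, stays in the pool
    print(estimate(1000, 8, 5, 0.25, DEFAULT_AGENTS))  # all agents enabled
    print(provisioned_cost(1))
```

Passing 0 licenses models a tenant with no included pool, so every consumed SCU is priced as overage.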

Are SCUs included with Microsoft 365 E5?

Yes. Microsoft began auto-provisioning SCUs to paid Microsoft 365 E5 and E7 subscriptions in November 2025, with global rollout completing by mid-2026. The included pool is 0.4 SCU per paid E5/E7 license per month, capped at 10,000 SCU/month — the cap is reached at exactly 25,000 paid licenses. Microsoft's documentation phrases the same rate as 400 SCUs per 1,000 paid licenses; both produce identical math. A tenant with 5,000 paid E5 users therefore receives 2,000 included SCU per month.

Are SCUs included with Microsoft 365 E3?

No. Microsoft has only announced auto-included SCUs for Microsoft 365 E5 and E7. E3 subscriptions receive no included SCU and consumption is fully billable at the published overage rate.

What is the SCU overage rate?

Microsoft documents an overage rate of $6 USD per SCU on a pay-as-you-go basis once the included pool is exhausted and overage is enabled for the tenant. Overage is billed at one-decimal precision per consumed SCU — not rounded up to whole units.

What does a provisioned SCU cost per hour?

Microsoft's pricing examples use $4 USD per provisioned SCU per hour. A single provisioned SCU running 24/7 costs roughly $2,920 per month — billed flat, regardless of how much capacity you actually consume that hour. E5/E7 inclusion is a separate model with no hourly billing; the two don't stack.

How many SCU does the Phishing Triage Agent consume?

Microsoft has not published a per-run rate for the Phishing Triage Agent. Field reports from Microsoft product teams put it around 0.5 SCU per email triaged — the same as the incident-summarisation reference in Microsoft's billing-math example. This calculator uses 0.5 SCU as the default; verify against your tenant's usage dashboard.

How many SCU does the Conditional Access Optimization Agent consume?

Microsoft documents the Conditional Access Optimization Agent at less than 1 SCU per run on average. A single run can scan up to 300 users and 150 apps.

How many SCU does my organisation need?

Microsoft does not publish a definitive sizing matrix per analyst or per endpoint. The recommended approach is to provision 1 to 3 SCU per hour for evaluation, set overage to unlimited or a budget cap, then size up based on the tenant usage dashboard after the first month.

Sourced from Microsoft Learn