Agents
Microsoft Security Copilot agents and SCU consumption
Microsoft has published per-run SCU rates for two agents only. Every other rate on this page is a conservative upper bound drawn from Microsoft billing reference examples. Verify actual consumption in the Security Copilot usage dashboard at securitycopilot.microsoft.com/usage-monitoring.
| Agent | Product | SCU/run | Source |
|---|---|---|---|
| Phishing Triage Agent Auto-triages user-reported phishing messages, classifying intent and prioritising real threats for the SOC. | Microsoft Defender for Office 365 | 0.5 | Estimate Microsoft does not publish a per-run rate; their Phishing Triage docs point to the in-tenant usage dashboard ("cost per email processed"). 0.5 SCU anchors to Microsoft's incident-summarisation reference in their billing-math example. |
| Security Alert Triage Agent Reviews new alerts, summarises evidence, and proposes a verdict to reduce analyst time per incident. | Microsoft Defender XDR | 0.5 | Estimate Microsoft does not publish a per-run rate; their Alert Triage docs point to the in-tenant usage dashboard. 0.5 SCU anchors to Microsoft's incident-summarisation reference (the underlying operation). |
| Conditional Access Optimization Agent Scans Conditional Access policy gaps daily and proposes safe optimisations across users and apps. | Microsoft Entra | 0.5 | Microsoft Microsoft Learn states verbatim: "On average, each agent run consumes less than one SCU." 0.5 used as the midpoint estimate. |
| Identity Risk Management Agent Investigates risky users in batches and recommends remediations such as resets, MFA, or session revocation. | Microsoft Entra ID Protection | 0.5 | Microsoft Microsoft Learn states verbatim: "On average, each agent run consumes less than one SCU." 0.5 used as the midpoint estimate. |
| Vulnerability Remediation Agent Continuously identifies vulnerable devices and drafts remediation tasks for endpoint admins. | Microsoft Intune | 0.5 | Estimate Microsoft does not publish a per-run rate. 0.5 SCU anchors to the incident-summarisation reference; verify against your tenant's usage dashboard. |
| Threat Intelligence Briefing Agent Generates a tailored threat intelligence briefing for the tenant on a recurring schedule. | Microsoft Security Copilot standalone | 0.5 | Estimate Microsoft does not publish a per-run rate. Aligned with the other triage agents at 0.5 SCU; the 3.7 SCU promptbook value in Microsoft's billing-math example is an illustrative scenario, not a benchmark for this agent. |
| Insider Risk Triage Agent Triages insider risk alerts by analysing recent user activity and surfacing the highest-risk cases. | Microsoft Purview Insider Risk Management | 0.5 | Estimate Microsoft documents that consumption depends on alert volume and type and points to the in-tenant usage dashboard. 0.5 SCU anchors to the incident-summarisation reference. |
| DLP Alert Triage Agent Reviews DLP alerts and prioritises real exposure incidents over noise. | Microsoft Purview Data Loss Prevention | 0.5 | Estimate Microsoft documents that consumption depends on alert volume and type and points to the in-tenant usage dashboard. 0.5 SCU anchors to the incident-summarisation reference. |