Microsoft Defender Family: Endpoint P1, P2, Business and XDR — Which One?
“Defender” is not one product — Microsoft’s security portfolio carries the same brand on multiple SKUs. To make the right choice you need to know the difference: Defender for Endpoint Plan 1, Defender for Endpoint Plan 2, Defender for Business and Defender XDR (formerly Microsoft 365 Defender) deliver different capabilities to different audiences. This article compares all four based on Microsoft’s official documentation.
First the framing: what does the Defender brand cover?
The Microsoft Defender portfolio today (verifiable at the Microsoft Learn security overview):
- Microsoft Defender for Endpoint (MDE): endpoint protection and detection for Windows, macOS, Linux, iOS and Android.
- Microsoft Defender for Business: Endpoint protection simplified for SMBs.
- Microsoft Defender for Office 365: Email + Teams + SharePoint security (Safe Links, Safe Attachments, anti-phishing).
- Microsoft Defender for Identity: Identity-based threat detection over on-prem Active Directory.
- Microsoft Defender for Cloud Apps: CASB for SaaS apps (Shadow IT discovery, session control).
- Microsoft Defender XDR: correlated visibility across the above (rebrand from “Microsoft 365 Defender”).
This article focuses on the endpoint side: what do Plan 1, Plan 2, Business and the XDR Suite actually deliver?
Defender for Endpoint Plan 1 — baseline endpoint protection
Per Microsoft’s MDE Plan 1 overview, Plan 1 is essentially modern endpoint antivirus with a few extras:
- Next-generation protection (anti-malware, cloud-based signatures, behaviour-based detection)
- Attack Surface Reduction (ASR) rules
- Device-based Conditional Access integration
- Manual response (isolate device, stop file)
- Limited reporting
Not included: Automated Investigation & Response, EDR, Threat & Vulnerability Management, Advanced Hunting (KQL), Threat Intelligence.
Who it fits: teams without a dedicated security operation that just want a stronger baseline than off-the-shelf AV.
Bundled with: Microsoft 365 E3.
Defender for Endpoint Plan 2 — full EDR
Plan 2 adds everything modern EDR is expected to do, on top of Plan 1. Per MDE Plan 2 documentation:
- EDR: automated investigation & response, real-time detection
- Threat & Vulnerability Management (TVM): prioritised vulnerability triage
- Advanced Hunting: custom queries in KQL (Kusto Query Language)
- Microsoft Threat Intelligence integration
- Live Response — interactive remote shell to a compromised device
- Device timeline — visual reconstruction of attack chains
Who it fits: organisations with at least a small SOC capability, or those running 24/7 MDR through a partner.
Bundled with: Microsoft 365 E5 (also available on E3 via the Microsoft 365 E5 Security add-on).
Defender for Business — Plan 1 + the parts that matter to SMBs
Defender for Business is a curated subset of Plan 2 packaged for organisations under 300 users. You get most of the meaningful EDR features in a simplified admin console: automated investigation, simplified policies, threat & vulnerability management, mobile threat defence.
Who it fits: SMBs that want EDR-grade protection without staffing for advanced hunting.
Bundled with: Microsoft 365 Business Premium.
Defender XDR (the “Suite”)
XDR is not a single SKU — it’s the correlation layer that connects Endpoint P2 + Office 365 P2 + Identity + Cloud Apps into a single attack-chain view. The killer feature: when a phishing email lands, gets clicked, executes on the endpoint and attempts lateral movement through AD, all four Defender products see a single incident with a single timeline.
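The attack chain described above is what Plan 2’s Advanced Hunting lets you reconstruct by hand, and what the XDR correlation layer does automatically. The following KQL is an added illustration written for this article, not a query from Microsoft’s documentation: it joins the email, click, endpoint-process and identity-logon signals for one user into a single timeline. Table and column names are the documented Defender XDR advanced hunting schema; the one-hour windows and the browser/script-host lists are assumptions chosen for the example.

```kusto
// Added illustration: chain phishing mail -> click -> child process -> logon
// to another host for the same account, all within assumed 1h windows.
let window = 1h;
let clicks =
    UrlClickEvents
    | where Timestamp > ago(7d) and ActionType == "ClickAllowed"
    | project ClickTime = Timestamp, AccountUpn, Url, NetworkMessageId;
let mails =
    EmailEvents
    | where Timestamp > ago(7d)
    | project MailTime = Timestamp, NetworkMessageId, SenderFromAddress, Subject;
let spawns =
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    // assumption: mail client or browser launching a script host
    | where InitiatingProcessFileName in~ ("outlook.exe", "msedge.exe", "chrome.exe")
    | where FileName in~ ("powershell.exe", "wscript.exe", "mshta.exe", "cmd.exe")
    | project ProcTime = Timestamp, DeviceName, AccountUpn, FileName, ProcessCommandLine;
let logons =
    IdentityLogonEvents
    | where Timestamp > ago(7d) and ActionType == "LogonSuccess"
    | project LogonTime = Timestamp, AccountUpn, DestinationDeviceName, LogonType;
clicks
| join kind=inner mails on NetworkMessageId          // which message was clicked
| join kind=inner spawns on AccountUpn               // same user, process on endpoint
| where ProcTime between (ClickTime .. (ClickTime + window))
| join kind=inner logons on AccountUpn               // same user, logon elsewhere
| where LogonTime between (ProcTime .. (ProcTime + window))
| where DestinationDeviceName !~ DeviceName          // moved to a different host
| project ClickTime, AccountUpn, SenderFromAddress, Subject, Url,
          ProcTime, DeviceName, FileName, ProcessCommandLine,
          LogonTime, DestinationDeviceName, LogonType
| order by ClickTime asc
```

Plan 1 tenants cannot run this at all (no Advanced Hunting); Plan 2 tenants run it manually or as a custom detection; with the full XDR suite the same four signals surface as one incident without anyone writing the join.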
Decision matrix
| Profile | Recommendation |
|---|---|
| 5–50 users, no security ops | Defender for Business (via M365 Business Premium) |
| 50–300 users, no SOC | Defender for Business or Defender Plan 1 (M365 E3) + outsourced MDR |
| 300+ users, in-house security ops | Defender Plan 2 + Defender XDR (M365 E5) |
| 300+ users, third-party SIEM/SOC | Defender Plan 1 + integration to existing platform |
| Heavily regulated (finance, healthcare) | Defender XDR (M365 E5) |
| Mixed estate (field + knowledge workers) | Plan 1 for field via E3, Defender for Business for office |
Frequently asked questions
Is Defender for Business “just Plan 1 with a different label”? No. Defender for Business sits between Plan 1 and Plan 2 — it includes most automated EDR features that Plan 1 lacks, but simplifies management for SMB scale.
Can I run Defender for Business alongside a third-party AV? Microsoft supports a “passive mode” — Defender for Business runs as the EDR layer while a third-party AV does prevention. Not recommended long-term; pick one.
Is the Office 365 part included with Defender for Business? No. Defender for Business covers endpoint only. For email + Teams + SharePoint you need Defender for Office 365 (P1 or P2).
Bottom line
For most SMBs in 2026 the right starting point is Microsoft 365 Business Premium, which includes Defender for Business. Mid-market and regulated organisations should evaluate M365 E5 (or E3 + add-ons) for the full XDR experience.
To map your existing licence inventory against the Defender SKUs that actually fit your risk profile, contact us for a free assessment.