Frontrow Technology

Defender Vulnerability Management Australia 2026 — what the standalone SKU adds, the dollar cost, when it pays back

Microsoft Defender Vulnerability Management is a paid SKU that extends Defender for Endpoint with security baselines, browser extension assessment, certificate inventory and authenticated network scanning. AUD pricing, what it actually adds and the break-even for AU mid-market.

Daniel Brown · Last reviewed 18 May 2026 · 8 min read

Microsoft Defender Vulnerability Management — confusingly named, often called 'Defender VM' or 'MDVM' — is the paid add-on that sits on top of Defender for Endpoint to deliver the parts of the vulnerability lifecycle that the core licence doesn't. Australian buyers consistently underestimate it because the marketing surfaces it as 'vulnerability management', which sounds like something Defender for Endpoint already provides. The reality is more nuanced.

What's already in Defender for Endpoint

Every Microsoft 365 E5 tenant (or E3 with the Defender for Endpoint P2 add-on) ships with what Microsoft calls Threat and Vulnerability Management (TVM) Core. TVM Core gives you device-level CVE discovery, software inventory, basic risk-based prioritisation, exposure score and Secure Score for Devices. For most AU mid-market tenants that's the vulnerability management most security teams actually use.

What the paid Defender VM add-on adds

The standalone Defender Vulnerability Management add-on layers seven capabilities on top of TVM Core. Each is a capability the core licence does not provide.

  1. Security baselines assessment — measures device compliance with Microsoft, CIS and STIG baselines (Windows 10/11, Server, Edge). You get a per-device baseline-compliance score and a remediation queue. The closest standalone product is Tenable Nessus with the CIS-CAT add-on.
  2. Browser extension assessment — inventories every browser extension across Edge, Chrome and Firefox, with permissions and risk classification. Catches the shadow-IT extension footprint most tenants are blind to.
  3. Digital certificate inventory — finds every certificate on every device, including expiry, signing chain and weak algorithms. This is the certificate-rot detection problem that drives outage tickets.
  4. Network share assessment — flags risky SMB shares (anonymous access, overly broad NTFS permissions) on every Defender-onboarded device.
  5. Authenticated scan for Windows and network devices — a privileged scan that finds vulnerabilities invisible to the agent; particularly relevant for unmanaged or third-party devices on the corporate network.
  6. Block vulnerable applications — push-button policy to block specific vulnerable application versions across the estate from the Defender portal. Bypasses the App Control / WDAC complexity for tactical responses.
  7. Hardware and firmware assessment — BIOS, processor and network adapter firmware inventory with CVE matching. The hardest vulnerability surface to inventory by any other means.

AUD pricing in 2026

Defender Vulnerability Management is $2.30 AUD per user per month as a standalone add-on (Microsoft public price, billed annually). It's included free in Microsoft Defender for Servers Plan 2 (Azure Defender for Cloud), so if you're running Defender for Servers P2 on your server estate, the add-on is already paid for; just enable it for users. For a 200-user AU mid-market tenant, the standalone add-on is approximately $5,520 AUD per year.

When the add-on pays back

The break-even calculation isn't simple because the value depends on what the security team would otherwise spend or skip. The five most common AU justifications:

  • You currently pay for a standalone vulnerability scanner — Tenable Nessus Professional in AU is approximately $4,500 AUD per scanner per year; for a typical mid-market deployment of 3–5 scanners, MDVM with authenticated scan covers most of the same use case at meaningfully lower cost.
  • You're compliance-driven for Essential Eight ML2 — the maturity model expects vulnerability scanning of internet-facing devices weekly and other devices monthly. MDVM with authenticated scan satisfies this without separate tooling.
  • Your CIS / STIG baseline assessment is currently manual — most AU mid-market security teams audit baselines once a year via consultant engagement. MDVM continuous baselines replace the engagement.
  • Your browser extension footprint is unknown — and increasingly material for Copilot data exfiltration risk and credential theft via malicious extensions.
  • Your certificate management is reactive — you find expiring certificates when something breaks. MDVM gives you 90-day visibility ahead of expiry.

When the add-on doesn't pay back

Three patterns where the add-on is not worth it. First, you already operate a mature vulnerability program with Tenable or Qualys integrated into your SIEM and a tuned process — re-platforming is more cost than it saves. Second, you're on Microsoft 365 E3 with Defender P1 only — you need P2 first; without it, the add-on has nothing to layer onto. Third, you're a heavy server-Linux shop — MDVM is strongest on Windows; Linux coverage is improving but still trails Tenable.

Rolling out MDVM in an AU tenant

  1. Confirm your licensing — Defender for Endpoint P2 must be live on every device you want to assess; MDVM doesn't work on P1 or on onboarded-but-unlicensed devices.
  2. Turn on the add-on in the Microsoft 365 admin centre or as part of your existing volume agreement; assignment is per-user.
  3. Enable Security Baselines via the Defender portal → Vulnerability Management → Baselines compliance. Start with Windows 11 baselines for endpoints and Windows Server 2022 for servers.
  4. Schedule authenticated scans of any unmanaged network ranges from your Defender-onboarded servers (no extra agent needed; uses existing credentials via Group Policy or stored credentials).
  5. Wire the vulnerability findings into your existing ticketing/Sentinel as needed — the Defender VM API surfaces findings for any downstream system.
  6. Review the browser extension inventory in week 2 — usually the highest-impact finding for AU mid-market.
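Step 5 is the one that usually needs code. The script below is an added example (not Frontrow's or Microsoft's own code) showing one way to pull Defender VM findings into a downstream queue: it runs a KQL query against the DeviceTvmSoftwareVulnerabilities table through the Advanced Hunting API (POST /api/advancedqueries/run on api.securitycenter.microsoft.com, client-credentials token with the AdvancedQuery.Read.All application permission), then collapses the per-device rows into one ticket per CVE and software, ordered by severity and blast radius. The tenant, app and secret values are placeholders, the column names follow the documented table schema (check them against the schema view in your own tenant), the sample rows are constructed, and the CVE identifiers in them are deliberately fake placeholders.

```python
"""Turn Defender VM findings into a ticket-ready queue via Advanced Hunting.

Added example. Tenant/app/secret are placeholders; SAMPLE_ROWS is constructed
test data with placeholder CVE ids, not output from a real tenant.
"""
import json
import urllib.parse
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com"
TOKEN_SCOPE = API_BASE + "/.default"

# KQL against DeviceTvmSoftwareVulnerabilities. Column names are from the
# documented schema; confirm them in your tenant's Advanced Hunting schema view.
FINDINGS_QUERY = """
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")
| project DeviceName, SoftwareName, SoftwareVersion, CveId,
          VulnerabilitySeverityLevel, RecommendedSecurityUpdate
"""

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}


def get_token(tenant_id, client_id, client_secret):
    """Client-credentials token for an app registration that has been granted
    AdvancedQuery.Read.All on the WindowsDefenderATP API (placeholder inputs)."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": TOKEN_SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]


def build_hunting_request(token, query):
    """Build (but do not send) the Advanced Hunting API request."""
    return urllib.request.Request(
        API_BASE + "/api/advancedqueries/run",
        data=json.dumps({"Query": query}).encode(),
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )


def fetch_findings(token, query=FINDINGS_QUERY):
    """Run the query; the API returns {"Schema": [...], "Results": [...]}."""
    with urllib.request.urlopen(build_hunting_request(token, query)) as resp:
        return json.load(resp)["Results"]


def summarise_findings(rows):
    """Collapse per-device rows into one entry per (CVE, software), ranked by
    severity, then by number of affected devices, then by CVE id."""
    groups = {}
    for r in rows:
        key = (r["CveId"], r["SoftwareName"])
        g = groups.setdefault(key, {
            "cve": r["CveId"],
            "software": r["SoftwareName"],
            "severity": r["VulnerabilitySeverityLevel"],
            "fix": r.get("RecommendedSecurityUpdate") or "",
            "devices": set(),
        })
        g["devices"].add(r["DeviceName"])
    summary = []
    for g in groups.values():
        g["device_count"] = len(g["devices"])
        g["devices"] = sorted(g["devices"])
        summary.append(g)
    summary.sort(key=lambda g: (SEVERITY_RANK.get(g["severity"], 9),
                                -g["device_count"], g["cve"]))
    return summary


def ticket_lines(summary):
    """One line per ticket, in the order the queue should be worked."""
    return [
        f"[{g['severity']}] {g['cve']} in {g['software']}: "
        f"{g['device_count']} device(s); fix: {g['fix'] or 'see portal'}"
        for g in summary
    ]


# Constructed sample rows in the shape the query above returns. CVE ids are
# placeholders, not real vulnerabilities.
SAMPLE_ROWS = [
    {"DeviceName": "au-ws-001", "SoftwareName": "example_browser", "SoftwareVersion": "1.0",
     "CveId": "CVE-0000-0001", "VulnerabilitySeverityLevel": "High", "RecommendedSecurityUpdate": "Update to 1.1"},
    {"DeviceName": "au-ws-002", "SoftwareName": "example_browser", "SoftwareVersion": "1.0",
     "CveId": "CVE-0000-0001", "VulnerabilitySeverityLevel": "High", "RecommendedSecurityUpdate": "Update to 1.1"},
    {"DeviceName": "au-ws-003", "SoftwareName": "example_browser", "SoftwareVersion": "1.0",
     "CveId": "CVE-0000-0001", "VulnerabilitySeverityLevel": "High", "RecommendedSecurityUpdate": "Update to 1.1"},
    {"DeviceName": "au-srv-01", "SoftwareName": "example_pdf_reader", "SoftwareVersion": "9.2",
     "CveId": "CVE-0000-0002", "VulnerabilitySeverityLevel": "Critical", "RecommendedSecurityUpdate": None},
    {"DeviceName": "au-ws-001", "SoftwareName": "example_browser", "SoftwareVersion": "1.0",
     "CveId": "CVE-0000-0003", "VulnerabilitySeverityLevel": "High", "RecommendedSecurityUpdate": "Update to 1.1"},
]

if __name__ == "__main__":
    # Offline demo on the constructed rows; swap in fetch_findings(get_token(...))
    # to run against a tenant.
    for line in ticket_lines(summarise_findings(SAMPLE_ROWS)):
        print(line)
```

Grouping by CVE rather than by device is the design choice that matters for ticketing: one High in a browser across 150 workstations is one change ticket with one fix, not 150 alerts. The same request helper can run any other MDVM table (DeviceTvmBrowserExtensions for step 6, DeviceTvmCertificateInfo for certificate expiry) by swapping the KQL.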


Frame MDVM against the Essential Eight expectation

MDVM helps maturity for Patch Applications and Patch Operating Systems. Score where you sit on the Essential Eight first to know which gaps MDVM actually closes.

The eight strategies

Eight strategies, four maturity levels each. Maturity Level 2 is the pragmatic target for most organisations.

  1. Application control: only approved applications can execute on workstations and servers.
  2. Patch applications: internet-facing apps, browsers, Office and PDF readers patched promptly.
  3. Microsoft Office macros: macros disabled unless from trusted locations and signed by a trusted publisher.
  4. User application hardening: web browsers and productivity apps hardened against the most common attacks.
  5. Restrict administrative privileges: admin accounts limited, separated and reviewed; the crown jewels of the tenant.
  6. Patch operating systems: operating system patches applied on a schedule that matches the risk.
  7. Multi-factor authentication: MFA everywhere that matters, including privileged accounts, remote access and important data.
  8. Regular backups: backups of important data, configuration and software, with restores you have actually tested.
