Frontrow Technology

Glossary

What is CASB — Cloud Access Security Broker, explained

Cloud Access Security Broker: a security control point between users and cloud apps — visibility into shadow IT, policy enforcement, threat protection across SaaS.

Last reviewed 10 May 2026

What a CASB does

A CASB sits between users and cloud apps — either in-line (proxying traffic) or via API (reading SaaS audit logs). It provides discovery (which SaaS apps your staff actually use), risk assessment (how risky each one is), policy enforcement (block, redirect, restrict), and threat protection (anomalous behaviour detection). The four canonical CASB use cases are visibility, compliance, threat protection and data protection.
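The discovery, risk-assessment and policy steps described above, as an added example that is not part of the original page and not any vendor's code. The app catalogue, risk scores, log format, host names and the `allow`/`restrict`/`block`/`review` verdicts are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalogue: host -> (description, risk 0-10, sanctioned?)
CATALOGUE = {
    "sharepoint.example": ("Corporate file store", 2, True),
    "filedrop.example": ("Personal file sharing", 8, False),
    "notes.example": ("Note-taking SaaS", 4, False),
}

# Constructed proxy log: timestamp user method url bytes_uploaded
SAMPLE_LOG = """\
2026-05-01T09:00:01Z alice POST https://sharepoint.example/upload 52000
2026-05-01T09:02:10Z bob POST https://filedrop.example/api/put 9800000
2026-05-01T09:05:44Z bob GET https://notes.example/home 0
2026-05-01T09:07:12Z carol POST https://filedrop.example/api/put 120000
2026-05-01T09:09:30Z alice GET https://unknown-tool.example/ 0
"""

def discover(log_text):
    """Discovery: aggregate users and upload volume per destination host."""
    apps = defaultdict(lambda: {"users": set(), "uploaded": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guessing fields
        _ts, user, _method, url, sent = parts
        host = urlsplit(url).hostname
        if host is None or not sent.isdigit():
            continue
        apps[host]["users"].add(user)
        apps[host]["uploaded"] += int(sent)
    return apps

def decide(host, block_at=7):
    """Risk assessment and policy: one verdict per discovered host."""
    entry = CATALOGUE.get(host)
    if entry is None:
        return "review"  # uncatalogued app: shadow IT needing assessment
    _desc, risk, sanctioned = entry
    if sanctioned:
        return "allow"
    return "block" if risk >= block_at else "restrict"

def report(log_text):
    """Map each host to (verdict, sorted users, total bytes uploaded)."""
    return {h: (decide(h), sorted(s["users"]), s["uploaded"])
            for h, s in discover(log_text).items()}

if __name__ == "__main__":
    for host, row in sorted(report(SAMPLE_LOG).items()):
        print(host, *row)
```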

Defender for Cloud Apps in the AU context

Microsoft Defender for Cloud Apps is the CASB component of E5. It discovers shadow IT from Defender for Endpoint logs, integrates with sanctioned SaaS via API connectors, applies session policies in-line through a reverse proxy, and feeds the Microsoft 365 security graph. For AU organisations consolidating onto E5, it replaces standalone CASBs (Netskope, Palo Alto Prisma, Symantec). Retiring the standalone CASB licence is typically a meaningful contribution to the E3-vs-E5 maths.
