A long-form deep dive into Microsoft Defender for Business for Australian small and mid-sized businesses. Covers EDR versus antivirus, what Defender actually detects, attack surface reduction rules, automated investigation, AUD pricing, deployment best practice, and a side-by-side scenario showing what an attack looks like with and without Defender for Business configured.

    Product Deep Dive
    Recommended for Perth businesses on M365 Business Premium, or any business evaluating endpoint security

    Microsoft Defender for Business: what real threat protection looks like for a 50-person company

    62 per cent of Australian SMEs have experienced a cyberattack. Most were running antivirus when it happened. Antivirus stopped being enough around 2015. Here is what endpoint detection and response actually does, and why the difference matters for your business.

    StartCloud, May 2026, 12 min read
    TL;DR

    The short version

    Microsoft Defender for Business is not antivirus. It is an endpoint detection and response (EDR) platform using the same detection engine as Microsoft Defender for Endpoint Plan 2, which protects enterprise organisations globally.

    It monitors behaviour, not just files. It records a six-month timeline of every action on every managed device. When something suspicious happens, it investigates automatically and contains the threat, including at 2am on a Sunday when no one is watching.

    It is included in Microsoft 365 Business Premium at no extra cost, or available as a standalone product for approximately A$4.40 per device per month. This guide covers what it actually does, what it sees that antivirus misses, and what a properly configured deployment looks like.

    Prices in this guide are indicative AUD figures current as of May 2026 and are subject to change. Always confirm with your licensing partner before purchase.

    What it is

    EDR, not just antivirus

    Microsoft Defender for Business is an enterprise-grade endpoint detection and response (EDR) platform scaled for businesses with up to 300 users. It monitors every device in your environment, detects threats that traditional antivirus cannot see, investigates automatically, and can contain an attack before it spreads.

    The key distinction is what it watches. Traditional antivirus watches files. Defender for Business watches behaviour. It monitors running processes, network connections, memory activity, user logons, registry changes and script execution in real time across every managed device simultaneously. When a pattern of behaviour matches a known attack technique, or looks suspicious even if it has never been seen before, Defender flags it, investigates it, and in many cases contains it automatically.

    Who it is for: Perth businesses with 1 to 300 employees running Windows, macOS, iOS or Android devices. Particularly important for businesses handling client data, subject to the Essential Eight, cyber insurance requirements, or recovering from a previous incident.

    Who it is not for: Businesses over 300 users (move to Defender for Endpoint Plan 2 via E5 licensing). Businesses that rely solely on Linux servers will need additional tooling.

    Where it sits in the Microsoft security lineup

    | Product | What it is | Who it is for |
    |---|---|---|
    | Windows Security (built-in antivirus) | Basic signature-based antivirus. No EDR, no central management, no cross-device visibility. | Home users. Not adequate for business use. |
    | Microsoft Defender Antivirus (M365 managed) | Antivirus managed from the M365 admin centre. Better than unmanaged, still no EDR. | Small businesses on Basic or Standard wanting managed AV only. |
    | Microsoft Defender for Business | Full EDR platform: behavioural detection, automated investigation, threat hunting, six-month device timeline. Included in M365 Business Premium. | SMBs up to 300 users. The focus of this article. |
    | Microsoft Defender for Endpoint Plan 2 | Enterprise EDR: advanced threat hunting, custom detections, deception, sandbox analysis. | Businesses over 300 users or those needing enterprise-grade hunting. |

    The jump from managed antivirus to Defender for Business is the most important security upgrade most Perth SMBs can make. It is not a marginal improvement. It is a fundamentally different level of visibility into what is happening on your devices.

    Features that matter

    What you actually get

    Stripped of the marketing language, here is what Microsoft Defender for Business puts in your hands.

    Next-generation antivirus

    Cloud-delivered malware protection that goes beyond signature matching. Defender uses machine learning models trained on Microsoft's global threat intelligence (65 trillion signals per day) to detect and block threats it has never seen before, including fileless and polymorphic malware.

    Endpoint detection & response

    Continuous monitoring of device behaviour, with a six-month timeline of every process, network connection, file change, and user action recorded per device. When an alert fires, you can rewind the timeline and see exactly what happened, when, and what was touched.

    Automated investigation & remediation

    When Defender detects a threat, it automatically investigates related alerts, traces the attack path, and in many cases remediates without human intervention. For a 50-person business without a dedicated security team, this is what contains an attack at 2am on a Sunday.

    Attack surface reduction (ASR) rules

    Configurable rules that block the techniques attackers use most often: scripts launched from email attachments, unsigned executables run from downloads, abuse of Office macros, and malicious use of PowerShell or WMI. ASR blocks the technique itself, so the attack fails before any payload needs to be recognised.

    Threat & vulnerability management

    Continuous assessment of every managed device: which applications are unpatched, which OS versions are out of support, which misconfigurations are present. Prioritised by real-world exploitation risk, not just CVE score.

    Microsoft Secure Score

    A measurable security score for your device fleet, with specific recommended actions to improve it. Useful for reporting to leadership, cyber insurers, or clients who ask about your security programme.

    Cross-platform coverage

    Covers Windows 10 and 11, macOS (Monterey and later), iOS and Android. One platform, one portal, one security policy for every device regardless of operating system.

    Sentinel & Entra ID integration

    Defender alerts feed into Microsoft Sentinel for centralised monitoring, and integrate with Entra ID Conditional Access. A device flagged as compromised by Defender can automatically trigger a policy in Entra ID to block the user's sign-in until remediated.

    The honest take

    Pros and cons

    No vendor is perfect. Here is what works and what doesn't.

    What works well

    • Included in M365 Business Premium. If you are already on Business Premium, you are paying for this. The question is whether it is deployed and configured.
    • Same engine as enterprise Defender for Endpoint. The detection intelligence is the same as what protects Fortune 500 companies, not a cut-down SMB version.
    • Automated investigation and response. For a business without a 24/7 security team, automated response is what contains an attack outside business hours.
    • Six-month device timeline. When something goes wrong, you can see exactly what happened, when, and in what order.
    • Essential Eight aligned. Directly addresses the malicious code prevention, patch applications and restrict admin privileges controls.
    • Threat and vulnerability management built in. No separate vulnerability scanner needed. Continuously assesses your fleet and prioritises by real-world risk.

    Where it falls short

    • Standalone licence is per-device, not per-user. At ~A$4.40/device/month, shared devices count as one licence per device. Worth confirming with your licensing partner.
    • Advanced hunting requires Endpoint Plan 2. Custom detection rules and deception technology require an upgrade to Defender for Endpoint Plan 2 (E5 licensing).
    • macOS features lag behind Windows. Some ASR rules and automated response capabilities are more limited on macOS. Coverage is improving but Windows remains the stronger platform.
    • Value depends on configuration. An unconfigured deployment misses most of the value. ASR rules, automated response and vulnerability management must be properly configured. StartCloud configures all of this as part of our Microsoft 365 setup.
    • Alerts require someone to act on them. Automated response handles many threats, but high-severity alerts still need a human to investigate. Without an internal SOC, our Managed Security service covers alert review and response.

    What it costs

    Pricing in real Perth dollars

    Microsoft Defender for Business is available two ways: included in Microsoft 365 Business Premium, or as a standalone product for businesses that need enterprise-grade endpoint protection without the full Microsoft 365 stack.

    | Option | Approximate AUD cost | What you get |
    |---|---|---|
    | Included in M365 Business Premium | ≈ A$37/user/month (full licence) | Defender for Business plus Intune, Entra ID P1, Defender for Office 365 and the full M365 productivity stack. |
    | Defender for Business standalone | ≈ A$4.40/device/month | Defender for Business only. Up to 300 devices. No M365 productivity apps included. |
    | Defender for Endpoint Plan 2 (enterprise) | ≈ A$9.90/user/month add-on | Full enterprise EDR: advanced hunting, custom detections, deception, sandbox. Requires E3 or E5 base. |

    For most Perth SMBs already on Microsoft 365 Business Premium, there is no additional cost for Defender for Business. The investment is in deployment and configuration. Compare the standalone option at A$4.40/device/month against typical third-party EDR products at A$8 to A$15 per endpoint per month, with a weaker threat intelligence feed and no Microsoft 365 integration.

    Indicative figures only. Prices are current as of May 2026 and subject to change. Always confirm with your licensing partner before purchase.

    Real-world use cases

    Who gets the most from it

    Professional services firms handling client data

    Law firms, accounting practices and financial advisers face Privacy Act obligations and client confidentiality requirements. Defender for Business provides detection and response capability to catch an intrusion before data is exfiltrated, and timeline evidence to demonstrate exactly what was and was not accessed if an incident does occur.

    Businesses with high-value targets on devices

    Finance teams with banking credentials. HR teams with payroll system access. Directors with board documents and M&A information. These users are targeted specifically because compromising their device gives an attacker high-value access. Defender's EDR means that even if an attacker gets onto a device, their behaviour is detected and contained before they reach the data they are after.

    Remote and hybrid workforces

    Devices that leave the office and connect to home networks, client WiFi and public hotspots face a different threat profile from devices on a managed corporate network. Defender for Business protects the device regardless of where it connects, and integrates with Intune to ensure only compliant devices can access corporate resources.

    Businesses recovering from a previous incident

    After a breach, insurers, auditors and clients ask: what have you done to prevent this happening again? Defender for Business with documented configuration, a Secure Score improvement plan and a managed security service is a credible, demonstrable answer.

    Businesses pursuing Essential Eight compliance

    The ACSC Essential Eight includes malicious code prevention, application control and patch applications as core controls. Defender for Business addresses all three directly. For businesses with clients, government contracts or cyber insurance policies requiring Essential Eight alignment, see our Essential Eight assessment.

    The scenario that matters

    What your devices look like to an attacker

    A staff member at a 50-person Perth business clicks a link in a phishing email. Here is what happens next, with and without Defender for Business configured.

    | Stage | Without Defender for Business | With Defender for Business configured |
    |---|---|---|
    | Malicious link clicked, payload downloads | Traditional antivirus scans the file against known signatures. The payload is new and obfuscated. It passes. The payload executes. | Defender's cloud protection checks the file against real-time threat intelligence. If it has been seen anywhere in Microsoft's global network, it is blocked instantly. If it is novel, behaviour monitoring activates. |
    | Payload runs in memory (fileless attack) | Antivirus has nothing to scan because no file was written to disk. The attacker has a foothold. No alert has fired. | EDR detects the anomalous process behaviour: a browser spawning a PowerShell child process is flagged immediately. Automated investigation begins. |
    | Attacker establishes persistence | Registry keys are modified to survive a reboot. Antivirus still has nothing to detect. The attacker is now resident on the device. | ASR rules block common persistence techniques. Registry modification by the suspicious process is flagged and automated remediation rolls back the changes. |
    | Lateral movement attempted | The attacker probes the network, attempting to move to a file server or workstation with higher privileges. No visibility. | Network traffic analysis detects the internal port scanning. The device is automatically isolated from the network. The IT partner receives an alert within minutes. |
    | Data accessed or exfiltrated | The attacker accesses the file server, copies client data, and begins exfiltration. Discovery may take weeks, if it happens at all. | Device isolation has already cut off network access, so exfiltration is blocked. The full attack path is recorded in the six-month device timeline. |
    | Business discovers the incident | Often via a ransom note, a client notification, or a bank flagging suspicious activity. Days or weeks after the fact. No forensic trail. | Alert generated within minutes. IT partner reviews the timeline, confirms scope, and closes the incident. Client informed within hours with a clear account of what was contained. |


    In practice

    What Defender for Business looks like day-to-day

    Once deployed and configured, your team will not see most of it. Security should protect people without disrupting them.

    | Who | Their experience |
    |---|---|
    | Staff member on a managed Windows laptop | Windows Security shows 'Defender is active'. They work normally. If they accidentally download a malicious file, it is quarantined automatically with a brief notification. |
    | Staff member on a managed MacBook | Defender runs silently in the background. Network protection blocks connections to known malicious domains. They may never see it act. |
    | IT manager or IT partner | The Microsoft 365 Defender portal shows a real-time view of alerts across all devices, a Secure Score with recommended actions, and a vulnerability dashboard showing which devices need patching urgently. |
    | StartCloud (managed security) | High and medium severity alerts generate notifications to the StartCloud SOC. Automated investigation results are reviewed, confirmed, and closed. Monthly security review reports pull from Defender data. |
    | An attacker who compromises a device | Their behaviour is detected within minutes. Automated response isolates the device. The attack does not spread. The full timeline of their activity is available for investigation. |

    How StartCloud deploys Defender for Business

    From licence to fully configured protection

    Deploying Defender for Business is not simply switching it on. The default configuration provides basic protection. Proper configuration (ASR rules, automated response settings and Intune integration) is what delivers the full value.

    Step 1. Licence and device inventory

    We confirm your Microsoft 365 Business Premium licence (or set up the standalone Defender for Business licence), audit the number and types of devices in your environment, and identify any existing security tools that may conflict with Defender deployment.

    Step 2. Intune integration & device enrolment

    Defender for Business is most effective when managed through Microsoft Intune, which is also included in Business Premium. We enrol devices into Intune, apply device compliance policies, and push the Defender configuration to all managed devices at once. No manual agent installation required.

    Step 3. Security baseline configuration

    We apply Microsoft's recommended security baseline tuned for your business: enabling cloud-delivered protection, configuring attack surface reduction rules, enabling network protection, and setting automated investigation and remediation to the appropriate level.

    Step 4. ASR rule deployment (audit mode first)

    Attack surface reduction rules are deployed in audit mode first, logging what would have been blocked without actually blocking it. We review the audit output for two weeks, add necessary exclusions for legitimate tools, then switch to enforcement mode. This prevents the most common cause of ASR deployment failures.

    Step 5. Alert routing and escalation

    We configure alert notifications to route to the appropriate people. High-severity alerts generate immediate notifications to the StartCloud SOC. Medium alerts are reviewed in daily security triage. Low alerts are reviewed weekly.

    Step 6. Secure Score baseline & improvement plan

    We document your Defender Secure Score as the baseline and produce a prioritised list of recommended actions to improve it: a measurable security metric to report against and a clear roadmap for ongoing improvement.
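    As an added example (not StartCloud's deployment tooling or a Microsoft-supplied script), the PowerShell below does the local-device equivalent of Steps 3 and 4: it puts the ASR rules matching the techniques named earlier into audit mode, reads the audit events Defender writes while they run, and only then adds exclusions and switches to enforcement. It assumes an elevated session on a Windows 10/11 device with Defender Antivirus in active mode; in a real rollout Intune pushes the same settings, so this is for a pilot device or for checking what Intune actually applied. The exclusion path is a constructed placeholder.

```powershell
# Added example: local equivalent of the audit-first ASR rollout. Elevated session required.

# ASR rules matching the techniques the article names. GUIDs are Microsoft's published rule IDs.
$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'E6DB77E5-3DF2-4CF1-B95A-636979351E5B' = 'Block persistence through WMI event subscription'
}

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)] [string[]] $RuleIds,
        [Parameter(Mandatory)] [ValidateSet('AuditMode', 'Enabled', 'Disabled')] [string] $Mode
    )
    # Add-MpPreference merges with rules already set; the Actions array is positional, one entry per ID.
    $actions = foreach ($id in $RuleIds) { $Mode }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleIds -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrAuditEvents {
    param([int] $Days = 14)
    # Event 1122 = rule would have blocked (audit mode); 1121 = rule did block (enforcement).
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml] $_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $ruleId = ($data['ID'] -as [string]).Trim('{}')
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Rule    = if ($AsrRules.ContainsKey($ruleId)) { $AsrRules[$ruleId] } else { $ruleId }
            Process = $data['Process Name']   # the process the rule would have stopped
            Target  = $data['Path']           # what it was trying to touch or launch
            User    = $data['User']
        }
    }
}

function Add-AsrExclusion {
    param([Parameter(Mandatory)] [string[]] $Path)
    # ASR-only exclusions: they do not weaken antivirus scanning of the same path.
    Add-MpPreference -AttackSurfaceReductionOnlyExclusions $Path
}

function Get-AsrRuleState {
    # Read back what is actually in effect; Actions come back as numeric enum values.
    $pref = Get-MpPreference
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i]
        [pscustomobject]@{
            RuleId = $id
            Rule   = if ($AsrRules.ContainsKey($id)) { $AsrRules[$id] } else { '(other rule)' }
            Action = switch ([int] $pref.AttackSurfaceReductionRules_Actions[$i]) {
                0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } 6 { 'Warn' } default { $_ }
            }
        }
    }
}

# Day 0: audit only, nothing is blocked yet.
Set-AsrRuleMode -RuleIds @($AsrRules.Keys) -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# After the two-week review window: see which legitimate tools would have been hit, per rule.
Get-AsrAuditEvents -Days 14 | Group-Object Rule, Process | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Then exclude what the review justified (constructed placeholder path) and enforce.
# Add-AsrExclusion -Path 'C:\Program Files\ExampleLOBTool\lob.exe'
# Set-AsrRuleMode -RuleIds @($AsrRules.Keys) -Mode Enabled
```

    A rule that logs no 1122 events in two weeks is safe to enforce; one that fires against the same signed line-of-business binary every day is the case the exclusion step exists for.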

    Watch out

    Common pitfalls

    The mistakes we see most often when businesses try to deploy Defender for Business without expert guidance.

    • Defender in the licence but never deployed. The most common situation we encounter. Business Premium includes Defender for Business, but it is not on by default. Many businesses pay for it for months without switching it on.

    • Default configuration only. The default provides basic next-generation antivirus. ASR rules, automated investigation and vulnerability management are not active until configured. The gap between default and fully configured is significant.

    • Running conflicting third-party antivirus. Defender for Business cannot run in active mode alongside another antivirus product. The existing AV tool must be uninstalled before Defender for Business is activated.

    • ASR rules enabled in enforcement mode immediately. ASR rules in enforcement mode can block legitimate business tools if exclusions are not configured first. Always audit for two weeks before enforcing.

    • No one reviewing alerts. Automated response handles many threats, but high-severity alerts still require human review. Without a process for alert review, things slip.

      Our Managed Security service provides this oversight.

    • Not integrating with Entra ID Conditional Access. Defender's device risk signal can feed into Entra ID to block sign-ins from compromised devices. Without this integration, a compromised device can still authenticate to Microsoft 365.

      See our Entra ID deep dive for the identity side.

    The verdict

    Should your Perth business deploy Defender for Business?

    Yes, and if you are on Microsoft 365 Business Premium, you should be asking why it is not already deployed.

    The question most Perth SMBs ask is "do we really need EDR? We have antivirus." The answer is that 62 per cent of Australian SMEs that experienced a cyberattack had some form of antivirus running at the time. Antivirus detects known threats. EDR detects behaviour. Modern attacks are designed specifically to evade signature-based detection. Defender for Business closes that gap.

    The honest caveat is the same as every other security tool: it only works if it is deployed and configured. A properly configured Defender for Business, with ASR rules enforced, automated investigation active, Intune integration done, and alert routing to a managed security partner, protects against the vast majority of attacks that target Perth SMBs today.

    Already on Microsoft 365 Business Premium?

    Defender for Business is included in your licence. StartCloud checks whether it is deployed and configured correctly, and fixes it if it is not.

    Book a security health check

    No obligation. Straight answers. Perth-based team.


    Document prepared May 2026 by StartCloud (Start Technologies Pty Ltd). Pricing and feature information is indicative only and current as of the date of preparation. Microsoft licensing changes frequently, so confirm with your licensing partner before any purchase decision.
