Skip to main content Microsoft Defender Microsoft Entra Microsoft Intune Microsoft Purview Microsoft Security Copilot Microsoft Sentinel View all products AI-powered cybersecurity Cloud security Data security & governance Identity & network access Privacy & risk management Security for AI Small and medium business Unified SecOps Zero Trust Pricing Services Partners Why Microsoft Security Cybersecurity awareness Customer stories Security 101 Product trials How we protect Microsoft Industry recognition Microsoft Security Insider Microsoft Digital Defense Report Security Response Center Microsoft Security Blog Microsoft Security Events Microsoft Tech Community Documentation Technical Content Library Training & certifications Compliance Program for Microsoft Cloud Microsoft Trust Center Security Engineering Portal Service Trust Portal Microsoft Secure Future Initiative Business Solutions Hub Contact Sales Start free trial Microsoft Security Azure Dynamics 365 Microsoft 365 Microsoft Teams Windows 365 Microsoft AI Azure Space Mixed reality Microsoft HoloLens Microsoft Viva Quantum computing Sustainability Education Automotive Financial services Government Healthcare Manufacturing Retail Find a partner Become a partner Partner Network Microsoft Marketplace Software companies Blog Microsoft Advertising Developer Center Documentation Events Licensing Microsoft Learn Microsoft Research View Sitemap
Microsoft Defender Experts Threat Intelligence
Research 4 min read

Turning threat intelligence into decisive action with Defender Experts

Copilot logo Powered by Microsoft Copilot

Security teams have never had more visibility, yet rarely have they felt more uncertain. Signal pours in from endpoints, identities, cloud workloads, and a sprawling mix of third-party tools. Dashboards are full, alerts keep coming, but the hardest question of the day remains unanswered: of everything happening right now, what actually matters to us, and what do we do about it?

That space between knowing a threat exists and acting on it is the intelligence-to-action gap, and it’s where most breaches are won or lost. It doesn’t close with another feed or another dashboard. It closes with expertise: seasoned defenders who know your environment, interpret what global signal means for your risk, and stay with you from the first indicator to the final response.

Today we’re announcing a new service, Microsoft Defender Experts Threat Intelligence, and we are expanding Microsoft Defender Experts MDR to include new third-party and multi-cloud coverage. Together, these human-led offerings are designed to close the intelligence-to-action gap at the two moments that decide the outcome: before a campaign reaches you, and as it moves through your environment.

Upstream: See the campaign before it reaches you

The earlier you see a campaign forming, the more options you have, and the cheaper every decision becomes. Yet most threat intelligence still arrives as raw feeds or static reports: high in volume, low in context, and disconnected from what’s exposed in your estate. Teams end up with more to read and no more clarity on what to do about it.

Microsoft Defender Experts Threat Intelligence is a new, expert-delivered service that closes that distance. Built on Microsoft’s visibility across endpoints, identity, cloud, and evolving attacker activity, it gives your team periodic, curated insight into the threats most likely to target you. Designated Microsoft experts interpret the global landscape through the lens of your industry, geography, and environment, then translate it into clear, prioritized guidance your team can act on.

As campaigns evolve, experts continuously refine that guidance with newly observed infrastructure, tactics, and targeting patterns, helping your team adjust hunting, hardening, and response activities. The insight is tailored for both leadership and defenders, providing executive-ready context alongside technical recommendations so the entire organization can act from a shared understanding of the threat landscape. The goal is simple: help you reduce risk before an attack reaches your environment, not explain what happened after the fact.

In practice, your team receives:

  • Early-warning alerts on emerging campaigns relevant to you
  • Campaign-evolution updates as activity unfolds
  • Contextualized intelligence tied to your risk profile
  • Recurring briefings from your designated expert, rotating across geopolitical, industry, and global perspectives, on a scheduled basis

Microsoft Defender Threat Intelligence Now Integrated into Defender

While this new expert-delivered service helps customers turn threat intelligence into action through direct engagement with Microsoft analysts, we’re also continuing to bring that same type of insight closer to defenders’ day-to-day workflows. Today we’re announcing that Microsoft Defender Threat Intelligence (MDTI) capabilities are now fully converged into the Defender portal. Intelligence is available real-time across detection, investigation, response, hunting, and automation, reducing context switching and helping teams move more quickly from signal to action within a unified SecOps experience.

In your environment: Follow the threat everywhere it moves

Modern attacks rarely stay in one place. They cross from email to endpoint to identity to cloud, and increasingly traverse disparate security tools. Even when organizations have visibility into those environments, connecting multi-vendor and multi-domain signals into a coherent attack story remains a challenge.

That’s the gap we’re closing on the response side: Microsoft Defender Experts MDR (formerly Microsoft Defender Experts for XDR) is expanding with new third-party and multi-cloud coverage powered by Microsoft Sentinel. Defender Experts MDR provides a fully managed detection and response service that reduces noise, adds expert context, and drives action. With support for leading non-Microsoft sources across cloud, identity, email, network, and endpoint environments, our experts can follow attacks wherever they move, not just where Microsoft products operate.

The service is backed by Microsoft’s vast threat intelligence, and combines expert-authored detections and analytics, investigation and response automation, and ongoing operational guidance to help customers strengthen security outcomes across their environment.

In practice, customers gain:

  • 24/7 monitoring and investigation by Microsoft experts who distil high‑volume telemetry into high‑confidence, prioritized incidents that dramatically reduce analyst fatigue and accelerate response.
  • Cross-platform threat analysis that correlates signals across Microsoft and non-Microsoft environments to deliver a single incident narrative with actionable, vendor‑aware guidance.
  • Ongoing recommendations to optimize security operations, from detection tuning and data integration to content management in Sentinel.
  • Business-aligned summaries of top risks, posture gaps, and recommended improvements across the security estate.

This expanded coverage is available through Microsoft Defender Experts MDR Plan 2. Everything available today as Defender Experts for XDR carries forward unchanged as Microsoft Defender Experts MDR Plan 1, while Plan 2 extends that same expert-led triage, investigation, and response beyond Microsoft’s own estate.

See it live at Black Hat USA

Every one of today’s announcements aims at the same outcome: shrinking the distance between a signal arriving and a decision being made. That’s the measure that matters in the end—not alerts triaged, but decisions made faster and with more confidence.

Come see it at Black Hat. Join our session Mind the Gap: Turning Threat Intelligence into Decisive Action with Expert-Led Defense, where Wes Malaby, General Manager of Customer Success at Microsoft Security, will demonstrate how expert-led intelligence and defense can change the trajectory of a threat campaign from the earliest warning signs through response and remediation. After the session, stop by the Microsoft Security booth to connect with our experts and learn how these services fit into your broader security strategy, or attend our reception on August 5 for a more conversational environment.