Microsoft Sentinel is entering a new era defined by AI-driven security operations and agentic intelligence. Learn how these updates transform detection, response, and cost optimization across your Microsoft ecosystem.

The Evolution of Microsoft Sentinel
Microsoft Sentinel has been a foundational tool for building cloud-native security operations. It started by leading the cloud-native SIEM charge; the September 2025 announcements lay out how Sentinel will function and where it fits within Microsoft’s broader security strategy going forward.
This is not just a product update. The evolution matters because it redefines how security teams will detect, respond to, and adapt to threats today and in the future.
Understanding the Agentic Era
The concept of the “agentic era” refers to a transition from traditional automation to intelligent agents that can reason, act, and adapt. In short, we now have, and want, agents that do not only alert but also take actions. In Sentinel, this means the introduction of AI copilots, natural language interaction, and context-aware recommendations. These features are designed to reduce the burden on analysts, improve detection accuracy, and accelerate response times. Think of it this way: instead of writing complex queries to correlate events and data, an analyst can simply ask, “what was the issue and what areas were impacted?” That doesn’t mean we no longer need security teams, but it does allow those teams (or the agents they create) to identify, react, and respond faster.
This shift also introduces new architectural considerations. Organizations will need to rethink how they structure their data, workflows, and integrations to support these capabilities, including which actions an agent may take on its own and which should require analyst approval. Sentinel is no longer just a log collector. It is becoming a decision-making partner. Sentinel Graph maps entities and their relationships, and uses orchestration capabilities to help AI agents understand how assets, identities, and activities connect. The Model Context Protocol (MCP) provides a structured way for AI agents and human analysts to query security data contextually, following a foundation similar to Microsoft Copilot’s.


A simple example of this would be an agent that is solely focused on phishing attempts, notifying users when phishing attempts have been detected against their mailbox and warning them to take extra caution. However, these agents go beyond alerting. They can perform a wide range of actions to separate false positives from the real threats so that analysts can focus on what matters.
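To make the two ideas above concrete (an agent querying security data over MCP, and a phishing-focused agent that filters false positives before acting), here is an added example that is not from the original post and is not Microsoft’s code. It models the exchange as JSON-RPC 2.0 messages in the shape MCP uses (`tools/list`, `tools/call`), against a toy in-memory tool server. The tool names `query_email_alerts` and `notify_user`, the sample alert records, the sender allow-list, and the scope model are all constructed for illustration; they are not Sentinel’s real MCP tools or schema. The point it shows that the text does not: the agent is granted read scope only, so the server refuses its `notify_user` call and the agent degrades to a recommendation instead of acting on its own.

```python
"""Added example (not from the original post or Microsoft): an MCP-style
JSON-RPC exchange between a phishing-triage agent and a hypothetical
SIEM tool server that enforces per-tool scopes."""
from __future__ import annotations
import json
from typing import Any

# Constructed sample alerts standing in for data a real MCP server would
# return from a SIEM query. Domains use .test/.example on purpose.
SAMPLE_ALERTS = [
    {"id": "a1", "recipient": "alice@contoso.test", "sender_domain": "contoso.test",
     "subject": "Q3 budget", "url_verdict": "clean"},
    {"id": "a2", "recipient": "bob@contoso.test", "sender_domain": "c0ntoso.test",
     "subject": "Password expiring today", "url_verdict": "malicious"},
    {"id": "a3", "recipient": "alice@contoso.test", "sender_domain": "newsletter.example",
     "subject": "Your weekly digest", "url_verdict": "clean"},
    {"id": "a4", "recipient": "carol@contoso.test", "sender_domain": "payroll-update.example",
     "subject": "Action required: verify payroll", "url_verdict": "malicious"},
]
ALLOWED_SENDER_DOMAINS = {"contoso.test", "newsletter.example"}  # constructed allow-list

# Hypothetical tools and the scope each requires. "write" tools change state.
TOOLS = {
    "query_email_alerts": {"scope": "read", "description": "Return phishing-related email alerts"},
    "notify_user": {"scope": "write", "description": "Warn a mailbox owner about phishing"},
}


def _ok(rid: Any, content: str) -> dict[str, Any]:
    return {"jsonrpc": "2.0", "id": rid, "result": {"content": [{"type": "text", "text": content}]}}


def _err(rid: Any, code: int, msg: str) -> dict[str, Any]:
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": msg}}


class ToolServer:
    """Toy MCP-style server: dispatches tools/list and tools/call, checking scopes."""

    def __init__(self, granted_scopes: set[str]):
        self.granted = granted_scopes
        self.notified: list[str] = []  # side effects of the write tool, for inspection

    def handle(self, request: dict[str, Any]) -> dict[str, Any]:
        rid, method = request.get("id"), request.get("method")
        if method == "tools/list":
            tools = [{"name": n, "description": t["description"]} for n, t in TOOLS.items()]
            return {"jsonrpc": "2.0", "id": rid, "result": {"tools": tools}}
        if method != "tools/call":
            return _err(rid, -32601, "method not found")
        name = request["params"]["name"]
        args = request["params"].get("arguments", {})
        tool = TOOLS.get(name)
        if tool is None:
            return _err(rid, -32601, f"unknown tool {name}")
        if tool["scope"] not in self.granted:  # least privilege: refuse ungranted scopes
            return _err(rid, -32001, f"scope '{tool['scope']}' not granted to caller")
        if name == "query_email_alerts":
            hits = [a for a in SAMPLE_ALERTS if a["recipient"] == args.get("recipient", a["recipient"])]
            return _ok(rid, json.dumps(hits))
        self.notified.append(args["recipient"])
        return _ok(rid, "notified")


def is_true_positive(alert: dict[str, Any]) -> bool:
    """Constructed heuristic: unknown sender domain or a malicious URL verdict is real."""
    return alert["sender_domain"] not in ALLOWED_SENDER_DOMAINS or alert["url_verdict"] == "malicious"


def triage_phishing(server: ToolServer, recipient: str | None = None):
    """Agent loop: discover tools, query alerts, drop false positives, then try to notify.
    Returns (true_positives, actions); an action is (kind, recipient, detail)."""
    listing = server.handle({"jsonrpc": "2.0", "id": 1, "method": "tools/list"})
    if "query_email_alerts" not in {t["name"] for t in listing["result"]["tools"]}:
        raise RuntimeError("server does not expose the query tool")
    args = {"recipient": recipient} if recipient else {}
    resp = server.handle({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                          "params": {"name": "query_email_alerts", "arguments": args}})
    alerts = json.loads(resp["result"]["content"][0]["text"])
    true_positives = [a for a in alerts if is_true_positive(a)]
    actions = []
    for n, a in enumerate(true_positives, start=3):
        r = server.handle({"jsonrpc": "2.0", "id": n, "method": "tools/call",
                           "params": {"name": "notify_user", "arguments": {"recipient": a["recipient"]}}})
        if "error" in r:  # not permitted to act: hand a recommendation to the analyst
            actions.append(("recommend_notify", a["recipient"], r["error"]["message"]))
        else:
            actions.append(("notified", a["recipient"], ""))
    return true_positives, actions


if __name__ == "__main__":
    tps, acts = triage_phishing(ToolServer({"read"}))
    print([a["id"] for a in tps], acts)
```

Run as written, the read-only server returns alerts a2 and a4 as true positives and both notifications come back as `recommend_notify` with a scope error; grant `{"read", "write"}` and the same loop notifies the two users directly. The scope check is the design point: whatever scoring an agent uses, the tool layer decides what it may change.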
As Chris Stegh, CTO of eGroup Enabling Technologies, explains:
“The most relevant AI Agents in SecOps are the Security Copilots. Clients with large enough SOC teams can optimize the time of those valuable professionals by providing natural-language interfaces to information that can simply reduce risk faster. Due to the cost and people involved, smaller SecOps teams might still benefit from having a managed security partner.”
Sentinel’s Migration to the Microsoft Defender Portal
One of the most visible changes that has been announced is the migration of Sentinel into the Microsoft Defender portal. This move consolidates Microsoft’s security tools into a single interface, making it easier to correlate signals across endpoints, identities, cloud workloads, and more, and simplifies visibility for security teams by pulling disparate tools into one central location.
For organizations already using Defender for Endpoint, Identity, or Cloud, this integration simplifies operations. The migration to the Defender portal is not automatic. Organizations will need to plan the migration and replace any legacy capabilities that will not be carried over to the new, consolidated platform. Businesses should plan to complete the migration by March 31, 2026.
- Migration Deadline:
Organizations should complete the migration to the new Defender experience by March 31, 2026. Plan ahead to replace legacy features that won’t carry over.


Sentinel Data Lake: Preparing for AI Workloads
Microsoft also introduced the Sentinel Data Lake, a new storage layer that separates compute from storage. The primary benefit organizations will see is reduced storage cost, and that is a big benefit.
In addition to the cost savings, it allows organizations to retain data for longer periods at that lower cost, while also enabling advanced analytics and machine learning. The result is a significant cost reduction as well as less administrative time spent fine-tuning retention settings.
It’s not just about cost savings. The Data Lake is important for making those agentic AI scenarios a reality. Agents require historical context to make informed decisions. By storing years of data efficiently, organizations can support forensic investigations, compliance audits, and proactive threat hunting without overwhelming their budgets.
Cost Optimization: New Pricing Models
The cost savings don’t stop with optimizing storage through the Sentinel Data Lake; Microsoft also rolled out new pricing options for Sentinel. These include a new 50 GB daily ingestion commitment tier and pre-purchase plans that offer predictable billing and volume discounts.
For organizations scaling up their Sentinel usage, these models provide more flexibility and better cost control. For most organizations, this presents a clear opportunity to reduce costs, with savings of 5–45% depending on the tier.
For our ThreatDefender clients, these changes allow us to offer more competitive packages by reducing your Sentinel costs in storing data. After all, our platform is built on you owning your data without vendor lock-in. Optimizing that cost makes managed and co-managed security even more affordable. Whether clients are building their own SOC or partnering with a provider, understanding these pricing options is key to maximizing value.
- Whether you manage your own SOC or partner with an MSSP, understanding these pricing models is key to maximizing ROI in the Microsoft ecosystem.


ThreatDefender: Accelerate Your Sentinel Journey
As a Microsoft Verified MSSP, we’ve built our ThreatDefender solution to help clients operationalize Sentinel quickly and effectively. For some, the best approach is to build their own environment with our guidance. For others, a co-managed or fully managed model delivers faster results and lower overhead.
We offer Sentinel Optimization Workshops to assess readiness, design future-state architectures, and support migration efforts. Our managed detection and response services are built around Microsoft security with Microsoft best practices in mind, enabling you to own your data while extending your security team with Microsoft-certified experts, or having them act as your team.
Final Thoughts
Agentic AI is a powerful tool in the evolution of threat detection and response. It doesn’t replace your security team; it makes them better (and faster) at securing your business. Sentinel’s technical evolution, together with timely cost optimizations, is making this capability an affordable reality.
Whether you are building your own Sentinel environment or evaluating a managed solution, we can help. ThreatDefender is designed to deliver 24×7 security with Microsoft Sentinel at its core. Let’s talk about how we can support your security journey and stay out in front of the evolution of these platforms.


Secure Your Organization in the Agentic Era
Modernize your Microsoft Sentinel environment with AI-driven visibility, automation, and cost control.
Whether you’re building your own SOC or exploring managed options, our experts can help you stay ahead of evolving threats.