A Finance Take on Defender for Cloud Commit Units: Do the Math.
What appears to be a no-brainer might not be
Microsoft recently introduced a new commitment discount program for Microsoft Defender for Cloud, which helps organizations get more value from their cloud security spend. Microsoft also offers near-identical programs for Sentinel (CUs) and Synapse Analytics (SCUs). The Defender program allows customers to pre-purchase Defender for Cloud Commit Units (DCUs) at significant savings over traditional retail – or as Microsoft calls it, pay-as-you-go (PayG) pricing. It’s a classic setup: the more you spend, the bigger the discount.
We started looking into the pre-purchase plan in response to customer requests for DCU purchase recommendations in the Envisor platform. As we started to flesh out the requirements, we quickly realized that providing DCU recommendations didn’t follow existing patterns for commitment discounts. Like anything new, it took a bit of time to digest the nuances and there was an iterative process on visualizing the data.
This blog post, along with a publicly available DCU calculator that I created, is a derivative of that effort. By sharing this information with the FinOps community, I hope to help shorten your learning curve and help you avoid making a costly overcommitment.
I give an overview of the program and illustrate some simple discount scenarios to start. From there I tie in comparisons with your Azure Commitment Discount (ACD) and factor in the time value of money.
Chances are, if you’re reading this blog post, you’ll be more interested in the complex scenarios. And if your ACD is 22% or greater, you can save yourself the time of reading this blog.
A quick word about the FinOps Foundation FOCUS™ specification before we jump into the content. Envisor supports, and is committed to, the FOCUS format, starting with our data model. I’ve chosen to use Azure terminology in this post to be consistent with Microsoft’s DCU program documentation and the Azure Portal. Now let’s get to it.
Defender pre-purchase plan overview
The pre-purchase plan provides a pool of prepaid DCUs, sold in pre-determined tranches, that can be utilized across Microsoft’s Defender for Cloud services portfolio. DCUs are consumed at retail prices, providing flexibility in how they are applied to different Defender workloads. The more DCUs that you commit to, the greater the discount you receive.
For instance, purchasing 5,000 DCUs grants a 10% discount at a cost of $4,500, giving you credits to purchase $5,000 of Defender services. For the most part, it’s like buying a prepaid gift card at a discount that gives you full retail value.
The bigger your commitment, the bigger your discount. Commit to 10,000 units in exchange for a 12% discount. A 25,000 DCU commitment gives you a 14% discount. The tranches become larger and the incremental discount smaller until you reach a maximum discount of 22% at 350,000 DCUs.
Determining the level of DCUs to commit to is straightforward compared to buying a 3-year Azure Reservation. With the Defender plan there’s no need to normalize CPU usage to calculate a waterline or understand generational upgrade plans. The credits can be applied to any Defender for Cloud service. Other things to consider are if you’re committed to using the service and if you expect any material change in your Defender spend during the next 12 months.
Some key facts about the program:
- Demand needs to be assessed/forecasted at PayG rates.
- DCUs are consumed at PayG rates. 1 DCU = $1.00 of Defender PayG spend.
- Azure Commitment Discount (ACD) doesn’t stack. The effective discount needs to be calculated by comparing DCU rates with ACD rates.
- Unlike Azure Reservations and Savings plans that allow you to make an annual commitment and pay upfront or monthly, DCUs are always paid upfront.
- Purchases are final. You cannot cancel, exchange or resell excess DCUs.
Getting started: forecast first
A 12-month forecast of your Defender spend at PayG prices is essential to determining your commitment level. I recommend using your prior 12 months of usage as a baseline and adjusting based on your overall cloud spend forecast. For reasons that I’ll discuss shortly, forecast accuracy is important but not critical. What is critical is that you don’t over-purchase.
Roll-forward purchase strategy
After analyzing countless DCU purchase scenarios, I recommend a roll-forward purchase strategy. That is: purchase one discount tier below your 12-month forecasted demand, then replan and purchase another tier just prior to consuming the balance of the initial purchase. This approach will provide the best balance of risk and savings.
Waste is your enemy with DCUs
Unlike planning for traditional commitment discount purchases where including waste in the purchase decision can yield an overall higher effective savings rate, waste is your enemy with DCUs. Once you reach the 50,000 DCU tier, each tier above only rewards you with a single percentage point discount.
To better understand when a given tier becomes profitable relative to the preceding tier, I calculated the breakeven point in units, which is the cost of the next higher tier divided by the unit cost of the preceding tier. If your projected volume is above the breakeven point, select the tier you are evaluating. If it is below, drop a tier.
In examining the breakeven units for a given discount tier, the margin is razor thin to get an extra percent. For example, at the 75,000-unit price tier, the breakeven point is 74,107 units. If your utilization ends up below that level, you’re better off purchasing the lower tier and replenishing as close to credit depletion as possible.
Take another example where Defender spend for the next 12 months is expected to be $175,000 PayG. If I commit to the 200,000-unit level, I will receive a 20% discount on my purchase, but my effective discount will be a disappointing 8.6% due to the waste of 25,000 DCUs. If I drop to the 150,000 DCU tier and purchase a second tranche of 150,000 DCUs when the initial purchase approaches a zero balance, I’ll save 19%.
Using the above example, let’s see what happens if I don’t make a follow-on DCU purchase to the initial 150,000 DCU commitment to cover $175,000 in planned spend. Waste is so detrimental that if I purchase the uncovered 25,000 units at PayG rates, I’ll still save 16.3% for the year vs. the 8.6% at the 200,000 DCU tier.
Takeaway: Targeting 100% coverage with your initial purchase is a risky strategy. Even a small amount of waste will reduce your effective savings below a roll-forward purchase.
Azure Commitment Discount with an MCA/EA
Unfortunately, the ACD doesn’t stack but we still need to compare your expected savings to your ACD pricing to understand your effective discount. For example, the 150,000 DCU tier offers a discount of 19% over PayG. If you have an 8% ACD, the effective discount is 12%. Fortunately, it’s a relatively easy program to administer, so the overall ROI can still be significant when benchmarked against your ACD.
Takeaway: Discounts don’t stack. To accurately state program savings, you’ll need to calculate your savings by comparing DCU pricing with ACD discounted prices.
Time is money
As a former finance guy, I have difficulty discussing discounts without looking at the cost of the money involved. After all, time is money.
When you make a DCU purchase, you’re buying inventory. While virtual, it’s still inventory, which has a carrying cost to it. The more months of coverage that you pre-purchase, the greater the carrying costs. With the U.S. prime rate at 7.75% as of the writing of this blog post, those carrying costs can significantly cut into your savings.
For the most part, if you don’t have an ACD, the program makes financial sense at any level unless you have cash flow issues. If you do have an ACD and are a light user of Defender, understanding the present value might kill the program for you.
As an extreme example, a company needing 10,000 Commit units with an ACD of 8% and borrowing at a prime rate of 7.75% would see a program savings of 0.6%. The numbers obviously improve as you spend more, and the discount grows with each tier. Using the same input parameters as the previous example but for 50,000 DCUs, net savings increase to 5.2%, and at 200,000 DCUs, 9.7% with nearly the same effort to administer as a 5,000-unit commitment.
Takeaway: Carrying costs of holding inventory, even if virtual, are real. With the prime rate bouncing around 8%, you need to account for it.
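The arithmetic from the last three sections, as an added worked example in Python; it is not the author's calculator or Envisor code, and the function names are made up for illustration. The 16% and 17% tier discounts are assumptions inferred from the 74,107-unit breakeven figure, and the carrying-cost model (simple interest on the average balance) is also an assumption, though it lands on the figures quoted above.

```python
# Added example. 1 DCU = $1.00 of Defender PayG spend.
# Discounts stated in the post: 10,000 -> 12%, 150,000 -> 19%, 200,000 -> 20%.
# ASSUMPTION: 50,000 -> 16% and 75,000 -> 17% are inferred from the post's
# 74,107-unit breakeven; confirm every tier against Microsoft's price sheet.
TIERS = {10_000: 0.12, 50_000: 0.16, 75_000: 0.17, 150_000: 0.19, 200_000: 0.20}


def tier_cost(units):
    """Upfront price of one tranche of `units` DCUs."""
    return units * (1 - TIERS[units])


def breakeven_units(tier, lower_tier):
    """Cost of the higher tier divided by the unit cost of the preceding tier."""
    return tier_cost(tier) / (1 - TIERS[lower_tier])


def effective_savings(tier, payg_demand, acd=0.0):
    """Savings rate of a single purchase against a 12-month PayG forecast.

    Unused DCUs are wasted. Demand above the tranche is bought at the
    alternative rate: PayG, or ACD pricing when an ACD is supplied.
    """
    alt_rate = 1 - acd  # discounts do not stack, so ACD is the benchmark
    uncovered = max(payg_demand - tier, 0)
    spend = tier_cost(tier) + uncovered * alt_rate
    return 1 - spend / (payg_demand * alt_rate)


def net_savings_after_carry(tier, acd, annual_rate):
    """ASSUMPTION: a fully consumed tranche drawn down evenly over 12 months,
    so carrying cost is simple interest on half the upfront payment."""
    carry = tier_cost(tier) * annual_rate / 2
    baseline = tier * (1 - acd)  # what the same usage costs at ACD pricing
    return (baseline - tier_cost(tier) - carry) / baseline


if __name__ == "__main__":
    print(round(breakeven_units(75_000, 50_000)))                  # 75k-tier breakeven
    print(f"{effective_savings(200_000, 175_000):.1%}")            # over-commit, 25k wasted
    print(f"{effective_savings(150_000, 175_000):.1%}")            # lower tier + PayG top-up
    print(f"{effective_savings(150_000, 150_000, acd=0.08):.1%}")  # 19% tier vs. 8% ACD
    for units in (10_000, 50_000, 200_000):
        print(units, f"{net_savings_after_carry(units, 0.08, 0.0775):.1%}")
```
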
FOCUS and DCUs
Good news, DCU purchase and consumption flow through the Azure FOCUS files. The bad news is they don’t follow current Azure commitment discount patterns. If you’ve built your own system, you’ll need to rework some of the logic.
Defender Cloud Commit Units. Do the math.
At first glance, the Defender for Cloud Commit Units program looks too good to be true, with upwards of a 22% discount. Dig a little deeper and there’s still money to be saved, just nowhere near what the first look suggests. When making a purchase decision, remember that waste is your enemy and the marginal benefit of the next higher tier is minimal. The potential upside is 1% in savings, to be exact, with significant downside risk if your forecast is wrong by even a small amount and you waste credits.
Evaluating optimal DCU commit levels and savings afforded by the program, while not rocket science, does require a firm understanding of the program and some nuanced calculations.
To help FinOps professionals jumpstart this process, I developed a DCU calculator. It will help you find your optimal commit level and run scenarios to see what happens if you over-commit. All you need to calculate your optimal DCU commit level is your 12-month forecast, your ACD and your marginal cost of capital. Go to the calculator (the calculator is ungated).
Want more than a web-based calculator?
Envisor streamlines the DCU purchase process. Building on the same logic used in the calculator, it goes further to provide recommendations that maximize the DCU discount with the least amount of risk. Envisor is a full FinOps platform designed for Run-level maturity and built on an open data lake architecture. Envisor easily accommodates integration with enterprise data sources. Get in touch with us to learn more, we’d love to hear from you.