Description
Microsoft publishes quarterly email security benchmarking data comparing Microsoft Defender against secure email gateway (SEG) and integrated cloud email security (ICES) vendors using real-world threat telemetry.
A year ago, we set out to change how email security effectiveness is measured. With our first benchmarking report in July 2025, we committed to publishing real-world performance data, not synthetic tests, so security teams could make decisions grounded in evidence. With each quarterly update, we refined our methodology, expanded our analysis, and listened to customer and partner feedback.
Alongside it, we established the Microsoft Defender ICES vendor ecosystem, designed to enable seamless integration with trusted third-party vendors and streamline security operations center (SOC) workflows for organizations who have chosen a multi-vendor email security strategy.
## Key insights from a year of email benchmarking
With four consecutive quarters of data, several findings have proven durable, highlighting how layered email security performs in production:
**1\. Defender consistently leads in pre-delivery detection.** Across every benchmarking period since July 2025, Defender has missed fewer high-severity cyberthreats than every SEG vendor evaluated, while the next closest SEG vendor had 2.5 times more misses.
**2\. ICES vendors add the most value in promotional and bulk email filtering.** Promotional filtering uplift has been the clearest area of ICES value, with an average uplift of 15% over the four quarters of evaluation. Meanwhile, ICES vendor uplift for malicious catch and spam has consistently remained relatively nominal, averaging 0.29% and 0.68%, respectively. In addition, over the last three quarters we’ve seen a consistent downward trend in these numbers, as we have continued to drive innovation in post-delivery mail detection.
**3\. Defender’s share of post-delivery remediation has grown significantly.** In our second report, we introduced insights on the contribution of Defender to post-delivery malicious catch. Initially, Defender contributed 45% of post-delivery malicious catch, which has since risen to an average of 96%. This trajectory underscores that Microsoft’s post-delivery catch is an increasingly critical backstop, operating even when ICES solutions are in place, and that Defender is delivering the majority of post-delivery remediation.
Figure 1: Malicious catch and spam catch uplift from ICES vendors over the past 12 months.
## SEG vendor benchmarking results
For SEG vendors, a threat is classified as “missed” if it was not detected prior to delivery. Using this definition, Microsoft Defender once again missed fewer high-severity email threats than all other solutions evaluated, consistent with every prior benchmarking period.
Figure 2: High-severity email threats missed by SEG vendors (February 2026-April 2026), measured as threats missed per 1,000 users protected.
This quarter, Defender missed 59% fewer high-severity threats than the next-closest SEG vendor, a gap that has remained consistent across all four benchmarking periods.
## ICES vendor benchmarking results
ICES solutions operating on top of Microsoft Defender continue to provide benefit, particularly in reducing promotional and bulk email, with an average improvement of 16.85% over the last quarter. This helps minimize inbox clutter and improves user productivity in environments where promotional noise is a concern. For malicious messages and spam, the average improvement across vendors was 0.13% for malicious and 0.28% for spam catch, compared to 0.24% and 0.29% in the prior report.
Figure 3: ICES vendor catch contribution (February 2026-April 2026).
Focusing only on malicious messages that reached the inbox, the latest quarter shows Microsoft Defender’s post-delivery catch continues to improve, accounting for the majority of post‑delivery remediation. It removes an average of 96.03%, up from 70.8% in the previous quarter, highlighting the effectiveness of our continuous investments in this area. Post‑delivery remediation remains a critical backstop when cyberthreats evade initial filtering.
Figure 4: Post‑delivery malicious catch by Microsoft Defender (February 2026-April 2026), shown across vendors and overall average.
## Innovation shaped by benchmarking insights
Benchmarking doesn’t just help customers make better decisions. It shapes what we build. Over the past year we’ve used the insights from our benchmarking reports, as well as insights from the growing ICES vendor ecosystem, to directly shape our innovation and product outcomes. Below are some of the most recent highlights that we directly attribute to the continued improvements in Microsoft Defender performance.
**Native promotion and bulk mail filtering in Outlook**: A dedicated Promotions folder, natively provisioned in Outlook, now keeps legitimate bulk mail out of the primary inbox. Promotional content is separated from priority emails without being sent to Junk, which means users can still access and browse newsletters and updates at their own pace. The folder appears at the top level of the mailbox for easy discovery and is visible across all Outlook experiences. Once generally available, it will be on by default, improving the native promotional filtering.
**System-level AI advancements**: Among other AI enhancements, in November 2025 we introduced an agentic grading system that reduces the reliance on manual review in the submission and analysis pipeline. It helps deliver lower wait times, faster responses, and higher-quality results when emails are submitted to Microsoft for review. That means security teams can investigate reported messages more efficiently, respond more promptly, and act with greater confidence against phishing threats.
**Accelerating investigation with AI**: The growing role of post-delivery remediation in our benchmarking data highlights a related challenge: when threats reach users and get reported, SOC teams need to triage those submissions quickly and accurately. The Microsoft Security Copilot Alert Triage Agent uses language model-powered reasoning to classify user-reported phishing emails, resolve false positives, and escalate confirmed threats for analyst review. Results show analysts identify 6.5 times more malicious alerts, improve verdict accuracy by 77%, and spend 53% more time investigating real cyberthreats. Security Copilot’s Email Summary further speeds investigations by turning email detection data into clear, actionable insights in the Email entity page.
A year into this effort, our commitment to transparent benchmarking remains unchanged. We’ll continue using these insights to shape product innovation, share real-world performance data with customers, and invest in a strong ecosystem that meets organizations where they are—supporting the layered email security strategies that work best for their environments.
The post Microsoft Defender email security benchmarking: Key insights from one year of data appeared first on Microsoft Security Blog.
Basic Information
ID
MSSECURE:A650500D4863A9781E2203D208A89002
Published
Jun 15, 2026 at 16:00