This artifact examines structural pressure created by a significant vendor action.

In partnership with:

Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation

LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform

CybersecurityHQ operates as an External Cybersecurity Judgment of Record.
Vendor Pressure artifacts examine structural control shifts and decision exposure created by major vendor moves. These analyses inform, but do not themselves constitute, published judgments.

Dragos Inc. announced an expanded collaboration with Microsoft on February 3, 2026. The partnership integrates the Dragos Platform with Microsoft Azure, Microsoft Sentinel, and Microsoft Marketplace across four pillars: SaaS deployment of Dragos on Azure (beginning Q1 2026), native telemetry flow from Dragos into Microsoft Sentinel for unified IT/OT detection, procurement through Microsoft Marketplace with Azure consumption commitment (MACC) alignment, and coordinated go-to-market execution.

Dragos is the dominant OT cybersecurity vendor. Founded by former NSA/ICS-CERT operator Robert M. Lee, it serves energy, manufacturing, defense, utilities, and critical infrastructure. The global OT security market is projected to grow from $23.5 billion (2025) to $50.3 billion (2030), a 16.5% CAGR. Microsoft Sentinel is Microsoft's cloud SIEM. Azure is the second-largest public cloud. Microsoft Defender for IoT is Microsoft's existing OT security offering, inherited from the CyberX acquisition in 2020.

This is not an acquisition. It is a platform dependency agreement.

Frame & Tension

1. Vendor Move

An OT security specialist embedded itself inside the dominant enterprise cloud and SIEM ecosystem. Not a reseller agreement. Not a connector published to a marketplace. A structural integration where OT telemetry flows natively into Microsoft's detection and response pipeline, where Dragos is procured through Microsoft's commercial engine, and where OT security spend is counted against Azure consumption commitments.

Dragos built its reputation on air-gapped credibility: OT networks are different, IT security tools fail in industrial environments, specialized visibility requires specialized vendors. This partnership routes OT telemetry directly into an IT security platform. The signal that built the company now flows into the system the company was built to distinguish itself from.

2. Strategic Bet Being Placed

The standalone OT vendor category just admitted distribution insolvency. The addressable customer base for pure-play OT security is structurally limited by the number of organizations that operate industrial control systems and have budget authority to buy specialized security tooling. The remaining 80% of industrial organizations that lack OT visibility will never issue a standalone OT security purchase order. They will add it to their cloud commitment, or they will not buy it at all.

Dragos is wagering that Microsoft's distribution solves its growth constraint. Azure consumption commitments let OT security purchases come from existing cloud budgets rather than new security line items. Marketplace procurement eliminates the specialized sales cycle that OT security historically required. Sentinel integration means OT alerts appear in the same console where IT SOC analysts already work.

The secondary bet: OT security is being financially reclassified as cloud workload telemetry. This is not IT/OT convergence. Convergence implies two systems merging. This is one system absorbing the other's budget line. When OT telemetry flows into Sentinel and the spend counts against Azure consumption, OT security ceases to be a security category and becomes a cloud platform feature. The CISO's SOC sees OT alerts. The SOC's playbooks run against OT data. The budget comes from cloud commit. The separation was always operational, never architectural. This partnership makes the absorption explicit.

Once a CISO can fund OT security from existing Azure consumption commitments instead of fighting for a separate OT budget, the standalone OT purchasing cycle is permanently closed. No CISO reopens a budget fight they already won by reclassification. If this model succeeds, OT security will not exist as an independent budget category by 2030. It will be a line item inside cloud platform spend, indistinguishable from any other workload telemetry fee.

The tertiary bet: Microsoft needs OT credibility it cannot build. Microsoft acquired CyberX in 2020 and rebranded it as Defender for IoT. Market reception has been mixed. Industrial operators trust vendors with operational technology lineage, not cloud platform vendors extending sensor coverage into protocols they did not design. Dragos gives Microsoft what CyberX could not: an OT brand that critical infrastructure operators actually deploy. Microsoft gives Dragos what it could not build alone: a global sales channel, procurement infrastructure, and the budget line item that makes OT security a cloud expense rather than a capital request.

3. Who Loses Structural Position

Microsoft Defender for IoT. Microsoft is letting Dragos inside the commercial engine while its own OT product exists. Only three explanations survive. Either Defender for IoT failed to achieve enterprise OT credibility, and Microsoft is outsourcing the trust layer it could not build from the CyberX acquisition. Or Microsoft needs OT signal flowing through Sentinel fast enough that the internal product's timeline is unacceptable. Or Microsoft intends to absorb the telemetry, learn the detection patterns, and compress the OT security category into a platform feature once Dragos has educated the install base. The third option is the one Dragos cannot price into the partnership. It is also the one most consistent with Microsoft's historical pattern in adjacent categories: partner, learn, absorb, bundle.

Claroty's platform positioning. Claroty, Dragos's primary OT security competitor, built a multi-cloud, multi-SIEM integration strategy. It connects to Sentinel, Splunk, and AWS Security Hub with roughly equal emphasis. Dragos's native Sentinel integration and Azure SaaS deployment create a preferred-partner advantage in Microsoft-dominant enterprises. Claroty's neutrality becomes a positioning liability in environments where procurement runs through Azure.

CISOs maintaining IT/OT separation. OT telemetry flowing into Sentinel means OT incidents become IT SOC responsibilities by default. Organizations that maintained separate OT security operations, often because plant managers and OT engineers resisted IT governance over industrial systems, now face a platform architecture that unifies the data stream. The separation was a governance choice. The integration makes it a configuration setting.

Nozomi Networks and smaller OT vendors. The partnership reduces the addressable market for OT vendors without equivalent hyperscaler alignment. When OT security is procurable through Azure Marketplace and countable against cloud commitments, procurement teams will favor the option that simplifies vendor management. Every OT vendor without a comparable commercial integration becomes harder to justify on the purchase order.

4. Accountability Surface

Dragos built its authority on the premise that OT environments require specialized security that IT tools cannot provide. The partnership routes OT data into the defining IT security tool. The question: does OT telemetry retain its operational meaning when it enters an IT detection pipeline?

Industrial control system alerts carry context that IT SOC analysts are not trained to interpret. A communication anomaly on a Modbus/TCP link between a PLC and an HMI means something different from a suspicious API call to an Azure resource. When Dragos notifications surface in Sentinel, the analyst triaging the alert may lack the operational context to assess severity. A false positive in IT is wasted time. A false positive in OT can trigger an unnecessary plant shutdown. A missed alert in IT is a breach. A missed alert in OT is a safety incident.

The partnership documentation describes "unified IT/OT detection, investigation, and response." Unified detection requires that the analysts operating the unified console understand both domains. The OT security talent shortage is already acute. Routing OT alerts into IT SOCs does not create OT expertise. It creates IT analysts making OT decisions.

Dragos retains deployment control: the Dragos Platform performs the OT-specific detection and enrichment before telemetry reaches Sentinel. But the response layer, the SOC that acts on the alert, is now Microsoft's environment operating under IT security workflows. The detection is OT-native. The response may not be.
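The gap described above, where OT-native detection and enrichment happens upstream but the response runs under IT workflows, can be closed with a triage gate in the response layer. The following is an added illustration, not Dragos or Microsoft code; the alert field names, action names and sample alerts are all constructed for the example.

```python
"""Constructed example: gate automated SOC response so that IT-style
containment is never run unattended against an OT asset, and so that an
OT alert whose enrichment was lost at ingestion is held for OT review."""
from dataclasses import dataclass, field

# Context an OT-native detector would attach before forwarding to the SIEM.
# Hypothetical field names, not a vendor schema.
OT_CONTEXT_FIELDS = ("asset_role", "protocol", "zone", "process_impact")

# IT containment actions that can interrupt a physical process if automated.
DISRUPTIVE_ACTIONS = {"isolate_host", "block_ip", "kill_process"}

@dataclass
class Decision:
    route: str                      # it_soc_auto | ot_review | ot_review_context_lost
    allowed_actions: list = field(default_factory=list)
    reason: str = ""

def triage(alert: dict, proposed_action: str) -> Decision:
    """Decide whether the proposed response may run automatically."""
    if alert.get("domain") != "OT":
        return Decision("it_soc_auto", [proposed_action], "IT alert, normal playbook")
    missing = [f for f in OT_CONTEXT_FIELDS if not alert.get(f)]
    if missing:
        # Enrichment was stripped on the way in; an IT playbook must not decide.
        return Decision("ot_review_context_lost", ["notify_ot_engineer"],
                        f"OT alert missing context {missing}; hold for OT team")
    if proposed_action in DISRUPTIVE_ACTIONS:
        return Decision("ot_review", ["notify_ot_engineer"],
                        f"{proposed_action} may interrupt process; OT sign-off required")
    return Decision("it_soc_auto", [proposed_action], "non-disruptive action on OT asset")

# Constructed sample alerts, not real telemetry.
PLC_ALERT = {"domain": "OT", "protocol": "Modbus/TCP", "asset_role": "PLC",
             "zone": "cell-3", "process_impact": "line stop",
             "summary": "unexpected write to holding registers"}
STRIPPED_ALERT = {"domain": "OT", "summary": "unexpected write to holding registers"}
CLOUD_ALERT = {"domain": "IT", "summary": "suspicious Azure API call"}

if __name__ == "__main__":
    for alert, action in ((PLC_ALERT, "isolate_host"),
                          (STRIPPED_ALERT, "isolate_host"),
                          (CLOUD_ALERT, "isolate_host")):
        d = triage(alert, action)
        print(d.route, d.allowed_actions, d.reason)
```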

5. Structural Exposure

Platform dependency is irreversible. Once OT telemetry pipelines route through Sentinel, switching costs compound. Detection rules reference Sentinel schemas. Response playbooks trigger Sentinel workflows. Budget categorization assumes Azure consumption alignment. Dragos becomes structurally difficult to extract from Microsoft's ecosystem. This protects Dragos's installed base from competitive displacement. It also makes Dragos's product roadmap dependent on Microsoft's platform decisions.

Microsoft's competitive endgame is visible. The partnership turns Dragos into Microsoft's OT training data layer. Every byte of OT telemetry flowing through Sentinel trains Microsoft's detection models on industrial protocols. Every Marketplace transaction maps the OT buyer persona. Every MACC-aligned deal teaches Microsoft's sales organization how to position OT security. Dragos is embedding inside an ecosystem that is simultaneously a distribution partner and a competitive intelligence pipeline. The trigger for replacement is not technical. It is the moment Microsoft's internal OT detection reaches "good enough" for the 80% of industrial organizations that lack specialized OT expertise. Dragos serves the top of the market. Microsoft only needs the middle.

The deeper exposure is psychological. When OT alerts appear in Sentinel alongside cloud misconfigurations and endpoint detections, the CISO mentally reclassifies OT as another log source. Not a separate domain. Not a safety-critical environment with distinct failure modes. Another row in the alert queue. The day OT looks like any other telemetry feed inside the SOC console, the category has already been absorbed. The technical integration precedes the cognitive integration. Both are irreversible.

SaaS deployment in OT environments contradicts operational constraints. Many industrial environments restrict cloud connectivity for safety and regulatory reasons. Nuclear facilities, classified defense manufacturing, and critical utility operations maintain air-gapped or heavily segmented networks. The Azure SaaS deployment option serves the modernizing segment of Dragos's market. It does not serve the most security-sensitive segment, which is also the segment where Dragos's brand authority is strongest. The partnership optimizes for the growth market at the potential expense of the credibility market.

The go-to-market alignment creates a selection bias. Organizations procuring OT security through Azure Marketplace are, by definition, organizations with significant Microsoft cloud investment. These are not the most challenging OT security environments. They are the most commercially accessible. The partnership optimizes Dragos's revenue growth. Whether it optimizes protection for the environments that need OT security most is a separate question.
