Clarity in complexity: New insights for transparent email security
Microsoft has released its second email security benchmarking report, which evaluates how layered defense solutions perform. Using real-world threat data, it tests Microsoft Defender in combination with SEG and ICES solutions, shows how Defender's zero-hour auto purge remediates malicious email, and updates the testing methodology to reflect real deployments more accurately.
2025-12-10 17:0:0 Author: www.microsoft.com

As email threats grow more sophisticated and layered security architectures become more common, organizations need clear, data-driven insights to evaluate how their security solutions perform together. Benchmarking plays a critical role in helping security leaders understand not just individual product efficacy, but how integrated solutions contribute to overall protection.

Microsoft’s commitment to transparency continues with the release of our second email security benchmarking report, informed by valuable customer and partner feedback. Continuing our prior benchmarking analysis, this testing relies on real-world email threats observed across the Microsoft ecosystem, rather than synthetic data or artificial testing environments. The study compares environments protected exclusively by Microsoft Defender with those using a Secure Email Gateway (SEG) positioned in front of Defender, as well as environments where Integrated Cloud Email Security (ICES) solutions add a secondary layer of detection after Defender. In addition, the benchmarking analysis for ICES vendors now includes malicious catch by Defender’s zero-hour auto purge, which is a post-delivery capability that removes additional malicious emails after filtering is completed by any ICES solution in place, as shown in Figure 1. Throughout this process, we maintain the highest standards of security and privacy, to help ensure all data is aggregated and anonymized, consistent with practices used in the Microsoft Digital Defense Report 2025.

Diagram showing the integration of Secure Email Gateway (SEG) and Integrated Cloud Email Security (ICES) vendors with Microsoft Defender, highlighting layered email protection architecture.
Figure 1. Secure Email Gateway and Integrated Cloud Email Security vendor landscape.

Updated methodology for ICES vendors

In this second report, we updated our testing methodology based on discussions with partners and a deeper understanding of their architectures, to provide a more accurate and transparent view of layered email protection. First, we addressed integration patterns such as journaling and connector-based reinjection, which previously could cause the same cyberthreat to appear as detected by both Microsoft Defender and an ICES vendor even when Defender ultimately blocked it. These scenarios risked inflating or misattributing performance metrics, so our revised approach corrects this. Second, we now include Microsoft Defender zero-hour auto purge post-delivery detections alongside ICES vendor actions. This addition highlights cyberthreats that ICES vendors missed but were later remediated by Microsoft Defender, to help ensure customers see the full picture of real-world protection. Together, these changes make the benchmarking results more representative of how layered defenses operate in practice.

ICES vendors, benchmarking

Microsoft’s quarterly analysis shows that layering ICES solutions with Microsoft Defender continues to provide a benefit in reducing marketing and bulk email, with an average improvement of 9.4% across specific vendors. This helps minimize inbox clutter and improves user productivity in environments where promotional noise is a concern. For filtering of spam and malicious messages, the incremental gains remain modest, averaging 1.65% and 0.5% respectively.

Bar graph presenting benchmark data for Integrated Cloud Email Security (ICES) vendors. The image displays comparative performance metrics, such as the percentage of marketing, bulk, spam, and malicious emails filtered by ICES solutions when layered with Microsoft Defender, emphasizing incremental improvements and vendor-level details.
Figure 2. Integrated Cloud Email Security vendor benchmark data.

When looking only at the subset of malicious messages that reached the inbox, Microsoft Defender’s zero-hour auto purge on average removed 45% of malicious mail post-delivery, while ICES vendors on average contributed 55% in post-delivery filtering of malicious mail. Per-vendor details can be found in Figure 3. This highlights why post-delivery remediation is essential, even in a layered approach, for real-world protection.

Graph or chart showing the effectiveness of Microsoft Defender’s zero-hour auto purge in removing malicious emails post-delivery. The image compares the percentage of threats remediated by Defender versus ICES vendors, highlighting the importance of post-delivery remediation in layered email security.
Figure 3. Post-delivery malicious catch by Microsoft Defender.

SEG vendors, benchmarking

For the SEG vendor benchmarking metrics, a cyberthreat was considered “missed” if it was not detected pre-delivery, or if it was not removed shortly after delivery (post-delivery).

Defender missed fewer threats in this study compared to other solutions, consistent with trends observed in our prior report.

Benchmark chart comparing quarterly performance of Secure Email Gateway (SEG) vendors. The image illustrates the number of threats missed by each SEG vendor versus Microsoft Defender, based on data collected from June–August 2025, emphasizing Defender’s superior threat detection.
Figure 4. Secure Email Gateway (SEG) vendors quarterly benchmark data.

Empowering security through transparency and data

In the face of increasingly complex email threats, clarity and transparency remain essential for informed decision-making. Our goal is to provide customers with actionable insights based on real-world data, so security leaders can confidently evaluate how layered solutions perform together.

We’ve listened to feedback from customers and partners and refined our methodology to better reflect real-world deployment patterns. These updates help ensure that vendors are more accurately represented than before, and that benchmarking results are fair, comprehensive, and useful for planning.

We will continue publishing quarterly benchmarking updates and evolving our approach in collaboration with our customers and partners, so benchmarking remains a trusted resource for optimizing email security strategies. Access the benchmarking site for more information.

Learn more with Microsoft Security

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


Source: https://www.microsoft.com/en-us/security/blog/2025/12/10/clarity-in-complexity-new-insights-for-transparent-email-security/