This is the Trace Id: 6c28596548c920ba584e7adbbb3a7a4d
Image
Secure Future Initiative

July 2026 SFI progress report

The Microsoft Secure Future Initiative (SFI) is how we embed security across culture, governance, and engineering, and strengthen our ability to adapt as quickly as adversaries do.
 A blue and purple gradient background with white text that reads Microsoft Secure Future Initiative Security above all else.
AI has reshaped both sides of cybersecurity. Attackers use frontier models to discover vulnerabilities, chain attack paths, and scale exploitation faster than manual approaches allow. Every defensive improvement drives attacker adaptation: close one path, attackers move to the next.

The same capabilities are accelerating the defense. AI lets us detect, evaluate, and remediate faster than manual review ever could, turning the shift into an advantage. Whether defending against traditional attacks, or AI-led attacks, security is continuous, not a destination. It cannot be treated as a milestone or a point-in-time investment. It is a discipline: designed in, enabled by default, continuously validated, and re-evaluated as the threat landscape evolves.

The Secure Future Initiative (SFI) is how we operationalize that discipline at Microsoft: embedding security across culture, governance, and engineering, and strengthening our ability to adapt as quickly as attackers do.

SFI stringently applies Zero Trust principles as controls embedded directly into platforms, engineering pipelines, and governance systems. The goal is that every identity is verified, every access is governed, every resource is protected through consistent policy enforcement, and controls are standardized, measured, and enforced across services so that protections persist as environments evolve and new threats emerge.

In this fourth SFI report, the updates reflect meaningful progress that has improved security for Microsoft and our customers: three objectives have reached their target state, three are nearing completion, and twelve have made significant progress.

Read more about our progress.
We’re sharing progress made against SFI pillars and objectives through three themes that make it easier to see how individual controls contribute to broader security outcomes.

Secure Foundations
: Reduced risk through hardening, secure engineering baselines, asset inventory, segmentation, security boundary isolation, and enforcement-by-default.

Proactive Defense: Used AI, high-quality telemetry, security signals, and behavior-based detection to identify real risk earlier, prioritize what matters, and respond decisively.

Future Readiness: Preparing for emerging risks including post-quantum cryptography.
  • SFI was created to improve the security posture of Microsoft, not incrementally, but systemically. We have made significant progress strengthening our foundation: hardening identity controls, defining explicit tenant boundaries, enforcing engineering defaults, and applying continuous validation across layers.

    Read more about our secure foundations
  • Traditional defenses remain essential, but alone cannot keep pace with AI-accelerated threats. As attackers use AI and agentic techniques to discover and exploit vulnerabilities faster, defense must shift from reactive controls to proactive, continuous assessment.

    Read more about our proactive defense
  • Emerging threats are evolving faster than traditional planning cycles. Future-ready security is about anticipating structural risks early and building resilience before those risks become operational incidents.

    Read more about our future readiness

 

Culture

The progress we have made is the result of daily security work done by our employees. We continue to reinforce a culture that puts security first, strengthening performance expectations, engineering practices, and training and enablement. Read more about how security is embedded in how we work, lead, and how we measure impact in the full report.

Governance

We continue to evolve our governance model to address the threat landscape and growing regulatory complexity. Read more about how our governance approach is designed to strengthen accountability, reduce silos, and ensure cybersecurity risk decisions reflect both technical reality and business impact in the full report.

Secure by Design, Secure by Default, and Secure Operations

Our approach to security continues to build on the established principles of Secure by Design, Secure by Default, and Secure in Operations.
  • Azure Integrated HSM strengthens hardware-rooted trust for cloud and AI workloads through hardware-backed cryptographic key protection with increased transparency across published firmware, drivers, and software components.

    Read more about Azure in the full report
  • Baseline security mode enforces secure-by-default configurations by reducing exposure from legacy settings. Microsoft Entra managed identities enable scoped authentication, policy enforcement, and lifecycle governance for enterprise AI agents.

    Read more about Microsoft 365 in the full report
  • Windows authentication modernization advances platform trust by combining PQC capabilities for certificates, digital signatures, and TLS. A default kernel trust policy in Windows 11 ensures only drivers signed through the Windows Hardware Compatibility Program can load by default, and Surface for Business new devices incorporate memory-safe Rust-based firmware.

    Read more about Windows in the full report

  • Microsoft Security multi-model agentic scanning system (codename MDASH) strengthens vulnerability management through multi-model AI-driven scanning capability and Nation State Notifications in Microsoft Defender surfaces actionable nation-state, ransomware, and fraud intelligence, including attributed threat actor context, directly within Microsoft Defender.

    Read more about Microsoft Security in the full report
Image
Engineering Pillars

The six SFI pillars include objectives that define our approach to security

The work evolves continuously as the risk landscape changes. 
A person sitting at a desk using a laptop.
SFI Progress Report

Read the full July 2026 SFI Progress Report

We look forward to sharing continued progress, lessons learned, and practical guidance as we work together to build a safer digital future.
Image
Resources

Explore Secure Future Initiative resources

 A person using a laptop displaying a 'Secure Future Initiative' presentation while working at a wooden desk with a coffee mug.
SFI progress report

Hear from our Engineering leaders

Read Salim Chawro's thoughts on the July 2026 SFI Progress Report
 A presenter pointing to a world map during a conference.
SFI patterns and practices

Scale securely following SFI patterns and practices

Each pattern offers practical, repeatable guidance to address real-world risks.
 Two persons have a cheerful conversation
Secure Future Initiative

Join in Microsoft’s commitment to security above all else

Security is never finished. Every advance in technology creates new opportunities, new risks, and new responsibilities.
 A blue and purple gradient background with white text that reads Microsoft Secure Future Initiative Security above all else.
SFI Progress Report

November 2025 SFI Progress Report

See the snapshot of where we were in November.

Follow Microsoft

English (United States) Consumer Health Privacy Sitemap Contact Microsoft Privacy Manage cookies Terms of use Trademarks Safety & eco Recycling About our ads