Do Son 
Microsoft has published the second report on the progress of its Secure Future Initiative (SFI) — the most ambitious cybersecurity undertaking in the company’s history. Under the leadership of Charlie Bell, Executive Vice President of Microsoft Security, the initiative has harnessed the collective effort equivalent to 34,000 engineers over the span of 11 months, dedicated to strengthening defenses not only for Microsoft itself, but for its customers and the industry at large.
Launched in response to escalating cyber threats, the initiative prompted a fundamental overhaul of Microsoft’s security philosophy, elevating protection to a top priority for every employee. Today, 99% of Microsoft’s workforce has completed mandatory training in information security and trusted software development, while over 50,000 employees have advanced their skills through the Microsoft Security Academy.
Transformative changes to development culture lie at the heart of the initiative. Microsoft introduced the Secure by Design UX Toolkit, a suite of tools that has already been tested and implemented by 20 product teams. Now available to 22,000 employees and open to external users, this toolkit is driving the adoption of secure development practices. Additionally, 11 new security features — enabled by default — have been deployed across Azure, Microsoft 365, Windows, and Microsoft Security.
Special emphasis has been placed on secure development for AI systems. The internal Artificial Generative Intelligence Safety and Security division now oversees the integrity of AI-based solutions. Newly instituted policies and protocols have successfully prevented an estimated $4 billion in fraudulent activity.
Significant progress has also been made in the wake of the Storm-0558 attack in 2023. In response, Microsoft transitioned token-signing keys for Entra ID and Microsoft Account to hardware security modules and Azure confidential virtual machines. These keys now rotate automatically and are protected through a layered Defense-in-Depth strategy. Currently, 90% of Microsoft tokens utilize the updated secure SDK, and 92% of internal accounts are safeguarded by phishing-resistant multi-factor authentication.
Substantial efforts have been directed toward limiting lateral movement by attackers within the infrastructure. To that end, 88% of resources have been migrated to Azure Resource Manager, 6.3 million unused tenants have been removed, and access to 4.4 million managed identities has been restricted via network-based controls.
Microsoft also reports near-complete visibility of its network assets (99%), the implementation of enhanced perimeter and DNS-layer protections, and the integration of over 200 new threat detection rules, soon to be included in Microsoft Defender. At present, 97% of Microsoft’s infrastructure is monitored centrally, and security logs are retained for no less than two years.
To uncover vulnerabilities before they are exploited, Microsoft continues to lead its Zero Day Quest, which has already identified 180 issues across cloud and AI systems. The company’s risk assessment program now encompasses a broader range of products. In a further organizational refinement, Microsoft created the role of Deputy CISO for Business Applications, consolidating security oversight for Microsoft 365 and other divisions. All 14 deputies have completed a risk inventory, facilitating the creation of a unified, prioritized security roadmap.
Of the 28 strategic objectives outlined in the SFI, five are nearing completion, with another eleven making significant strides. Microsoft underscores that its platforms have become materially more resilient, and its threat detection capabilities demonstrably more effective. By openly sharing tools like the UX Toolkit with the broader community, Microsoft is actively fostering a culture of security across the entire technology ecosystem.
