Several platform behaviors in Microsoft Defender for Cloud (MDC) can cause the number and severity of recommendations to change over time, even when no remediation is performed on the resources:
- Severity model changes by Microsoft
  Defender for Cloud periodically reevaluates and updates the severity classification of recommendations. For example, in March 2025 a new Critical severity level was introduced and existing recommendations were reclassified across Low, Medium, High, and Critical. Such backend changes can:
  - Move recommendations from Low to Medium/High/Critical (or vice versa).
  - Change how many recommendations appear in each severity bucket on different dates.

  This can directly explain why the count of Low‑severity recommendations drops without any action on the resources.
- Risk-based calculation and context-aware engine
  MDC uses a context-aware risk‑prioritization engine that factors in configuration, network exposure, attack paths, and other environmental context to calculate risk level. As that context changes (for example, network paths, exposure, or related assets change), the risk level and therefore the effective prioritization of recommendations can change, even if the specific resource configuration for a given recommendation was not manually remediated.
- Transition from “Not evaluated” to severity-based risk
  In March 2026, recommendations that previously appeared as Not evaluated started receiving a risk level derived from their severity. This:
  - Removed the Not evaluated state for customers without Defender CSPM.
  - Caused recommendations to be re‑distributed into severity‑based risk buckets.

  As a result, historical comparisons (e.g., counts on May 1 vs May 31) can show shifts in the number of recommendations per severity level, even if the underlying issues were unchanged.
- Ongoing tuning of individual recommendation severities
  Microsoft also adjusts the severity of specific recommendations over time (for example, the recommendation “Sensitive data in your SQL databases should be classified” was changed from High to Low). Similar tuning for other recommendations can:
  - Reduce or increase the number of Low‑severity items.
  - Move recommendations between severity bands without any customer remediation.
- Impact on Secure Score and reporting
  Because both recommendation severity and asset context feed into risk level and Secure Score, any platform‑side change to severity logic or risk evaluation can change:
  - The risk level assigned to existing recommendations.
  - The counts shown in reports filtered by severity or risk.
In combination, these platform updates and context‑aware recalculations are the likely reason the Low‑severity, risk‑based recommendation count decreased from 26,000 to 20,000 over the month, even though no remediation was performed.
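
One way to check this explanation against exported data, as an added example that is not part of the original answer or any Microsoft tooling: join two recommendation snapshots on resource and recommendation, then attribute each change in the open Low count to reclassification, a health-state change, or the finding no longer being reported. The snapshot rows are constructed, and the column names (`resource_id`, `recommendation`, `severity`, `state`) are assumptions to map onto your own export.

```python
import csv
import io
from collections import Counter
# Constructed sample exports (not real data). Column names are assumptions;
# map them to whatever your CSV or Resource Graph export actually contains.
START = """resource_id,recommendation,severity,state
vm-01,Rec A,Low,Unhealthy
vm-02,Rec A,Low,Unhealthy
sql-01,Rec B,Low,Unhealthy
st-01,Rec C,Low,Unhealthy
st-02,Rec D,High,Unhealthy
"""
END = """resource_id,recommendation,severity,state
vm-01,Rec A,Low,Unhealthy
vm-02,Rec A,Low,Healthy
sql-01,Rec B,Medium,Unhealthy
st-02,Rec D,Low,Unhealthy
"""

def load(text):
    # Index rows by (resource, recommendation) so the snapshots can be joined.
    rows = csv.DictReader(io.StringIO(text))
    return {(r["resource_id"], r["recommendation"]): r for r in rows}

def is_open_low(row):
    return row["severity"] == "Low" and row["state"] == "Unhealthy"

def explain_low_delta(start_text, end_text):
    """Attribute every change in the open Low-severity count to a cause."""
    start, end = load(start_text), load(end_text)
    causes = Counter()
    for key, old in start.items():
        if not is_open_low(old):
            continue
        new = end.get(key)
        if new is None:
            causes["left: no longer reported"] += 1
        elif new["state"] != "Unhealthy":
            causes["left: resource now healthy"] += 1
        elif new["severity"] != "Low":
            causes[f"left: reclassified Low->{new['severity']}"] += 1
        else:
            causes["unchanged"] += 1
    for key, new in end.items():
        if is_open_low(new) and not (key in start and is_open_low(start[key])):
            causes["entered: new or reclassified into Low"] += 1
    return causes

if __name__ == "__main__":
    print(dict(explain_low_delta(START, END)))
```

A large "reclassified" share with few "resource now healthy" rows supports a platform-side cause; a large "resource now healthy" share points to configuration changes that someone or something actually made.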