Azure Security: Secure Score and Recommendations
Overview
The Spotto Security page is a focused view of Azure secure score and the security recommendations that move it. It’s built for the recurring problem of “we have a lot of findings — which fixes actually change our posture?”

Feature overview
Security in Spotto combines:
- Your subscription secure score (from Microsoft Defender for Cloud / Azure Security Center)
- Security control groups (max score, current score, and potential score increase)
- The recommendations inside each control, so you can prioritise the fixes with the most impact
- A Spotto Suggested section for Spotto security best-practice recommendations that don’t map to a Defender control (but still matter)
Secure score itself is a percentage: points earned across all security controls divided by the points available for the subscription. Clearing higher-impact controls moves it faster than grinding through low-value fixes.
Why use this? (Jobs, pains, gains)
Jobs to be done
- When I’m improving security posture, I want to rank the fixes that raise secure score the most, so I can ship meaningful improvements (not just close tickets).
- When I’m working subscription-by-subscription, I want a single control-oriented view, so I can quickly identify the weakest controls and the resources driving them.
- When leadership asks “are we safer?”, I want a percentage and a backlog I can point at, so progress isn’t a vibes-based conversation.
Common pains
- Secure score is easy to see; it’s harder to see which work items actually move it.
- Recommendation lists are noisy, and it’s not obvious which ones are part of the same control.
- Platform/Security teams need to translate provider guidance into “what do we fix first?” priorities.
What you gain
- A control-group view sorted by potential score increase, so “highest impact first” is the default.
- Quick signals for progress: Completed vs Unassigned and resource health (Healthy / Unhealthy / Not applicable).
- A separate Spotto Suggested group for best-practice items that improve hygiene even when they don’t change secure score.
Key capabilities
Where to find it
In the Spotto Portal, open your company and navigate to Security in the left-hand navigation.
Select a subscription to scope the view
Use the subscription selector at the top of the page to pick a subscription. The Security page is single-subscription today, because secure score is a subscription-scoped metric and the goal is prioritisation without averaging everything together.
If no subscription is selected, the page stays empty until you pick one.
See secure score, backlog size, and resource health
The summary cards show:
- Secure score (0–100%)
- Active secure score recommendations (count of active vs total recommendations)
- Resource health distribution (Healthy / Unhealthy / Not applicable)
Prioritise by security control impact
The main table groups recommendations by security control. Each group includes:
- Max score and current score
- Potential score increase (what you’d gain by clearing the control’s remaining findings)
- Unhealthy resources count, plus a health bar for quick triage
Groups are sorted by potential score increase (highest first), so you can start with the work that has the biggest material impact.
Expand a control to see the recommendations inside it
Click a security control group row to expand it and see the individual recommendations. Click a recommendation name to open its Recommendation Details page (so you can review affected resources, remediation guidance, and sharing/ticketing actions).
Spotto security best practices (Spotto Suggested)
Not every useful security improvement maps cleanly to a Defender control. The Spotto Suggested group is where Spotto includes security best-practice recommendations that:
- May not directly increase secure score
- Still reduce risk and improve baseline hygiene
- Use the same recommendations workflow as everything else (details, affected resources, and sharing)
Search and export
- Search the table by recommendation name or description.
- Export the current control list to CSV (this export is control-level summary data, not the expanded recommendation rows).
Technical reference (what the Security page uses)
| Component | Details |
|---|---|
| Inputs | Microsoft Defender for Cloud secure score + control scoring, Azure Advisor / Defender recommendations and security assessment statuses, and Spotto Suggested best-practice recommendations. |
| Outputs | Summary cards, a grouped control table (expandable into recommendations), navigation into recommendation detail pages, and CSV export. |
| Defaults | Sorted by potential score increase (highest first). “Spotto Suggested” is pinned at the top. Security is currently single-subscription. |
How it differs from Azure-native security views
Defender for Cloud is the source of truth for secure score and control scoring, but Spotto optimizes for the operating question: “what should we fix first, and which resources are involved?”
Spotto’s Security page focuses on:
- Control-group prioritisation by potential score increase
- A clear split between secure-score-driving work vs best-practice work (Spotto Suggested)
- One-click drill-in to the same recommendation detail workflow you use elsewhere in Spotto
How it works (high level)
- You pick a subscription.
- Spotto loads security recommendations and any control scoring details for that subscription.
- Recommendations are grouped under their matching security controls; additional best-practice items appear under Spotto Suggested.
- Each control shows scoring and resource health rollups so you can prioritise remediation work.
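The scoring and ordering described on this page, worked through in Python as an added example (not Spotto's or Microsoft's code). The control names and point values are constructed sample data, and treating potential increase as max score minus current score is an assumption.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

PINNED_GROUP = "Spotto Suggested"  # pinned first, per the page's stated default

@dataclass(frozen=True)
class Control:
    name: str
    max_score: Optional[float]      # None: group carries no secure-score points
    current_score: Optional[float]

    @property
    def scored(self) -> bool:
        return self.max_score is not None and self.current_score is not None

    @property
    def potential(self) -> float:
        # Assumption: potential increase = points not yet earned in the control.
        return self.max_score - self.current_score if self.scored else 0.0

def secure_score(controls: List[Control]) -> Optional[float]:
    """Points earned / points available, as a percentage (None if unscored)."""
    scored = [c for c in controls if c.scored]
    available = sum(c.max_score for c in scored)
    if available == 0:
        return None
    return round(100 * sum(c.current_score for c in scored) / available, 1)

def prioritise(controls: List[Control]) -> List[Control]:
    """Pinned group first, then highest potential score increase."""
    return sorted(controls, key=lambda c: (c.name != PINNED_GROUP, -c.potential))

def score_if_cleared(controls: List[Control], name: str) -> Optional[float]:
    """Secure score after every finding in one control is remediated."""
    return secure_score([replace(c, current_score=c.max_score) if c.name == name
                         else c for c in controls])

# Constructed sample data, not taken from a real subscription.
SAMPLE = [
    Control("Secure management ports", 8, 8),
    Control("Apply system updates", 6, 3),
    Control("Enable MFA", 10, 4),
    Control(PINNED_GROUP, None, None),
    Control("Remediate vulnerabilities", 6, 1.5),
]

if __name__ == "__main__":
    print(secure_score(SAMPLE), [c.name for c in prioritise(SAMPLE)])
```

Unscored groups are excluded from both the numerator and the denominator, which is why clearing Spotto Suggested items leaves the percentage unchanged.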
Troubleshooting
The page is empty / I don’t see any security data
What you’re seeing: Empty state or “No security recommendations found”.
Likely causes:
- No subscription selected.
- The subscription is still onboarding/syncing (not “ready” yet).
- The subscription has limited Defender for Cloud coverage, so fewer controls are populated.
How to fix:
- Select a subscription in the subscription picker.
- If the subscription is still syncing, wait for ingestion to complete and refresh.
- Confirm Defender for Cloud is enabled for the subscription if you expect secure score data.
Spotto Suggested items don’t change secure score
What you’re seeing: Best-practice recommendations are listed, but max/current score fields are blank.
Likely cause: Spotto Suggested recommendations don’t map to Defender controls, so they don’t contribute to secure score.
How to fix: Treat these as “hygiene improvements” rather than secure-score levers; prioritise them based on risk and operational context.
I can’t compare multiple subscriptions on this page
What you’re seeing: You can only select one subscription.
Why: Security posture is easiest to prioritise subscription-by-subscription without averaging scores together.
How to fix: Use Trend Tracker to compare secure score trends across multiple subscriptions.