Sign In
MailGuard · 3-Way Comparison

Microsoft Defender or Hornetsecurity — when Conbool is the complementary or better choice.

In the DACH mid-market, the most common question is not „Defender or Conbool“ but „Defender alone, Defender plus a third party such as Hornetsecurity — or a German vendor with modular licensing and DACH-specific DLP“. This page lines up all three options objectively.

Request a demoMailGuard in detailAs of 2026

At a glance

Three vendors, three architectural models.

Microsoft Defender for Office 365 is native to the Microsoft 365 stack and licensed through E5 or as an add-on. Hornetsecurity is a German full suite that bundles mail security, backup and awareness in editions. Conbool MailGuard is a modular four-module package from Germany with EU-only hosting, monthly cancellation, and pre-built DACH DLP detectors.

Five questions, three answers each.

For each question, one answer from the Conbool, Defender, and Hornetsecurity perspective — with a source per column.

1. Hosting and data residency — where does data sit?

Conbool

Conbool MailGuard runs exclusively in EU data centres. The contractual party is Conbool GmbH, based in Germany. There is no failover outside the EU.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 processes data in the Microsoft cloud region of the respective M365 tenant. The exact region depends on tenant configuration, licence and service class; Microsoft documents data residency and subprocessing in the Microsoft Trust Center.

Microsoft Learn / Microsoft 365 Trust Center, learn.microsoft.com

Hornetsecurity

Hornetsecurity operates its own data centres in several regions with a focus on DACH and the EU. Headquarters are in Hannover, Germany. Region and contracting entity are set during the order process.

hornetsecurity.com, corporate and data-centre pages

Relevance: For customers with strict EU data-residency requirements, the contractual „EU-only, no failover“ commitment is clearest with Conbool. With Defender and Hornetsecurity the region is configurable and should be fixed contractually.

2. Licensing — how is it billed?

Conbool

Conbool is billed modularly per function: MailGuard, SecureMail, Disclaimer, SecureFiles — individually or as a bundle, monthly or annually, with monthly cancellation.

Microsoft Defender for Office 365

Microsoft Defender for Office 365 is billed through M365 licences. Plan 1 and Plan 2 are available as add-ons to E3 / Business Premium; Plan 2 is included in E5. Minimum terms and payment terms follow Microsoft EA/MCA.

Microsoft Learn, Microsoft 365 Licensing Guide

Hornetsecurity

Hornetsecurity primarily sells features in edition bundles (e.g. 365 Total Protection in tiers Business / Enterprise / Enterprise Backup). Some add-ons are also licensable separately.

hornetsecurity.com, product and edition pages

Relevance: Customers who want to add one module run cheapest on Conbool; customers already on E5 get Defender Plan 2 „for free“; customers wanting a full suite including backup are better served by a Hornetsecurity bundle.

3. Feature depth — what is included where?

Conbool

Conbool offers a 4-module bundle: MailGuard (inbound/outbound filter, BEC, QR filter, DLP), SecureMail (S/MIME, PGP), Disclaimer and SecureFiles. Features are enabled modularly without a full-suite licence.

Microsoft Defender for Office 365

Defender for Office 365 is M365-native and ships Safe Attachments, Safe Links, anti-phishing policies, Attack Simulation Training (Plan 2) and Threat Explorer. Depth depends on the plan; DLP runs separately through Microsoft Purview.

Microsoft Learn, „Overview of Defender for Office 365“

Hornetsecurity

Hornetsecurity ships a full suite of spam/malware filter, Advanced Threat Protection, Email Archiving, Backup (M365 Backup), Security Awareness Service and Permission Manager — depending on the edition bundle.

hornetsecurity.com, 365 Total Protection product overview

Relevance: Defender is deep inside the M365 stack, Hornetsecurity offers the widest suite including backup and awareness, Conbool focuses on the MailGuard core plus three flanking modules.

4. Defense-in-depth vs. single-vendor — alone or layered?

Conbool

Conbool can run as first layer (pre-filter in front of Defender via MX cut-over) or second layer (post-Defender). Enhanced Filtering for Connectors in Exchange Online remains functional because Conbool does not force any Microsoft-tenant binding.

Microsoft Defender for Office 365

Defender alone is single-vendor: the same cloud, the same threat intelligence, the same vendor as mailbox and identity. That simplifies the stack but provides no vendor diversification on the mail layer.

Microsoft Learn, Best Practices for Configuring Defender

Hornetsecurity

Hornetsecurity is often deployed as a second layer in front of or alongside Defender to gain vendor diversification. The full suite additionally includes backup, which Defender does not cover.

hornetsecurity.com, „Email Security“ solution pages

Relevance: Defense-in-depth strategies (e.g. BSI guidance) rely on two independent vendor stacks. Both Conbool and Hornetsecurity can play this role; choice depends on licence model, DLP needs and existing backup tooling.

5. DACH-specific DLP — how deep do the detectors run?

Conbool

Conbool MailGuard ships pre-built DACH detectors by default: IBAN with checksum, VAT IDs (DE/AT/CH-UID), Swiss AHV number, German tax ID, social-security number. Customers can add their own regex and lookup-list detectors per tenant.

Microsoft Defender for Office 365

DLP for M365 does not run in Defender, but in Microsoft Purview Data Loss Prevention. Microsoft ships predefined sensitive-info types (including DE/AT/CH specifics) that you enable in Purview policies — additional licensing through Compliance/E5 plans applies.

Microsoft Learn, „Sensitive information types in Purview DLP“

Hornetsecurity

Hornetsecurity offers DLP functionality depending on the edition (e.g. Email Encryption Policy, Content Control). Pre-built DACH detectors are less prominently documented than the focus on Email Encryption and Compliance Filter.

hornetsecurity.com, edition / feature pages

Relevance: Customers who need DACH DLP out of the box, without a separate Purview configuration, find the most direct route at Conbool; Microsoft uses Purview as central DLP layer; Hornetsecurity DLP is part of higher editions without an explicit DACH focus.

Migration

Five steps to a defense-in-depth architecture.

When Defender stays and Hornetsecurity is replaced — or Conbool is added as an additional pre-filter layer — the cut-over follows this pattern.

  1. 1. Document the current setup

    Clarify whether Defender runs alone, Defender plus Hornetsecurity, or Defender plus an on-prem gateway. MX records, connectors and mail-flow rules are captured so the cut-over can be planned.

  2. 2. Switch MX records to Conbool

    Conbool is placed as a pre-filter in front of Defender. MX records point to the Conbool endpoints; Conbool forwards clean mail via outbound connector to Microsoft 365.

  3. 3. Enable Enhanced Filtering for Connectors in Defender

    So that Defender can evaluate the real sender header (rather than the Conbool IP), Enhanced Filtering for Connectors is enabled in Exchange Online. Defender policies (Safe Links, Safe Attachments, anti-phishing) remain functional.

  4. 4. Let the Hornetsecurity licence lapse or cancel it

    If Conbool takes over the Hornetsecurity role (mail filter, DLP, encryption), the Hornetsecurity licence ends at the contract date. Backup functionality (M365 Backup) needs to be addressed separately, as Conbool does not ship a mailbox-backup solution.

  5. 5. Consolidate reporting in a SIEM

    Conbool audit log, Defender alerts and other sources feed into Microsoft Sentinel or another SIEM (e.g. Splunk). End-to-end mail-flow visibility is preserved after the cut-over.

Steps 2 to 5 typically happen inside one maintenance window. The Conbool + Defender defense-in-depth constellation is recommended as a permanent setup.

Decision aid

When to pick which — four bullet points per column.

Conbool MailGuard

  • EU-only hosting, German GmbH, no corporate parent — clear GDPR contracting.
  • Modular billing per function (MailGuard / SecureMail / Disclaimer / SecureFiles), monthly cancellation.
  • Pre-built DACH DLP detectors (IBAN, VAT ID, AHV, tax ID) included by default.
  • Works as first or second layer, compatible with Defender via Enhanced Filtering for Connectors.

Microsoft Defender for Office 365

  • Deeply integrated in the M365 stack — Safe Links, Safe Attachments, Threat Explorer with no extra routing.
  • Included in Microsoft 365 E5; available as Plan 1 or Plan 2 add-on to E3 / Business Premium.
  • Native integration with Microsoft Sentinel, Defender XDR and Purview — one shared security back-end.
  • No additional external contracting party: one vendor, one contract, one cloud.

Hornetsecurity

  • German full-suite vendor headquartered in Hannover with an established DACH sales network.
  • Mail security, email archiving, M365 backup and security awareness from a single source.
  • Established ecosystem with a large MSP/reseller base and a long market history.
  • Edition bundles (Business / Enterprise / Enterprise Backup) cover many requirements with one licence.

Industry and solution

Where the three-way pattern shows up most often.

Microsoft 365 E-Mail-Sicherheit

Defense-in-Depth-Architektur fuer Microsoft 365: Pre-Filter via MX-Switch, Enhanced Filtering for Connectors und Conbool als zweite Schicht.

Learn more

NIS-2 E-Mail-Sicherheit

Schutzmassnahmen nach NIS-2 mit Audit-Log und KRITIS-konformer Dokumentation — unabhaengig vom Microsoft-Stack.

Learn more

E-Mail-Sicherheit fuer die oeffentliche Verwaltung

EU-only-Hosting, DSGVO Art. 28 und DACH-DLP fuer Behoerden und kommunale IT-Dienstleister.

Learn more

Hornetsecurity-Alternative

Deutsche MailGuard-Alternative nach der Proofpoint-Übernahme.

Learn more

Phishing-Schutz

BEC, Spear-Phishing und QR-Code-Phishing erkennen und entfernen.

Learn more

Ransomware-Schutz E-Mail

Mehrstufige Anhang-Filter und URL-Reputation gegen Ransomware-Kampagnen.

Learn more

Spam-Filter Unternehmen

Spam und unerwünschte Massenmail mit DACH-Heuristiken filtern.

Learn more

CEO-Fraud-Schutz

BEC und CEO-Fraud-Attacken über Authentifizierungs-Layer abwehren.

Learn more

Also compared

Related comparisons.

Direct 1-on-1 comparisons or other SEG vendors in the market context.

Frequently asked questions about the 3-way comparison.

Defender, Hornetsecurity, or both plus Conbool?

In 30 minutes we map your defense-in-depth model, licence situation and MX cut-over plan.

Request a demoMailGuard in detail

Sources and version

Statements on Microsoft Defender for Office 365 are based on Microsoft Learn and the Microsoft 365 Trust Center. Statements on Hornetsecurity are based on the product, edition and corporate pages of hornetsecurity.com. Statements on Conbool are based on the company's own product documentation, T&Cs, and ISO 27001 certification of the infrastructure.

As of 2026.

Microsoft, Microsoft 365 and Microsoft Defender are trademarks of Microsoft Corporation. Hornetsecurity is a trademark of Hornetsecurity GmbH. Conbool is a trademark of Conbool GmbH. All statements without warranty of continuing accuracy.