Microsoft Active Protections Program

The Microsoft Active Protections Program (MAPP), led by the Microsoft Security Response Center (MSRC) is a trusted partnership designed to help defensive security providers deliver timely, effective protections to customers following Microsoft’s Update Tuesday. 

By sharing detection guidance ahead of Microsoft’s Update Tuesday, MAPP enables partners to proactively develop protections against vulnerabilities and deploy those to endpoint security agents, intrusion prevention systems, and managed services before threats can be exploited in the wild. 

As a MAPP partner, you’ll receive: 

• Early access to guidance before Microsoft’s Update Tuesday

• Technical details to help you build protections quickly and accurately

• Occasional tools like proof-of-concept code or system artifacts to support testing

• Access to including malicious URLs, file hashes

• Opportunities to share telemetry and threat data with Microsoft to strengthen collective defense

Microsoft’s goal is to help partners deliver meaningful protections to customers quickly, reliably, and responsibly. The eligibility criteria for MAPP are designed to ensure that participating organizations are well-positioned to contribute to this mission.

These criteria help us work with a diverse range of security providers who can effectively use early guidance to protect customers across cloud and on-premises environments. We continuously review and refine the criteria based on partner feedback and evolving security needs, so the program remains inclusive, impactful, and aligned with our shared commitment to customer safety.

To be eligible for MAPP, your organization must: 

• Sign a Non-Disclosure Agreement (NDA) with Microsoft

• Strictly follow Coordinated Vulnerability Disclosure practices

• Strictly adhere to the Security Testing Rules of Engagement

• Provide commercial security products or services that actively protect Microsoft customers

• Do not engage, sell, or create products used to attack or weaken the security posture of networks or applications. For example, penetrating testing tools or exploit frameworks.

• Actively create security protections based on MAPP guidance (not rely on third-party signatures)

• Demonstrated ability to protect Microsoft’s data prior to public release 

• Disclose any obligations to report vulnerabilities to third-parties

• Be able to send and receive data via an API

You can reach out to us directly at MAPP@microsoft.com.

MAPP offers four tiers to support partners at different levels of maturity and capability:

Tier	Access Timing	Who It’s For
MAPP Entry	6 hours before Patch Tuesday	All new partners start here. Ideal for organizations beginning their MAPP Journey
MAPP Entry+	24 hours before Patch Tuesday	For partners with a proven track record and no mandatory disclosure obligations
MAPP ANS	5 days before Patch Tuesday	For experienced partners who actively share threat data and deploy protections effectively.
MAPP Validate	Invite-Only	For select, highly Trusted partners who help test and validate Microsoft’s protection guidance

MAPP Entry is the starting point for all new MAPP partners. It provides access to general information six hours before Microsoft’s Update Tuesday release.

This tier is designed to help new partners begin building protections with Microsoft’s support. It’s a great way to get familiar with the program, demonstrate value, and grow into deeper levels of collaboration over time.

MAPP Entry+ is a foundational tier for defensive security vendors who are ready to take a more active role in customer protection. Partners in this tier receive guidance 24 hours before Microsoft’s Update Tuesday release.

Entry+ is ideal for organizations that do not have mandatory disclosure requirements and are committed to using Microsoft’s guidance to build timely, effective protections. It’s a great next step for partners who have successfully participated in the Entry tier and are ready for a deeper engagement.  

MAPP ANS (Advance Notification Service) is the second tier of MAPP, offering qualified partners access to guidance five days before Microsoft’s Update Tuesday release. 

This tier is designed for experienced security providers who have demonstrated consistent participation, effective deployment of customer protections, and a commitment to sharing threat intelligence with Microsoft. Like other advanced tiers, MAPP ANS requires that partners do not have a mandatory disclosure obligation, ensuring that sensitive information remains protected until public release. 

MAPP Validate is a specialized, invite-only tier of MAPP designed for highly trusted partners who want to go a step further in shaping protective guidance. Members of this community help test Microsoft’s guidance providing valuable feedback to improve the quality and effectiveness. 

Participation is limited and selective, ensuring a high level of engagement and impact. Partners in MAPP Validate are expected to maintain a strong reputation in the security ecosystem, actively contribute to threat intelligence sharing, and operate without mandatory disclosure obligations. This tier is ideal for organizations that want to collaborate deeply with Microsoft to refine and validate protections before they reach customers. 

MAPP for Responders is an extension of MAPP designed for organizations that may not meet the criteria for MAPP but are still deeply committed to detecting and hunting threats.

The program is tailored for incident responders, CERTs, and other trusted security organizations that play a critical role in identifying, analyzing and responding to threats in real time.

While MAPP for Responders does not provide the same early access to guidance. It offers access to the Clean File Metadata Feed (CFMD) which provides hashes of Microsoft binaries to help reduce false positive detections and access to the Bing Malicious URL feed for enhanced threat detection.

If your organization is interested in joining MAPP for Responders, we’d love to hear from you. Reach out to mapp@microsoft.com to explore whether this program is the right fit.  

To remain in good standing, MAPP Partners must: 

• Use Microsoft’s guidance to create active protections

• Submit a report 10 days after Update Tuesday providing feedback on the data Microsoft provided during the release cycle to allow for future improvements.

• Submit a second report 30 days after Patch Tuesday detailing which CVEs received protections and telemetry on those protections 

• Meet all reporting and protection creation requirements

• Practice CVD at all times

All MAPP partners must demonstrate value in protecting customers by sharing telemetry on deployed signatures.  

For partners located in countries with mandatory disclosure requirements, Microsoft limits participation to MAPP Entry tier. These organizations receive general security information six hours prior to Update Tuesday but do not receive proof-of-concept (PoC) code. This approach ensures compliance with local regulations while maintaining responsible disclosure standards and protecting customer security.

Microsoft believes in equitable sharing of security information. There is no one formula for what can be shared, but the data should generally help raise awareness of possible threats in the ecosystem. Some examples of shared data are File Hashes, Malicious IP Addresses, File Names Associated with Known Attacks, Detonation Data, Indicators of Compromise (all types).

In MAPP, active security protections refer to the proactive defenses that security providers build to detect and block threats, before a Microsoft security update is deployed.

These protections are designed to help prevent exploitation attempts in real time. For example, security endpoint definitions that alert on malicious behavior or intrusion prevention system (IPS) signatures that prevent attacks are considered active protections. Security solutions that only focus on detection (e.g. intrusion detection systems) do not qualify.  

You can locate the GSPSUP PGP key here.