Security Center provides a range of features, from basic protection to value-added services, to meet various security needs. This topic describes the billing methods, billing rules, and cost structure of Security Center to help you make an informed purchase decision based on your requirements.
Billing overview
Billing methods and billable items
Security Center supports two billing methods: subscription and pay-as-you-go. The billing method determines how Alibaba Cloud settles your fees. Different features are available depending on the billing method.
Regardless of the billing method you choose, you have access to the features of the Free Edition. For more information, see Introduction to the Free Edition of Security Center.
Criteria | Subscription (upfront) | Pay-as-you-go |
Billing characteristics | Pay a fixed cost monthly or yearly. This makes budget management easier. | Pay for what you use. This method is flexible and requires no upfront investment. |
Billable items | Fee = Edition fee + Value-added service fee (optional).
| Fee = Basic service fee + Feature usage fee.
|
Supported features
Subscription
Version Service:
Anti-virus: Provides detection and removal of common host viruses.
Advanced: Provides host virus detection, virus removal, vulnerability detection and fixing, and security reports.
Enterprise: Meets the requirements for host intrusion prevention, identity authentication, and security audits.
Ultimate: Provides full-stack security protection for hosts, containers, and Intelligent Computing LINGJUN servers. This edition includes K8s threat detection, Container Asset Overview, security alerts, virus removal, vulnerability detection, Asset Fingerprints, and attack chain analysis.
Value-added services: You can also purchase value-added services such as Vulnerability Fixing, Agentic SOC, Anti-ransomware, and CSPM (CSPM).
Pay-as-you-go
Basic features: By default, this billing method supports DingTalk Robot, security reports, and Task Hub. To use Task Hub, you must first enable or purchase the vulnerability fixing feature.
Billable features: You can purchase pay-as-you-go features such as Host and Container Security, Vulnerability Fixing, Serverless Asset Protection, Log Management, and Agentic SOC.
For more information about the features, see Features and Purchase Security Center.
Detailed billing information
The billable items for Security Center vary based on the edition and value-added services that you purchase. The prices in this topic are for reference only. For the actual prices, see the Security Center purchase page.
Subscription
Billing formula
Edition | Billing method |
Anti-virus | (Number of cores × Edition fee + Value-added feature fee) × Subscription duration Note The number of cores is the total number of virtual CPUs (vCPUs) of all servers in your assets. |
Advanced | (Number of protected servers × Edition fee + Value-added feature fee) × Subscription duration Note The number of protected servers is the total number of servers protected by Security Center. This includes purchased Alibaba Cloud ECS instances and non-Alibaba Cloud servers with the Security Center client installed. |
Enterprise | |
Ultimate | (Number of protected servers × Edition fee + Number of server cores × Edition fee + Value-added feature fee) × Subscription duration Note The Ultimate Edition provides full-stack security protection for hosts, containers, and Intelligent Computing LINGJUN servers. This includes K8s threat detection, Container Asset Overview, security alerts, virus removal, vulnerability detection, Asset Fingerprints, and attack chain analysis. |
Value-added Plan | Value-added feature fee × Subscription duration |
Edition fees
Billable item | Anti-virus | Advanced | Enterprise | Ultimate | Value-added Plan | |
Edition fee | USD 1 per core per month | USD 9.5 per server per month | USD 23.5 per server per month | USD 23.5 per server per month + USD 1 per core per month | No fee is charged if you do not purchase basic features. | |
Value-added feature fees
Vulnerability Fixing
Billing method: This feature is billed based on the number of vulnerability fixes that you purchase.
NoteOne fix is consumed when a vulnerability bulletin is successfully fixed on a single server. Failed fixes do not consume your quota.
Billing rules:
Anti-virus: USD 0.3 per fix per month (Minimum purchase of 20 fixes).
Advanced, Enterprise, and Ultimate: No extra fee is charged. You can use this feature an unlimited number of times.
Value-added Plan: USD 0.3 per fix per month (Minimum purchase of 20 fixes).
CSPM (CSPM):
Billing method: This feature is billed based on the number of successful scans, verifications, and fixes that are performed for each check item on cloud product instances.
Billing rules: All editions have the same pricing. Tiered pricing is used based on the total number of successful scans, verifications, and fixes for each check item on each cloud product instance. The minimum purchase is 15,000 checks, with a step size of 55,000 checks. The prices are as follows:
0 to 100,000: USD 0.0009 per check.
100,001 to 500,000: USD 0.00069 per check.
More than 500,000: USD 0.000625 per check.
NoteAn instance refers to a specific network device or application instance, such as a bucket in Object Storage Service (OSS) or a security group for an ECS server. For more information, see Cloud Security Posture Management overview.
Application Protection (RASP):
Billing method: This feature is billed based on the number of authorizations that you purchase.
NoteThe number of authorizations refers to the number of instances that are protected by the RASP feature. For example, in Application Protection, one protected application process (pod) is counted as one authorization.
Billing rules: All editions are billed based on the number of purchased authorizations. The more authorizations you buy, the lower the unit price.
50 or fewer authorizations: USD 6 per authorization per month.
51 to 200 authorizations: USD 4.5 per authorization per month.
More than 200 authorizations: USD 3 per authorization per month.
Web Tamper Proofing:
Billing method: This feature is billed based on the number of tamper-proofing services (websites to be protected) that you purchase.
Billing rules: All editions have the same pricing: USD 165 per server per month.
Agentic SOC:
Billing method: Billing items vary based on the purchase option.
Agentic SOC: Billed based on the purchased Log Ingestion Traffic and Log Storage Capacity.
Security Operations Agent: In addition to Log Ingestion Traffic and Log Storage Capacity, you are also billed for Intelligent Usage Analysis and Number of Managed Instances.
Billing rules: All editions have the same pricing. The fees are as follows:
Log Ingestion Traffic: Tiered pricing is used. The minimum purchase is 100 GB/day, with a step size of 100 GB/day. The prices are as follows (where X is the traffic ingested per day):
X=100 GB: USD 0.45/GB/day.
200 GB =< X < 9,999,999,999 GB: USD 0.42/GB/day.
Log Storage Capacity: USD 100/1,000 GB/month (Minimum purchase of 1,000 GB, with a step size of 1,000 GB).
Intelligent Usage Analysis:
The minimum purchase is 100 GB/day. The purchase quantity must be consistent with the Log Ingestion Traffic.
Price: USD 9.6/100 GB/day.
NoteThe usage is reset to zero at 00:00 every day. If the limit is exceeded, the system automatically throttles traffic.
Number of Managed Instances:
The minimum purchase is 10 instances/month, with a step size of 10 instances/month.
USD 1.434/instance/month.
NoteEach instance is counted only once. Duplicates are automatically removed.
Anti-ransomware:
Billing method: This feature is billed based on the purchased anti-ransomware capacity.
Billing rules: All editions have the same pricing: USD 0.045 per GB per month.
Log Analysis:
Billing method: This feature is billed based on the purchased log storage capacity.
Billing rules:
Anti-virus, Advanced, Enterprise, and Ultimate: USD 0.1 per GB per month.
Value-added Plan: This feature is not available for purchase.
Container Image Scan:
Billing method: This feature is billed based on the number of purchased authorizations, which is based on the number of image digests.
Billing rules:
Anti-virus: This feature is not available for purchase.
Advanced, Enterprise, Ultimate, and Value-added Plan: USD 0.1 per image per month.
Cloud Honeypot:
Billing method: This feature is billed based on the number of purchased cloud honeypot probes.
Billing rules: All editions have the same pricing: USD 333.33 per probe per month (Minimum purchase of 20 probes).
Malicious File Detection:
Billing method: This feature is billed based on the number of purchased file detections.
Billing rules: All editions have the same pricing: USD 1.5 per 10,000 detections per month (Minimum purchase of 100,000 detections).
Pay-as-you-go
Billing formula
Total usage fee for enabled billable features + Basic service fee.
The system generates a bill on the next day (T+1) based on your actual usage from the previous day.
Basic service fee
When you enable any pay-as-you-go feature of Security Center, the system charges a basic service fee. The billing rules are as follows:
After you enable the service, DingTalk Robot, security reports, and Task Hub are supported by default. To use Task Hub, you must first enable or purchase the vulnerability fixing feature.
Billing method: This fee is billed based on the duration for which the pay-as-you-go service is enabled.
ImportantThe minimum billing unit is one hour. If the duration is less than one hour, it is billed as one hour.
Billing cycle: Billed daily.
Price: USD 0.0072/hour.
Feature usage fees
The following table describes the features that can be enabled in pay-as-you-go mode and their billing details:
Host and Container Security:
Billing method: This feature is billed based on the protection level, the number of attached servers, and the actual protection duration in seconds.
ImportantThe actual protection duration is calculated based on the online duration of the client.
Billing cycle: Billed daily.
Price: The following table shows the prices for different protection levels.
Protection level
Price
Monthly fee (30-day reference)
Antivirus
USD 0.000000578 per core per second
USD 1.5 per core per month
Advanced
USD 0.000005497 per server per second
USD 14.25 per server per month
Host Protection
USD 0.000013599 per server per second
USD 35.25 per server per month
Hosts and Container Protection
USD 0.000013599 per server per second+USD 0.000000578 per core per second
USD 35.25 per server per month+USD 1.5 per core per month
Vulnerability Fixing:
Billing method: This feature is billed based on the number of vulnerability fixes.
NoteOne fix is consumed when a vulnerability bulletin is successfully fixed on a single server. Failed fixes do not consume your quota. For more information, see Vulnerability fix counting rules.
Billing cycle: Billed daily.
Price: 0.3 USD per time
Agentic SOC:
Billing method:
Agentic SOC: This feature is billed based on a tiered pricing model for daily ingested log traffic in GB. The daily fee is the sum of the fees for each tier.
ImportantThe minimum billing unit is 1 GB. If the data volume is less than 1 GB, it is billed as 1 GB.
Security Operations Agent: In addition to the tiered billing for daily ingested log traffic (GB), this option also includes the following billable items:
Intelligent Usage Analysis: Billed based on the analysis usage (in GB) that is consumed by the AI security digital human for tasks such as alert analysis, event investigation, traceability, attribution, and security report generation.
Number of Managed Instances: Billed based on the number of agent instance calls. Products such as ECS, WAF, ALB, cross-cloud products, and offline security vendor products are all counted as instances.
ImportantEach instance is counted only once. Duplicates are automatically removed.
Billing cycle: Billed daily.
Price:
Log Ingestion Traffic: Tiered pricing is used based on the daily ingested log traffic in GB.
Log ingestion traffic tier
Price
Fee calculation formula (Y is the traffic ingested per day in GB)
1 to 10 (GB/day)
USD 2.2/GB
2.2 × Y (USD)
11 to 50 (GB/day)
USD 1.6/GB
2.2 × 10 + 1.6 × (Y - 10) (USD)
51 to 100 (GB/day)
USD 1.4/GB
2.2 × 10 + 1.6 × 40 + 1.4 × (Y - 50) (USD)
>100 (GB/day)
USD 1.2/GB
2.2 × 10 + 1.6 × 40 + 1.4 × 50 + 1.2 × (Y - 100) (USD)
Intelligent Usage Analysis: USD 0.144/GB/day.
Number of Managed Instances: USD 2.15/instance/month.
Cloud Security Posture Management (CSPM):
Billing method: This feature is billed based on a tiered pricing model for the daily number of authorizations used, which includes scans, verifications, and successful fixes. The daily fee is the sum of the fees for each tier.
NoteFor more information about how authorizations are consumed, see Authorization consumption (pay-as-you-go).
Billing cycle: Billed daily.
Price: Tiered pricing is used based on the number of authorizations used per day.
Authorizations
Price
Fee calculation formula (Z is the number of authorizations used per day)
0 to 100,000
USD 0.0009 per authorization
0.0009 × Z (USD)
100,001 to 500,000
USD 0.0007 per authorization
0.0009 × 100,000 + 0.0007 × (Z - 100,000) (USD)
More than 500,000
USD 0.00045 per authorization
0.0009 × 100,000 + 0.0007 × 400,000 + 0.00045 × (Z - 500,000) (USD)
Agentless Detection:
Billing method: This feature is billed based on the volume of scanned data in GB.
Billing cycle: Billed daily.
Price: USD 0.03 per GB.
Serverless Asset Protection:
Billing method: This feature is billed based on the number of authorized server cores multiplied by the actual protection duration in seconds.
ImportantThe actual protection duration is calculated based on the online duration of the client.
Billing cycle: Billed daily.
Price: Tiered pricing is used based on the cumulative monthly usage.
Cumulative monthly usage:
Cumulative monthly usage for the current day = Cumulative monthly usage up to the previous day (0 on the first day) + Usage for the current day.
ImportantIn the first month of use, the statistical period is from the day you enable the service to the end of that month. From the second month onward, the statistical period is a calendar month, from the first to the last day of the month.
Example: The cumulative monthly usage is the sum of the daily usage from the beginning of the statistical period. For example, on the third day, the cumulative monthly usage is the sum of the usage from the first, second, and third days.
Tiered prices:
Cumulative monthly usage
Price
Fee calculation formula (U is the daily usage in core-seconds)
Tier 1: 0 to 200,000,000 core-seconds
USD 0.000003 per core-second
0.000003 × U (USD)
Tier 2: 200,000,001 to 1,000,000,000 core-seconds
USD 0.000002 per core-second
On the first day you enter this tier:
0.000003 × 200,000,000 + 0.000002 × (U - 200,000,000) (USD)
Each subsequent day: 0.000002 × U (USD)
Tier 3: 1,000,000,001 to 9,999,999,999,999 core-seconds
USD 0.0000015 per core-second
On the first day you enter this tier:
0.000003 × 200,000,000 + 0.000002 × 800,000,000
+ 0.0000015 × (U - 1,000,000,000) (USD)
Each subsequent day: 0.0000015 × U (USD).
Billing example:
Scenario: You have 20,000 cores of serverless assets that are online 24 hours a day (86,400 seconds).
Daily usage (U) = 20,000 cores × 86,400 seconds/day = 1,728,000,000 core-seconds.
First-day fee:
Usage details: The cumulative monthly usage on the first day is 1,728,000,000 core-seconds, which is the same as the first day's usage. This usage reaches Tier 3, so the fee is calculated based on the cross-tier billing rule for entering a new tier.
Fee calculation: First-day fee = 0.000003 (Tier 1 unit price) × 200,000,000 + 0.000002 (Tier 2 unit price) × 800,000,000 + 0.0000015 (Tier 3 unit price) × (1,728,000,000 - 1,000,000,000) = 3,292 (USD).
Fees for the second and subsequent days:
Usage details: Because the cumulative monthly usage reached Tier 3 on the first day, it remains in Tier 3 from the second day to the end of the month. The daily fee is calculated based on the Tier 3 unit price.
Fee calculation: Daily fee = 0.0000015 (Tier 3 unit price) × (20,000 × 86,400) = 2,592 (USD).
Malicious File Detection:
Billing method: This feature is billed based on the number of file detections (number of files detected).
Billing cycle: Billed daily.
Price: USD 0.0002 per detection.
Application Protection (RASP):
Billing method: This feature is billed based on the number of online instances per minute.
Billing cycle: Billed daily.
Price: USD 0.0002 per instance per minute.
Log Management:
Billing method: This feature is billed based on the cumulative daily log storage in GB.
ImportantThe minimum billing unit is 1,000 GB. Storage is billed in increments of 1,000 GB. For example, if the daily usage is 1,900 GB, you are charged for 2,000 GB.
Billing cycle: Billed daily.
Price: USD 7.2/1,000 GB.
Anti-ransomware:
Billing method: This feature is billed based on the size of backup files in GB and the storage duration in hours.
Billing cycle: Usage is accumulated hourly and billed daily.
Price: USD 0.00013 per GB per hour.
Service expiration and termination
Subscription (expiration and unsubscription)
Scenario:
Expiration: The subscription service expires and is not renewed in time.
Unsubscription: You unsubscribe from the entire Security Center instance. For the steps to unsubscribe, see Refund policy.
Impact: The service instance is released. This means the paid edition is downgraded to the Free Edition. Your servers lose the protection offered by the paid edition of Security Center, which increases the risk of malicious intrusions or data leaks. We recommend that you promptly renew your subscription or purchase a new edition.
Data retention:
Expiration: The system provides a grace period of 7 days. After 7 days, the service instance is released, and data is purged according to the rules described in the following table.
NoteSeven days before the service expires, the system sends renewal reminders by email, or internal message.
Unsubscription: The service instance is released immediately, and data is purged according to the rules described in the following table.
Scenario
Data purge details
Within 7 days of expiration
The service authorization information, configuration policies, and service data for all features are retained.
Expires in 7 days
The following authorization information is immediately purged:
Container Protection - Image security scan.
Container Protection - CI/CD integration settings.
Log analysis: The data in the `sas-log` Logstore is immediately purged. This Logstore belongs to the Project that Security Center creates in Simple Log Service (SLS). The Project is named `sas-log-<Alibaba Cloud account ID>-<region ID>`.
Host Protection - Anti-ransomware: All backup policies and backup data are immediately purged.
Unsubscription
After 15 days of unsubscription/expiration
The following Agentic SOC data is immediately purged:
Security alerts: All alert information except for alerts under CWPP.
Security event handling: Event information generated by Agentic SOC predefined rules and custom rules (Agentic SOC security events).
NoteSecurity events generated from alerts under CWPP (CWPP security events) are retained.
Response orchestration: Custom playbooks and custom response rules.
Log Management: Standardized integration logs and Security Center logs.
Rule management: Custom rules.
Integration Center: Custom items such as standardized integration rules, data sources, watchlists, and integration policies.
Agentic SOC - Response Center: Response policies and response tasks are automatically purged by the system 90 days after they expire. This is not affected by unsubscription.
Pay-as-you-go (overdue payments and service shutdown)
Scenario description
Overdue payment: Pay-as-you-go bills are generated on T+1. An overdue payment occurs if your account balance is insufficient at the time of settlement. To avoid service interruptions, top up your account promptly.
Service shutdown: You can manually shut down the pay-as-you-go service. No new fees are generated after the service is shut down.
NoteOn the Overview page of the Security Center console, in the Pay-as-you-go area, turn off the switch for the relevant service. Alternatively, click the Deactivate button at the top to shut down all pay-as-you-go services.
Impact: You can no longer use the corresponding pay-as-you-go features and lose the related detection and protection capabilities.
Data retention:
Overdue payment: After a payment becomes overdue, a data retention period of 15 days is provided. After 15 days, data is purged according to the rules described in the following table.
Service shutdown: No data retention period is provided. Data is purged immediately according to the rules described in the following table.
Scenario
Data Cleaning Instructions
During the data retention period for an overdue payment
During the retention period, all service authorization information, configuration policies, and pay-as-you-go service data are retained.
After the data retention period for an overdue payment
The following authorization information is immediately purged:
Container Protection - Image security scan.
Container Protection - CI/CD integration settings.
The following Agentic SOC data is immediately purged:
ImportantIf the data retention period for an overdue payment is longer than 15 days, Agentic SOC does not wait for the retention period to end. Instead, it starts the data purge immediately after the 15th day of the overdue payment.
Security alerts: All alert information except for alerts under CWPP.
Security event handling: Event information generated by Agentic SOC predefined rules and custom rules (Agentic SOC security events).
NoteSecurity events generated from alerts under CWPP (CWPP security events) are retained.
Response orchestration: Custom playbooks and custom response rules.
Log Management: Standardized integration logs and Security Center logs.
Rule management: Custom rules.
Integration Center: Custom items such as standardized integration rules, data sources, watchlists, and integration policies.
Agentic SOC - Response Center: Response policy and response task data is automatically purged by the system 90 days after it expires. This is not affected by overdue payments or service shutdowns.
Service shutdown
FAQ
Can I enable both pay-as-you-go and subscription billing methods at the same time?
Yes, you can, but only for different feature modules. For example, you can choose the subscription method for Vulnerability Fixing and the pay-as-you-go method for Agentic SOC.
You cannot purchase a subscription edition (Anti-virus, Advanced, Enterprise, or Ultimate) and the pay-as-you-go Host and Container Security service at the same time.
You cannot purchase a subscription-based value-added service, such as Agentic SOC, and the same service on a pay-as-you-go basis at the same time.
How do I shut down pay-as-you-go services?
On the Overview page of the Security Center console, you can go to the Pay-as-you-go area and turn off the switch for the relevant service. Alternatively, you can click the Deactivate button at the top to shut down all pay-as-you-go services.
ImportantIf your service is suspended due to an overdue payment, we recommend that you use the Deactivate feature. This prevents new fees from being generated if the product is automatically re-enabled after you top up your account.
Fees incurred on the day you shut down the service will be settled and included in the final bill on the following day.
How can I avoid service suspension due to overdue payments?
Optimize resource configuration
Select only the assets that require protection to avoid paying for unnecessary resources.
Set balance alerts
Log on to Expenses and Costs and set a balance alert on the Account Overview page. The system automatically sends a notification when your available balance falls below the specified threshold.