Security Center is a cloud-native security platform that unifies asset management, mitigates security risks, and delivers threat detection, response, and source tracing across multicloud environments. It uses lightweight agents and agentless detection to protect servers, containers, and cloud products, and helps you meet classified protection compliance requirements.
Key concepts
| Concept | Description |
|---|---|
| Edition | In the subscription billing model, an edition defines the protection capabilities for a server. Higher editions include more features. |
| Protection level | After you enable the pay-as-you-go Host and Container Security feature, the protection level defines the mitigation capabilities configured for a server. Higher levels include more comprehensive features. |
| Value-added service | In the subscription model, features purchased separately from an edition. Examples: Vulnerability Fix, Agentic SOC, Container Image Scan. |
Billing models
| Criteria | Subscription | Pay-as-you-go |
|---|---|---|
| Payment | Fixed monthly or yearly fee — easier to budget | Pay for what you use — no upfront investment |
| Fee formula | Edition fee + value-added service fee (optional) | Basic service fee + feature usage fee |
| Editions / levels | Anti-virus, Advanced, Enterprise, Ultimate, Value-added Plan | Unprotected, Antivirus, Host Protection, Hosts and Container Protection |
| Basic service fee | N/A | Fixed monthly fee charged when any pay-as-you-go feature is enabled. Includes DingTalk Robot, security reports, and Task Hub (requires the vulnerability fixing feature). |
Feature overview
Security Center is organized into eight functional modules:
| Module | What it does |
|---|---|
| Overview | Calculates a 0–100 security score based on real-time asset status and displays your network security posture on a dashboard. |
| Asset Center | Provides a unified inventory of cloud assets, containers, and servers. Collects asset fingerprints — accounts, ports, processes — for fine-grained visibility. |
| Risk Governance | Scans Internet-facing exposure, detects and manages vulnerabilities across systems, apps, and web CMS, and runs baseline compliance checks. |
| Detection and Response | Monitors and alerts on process anomalies, web shells, malware, unusual logons, and abnormal network connections in real time. Supports attack tracing and event handling. |
| Agentic SOC | Ingests and analyzes logs and alerts from multicloud and multi-account environments. Runs built-in detection rules and AI models, and triggers automated response playbooks. |
| Host Protection | Combines an antivirus engine with malicious behavior defense rules. Includes brute-force attack protection, core file monitoring, anti-ransomware, and web tamper proofing. |
| Container Protection | Provides active runtime defense for containers: blocks risky images, prevents container escapes, and protects against file tampering. Applies network microsegmentation and image signing policies. |
| Application Protection | Uses runtime application self-protection (RASP) technology to detect and block attacks from within applications. |
| System Settings | Configures Task Hub, security reports, client management, access control, alert notifications, and multi-account management. |
Detailed features
Overview
Security score
Calculates a 0–100 health score using data from dual global data centers (China and Global). Points are deducted dynamically based on active security events and configuration issues across your cloud assets. A higher score means a stronger security posture and fewer unresolved risks — so you can prioritize which issues to address first.
Supported editions: All editions and protection levels (no additional purchase required).
Asset Center
Asset overview
Provides a panoramic view of cloud assets, network topology, security score, and asset security risks — a single entry point for managing cloud asset security.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Enterprise, Ultimate |
| Pay-as-you-go | Enable Host and Container Security; set protection level to Host Protection or Hosts and Container Protection |
Container asset overview
Visualizes the security status and network topology of container assets — clusters, containers, images, and applications — so you can manage container security from a single view.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Ultimate only |
| Pay-as-you-go | Enable Host and Container Security; set protection level to Hosts and Container Protection |
Server list
Shows the protection status, group, region, and VPC statistics for all your servers.
Supported editions: All editions and protection levels (no additional purchase required).
Asset fingerprint investigation
Collects detailed fingerprint data across 12 dimensions so you can inventory assets and detect anomalies:
| Fingerprint type | What it gives you |
|---|---|
| Account | Server account and permission data — spot privileged accounts and detect privilege escalation |
| Port | Port listener information — inventory all open ports |
| Process | Process snapshots — distinguish legitimate processes from abnormal ones |
| Middleware | Middleware inventory on your assets |
| Database | Database inventory on your assets |
| Web service | Web service inventory on your assets |
| Software | Installed software list — quickly find affected assets when a high-risk vulnerability emerges |
| Scheduled task | Scheduled task paths on your assets |
| Startup item | Startup items — locate them quickly when handling vulnerabilities |
| Kernel module | Kernel modules — locate them quickly when handling vulnerabilities |
| Website | Website details on your servers |
| IDC probe finding | Other IDC servers detected within the same data center (requires an IDC probe configured on an IDC server) |
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Enterprise, Ultimate |
| Pay-as-you-go | Enable Host and Container Security; set protection level to Host Protection or Hosts and Container Protection |
Security check
Runs one-click checks — vulnerability detection, baseline checks, and more — across specified servers based on your configurations.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Advanced, Enterprise, Ultimate |
| Pay-as-you-go | Enable Host and Container Security; set protection level to Host Protection or Hosts and Container Protection |
Container assets
Shows security status and risk information for all clusters, pods, containers, and images.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Ultimate only |
| Pay-as-you-go | Enable Host and Container Security; set protection level to Hosts and Container Protection |
Cloud products
Provides security status for your cloud products, with statistics by category — including Server Load Balancer and ApsaraDB RDS.
Supported editions: All editions and protection levels (no additional purchase required).
Website
Shows security status for all your websites, including root domain names, subdomains, asset risk status, and alert counts.
Supported editions: All editions and protection levels (no additional purchase required).
Serverless assets
Detects runtime security risks for serverless cloud product instances — Serverless App Engine (SAE) and serverless instances of Container Compute Service (ACS). Provides malicious file detection, vulnerability scanning, and compliance baseline checks.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Not supported |
| Pay-as-you-go | Enable Serverless Asset Protection |
Risk Governance
Asset exposure analysis
Scans your Alibaba Cloud resources — ECS instances, gateway assets, system components, and ports — to identify vulnerabilities and security risks exposed to the Internet, so you can find and resolve issues before attackers can exploit them.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Enterprise, Ultimate |
| Pay-as-you-go | Enable Host and Container Security; set protection level to Host Protection or Hosts and Container Protection |
Vulnerability management
Automatically discovers, assesses, and fixes security vulnerabilities on your servers — replacing manual patching with automated scanning and remediation at scale.
Scan methods
Manual scan: Immediately assesses the current vulnerability status of your servers.
Automatic scan (periodic): Sets up recurring tasks for continuous vulnerability monitoring.
Fix methods
One-click fix: Fix vulnerabilities directly from the console without logging on to servers. Not supported for Application Vulnerability or Urgent Vulnerability types.
Automatic fix: Enable Automatic Vulnerability Remediation to periodically fix newly discovered vulnerabilities on a schedule. Depends on the one-click fix feature; supported only for non-kernel Linux system vulnerabilities.
Manual fix: Log on to the server and follow the fix suggestions in the vulnerability details. Use this method when one-click fix is not supported for the current edition or vulnerability type, or when the Vulnerability Fix feature is not enabled.
Vulnerability types and detection
| Vulnerability type | Detection method | Fix support |
|---|---|---|
| Linux software vulnerability | Compares software versions against the official CVE database using the OVAL matching engine | One-click fix; automated snapshots enable one-click rollback |
| Windows system vulnerability | Syncs with the official Microsoft patch source | One-click fix; auto-identifies prerequisite patches; alerts you if a restart is needed |
| Web-CMS vulnerability | Monitors website directories and compares vulnerability files against known CMS software | One-click fix at source code level (file replacement or modification) |
| Urgent vulnerability | Detects emergency vulnerabilities as they emerge on the network | Manual fix only |
| Application vulnerability | Detects weak passwords, system service vulnerabilities, and application service vulnerabilities | Manual fix only |
Edition and protection level support
| Billing model | Edition / protection level | Manual scan | Automatic scan | Vulnerability fixing |
|---|---|---|---|---|
| Subscription | Enterprise, Ultimate | All types | All types | Linux, Windows, Web-CMS |
| Subscription | Advanced | All except Application Vulnerability | All except Application Vulnerability | Linux, Windows |
| Subscription | Free, Value-added Plan, Anti-virus | Urgent Vulnerability only | Linux, Windows, Web-CMS | Requires Vulnerability Fix value-added service; then Linux and Windows |
| Pay-as-you-go | Host Protection, Hosts and Container Protection | All types | All types | — |
| Pay-as-you-go | Unprotected, Antivirus | Urgent Vulnerability only | Linux, Windows, Web-CMS | — |
Cloud Security Posture Management (CSPM)
Cloud Security Posture Management (CSPM) uses automated risk checks, baseline scans, and attack path analysis to discover and manage security risks across your cloud assets — including configuration errors and server configuration defects — and provides remediation suggestions. By correlating vulnerabilities, exposed assets, and misconfigurations, CSPM helps you understand potential attack paths and prioritize which risks to address first.
CSPM includes three capabilities:
Cloud product configuration risk check
Scans cloud asset configurations across three scenarios: identity and permission management, security best practices, and compliance checks. Covers multicloud environments.
Baseline risk check
Dives into the host operating system level to detect and remediate issues based on industry standards:
| Scope | What it checks |
|---|---|
| High-risk exploit | Unauthorized access vulnerabilities in CouchDB and Docker |
| Container security | Docker, Kubernetes master nodes, and Kubernetes nodes |
| Classified protection compliance | MLPS Level 3, MLPS Level 2, and international security best practices |
| Security best practices | Linux, Windows, Redis, and more |
| Weak password | MongoDB, FTP, Linux, and more |
Container baseline checks follow Alibaba Cloud container security best practices for Docker, Kubernetes master nodes, and Kubernetes nodes.
Attack path analysis
Correlates vulnerabilities, exposed assets, and misconfigurations to visualize potential attack paths through your cloud environment — helping you prioritize which risks to address first.
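As an added example of the correlation described above (not the CSPM implementation), the following builds a small reachability graph over constructed assets, treats Internet-exposed assets that carry a finding as footholds, enumerates paths to critical assets, and ranks them so that fully chained paths (every hop has a vulnerability or misconfiguration) come first. Asset names, edges and the `CONSTRUCTED-*` finding identifiers are assumptions.

```python
"""Attack path ranking over a constructed asset graph (added example)."""

# Constructed inventory of cloud assets and their findings
# ("CONSTRUCTED-*" are placeholders, not real vulnerability identifiers).
ASSETS = {
    "web-01":   {"exposed": True,  "critical": False, "findings": ["CONSTRUCTED-VULN-1"]},
    "bastion":  {"exposed": True,  "critical": False, "findings": ["password-auth-enabled"]},
    "app-01":   {"exposed": False, "critical": False, "findings": ["role-overly-permissive"]},
    "cache-01": {"exposed": False, "critical": False, "findings": []},
    "db-01":    {"exposed": False, "critical": True,  "findings": ["CONSTRUCTED-VULN-2"]},
}

# Constructed reachability graph: which asset may open a connection to which
REACH = {
    "web-01": ["app-01", "cache-01"],
    "bastion": ["app-01", "db-01"],
    "app-01": ["db-01"],
    "cache-01": ["db-01"],
    "db-01": [],
}


def has_finding(name: str) -> bool:
    return bool(ASSETS[name]["findings"])


def entry_points():
    # A foothold: an Internet-exposed asset that also carries a finding
    return [n for n, a in ASSETS.items() if a["exposed"] and has_finding(n)]


def simple_paths(src: str, dst: str, max_hops: int = 4):
    # Depth-first enumeration of loop-free paths, bounded by max_hops
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        if len(path) > max_hops:
            continue
        for nxt in REACH.get(node, []):
            if nxt not in path:
                stack.append((nxt, path + [nxt]))
    return paths


def attack_paths():
    results = []
    targets = [n for n, a in ASSETS.items() if a["critical"]]
    for entry in entry_points():
        for target in targets:
            for path in simple_paths(entry, target):
                gaps = [n for n in path if not has_finding(n)]  # hops with nothing to exploit
                results.append({"path": path, "gaps": gaps, "hops": len(path) - 1})
    # Fully chained paths first, shortest first, then by name for stable output
    results.sort(key=lambda r: (len(r["gaps"]), r["hops"], r["path"]))
    return results


if __name__ == "__main__":
    for r in attack_paths():
        print(" -> ".join(r["path"]), "gaps:", r["gaps"] or "none")
```

Fixing the finding on the first-ranked path (`bastion` reaching `db-01` directly) removes the shortest fully chained route, which is the prioritization the paragraph describes.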
Edition support
*Subscription without CSPM value-added service:*
| Feature | Advanced | Enterprise | Ultimate |
|---|---|---|---|
| Cloud service configuration check | Free check items; detection and verification only | Free check items; detection and verification only | Free check items (+ KSPM items); detection and verification only |
| Baseline check | Weak password check items only | All items except container security | All items |
| Attack path analysis | Not supported | Not supported | Not supported |
If your current edition is Anti-virus or Value-added Plan and you have not purchased the CSPM value-added service, you can only detect and verify free check items for cloud service configuration. Risk remediation, baseline check, and attack path analysis are not supported.
*Subscription with CSPM value-added service:*
If you purchase a service edition at the same time, baseline check support is determined by your edition (see the table above for Advanced, Enterprise, and Ultimate). Cloud service configuration check and attack path analysis are not affected by edition.
| Feature | Details | Quota consumption |
|---|---|---|
| Cloud service configuration check | All check items (free + paid); detection, verification, and remediation supported | Free items: remediation consumes Quota. Paid items: scanning, verification, or remediation consumes Quota. |
| Baseline check | All items; detection, verification, and remediation supported | Scanning, verification, or remediation consumes Quota |
| Attack path analysis | Supported | Included with the paid CSPM service; no Quota consumed |
*Pay-as-you-go:*
Enable the pay-as-you-go CSPM feature.
If you only purchase the pay-as-you-go Host and Container Security feature, it supports detection and validation of free check items for cloud service configuration risk only. Threat remediation, system baseline risks, and attack path analysis are not supported.
| Feature | Details | Quota consumption |
|---|---|---|
| Cloud service configuration check | All check items (free + paid); detection, verification, and remediation supported | Free items: remediation consumes Quota. Paid items: scanning, verification, or remediation consumes Quota. |
| Baseline check | All items; detection, verification, and remediation supported | Scanning, verification, or remediation consumes Quota |
| Attack path analysis | Supported | Included with the paid CSPM service; no Quota consumed |
AccessKey leak detection
Monitors GitHub in real time to detect whether any publicly available source code contains AccessKey information for your Alibaba Cloud account — so you can act before credentials are misused.
Supported editions: All editions and protection levels (no additional purchase required).
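The detection above runs on public GitHub code; the same idea can run locally in a pre-commit hook so a credential never reaches a public repository. The following is an added example (not Security Center's detector): a scanner that flags AccessKey-ID-shaped strings and secret literals assigned to secret-looking variable names, while ignoring values read from environment variables. The `LTAI` prefix pattern is an approximation assumed for this example, and the sample source lines and their values are constructed placeholders.

```python
"""Local AccessKey leak scanner for source files (added example)."""
import re

# Assumed shape of an AccessKey ID for this example: "LTAI" plus alphanumerics.
# Adjust the pattern to the exact format your provider documents.
ACCESS_KEY_ID_RE = re.compile(r"\bLTAI[A-Za-z0-9]{12,20}\b")

# A secret-looking variable assigned a quoted literal of at least 16 characters.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)(access[_-]?key[_-]?secret|accesskeysecret|secret[_-]?key)"
    r"\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
)


def mask(value: str) -> str:
    # Keep enough of the value to locate it, never the whole credential
    return value[:6] + "*" * (len(value) - 8) + value[-2:]


def scan_source(lines):
    findings = []
    for n, line in enumerate(lines, start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"line": n, "kind": "access_key_id", "value": mask(m.group(0))})
        m = SECRET_ASSIGN_RE.search(line)
        if m:
            findings.append({"line": n, "kind": "secret_literal", "value": mask(m.group(2))})
    return findings


# Constructed sample file: every value below is a placeholder, not a credential
SAMPLE = [
    "import os",
    "# constructed sample; the literals on the next two lines are placeholders",
    'ACCESS_KEY_ID = "LTAI4CONSTRUCTEDKEY1"',
    'ACCESS_KEY_SECRET = "cOnStRuCtEdSeCrEt0000000000"',
    'client = Client(os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"], '
    'os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"])',
]


def commit_allowed(lines) -> bool:
    # Hook-style verdict: block the commit when anything was flagged
    return not scan_source(lines)


if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
    print("commit allowed:", commit_allowed(SAMPLE))
```

Line 5 of the sample, which reads both values from the environment, produces no finding; that is the pattern the hook should leave alone.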
Cloud Honeypot
Deploys honeypots on key attack paths to lure attackers, feed them realistic but fake data, and record complete attack behavior for source tracing. Prolongs attack time, captures advanced unknown attacks, and gives your security team a proactive defense advantage.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Purchase the Cloud Honeypot value-added service |
| Pay-as-you-go | Not supported |
Malicious file detection
Identifies malicious files across three surfaces:
File Detection SDK: Uses the Security Center multi-engine detection platform. Integrate malicious file detection into your own code with a small amount of SDK code.
OSS file detection: Scans files in Alibaba Cloud Object Storage Service (OSS) buckets for malicious content.
Malicious file handling: When a risk file — web shell, mining program, or Trojan — is detected in an ECS instance or OSS bucket, Security Center generates an alert. Handle detected files with Add to Whitelist, Ignore, or Block Access.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Purchase the Malicious File Detection value-added service |
| Pay-as-you-go | Enable Malicious File Detection |
Log Analysis
Centralizes and stores security-related logs for unified query and analysis, helping you locate issues quickly and meet compliance audit requirements.
Host logs: Logon activity, process startups, account snapshots, and DNS requests — for monitoring user activity, system events, and application operations.
Security logs: Vulnerabilities, baselines, security alerts, and CSPM data — for observing security trends and identifying system weaknesses.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Anti-virus, Advanced, Enterprise, Ultimate — also purchase the Log Analysis value-added service. For supported log types by edition, see Log types and field descriptions. |
| Pay-as-you-go | Enable Log Management. Log Analysis has been integrated into Log Management. See Migration guide and Log Management. |
Detection and Response
When you enable the Agentic SOC service, the Detection and Response module moves under Agentic SOC.
Security alerts
CWPP (Cloud Workload Protection Platform) security alerts detect threats across hosts, containers, and cloud products in real time — covering process, file, and network activity. Detection and precise defense models cover threats including abnormal process behavior, web shells, malware, vulnerability exploits, and container escapes. High-risk attacks such as ransomware, reverse shells, malicious command execution, loading of high-risk drivers, and planting of malicious files are actively intercepted.
Handle threats with:
Threat removal: Virus Detection and Removal, Deep Cleanup, Quarantine
Alert suppression: Add to Whitelist, Ignore
Network Defense Alert (formerly Attack Analysis) — enabled when Network Threat Prevention rules are active in Host Rules - Malicious Behavior Defense and Host Rules - Brute-force Attacks Protection — defends and intercepts high-risk network attacks: malicious DNS requests, web shell uploads, adaptive web attack defense, and brute-force attacks.
Subscription detection scope:
| Edition | Detection scope |
|---|---|
| Basic, Value-added Plan | Common simple attacks: one-line web shells, unusual logons, self-mutating Trojans, DDoS Trojans, mining programs (no container assets) |
| Anti-virus | Basic capabilities + detection and precise defense for suspicious and malicious files, including binaries (no container assets) |
| Advanced | Anti-virus capabilities + detection and precise defense for suspicious/malicious process activities and file operations (no container assets) |
| Enterprise | Advanced capabilities + 380+ detection and precise defense models covering all malicious behaviors: process activities, file operations, and network connections (no container assets) |
| Ultimate | Enterprise capabilities (covering container assets) + detection and active defense for container-specific attacks: container escapes, risky images, non-image program startup |
Pay-as-you-go detection scope:
| Protection level | Detection scope |
|---|---|
| Unprotected | Common simple attacks: one-line web shells, unusual logons, self-mutating Trojans, DDoS Trojans, mining programs (no container assets) |
| Antivirus | Unprotected capabilities + detection and precise defense for suspicious/malicious files, including binaries (no container assets) |
| Host Protection | Antivirus capabilities + 380+ detection and precise defense models for all malicious behaviors: process activities, file operations, and network connectivity (no container assets) |
| Hosts and Container Protection | Host Protection capabilities (covering container assets) + detection and active defense for container-specific attack behaviors |
Security event handling
Uses graph computing technology to aggregate related CWPP alerts — such as those sharing the same MD5 hash or parent process ID — into security events. Assess the impact of an event, contain the threat, and harden the system to prevent recurrence.
Handling methods: Use Recommended Handling Policy, Add to Whitelist, Update Incident Status, Run Playbook.
Supported editions: All editions and protection levels (no additional purchase required). Different editions support different alert types for event aggregation.
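The aggregation described above links alerts that share an attribute and then collects everything that is transitively connected into one event. As an added example (not Security Center's graph computation), the following does that with a union-find structure over constructed alerts: alerts with the same file hash are linked across hosts, alerts with the same parent process ID are linked on one host, and an alert joined to both pulls the two groups into a single event. Hostnames, the `CONSTRUCTED-MD5-A` value, process IDs and severities are assumptions.

```python
"""Aggregating correlated alerts into security events (added example)."""

# Constructed CWPP-style alerts; hosts, hashes and pids are placeholders
ALERTS = [
    {"id": "a1", "host": "ecs-1", "type": "malicious_file",   "md5": "CONSTRUCTED-MD5-A", "ppid": 4242, "severity": 3},
    {"id": "a2", "host": "ecs-1", "type": "abnormal_process", "md5": None,                "ppid": 4242, "severity": 2},
    {"id": "a3", "host": "ecs-1", "type": "reverse_shell",    "md5": None,                "ppid": 4242, "severity": 4},
    {"id": "a4", "host": "ecs-2", "type": "malicious_file",   "md5": "CONSTRUCTED-MD5-A", "ppid": None, "severity": 3},
    {"id": "a5", "host": "ecs-2", "type": "unusual_logon",    "md5": None,                "ppid": None, "severity": 1},
]


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def correlation_keys(alert):
    # Attributes that make two alerts part of the same activity
    keys = []
    if alert["md5"]:
        keys.append(("md5", alert["md5"]))                    # same file anywhere in the fleet
    if alert["ppid"] is not None:
        keys.append(("ppid", alert["host"], alert["ppid"]))   # same parent process on one host
    return keys


def aggregate_events(alerts):
    uf = UnionFind()
    first_by_key = {}
    for a in alerts:
        uf.find(a["id"])  # register alerts with no correlation key as their own event
        for key in correlation_keys(a):
            if key in first_by_key:
                uf.union(a["id"], first_by_key[key])
            else:
                first_by_key[key] = a["id"]
    by_id = {a["id"]: a for a in alerts}
    groups = {}
    for a in alerts:
        groups.setdefault(uf.find(a["id"]), []).append(a["id"])
    events = []
    for ids in groups.values():
        members = [by_id[i] for i in ids]
        events.append({
            "alerts": sorted(ids),
            "hosts": sorted({m["host"] for m in members}),
            "severity": max(m["severity"] for m in members),  # event inherits the worst alert
        })
    events.sort(key=lambda e: (-e["severity"], e["alerts"]))
    return events


if __name__ == "__main__":
    for e in aggregate_events(ALERTS):
        print(e)
```

Alert `a1` is what joins the two hosts: it shares a hash with `a4` and a parent process with `a2` and `a3`, so the four alerts become one event spanning `ecs-1` and `ecs-2`, while `a5` stays a single-alert event.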
Log Management
Stores and displays Security Center logs — vulnerability logs, security alert logs, and client event logs — to help you locate alerts, trace attack sources, and improve response speed.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Purchase the Threat Analysis value-added service's Log Storage Capacity. Purchasing log ingestion traffic alone does not enable log storage and querying. |
| Pay-as-you-go | Enable Log Management |
Agentic SOC
When you enable Agentic SOC, Detection and Response services move into Agentic SOC. You can also ingest logs from third-party cloud products (such as Tencent Cloud and Huawei Cloud) and on-premises data centers.
Agentic SOC includes the following capabilities:
[Product Integration](https://www.alibabacloud.com/help/en/security-center/user-guide/add-product-to-agentic-soc-2-0): A unified log ingestion center to collect, standardize, and analyze log data from third-party clouds — Fortinet, Chaitin, Microsoft, Sangfor, Tencent Cloud, Huawei Cloud, Hillstone, and Dosin — and on-premises data centers.
[Rule Management](https://www.alibabacloud.com/help/en/security-center/user-guide/detection-rules): Performs in-depth detection and analysis of ingested alerts and logs, reconstructing threat attack chains and timelines to generate fused alerts and detailed security events. Supports custom detection rules to build a threat detection system tailored to your business.
[Security alerts](https://www.alibabacloud.com/help/en/security-center/user-guide/security-alert): Analyzes and processes logs ingested into Agentic SOC to generate alerts and events. The CWPP security alerts feature is incorporated into Agentic SOC security alerts.
[Security event handling](https://www.alibabacloud.com/help/en/security-center/user-guide/security-incident-overview-agentic-soc): Uses predefined or custom Agentic SOC detection rules to analyze the context of multiple security alerts and aggregate them into complete events — reconstructing the attack chain and extracting malicious entities. The feature for aggregating CWPP alerts into security events is incorporated into Agentic SOC. Handling methods: Use Recommended Handling Policy, Update Incident Status, Run Playbook, Add to Whitelist, and Response Orchestration (automatic handling).
[Response Orchestration](https://www.alibabacloud.com/help/en/security-center/user-guide/use-soar/): Security Orchestration, Automation, and Response (SOAR) orchestrates and connects different systems and services to automate operations for security alerts and events, improving response efficiency.
[Log Management](https://www.alibabacloud.com/help/en/security-center/user-guide/log-management-2-0):
*Standardized logs:* Stores standardized alert logs generated by custom rules and standardized logs from real-time consumption via the standardized ingestion policy.
*Security Center logs:* The Detection and Response Log Management feature is incorporated into Agentic SOC Log Management.
Security Operations Agent: An advanced intelligent service powered by Agentic AI, integrating Alibaba Cloud-native security data and infrastructure. Uses autonomous perception-inference-execution to triage security events and enable rapid response.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Purchase the Threat Analysis value-added service. To support Security Center logs, also purchase Threat Analysis Log Storage Capacity. |
| Pay-as-you-go | Enable Threat Analysis |
Host Protection
Virus scan
Built on the Alibaba Cloud machine learning virus scan engine — trained through automated analysis of massive virus samples, persistence methods, and attack techniques — this feature lets you run one-click virus scanning across your servers.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Anti-virus, Advanced, Enterprise, Ultimate |
| Pay-as-you-go | Enable Host and Container Security; set protection level to Antivirus, Host Protection, or Hosts and Container Protection |
Host rule management
Three rule types harden your server security:
Malicious Behavior Defense: Built-in and custom defense rules to intercept malicious behaviors on your servers.
Defense Against Brute-force Attacks: Protection policies that prevent brute-force cracking of host account passwords.
Common Logon Management: Define allowed logon locations, IP addresses, times, and accounts — and get alerts when logons fall outside these parameters.
| Billing model | Edition / level | Supported features |
|---|---|---|
| Subscription | Anti-virus | Malicious Behavior Defense: custom rules for process hash whitelisting only. Common Logon Management: Common Logon Location only. |
| Subscription | Advanced | Malicious Behavior Defense: System Defense Rule Process Protection only (no network defense). All features of Defense Against Brute-force Attacks and Common Logon Management. |
| Subscription | Enterprise, Ultimate | All features |
| Pay-as-you-go | Antivirus | Malicious Behavior Defense: custom rules for process hash whitelisting. Common Logon Management: Common Logon Location only. |
| Pay-as-you-go | Host Protection, Hosts and Container Protection | All features |
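The following is an added example of the two host rule types most easily shown in code, Defense Against Brute-force Attacks and Common Logon Management; it is not Security Center's rule engine. It parses constructed sshd-style log lines, fires a brute-force alert when failures from one source on one host reach a threshold inside a sliding window, and fires a logon-policy alert when an accepted logon falls outside the allowed accounts, networks or hours. The log line format, policy values, hostnames and the documentation-range IP addresses are assumptions.

```python
"""Brute-force and common-logon rule evaluation over sample log lines (added example)."""
import re
from collections import deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy for this example
POLICY = {
    "allowed_accounts": {"ops", "root"},
    "allowed_networks": [ip_network("203.0.113.0/24")],  # documentation range
    "allowed_hours": range(8, 20),                       # 08:00 to 19:59
    "bruteforce_threshold": 5,
    "bruteforce_window": timedelta(seconds=60),
}

# Assumed line format: "<iso-timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, outcome, account, ip = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "ok": outcome == "Accepted", "account": account, "ip": ip}


def policy_violations(ev, policy):
    reasons = []
    if ev["account"] not in policy["allowed_accounts"]:
        reasons.append("account_not_allowed")
    if not any(ip_address(ev["ip"]) in net for net in policy["allowed_networks"]):
        reasons.append("ip_not_allowed")
    if ev["ts"].hour not in policy["allowed_hours"]:
        reasons.append("hour_not_allowed")
    return reasons


def evaluate(lines, policy=POLICY):
    alerts = []
    failures = {}  # (host, source ip) -> timestamps of failures inside the window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if not ev["ok"]:
            window = failures.setdefault((ev["host"], ev["ip"]), deque())
            window.append(ev["ts"])
            while ev["ts"] - window[0] > policy["bruteforce_window"]:
                window.popleft()
            if len(window) == policy["bruteforce_threshold"]:  # fire once per burst
                alerts.append({"rule": "brute_force", "host": ev["host"], "ip": ev["ip"],
                               "count": len(window), "at": ev["ts"].isoformat()})
        else:
            reasons = policy_violations(ev, policy)
            if reasons:
                alerts.append({"rule": "logon_policy", "host": ev["host"], "ip": ev["ip"],
                               "account": ev["account"], "reasons": reasons,
                               "at": ev["ts"].isoformat()})
    return alerts


# Constructed log lines (documentation IP ranges, placeholder hostnames)
SAMPLE_LOG = [
    "2024-05-01T03:10:00 ecs-1 sshd: Failed password for root from 198.51.100.7",
    "2024-05-01T03:10:05 ecs-1 sshd: Failed password for root from 198.51.100.7",
    "2024-05-01T03:10:10 ecs-1 sshd: Failed password for root from 198.51.100.7",
    "2024-05-01T03:10:15 ecs-1 sshd: Failed password for root from 198.51.100.7",
    "2024-05-01T03:10:20 ecs-1 sshd: Failed password for root from 198.51.100.7",
    "2024-05-01T03:10:25 ecs-1 sshd: Failed password for root from 198.51.100.7",
    "2024-05-01T03:10:30 ecs-1 sshd: Accepted password for deploy from 198.51.100.7",
    "2024-05-01T09:00:00 ecs-1 sshd: Accepted password for ops from 203.0.113.10",
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(a)
```

The accepted logon at 03:10:30 is the case the logon rule exists for: it succeeds, so the brute-force counter alone would stay silent, but the account, source network and hour all fall outside the policy.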
Core file monitoring
Monitors core files in real time for access, modification, deletion, and renaming operations — reducing the risk of core files being stolen or tampered with.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Enterprise, Ultimate |
| Pay-as-you-go | Enable Host and Container Security; set protection level to Host Protection or Hosts and Container Protection |
Agentless detection
Scans for ECS vulnerabilities, malicious files, and baseline configuration issues without installing a client agent.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Not supported |
| Pay-as-you-go | Enable Agentless Detection in Host Protection |
Anti-ransomware
Backs up and recovers server and database files to reduce the impact of ransomware attacks.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Purchase the Anti-ransomware value-added service |
| Pay-as-you-go | Enable Host Protection Anti-ransomware |
Web tamper proofing
Monitors website directories in real time and restores tampered files or directories from backups — preventing the injection of Trojans, black links, or illegal content such as terrorist threats or pornography.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Purchase the Web Tamper Proofing value-added service |
| Pay-as-you-go | Enable Web Tamper Proofing |
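Both core file monitoring and web tamper proofing rest on the same mechanism: a trusted baseline of file contents, a comparison against the current state, and (for tamper proofing) a restore from backup. The following added example shows that mechanism end to end; it is not Security Center's implementation and uses polling over hashes rather than the real-time hooks the features describe. It creates a small site in a temporary directory, takes a backup and a SHA-256 baseline, simulates a modified, an added and a deleted file, detects all three, and restores the directory. File names and contents are constructed.

```python
"""Hash-baseline tamper detection and restore from backup (added example)."""
import hashlib
import os
import shutil
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    # Relative path -> content hash, with "/" separators so results are portable
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = _sha256(full)
    return baseline


def diff_baseline(baseline: dict, current: dict) -> dict:
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def restore(site: str, backup: str, changes: dict) -> None:
    # Put modified and deleted files back from the backup; drop files that were injected
    for rel in changes["modified"] + changes["deleted"]:
        src = os.path.join(backup, *rel.split("/"))
        dst = os.path.join(site, *rel.split("/"))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
    for rel in changes["added"]:
        os.remove(os.path.join(site, *rel.split("/")))


def demo():
    # Returns (changes detected after tampering, changes remaining after restore)
    with tempfile.TemporaryDirectory() as tmp:
        site, backup = os.path.join(tmp, "site"), os.path.join(tmp, "backup")
        os.makedirs(os.path.join(site, "js"))
        with open(os.path.join(site, "index.html"), "w") as f:
            f.write("<h1>constructed sample page</h1>")
        with open(os.path.join(site, "js", "app.js"), "w") as f:
            f.write("console.log('constructed');")
        shutil.copytree(site, backup)
        baseline = build_baseline(site)

        # Simulated tampering: one file altered, one injected, one removed
        with open(os.path.join(site, "index.html"), "a") as f:
            f.write("<!-- injected content -->")
        with open(os.path.join(site, "injected.html"), "w") as f:
            f.write("unexpected file")
        os.remove(os.path.join(site, "js", "app.js"))

        detected = diff_baseline(baseline, build_baseline(site))
        restore(site, backup, detected)
        after = diff_baseline(baseline, build_baseline(site))
        return detected, after


if __name__ == "__main__":
    detected, after = demo()
    print("detected:", detected)
    print("after restore:", after)
```

A production monitor would take the baseline from a trusted build artifact rather than from the live directory, so that a file altered before the first scan is not silently accepted as legitimate.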
Feature settings - Host Protection settings
Configure how the host protection engine behaves on your servers:
Proactive Defense
| Feature | What it does |
|---|---|
| Malicious Host Behavior Prevention | Automatically intercepts and kills common network viruses — mainstream ransomware, DDoS Trojans, mining programs, Trojans, backdoors, and worms |
| Anti-ransomware (Bait Capture) | Deploys a honeypot to capture new ransomware strains and initiates automated defense based on virus behavior analysis |
| Webshell Prevention | Automatically intercepts abnormal connection behaviors through known web shells |
| User Experience Optimization in Proactive Defense | Collects Kdump data when a server shuts down abnormally to improve Security Center's defense capabilities |
Additional settings
Webshell Detection and Removal: Periodically scans website servers and web page directories for web shells and Trojans.
Adaptive Threat Detection Capability: Automatically enables strict alert mode when a high-risk intrusion event occurs on a server.
Alert Settings:
Balanced Mode (default): Minimizes false positives while detecting more potential risks.
Strict Mode: Broader suspicious behavior alerts with higher false positive rates. Use during major security events.
| Billing model | Edition / level | Supported features |
|---|---|---|
| Subscription | Anti-virus | Malicious Host Behavior Prevention, Anti-ransomware (Bait Capture), Webshell Detection and Removal, Alert Settings |
| Subscription | Advanced | + Webshell Prevention |
| Subscription | Enterprise, Ultimate | All features |
| Pay-as-you-go | Antivirus | Malicious Host Behavior Prevention, Anti-ransomware (Bait Capture), Webshell Detection and Removal, Alert Settings |
| Pay-as-you-go | Host Protection, Hosts and Container Protection | All features |
Container Protection
Active container defense
Three mechanisms protect your container runtime:
Risk Image Blocking: Checks images for security risks and takes intercept, alert, or allow actions on images matching active container defense rules — ensuring only approved images start in the cluster.
Non-image Program Defense: Detects and intercepts programs that start inside a container but are not part of the original image — actively defending against malware intrusion.
Container Escape Prevention: Detects high-risk behaviors across processes, files, and system calls to block container escape attempts and protect the host.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Ultimate |
| Pay-as-you-go | Enable Host and Container Security; set protection level to Hosts and Container Protection |
Container file protection
Monitors directories and files within containers in real time, generating alerts or intercepting tampering when a directory or file is maliciously altered — preventing injection of illegal information or malicious code into your applications.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Ultimate |
| Pay-as-you-go | Enable Host and Container Security; set protection level to Hosts and Container Protection |
Container Firewall
A firewall service for container environments. When an attacker exploits a vulnerability or malicious image to intrude into a container cluster, Container Firewall generates an alert or intercepts the abnormal behavior.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Ultimate |
| Pay-as-you-go | Enable Host and Container Security; set protection level to Hosts and Container Protection |
Container image signing
Signs container images so only approved, signed images can be deployed — preventing unauthorized or unsigned images from starting.
Container image signing is currently available only for Kubernetes clusters in the China (Hong Kong) region.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Ultimate |
| Pay-as-you-go | Enable Host and Container Security; set protection level to Hosts and Container Protection |
Image Security Scan
Scans container images for high-risk system vulnerabilities, application vulnerabilities, malicious viruses, web shells, malicious scripts, configuration risks, and sensitive data.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Purchase the Container Image Scan value-added service. Available for Advanced, Enterprise, Ultimate, and Value-added Plan editions. |
| Pay-as-you-go | Not supported |
CI/CD integration
Integrates with Jenkins or GitHub to detect security risks during the project build phase — high-risk system vulnerabilities, application vulnerabilities, malicious viruses, web shells, malicious execution scripts, configuration risks, and sensitive data in images. Provides vulnerability fix suggestions.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Purchase the Container Image Scan value-added service. Available for Advanced, Enterprise, Ultimate, and Value-added Plan editions. |
| Pay-as-you-go | Not supported |
Feature settings - Container Protection settings
Configure container security detection behavior:
Threat Detection on Kubernetes containers: Detects security issues in running container clusters in real time. Checks:
Abnormal command execution in K8s API Server
Abnormal directory mounting in pods
Lateral movement using K8s Service Account
Startup of pods with malicious images
Container Escape Prevention: Detects high-risk behaviors across processes, files, and system calls to block escape attempts.
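The four Kubernetes checks above are stated as outcomes. As an added example (not Security Center's own detection logic, which is not documented here), the following Python shows what each class looks like at the kube-apiserver audit-log layer: it runs rule checks over constructed `audit.k8s.io/v1` events logged at the `RequestResponse` level. The sensitive host-path list, the image-digest blocklist and the sample events are all constructed assumptions.

```python
"""Added example: detecting the Kubernetes threat classes listed above from
kube-apiserver audit events. Illustrative only; not Security Center's logic.
Sample events, the sensitive-path list and the digest blocklist are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Host directories whose mounting into a pod usually signals an escape attempt
# (constructed list; real deployments need an allowlist for e.g. log-collector daemonsets).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/root", "/var/run/docker.sock", "/var/lib/kubelet")

# Hypothetical digest blocklist standing in for an image-scan verdict feed.
BLOCKED_DIGEST = "sha256:" + "0123456789abcdef" * 4
MALICIOUS_IMAGE_DIGESTS = {BLOCKED_DIGEST}


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def _under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or lies below it. "/" only matches itself,
    otherwise every absolute path would be flagged."""
    if prefix == "/":
        return path == "/"
    return path == prefix or path.startswith(prefix + "/")


def _service_account_namespace(username: str) -> str | None:
    # Service-account identities have the fixed form system:serviceaccount:<ns>:<name>.
    parts = username.split(":")
    if len(parts) == 4 and parts[:2] == ["system", "serviceaccount"]:
        return parts[2]
    return None


def detect(events: Iterable[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        # A request is logged at several stages; evaluate it once, when complete.
        if ev.get("stage") != "ResponseComplete":
            continue
        user = ev.get("user", {}).get("username", "")
        verb = ev.get("verb", "")
        ref = ev.get("objectRef") or {}
        target = f"{ref.get('namespace')}/{ref.get('name')}"

        # 1. Abnormal command execution via the API server: exec/attach into a pod.
        if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
            findings.append(Finding("exec_in_pod", user, f"{ref['subresource']} into {target}"))

        # 2. and 4. Pod creation: inspect the submitted spec for hostPath mounts and images.
        if verb == "create" and ref.get("resource") == "pods" and not ref.get("subresource"):
            spec = (ev.get("requestObject") or {}).get("spec", {})
            for vol in spec.get("volumes", []):
                path = (vol.get("hostPath") or {}).get("path")
                if path and any(_under(path, p) for p in SENSITIVE_HOST_PATHS):
                    findings.append(Finding("sensitive_hostpath_mount", user, f"{target} mounts {path}"))
            for c in spec.get("containers", []) + spec.get("initContainers", []):
                image = c.get("image", "")
                digest = image.split("@", 1)[1] if "@" in image else None
                if digest in MALICIOUS_IMAGE_DIGESTS:
                    findings.append(Finding("malicious_image", user, f"{target} runs {image}"))

        # 3. Lateral movement: a service account reading secrets outside its own
        # namespace (or cluster-wide, where objectRef.namespace is absent).
        sa_ns = _service_account_namespace(user)
        if sa_ns and ref.get("resource") == "secrets" and verb in ("get", "list", "watch"):
            if ref.get("namespace") != sa_ns:
                where = ref.get("namespace") or "<all namespaces>"
                findings.append(Finding("sa_cross_namespace_secrets", user, f"{verb} secrets in {where}"))
    return findings


def _event(stage, verb, username, resource, subresource=None, namespace=None, name=None, request_object=None):
    """Build a minimal constructed audit event with the fields the rules use."""
    ev = {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage, "verb": verb,
          "user": {"username": username},
          "objectRef": {"resource": resource, "subresource": subresource, "namespace": namespace, "name": name}}
    if request_object is not None:
        ev["requestObject"] = request_object
    return ev


SAMPLE_EVENTS = [  # constructed
    _event("RequestReceived", "create", "alice", "pods", "exec", "prod", "web-0"),  # earlier stage: skipped
    _event("ResponseComplete", "create", "alice", "pods", "exec", "prod", "web-0"),
    _event("ResponseComplete", "create", "deploy-bot", "pods", namespace="prod", name="dbg",
           request_object={"spec": {"volumes": [{"name": "sock", "hostPath": {"path": "/var/run/docker.sock"}}],
                                    "containers": [{"name": "dbg", "image": "busybox:1.36"}]}}),
    _event("ResponseComplete", "create", "deploy-bot", "pods", namespace="prod", name="miner",
           request_object={"spec": {"containers": [{"name": "m", "image": "registry.example/miner@" + BLOCKED_DIGEST}]}}),
    _event("ResponseComplete", "list", "system:serviceaccount:dev:ci-runner", "secrets", namespace="prod"),
    _event("ResponseComplete", "get", "system:serviceaccount:dev:ci-runner", "secrets", namespace="dev", name="ci-token"),
    _event("ResponseComplete", "get", "alice", "pods", namespace="prod", name="web-0"),  # benign
]


def run_sample() -> list[str]:
    return [f.rule for f in detect(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.user}: {f.detail}")
```

The sample yields one finding per rule and nothing for the benign events; the service account reading a secret in its own namespace is deliberately not flagged. Two caveats a practitioner would apply before using rules like these: pod specs only appear in the audit log if the cluster's audit policy records pods at `RequestResponse` level, and hostPath detection needs an allowlist because monitoring and logging daemonsets legitimately mount host directories.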
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Ultimate |
| Pay-as-you-go | Enable Host and Container Security; set protection level to Hosts and Container Protection |
Application Protection
Uses RASP (Runtime Application Self-Protection) technology to detect and block attacks at application runtime — providing built-in, active security for your business applications. For details, see What is Application Protection?
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Purchase the Application Protection value-added service |
| Pay-as-you-go | Enable Application Protection |
System Settings
Task Hub
Manages and executes batch vulnerability fix tasks across multiple servers.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Enterprise, Ultimate |
| Pay-as-you-go | Enable Vulnerability Fixing |
Security Report
Customize the security data you want to track and have it delivered periodically to the email inboxes of your security team.
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Advanced, Enterprise, Ultimate |
| Pay-as-you-go | Enable any pay-as-you-go service |
Feature settings - Client Capability Configuration
Configure how the Security Center agent runs on your servers:
Agent Protection: Intercepts attempts to uninstall the agent without using the Security Center console — preventing attackers from disabling protection.
Client Resource Management: Adjusts the agent's running mode to limit resource consumption. Modes: Low Consumption Mode, Smooth Mode, Custom Mode.
Local File Detection Engine: Runs security checks on newly created script and binary files, generating alerts when threats are detected.
In-depth Detection Engine: Detects deeper security risks such as rootkits, tunneling, and backdoors.
| Billing model | Edition / level | Supported features |
|---|---|---|
| Subscription | Anti-virus, Advanced | Agent Protection, Client Resource Management (Low Consumption Mode, Smooth Mode) |
| Subscription | Enterprise, Ultimate | All features |
| Pay-as-you-go | Antivirus | Agent Protection, Client Resource Management (Low Consumption Mode, Smooth Mode) |
| Pay-as-you-go | Host Protection, Hosts and Container Protection | All features |
Feature settings - Other Configurations
Data Delivery of ActionTrail: Uses the Security Center service-linked role to ship ActionTrail data to the Security Center logStore. Enables threat detection for abnormal AccessKey calls, unusual RAM account logons, and high-risk command execution. Supported by all editions by default.
Global Log Filter: Deduplicates and filters client logs before reporting to reduce log storage costs. Requires the Log Analysis value-added service (subscription).
| Billing model | Supported editions / levels |
|---|---|
| Subscription | Anti-virus, Advanced, Enterprise, Ultimate: all editions support Data Delivery of ActionTrail by default. Global Log Filter requires the Log Analysis value-added service. For supported log types by edition, see Log types and field descriptions. |
| Pay-as-you-go | Data Delivery of ActionTrail is supported once any pay-as-you-go feature is enabled |
Feature settings - Client
View servers whose agents are offline or not installed, obtain the agent installation commands, and manage agent uninstallation. Agents that reach Security Center through a proxy are also supported.
Supported editions: All editions and protection levels (no additional purchase required).
Multicloud Configuration Management
Three capabilities for managing assets beyond Alibaba Cloud:
[Multicloud asset integration](https://www.alibabacloud.com/help/en/security-center/user-guide/use-multi-cloud-configuration-management/#task-2092350): Integrates non-Alibaba Cloud servers — third-party cloud servers and IDC servers — into Security Center for unified protection and management.
[IDC asset integration](https://www.alibabacloud.com/help/en/security-center/user-guide/add-a-server-in-a-data-center-to-security-center): Creates an IDC probe to detect and discover IDC servers and synchronize them to Asset Center.
[Asset Management Rules](https://www.alibabacloud.com/help/en/security-center/user-guide/use-the-feature-of-asset-management-rules#task-2113161): Groups or tags servers that meet defined conditions to improve asset management efficiency.
Supported editions: All editions and protection levels (no additional purchase required).
Notification Settings
Configure alert policies for security alerts, vulnerability intelligence, and baseline risks. Delivery channels:
Email / Internal Message
DingTalk Chatbot
Cloud Monitor Push
| Billing model | Edition / level | Supported channels |
|---|---|---|
| Subscription | Anti-virus | Email / Internal Message, Cloud Monitor Push |
| Subscription | Advanced, Enterprise, Ultimate | All channels |
| Pay-as-you-go | Any pay-as-you-go service enabled | All channels |
Multi-account security management
Manages asset security across multiple member accounts within your enterprise — providing a unified view of security risks for all accounts.
Supported editions: All editions and protection levels (no additional purchase required).
Compliance Check
Security Compliance Check: Checks the technical requirement domains of classified protection (MLPS) compliance, namely the secure communication network, secure area boundary, secure computing environment, and security management center, and generates classified protection compliance reports.
ISO 27001 Compliance Check: Checks whether your system meets ISO 27001 certification requirements across asset management, access control, cryptography, and operational security.
Supported editions: All editions and protection levels (no additional purchase required).