Security Center supports subscription and pay-as-you-go billing. This topic explains how each method works, what each costs, and what happens to your data when a service expires or is shut down.
To estimate costs before purchasing, use the Alibaba Cloud Price Calculator and configure the Security Center parameters for your expected usage.
Billing methods
Security Center supports two billing methods. Choose based on whether you prefer predictable upfront costs or usage-based daily billing.
| Subscription | Pay-as-you-go | |
|---|---|---|
| How it works | Pay upfront for a fixed monthly or yearly term | Pay daily based on actual usage (billed on T+1) |
| Best for | Steady, predictable workloads | Variable workloads or feature trials |
| Cost structure | Edition fee + optional value-added service fees | Basic service fee + per-feature usage fees |
Both billing methods include Free Edition capabilities. For details, see Introduction to the Free Edition of Security Center.
Both methods can be active simultaneously, but only for different feature modules. For example, you can use subscription for Vulnerability Fixing and pay-as-you-go for Agentic SOC. You cannot combine a subscription edition (Anti-virus, Advanced, Enterprise, or Ultimate) with pay-as-you-go Host and Container Security, and you cannot purchase the same value-added feature under both methods at once. See FAQ for details.
Supported features
Subscription includes:
Editions: Anti-virus, Advanced, Enterprise, Ultimate, and Value-added Plan
Value-added services (optional add-ons): Vulnerability Fixing, Agentic SOC, Anti-ransomware, Cloud Security Posture Management (CSPM), and others
Pay-as-you-go includes:
Basic features (included automatically): DingTalk Robot, security reports, and Task Hub. To use Task Hub, first enable or purchase Vulnerability Fixing.
Billable features (enabled individually): Host and Container Security, Vulnerability Fixing, Serverless Asset Protection, Log Management, Agentic SOC, and others
For the full feature comparison, see Features and Purchase Security Center.
Subscription
Billing formula
| Edition | Formula |
|---|---|
| Anti-virus | (Number of cores × edition fee + value-added feature fees) × subscription duration |
| Advanced | (Number of protected servers × edition fee + value-added feature fees) × subscription duration |
| Enterprise | (Number of protected servers × edition fee + value-added feature fees) × subscription duration |
| Ultimate | (Number of protected servers × edition fee + number of server cores × edition fee + value-added feature fees) × subscription duration |
| Value-added Plan | Value-added feature fees × subscription duration |
"Number of cores" is the total virtual CPUs (vCPUs) across all servers in your assets. "Number of protected servers" includes both Alibaba Cloud ECS instances and non-Alibaba Cloud servers with the Security Center client installed.
Edition fees
| Edition | PriceUSD 0.00013 per GB per hourUSD 0.03 per GBUSD 7.2 per 1,000 GBUSD 0.0002 per requestUSD 0.00045 per requestUSD 0.0007 per requestUSD 0.0009 per requestUSD 0.3 per useUSD 0.0072 per hour |
|---|---|
| Anti-virus | USD 1 per core per month |
| Advanced | USD 9.5 per instance per month |
| Enterprise | USD 23.5 per instance per month |
| Ultimate | USD 23.5 per instance per month + USD 1 per core per month |
| Value-added Plan | No base fee (pay only for value-added features) |
Value-added feature fees
The prices below are for reference. For actual prices, see the Security Center purchase page.
Vulnerability Fixing
Billing is based on the number of fixes purchased. One fix is consumed when a vulnerability bulletin is successfully fixed on a single server. Failed fixes do not consume your quota.
| Edition | Price |
|---|---|
| Anti-virus | USD 0.3 per fix (minimum 20 fixes) |
| Advanced, Enterprise, Ultimate | No extra charge — unlimited fixes included |
| Value-added Plan | USD 0.3 per fix (minimum 20 fixes) |
CSPM
Billing is based on the number of successful scans, verifications, and fixes performed for each check item on each cloud product instance. An instance is a specific network device or application instance, such as an OSS bucket or an ECS security group. For details, see Cloud Security Posture Management overview.
Tiered pricing applies across all editions. The minimum purchase is 15,000 checks, with increments of 55,000 checks.
| Volume | Price per request |
|---|---|
| 0–100,000 | USD 0.0009 |
| 100,001–500,000 | USD 0.00069 |
| Over 500,000 | USD 0.000625 |
Application Protection
Billing is based on the number of quotas (protected application instances) purchased. One quota covers one protected application process or pod using Runtime Application Self-Protection (RASP).
| Quota range | Price per quota per month |
|---|---|
| 1–50 | USD 6 |
| 51–200 | USD 4.5 |
| Over 200 | USD 3 |
Web Tamper Proofing
USD 165 per instance per month (all editions). Billing is based on the number of protected websites.
Agentic SOC
Agentic SOC has two billing configurations:
Agentic SOC: Billed for Log Ingestion Traffic and Log Storage Capacity.
Security Operations Agent: Billed for Log Ingestion Traffic, Log Storage Capacity, Intelligent Usage Analysis, and Number of Managed Instances.
Prices are the same across all editions:
Log Ingestion Traffic — tiered pricing based on daily ingestion volume (minimum 100 GB/day, increments of 100 GB/day):
| Daily volume (X) | Price |
|---|---|
| X = 100 GB | USD 0.45 per GB per day |
| 200 GB ≤ X < 9,999,999,999 GB | USD 0.42 per GB per day |
X = 100 GB: USD 0.45 per GB per day.
200 GB <= X < 9,999,999,999 GB: USD 0.42 per GB per day.
Log Storage Capacity: USD 100 per 1,000 GB per month (minimum 1,000 GB, increments of 1,000 GB).
Intelligent Usage Analysis: USD 9.6 per 100 GB per day. The minimum purchase is 100 GB/day and must match the Log Ingestion Traffic quantity. Usage resets at midnight daily. After exceeding the limit, the system automatically applies rate limiting.
Number of Managed Instances: USD 1.434 per instance per month (minimum 10 instances, increments of 10). Each instance is counted only once — duplicates are automatically removed.
Anti-ransomware
USD 0.045 per GB per month (all editions). Billing is based on purchased backup capacity.
Log Analysis
| Edition | Price |
|---|---|
| Anti-virus, Advanced, Enterprise, Ultimate | USD 0.1 per GB per month |
| Value-added Plan | Not available |
Container Image Scan
Billing is based on the number of image digests.
| Edition | Price |
|---|---|
| Anti-virus | Not available |
| Advanced, Enterprise, Ultimate, Value-added Plan | USD 0.1 per image per month |
Cloud Honeypot
USD 333.33 per probe per month (minimum 20 probes, all editions). Billing is based on the number of cloud honeypot probes purchased.
Malicious File Detection
USD 1.5 per 10,000 detections per month (minimum 100,000 detections, all editions). Billing is based on the number of file detections purchased.
Pay-as-you-go
How billing works
Total daily fee = Basic service fee + Feature usage fees
Bills are generated on T+1 — the system calculates your previous day's usage and generates the bill the following day.
Tip: Monitor your accumulated spend in real time on the Overview page of the Security Center console, in the Pay-as-you-go section. This lets you track costs before the daily bill is generated.
Basic service fee
A basic service fee applies whenever any pay-as-you-go feature is enabled. It covers DingTalk Robot, security reports, and Task Hub.
Price: USD 0.0072 per hour
Billing cycle: Daily
Minimum unit: 1 hour — durations under one hour are billed as one hour
Feature usage fees
Host and Container Security
Billed daily based on protection level, number of servers, and actual protection duration in seconds. Protection duration is measured by client online time.
| Protection level | Per-second price | Monthly reference (30 days) |
|---|---|---|
| Antivirus | USD 0.000000578 per core | USD 1.5 per core |
| Advanced | USD 0.000005497 per instance | USD 14.25 per instance |
| Host Protection | USD 0.000013599 per instance | USD 35.25 per instance |
| Hosts and Container Protection | USD 0.000013599 per instance + USD 0.000000578 per core | USD 35.25 per instance + USD 1.5 per core |
Vulnerability Fixing
Billed daily based on the number of fixes used. One fix is consumed when a vulnerability bulletin is successfully fixed on a single server. Failed fixes are not counted. For counting rules, see Vulnerability fix counting rules.
Price: USD 0.3 per fix
Billing cycle: Daily
Agentic SOC
Billed daily. Two configurations are available:
Agentic SOC: Tiered billing based on daily log ingestion traffic (in GB). The minimum billing unit is 1 GB — volumes under 1 GB are billed as 1 GB.
Security Operations Agent: Includes log ingestion tiered billing plus:
Intelligent Usage Analysis: Billed based on GB consumed by the AI security agent for alert analysis, event investigation, traceability, and report generation.
Number of Managed Instances: Billed based on the number of Agent instance invocations. ECS, WAF, Application Load Balancer (ALB), cross-cloud products, and on-premises security products all count as instances. Each instance is counted only once.
Log Ingestion Traffic — cumulative tiered pricing (Y = daily traffic in GB):
| Daily traffic tier | Price | Fee formula |
|---|---|---|
| 1–10 GB/day | USD 2.20/GB | 2.2 × Y |
| 11–50 GB/day | USD 1.6/GB | 2.2 × 10 + 1.6 × (Y − 10) |
| 51–100 GB/day | USD 1.4/GB | 2.2 × 10 + 1.6 × 40 + 1.4 × (Y − 50) |
| Over 100 GB/day | USD 1.2/GB | 2.2 × 10 + 1.6 × 40 + 1.4 × 50 + 1.2 × (Y − 100) |
Example: If you ingest 60 GB/day, the daily fee is: 2.2 × 10 + 1.6 × 40 + 1.4 × (60 − 50) = 22 + 64 + 14 = USD 100.
Intelligent Usage Analysis: USD 0.144 per GB per day.
Number of Managed Instances: USD 2.15 per instance per month.USD 0.0002 per instance per minuteUSD 2.15 per instance per monthUSD 1.5 per core per monthUSD 35.25 per instance per monthUSD 0.0000015 per core-secondUSD 0.000002 per core-secondUSD 0.000003 per core-secondUSD 0.000000578 per core per secondUSD 0.000013599 per instance per secondUSD 35.25 per instance per monthUSD 0.000013599 per instance per secondUSD 14.25 per instance per monthUSD 1.5 per core per monthUSD 1.5 per 10,000 detections per monthUSD 333.33 per probe per monthUSD 0.144 per GB per dayUSD 0.1 per image per monthUSD 0.1 per GB per monthUSD 0.045 per GB per monthUSD 0.000005497 per instance per secondUSD 1.434 per instance per monthUSD 9.6 per 100 GB per day.USD 100 per 1,000 GB per monthUSD 165 per instance per monthUSD 3 per unit per monthUSD 4.5 per unit per monthUSD 6 per unit per monthUSD 0.3 per unit per monthUSD 0.3 per scan per monthUSD 23.5 per instance per monthUSD 9.5 per instance per monthUSD 23.5 per instance per month + USD 1 per core per month
Log Management
Billed daily based on cumulative daily log storage in GB. The minimum billing unit is 1,000 GB — for example, 1,900 GB is billed as 2,000 GB.
Price: USD 7.2 per 1,000 GB
Billing cycle: Daily
CSPM
Billed daily using cumulative tiered pricing based on the number of quotas used (scans, verifications, and successful fixes). The daily fee is the sum across all tiers. For quota consumption details, see quota consumption (pay-as-you-go).
Tiered pricing (Z = number of quotas used per day):
| Daily usage tier | Price | Fee formula |
|---|---|---|
| 0–100,000 | USD 0.0009 per request | 0.0009 × Z |
| 100,001–500,000 | USD 0.0007 per request | 0.0009 × 100,000 + 0.0007 × (Z − 100,000) |
| Over 500,000 | USD 0.00045 per request | 0.0009 × 100,000 + 0.0007 × 400,000 + 0.00045 × (Z − 500,000) |
Example: If you use 200,000 quotas on a given day, the fee is: 0.0009 × 100,000 + 0.0007 × (200,000 − 100,000) = 90 + 70 = USD 160.
Agentless Detection
Price: USD 0.03 per GB
Billing cycle: Daily
Billing method: Based on the volume of scanned data in GB
Serverless Asset Protection
Billed daily based on the number of server cores multiplied by protection duration in seconds. Protection duration is measured by client online time.
Tiered pricing based on cumulative monthly usage:
Cumulative monthly usage resets at the start of each calendar month. In the first month of use, the period runs from the day you enable the service to the end of that month.
Cumulative monthly usage for a given day = all prior days' usage in that month + current day's usage.
| Tier | Cumulative monthly usage | Price per core-second |
|---|---|---|
| Tier 1 | 0–200,000,000 core-seconds | USD 0.000003 |
| Tier 2 | 200,000,001–1,000,000,000 core-seconds | USD 0.000002 |
| Tier 3 | Over 1,000,000,000 core-seconds | USD 0.0000015 |
When cumulative monthly usage crosses into a higher tier mid-day, the cross-tier formula applies for that day only. On subsequent days in the same tier, the flat tier rate applies.
Example: 20,000 cores online 24 hours/day (86,400 seconds/day):
Daily usage: 20,000 × 86,400 = 1,728,000,000 core-seconds
Day 1 (cumulative usage reaches Tier 3 for the first time):
0.000003 × 200,000,000 + 0.000002 × 800,000,000 + 0.0000015 × (1,728,000,000 − 1,000,000,000)0.0007USD0.000450.00090.0007USD0.0009
= 600 + 1,600 + 1,092 = USD 3,292
Day 2 onward (already in Tier 3):
0.0000015 × 1,728,000,000 = USD 2,592 per day0.000003 × 200,000,000 + 0.000002 × 800,000,000
Malicious File Detection
Price: USD 0.0002 per file detected
Billing cycle: Daily
Billing method: Based on the number of files detected
Application Protection
Price: USD 0.0002 per instance per minute
Billing cycle: Daily
Billing method: Based on the number of online instances per minute (0–60 second intervals)
Anti-ransomware
Price: USD 0.00013 per GB per hour
Billing cycle: Daily (usage accumulated hourly, billed daily)
Billing method: Based on backup file size (GB) and storage duration (hours)
Service expiration and termination
Subscription
What triggers this: Your subscription expires without renewal, or you unsubscribe from the Security Center instance.
Immediate impact: The service instance is released and your edition downgrades to the Free Edition. Servers lose Security Center protection, increasing the risk of intrusion and data leaks. To restore protection, renew your subscription or purchase a new edition.
The system sends renewal reminders by email or internal message starting 7 days before expiration.
Data retention after expiration or unsubscription:
| Timeframe | What happens |
|---|---|
| Within 7 days of expiration | All service authorization information, configuration policies, and service data are retained. |
| 7 days after expiration | Container Protection image security scan authorizations and CI/CD integration settings are immediately purged. Log Analysis: data in the sas-log Logstore (in the Simple Log Service (SLS) project named sas-log-<account ID>-<region ID>) is immediately purged. Host Protection Anti-ransomware: all backup policies and backup data are immediately purged. |
| Unsubscription | Same data purge as "7 days after expiration" applies immediately on unsubscription. |
| 15 days after unsubscription or expiration | The following Agentic SOC data is purged: security alerts (except Cloud Workload Protection Platform (CWPP) alerts), Agentic SOC security events, custom playbooks and response rules, Log Management standardized integration and Security Center logs, custom rules, and Integration Center custom items (integration rules, data sources, watchlists, integration policies). |
| 90 days after expiration | Agentic SOC Response Center response policies and tasks are automatically purged. This purge is not affected by unsubscription. |
CWPP security events are retained even after unsubscription or expiration.
Pay-as-you-go
What triggers this: An overdue payment (insufficient account balance at settlement time) or manual service shutdown.
Immediate impact: Pay-as-you-go features are disabled, and the associated detection and protection capabilities are lost.
To shut down pay-as-you-go services, go to the Overview page in the Security Center console. In the Pay-as-you-go section, turn off the switch for the relevant service, or click Deactivate to shut down all pay-as-you-go services at once.
Data retention:
| Timeframe | What happens |
|---|---|
| During the 15-day retention period (overdue payment only) | All service authorization information, configuration policies, and pay-as-you-go service data are retained. |
| After the 15-day retention period (overdue payment) or immediately (service shutdown) | Container Protection image security scan authorizations and CI/CD integration settings are purged. Agentic SOC data (alerts except CWPP, security events, custom playbooks and response rules, Log Management logs, custom rules, Integration Center custom items) is purged. |
| 90 days after expiration | Agentic SOC Response Center data is automatically purged. Not affected by overdue payments or service shutdowns. |
If your service is suspended due to an overdue payment, use Deactivate before adding funds. Otherwise, the service may auto-resume and generate new charges.
For overdue payments: if the Agentic SOC data retention period extends beyond 15 days, Agentic SOC begins purging data immediately on the 15th day — it does not wait for the retention period to end.
CWPP security events are retained even after service shutdown or overdue payment.
FAQ
Can I use both billing methods at the same time?
Yes, but only for different feature modules. For example, you can subscribe to Vulnerability Fixing and use pay-as-you-go for Agentic SOC. Two combinations are not allowed:
A subscription edition (Anti-virus, Advanced, Enterprise, or Ultimate) and pay-as-you-go Host and Container Security cannot be active simultaneously.
The same value-added feature, such as Agentic SOC, cannot be purchased under both billing methods at the same time.
How do I shut down pay-as-you-go services?
Go to the Overview page in the Security Center console. In the Pay-as-you-go section, turn off the switch for each service you want to stop. To shut everything down at once, click Deactivate at the top of the page.
Fees incurred on the day you shut down are included in the bill generated the following day.
How do I avoid service suspension from overdue payments?
Right-size your protection scope: Protect only the assets that need it.
Set balance alerts
You can log on to Expenses and Costs and set a balance alert on the Account Overview page. The system automatically sends a notification when your available balance falls below the specified threshold.
Set a balance alert: In Expenses and Costs, go to Account Overview and set a minimum balance threshold. The system sends a notification when your balance drops below it.