Security Center is a centralized security solution that protects your cloud assets from persistent threats such as viruses, cyberattacks, and ransomware. It offers various billing methods and editions to help you build a security system that is tailored to your business needs and budget.
Quick selection guide
Use case | Recommended plan | Core value and features |
First-time use and feature evaluation | Experience comprehensive host security capabilities at no cost, including vulnerability management and intrusion prevention. | |
Hybrid cloud host security | Subscription: | Achieve unified security management. You can apply consistent mitigation policies and gain visibility across your cloud and on-premises data centers for centralized control over hybrid environments. |
Container security | Subscription: | Obtain full-stack protection from the host to the container runtime. You can add image scanning to shift security left into your CI/CD pipeline and build security into the entire lifecycle. |
Major event support | Subscription: | Build on comprehensive protection with Runtime Application Self-Protection (RASP) and tamper-proofing capabilities. These features are key to defending against advanced threats and ensuring the stability of core business services. |
Security incident response | For more information, see One-click provisioning policies and billing for pay-as-you-go services. | This is suitable for urgent security incidents, such as servers infected with mining malware, viruses, or trojans, or those affected by website tampering or ransomware. |
Billing
Security Center supports two billing methods: Subscription and Pay-as-you-go. Each method determines your charges and available features.
Regardless of the billing method you choose, you have access to the features of the Basic Edition. For more information, see Introduction to the Basic Edition of Security Center.
Item | Subscription | Pay-as-you-go |
Billing characteristics | Pay a single fee for a monthly or yearly term. The fixed cost makes budgeting simple. | Pay only for what you use, offering flexibility with no upfront investment. |
Cost | Fee = Edition fee + Value-added service fee (optional). Note: For more details, see Subscription billable items. | Fee = Basic service fee + Feature usage fee. Note: For more details, see Pay-as-you-go billable items. |
Use cases | Suitable for scenarios with stable, long-term business needs and a fixed budget. | Ideal for scenarios with elastic, short-term, or frequently changing business demands. |
Explore features and services
Subscription
Edition services
With a subscription, features are bundled into the edition you purchase. The editions are described below:
Edition | Description | Fee |
Basic | Provides only basic security detection, such as identifying unusual server logons, DDoS, common server vulnerabilities, and some cloud product configuration risks. It lacks active protection features. | Free |
Anti-virus | Detects and removes common viruses on your hosts. | USD 1 per core per month |
Advanced | Provides host virus detection and removal, vulnerability detection and fixing, and security reports. | USD 9.5 per server per month |
Enterprise | Meets host security requirements for intrusion prevention, identity authentication, and security audit. | USD 23.5 per server per month |
Ultimate | Provides full-stack security protection for hosts, containers, and Intelligent Computing LINGJUN servers. Capabilities include K8s threat detection, Container Asset Overview, security alerts, virus removal, vulnerability detection, Asset Fingerprints, and attack chain analysis. | USD 23.5 per server per month + USD 1 per core per month |
The following table compares the main protection capabilities of each edition:
Protection capability | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Basic malware and cloud product threat detection | |||||
Virus removal and host intrusion detection | |||||
Brute-force attack protection | |||||
Host behavior defense | Note: Only supports blocking processes based on malicious MD5 hashes. | ||||
System vulnerability scanning and fixing | |||||
Malicious network behavior defense | |||||
Trace the source of attacks | |||||
Application vulnerability detection | |||||
Baseline check and remediation | Note: Only supports weak password checks. | ||||
Container security |
Value-added services
With a subscription, you can purchase additional value-added services. The available services are described below:
Anti-ransomware
Description: This feature provides backup and recovery capabilities to protect against ransomware. After an attack, you can use backup files to recover your servers and databases.
Purchase notes:
The purchased quantity is the anti-ransomware capacity. This capacity depends on the size of your backup files and the retention period, not on the number of servers.
This service is supported only in specific regions. You can set the data protection volume as needed. For a list of these regions, see Anti-ransomware service overview.
If you select Set Recommended Policy, important file paths on your existing servers are automatically backed up periodically. To modify the policy, go to the Anti-ransomware page. For more information, see Modify the anti-ransomware policy for a server.
CSPM
Description: This feature provides identity and access management, automated compliance checks, and cloud product configuration baseline detection. It enables you to centrally manage configuration risks across multiple cloud products.
Purchase notes: Billing is based on the service quota. Service quota = Scan count (Number of cloud products × Number of asset instances × Number of check items) + Number of verifications + Number of successful fixes.
Warning: Unused quota is cleared at the end of each month. For more information about billing, see Subscription - Cloud Security Posture Management.
Cloud Threat Detection and Response (CTDR)
Description: This feature supports unified log collection from multiple clouds, accounts, and products such as Web Application Firewall (WAF), Cloud Firewall, and Virtual Private Cloud (VPC). It provides a closed-loop process for detecting, responding to, and handling security alerts and events. This improves security operations efficiency and helps you meet log audit requirements for classified protection compliance.
Purchase notes:
This feature uses modular billing. Log Ingestion Traffic and Log Storage Capacity are billed independently and can be purchased separately based on your needs.
Log Ingestion Traffic (GB/day)
Purpose: This is used for core security operational activities such as real-time threat detection, attack source tracing, and alert analysis. After purchase, you can use most core CTDR features, including threat detection and investigation response.
Estimate capacity:
Based on existing logs
Daily traffic (GB) = Total log storage capacity (GB) / Log retention period (TTL).
For example, if you have 10,000 GB of logs stored for 90 days, the daily traffic is approximately 10,000 / 90 ≈ 111 GB. We recommend purchasing a 200 GB/day plan.
Based on log generation rate (EPS)
Daily traffic (GB) = EPS (log entries per second) × 86,400 × Average log size (KB) / 1,024
EPS: The number of log entries generated per second.
Average log size: Typically between 3 KB and 7 KB.
Log Storage Capacity (GB)
Purpose: This is used for long-term storage of logs for queries and audits. This helps you meet the MLPS 2.0 requirement of the Cybersecurity Law to retain logs for at least 180 days and enables you to trace historical events.
Estimate capacity:
By server count: We recommend configuring 120 GB of log storage capacity for each server.
By existing Log Analysis capacity: Set this to three times your purchased capacity for the Security Center - Log Analysis feature.
If you select Access Policy, some log sources from Security Center, Web Application Firewall, Cloud Firewall, and ActionTrail in your Alibaba Cloud account are automatically connected.
Vulnerability Fixing
Description: You can fix Linux Software Vulnerability and Windows System Vulnerability on your servers with a single click in the console.
Purchase notes: Enter the number of vulnerability fixes you need to purchase per month.
Note: The number of vulnerability fixes is the sum of all vulnerabilities fixed across all servers. For example, if the same vulnerability exists on 10 servers, using the one-click fix feature in Security Center consumes 10 fixes.
Container Image Scan
Description: You can scan your images for system vulnerabilities, application vulnerabilities, viruses, and malicious samples with a single click, and receive remediation advice.
Purchase notes:
Enter the number of scan quotas you need to purchase per month.
Note: A scan quota is consumed the first time an image digest is scanned. Subsequent scans of the same digest do not consume additional quotas. If the image digest changes, a new quota is required.
This feature can be purchased only if you select the Advanced Edition, Enterprise Edition, Ultimate Edition, or Purchase only value-added services.
Web Tamper Proofing
Description: This feature monitors website directories in real time and restores tampered files or directories from backups to protect your critical systems from malicious modification.
Purchase notes: Select the quantity based on the number of servers you need to protect.
Malicious File Detection
Description: This feature performs deep scans to detect malware, WebShells, viruses, and other risk files hidden in your server's file system.
Purchase notes: Set the quantity to the number of files you need to scan each month.
Application Protection (RASP)
Description: Based on Runtime Application Self-Protection (RASP) technology, this feature enables applications to protect themselves by detecting and blocking attacks in real time.
Purchase notes: We recommend purchasing a quantity equal to the total number of Java processes you plan to protect.
Note: For example, if you have 2 servers, and each runs 3 Java applications that require protection, you should purchase 6 quotas.
Cloud Honeypot
Description: This feature deploys decoys to lure and trap attackers, enhancing threat detection and protection for your core assets in adversarial scenarios.
Purchase notes: Cloud Honeypot is billed based on the number of probes. You must purchase a minimum of 20 probes and a maximum of 500.
Note: To increase your quota beyond 500 probes, contact technical support.
Security Dashboard
Description: This feature provides multiple dashboards that offer a high-level, visual overview of your asset security posture.
Purchase notes: This feature is available for purchase only with the Advanced Edition, Enterprise Edition, or Ultimate Edition.
Log Analysis
Description: This feature aggregates security logs from your cloud assets, including hosts and security events. It provides powerful SQL search and visual reporting to simplify event investigation, attack source tracing, and compliance audits.
Important: If you also purchase the pay-as-you-go Log Management service, Security Center logs are stored in two separate locations. To avoid duplicate charges, evaluate your needs and then go to the Security Center console to disable the relevant log delivery switches in the Log Analysis module.
Purchase notes: To meet the requirements of the Cybersecurity Law, logs must be stored for at least 180 days. We recommend configuring at least 50 GB of storage capacity for each server.
Pay-as-you-go
Default features
Enabling any pay-as-you-go feature incurs a base service fee. This fee includes the following default services:
DingTalk Chatbot: After you configure DingTalk robot notifications, you can receive real-time threat alerts from Security Center in your DingTalk group.
Security Report: Customize the security data you want to track and have reports sent periodically to your security support staff's mailbox. This enables more effective real-time monitoring of your asset security status.
Playbook: This feature provides automated response orchestration. You can orchestrate repetitive tasks in your security incident response process into automated handling policies to help you efficiently harden your system security.
Note: You must first enable or purchase the Vulnerability Fixing feature.
Billable features
In the pay-as-you-go model, all features are billed independently and can be enabled on demand. The following features are available for purchase:
Host and Container Security
If you have already purchased a subscription for the Anti-virus, Advanced, Enterprise, or Ultimate edition, you cannot enable the Host and Container Security pay-as-you-go service.
Description: This feature provides comprehensive detection and protection for host and container assets. After purchase, you must bind a Protection Level to your assets. The protection levels are described below:
Protection level | Description | Monthly fee (30-day reference price) |
Unprotected | Provides only basic security detection, such as identifying unusual server logons, DDoS, common server vulnerabilities, and some cloud product configuration risks. It does not include active protection features. | Free |
Antivirus | Detects and removes common viruses on your hosts. | USD 1.5/core/month |
Advanced | New purchases and changes are no longer supported. | USD 14.25/instance/month |
Host Protection | Meets host security requirements for intrusion prevention, identity authentication, and security audit. | USD 35.25/host/month |
Hosts and Container Protection | Provides full-stack security for hosts, containers, and Intelligent Computing LINGJUN servers. Capabilities include K8s threat detection, Container Asset Overview, security alerts, virus removal, vulnerability detection, Asset Fingerprints, and attack chain analysis. | USD 35.25/instance/month + USD 1.5/core/month |
The main protection capabilities for each level are as follows:
Protection capability | Unprotected | Antivirus | Host Protection | Hosts and Container Protection |
Basic malware and cloud product threat detection |
Virus removal and host intrusion detection |
Brute-force attack protection |
Host behavior defense | Note: Only supports blocking processes based on malicious MD5 hashes. |
Malicious network behavior defense |
Trace the source of attacks |
Application vulnerability detection |
Container security |
Purchase notes: For the feature to take effect, you must assign the quota to specific assets after you enable it. You can during purchase.
Important: The system uses the following default binding rules:
Server assets that run container environments, including Alibaba Cloud ACK cluster nodes, Intelligent Computing LINGJUN, and servers connected to self-managed K8s clusters: Host and Container Protection.
All other assets: Host Protection.
New servers added later: Host Protection.
CSPM
Description: This feature provides identity and access management, automated compliance checks, and cloud product configuration baseline detection. It enables you to centrally manage configuration risks across multiple cloud products.
Purchase notes: Billing is based on the service quota. Service quota = Scan count (Number of cloud products × Number of asset instances × Number of check items) + Number of verifications + Number of successful fixes.
Vulnerability Fixing
Description: You can fix Linux Software Vulnerability and Windows System Vulnerability on your servers with a single click in the console.
Purchase notes: Enter the number of vulnerability fixes you need to purchase per month.
Note: The number of vulnerability fixes is the sum of all vulnerabilities fixed across all servers. For example, if the same vulnerability exists on 10 servers, using the one-click fix feature in Security Center consumes 10 fixes.
Cloud Threat Detection and Response (CTDR)
Description: This feature supports unified log collection from multiple clouds, accounts, and products such as Web Application Firewall (WAF), Cloud Firewall, and Virtual Private Cloud (VPC). It provides a closed-loop process for detecting, responding to, and handling security alerts and events. This improves security operations efficiency and helps you meet log audit requirements for classified protection compliance.
Purchase notes:
Billing is tiered based on Log Ingestion Traffic. The more you use, the lower the unit price. For billing details, see Threat Analysis and Response - Pay-as-you-go.
Important: The pay-as-you-go method does not support purchasing Log Storage Capacity, which means you cannot store logs for queries and audits.
If you select Access Policy, some log sources from Security Center, Web Application Firewall, Cloud Firewall, and ActionTrail in your Alibaba Cloud account are automatically connected.
Anti-ransomware
Description: This feature provides backup and recovery capabilities to protect against ransomware. After an attack, you can use backup files to recover your servers and databases.
Purchase notes:
This service is billed based on the size of backup files and the data storage duration. For billing details, see Anti-ransomware service - Pay-as-you-go.
This service is available only in select regions. You can set the data protection volume as needed. For a list of supported regions, see Anti-ransomware service overview.
If you select Set Recommended Policy, the system automatically backs up important file paths on your existing servers. To adjust the policy, go to the Anti-ransomware page. For more information, see Modify the anti-ransomware policy for a server.
Application Protection
Description: Based on Runtime Application Self-Protection (RASP) technology, this feature enables applications to protect themselves by detecting and blocking attacks in real time.
Note: This feature takes effect only after you enable it and apply it to specific assets. You can add custom assets during purchase.
Important: By default, all assets are protected and connected using the slow onboarding method.
Agentless Detection
Description: This feature performs lightweight vulnerability scans and comprehensive risk assessments without needing to install an agent on your servers.
Purchase notes: This service is billed based on the volume of data scanned.
Serverless Asset Protection
Description: Provides intrusion detection and vulnerability scanning for serverless assets, such as Elastic Container Instance (ECI). For more information, see Serverless security.
Purchase notes: For this feature to take effect, you must assign the quota to specific assets after you enable it. You can during purchase.
Important: By default, Serverless Asset Protection is enabled for all serverless assets.
Malicious File Detection
Description: This feature monitors website directories in real time and restores tampered files or directories from backups to protect your critical systems from malicious modification.
Purchase notes: This service is billed based on the number of files scanned. For billing details, see Malicious File Detection - Pay-as-you-go.
Log Management
Description: Log Management, which is based on Alibaba Cloud Simple Log Service (SLS), is a log audit and analysis feature. It leverages the detection and defense capabilities of Security Center and the integration capabilities of the CTDR module to provide unified log auditing, built-in security reports, SQL-based analysis, and flexible storage policies.
Important: If you also purchase the subscription Log Analysis service, Security Center logs are stored in two separate locations. To avoid duplicate charges, evaluate your needs and then go to the Security Center console to disable the relevant log delivery switches in the Log Analysis module.
Purchase notes: You need to configure the log storage region.
Procedure
Subscription
Log on and go to the purchase page
Log on to your Alibaba Cloud account and go to the Security Center purchase page.
Select an edition
Important: If you have already enabled the Host and Container Security pay-as-you-go service, you can only select Value-added Plan.
Billing Method: Select Subscription.
Protection Scenario: The system automatically recommends an edition and value-added services based on the selected scenario.
Edition: For details on the basic protection capabilities of each edition, see .
Protected Servers: Specify the total number of servers to protect. By default, this displays the Alibaba Cloud Elastic Compute Service (ECS) instances and connected third-party servers under your account.
Note: This parameter is not required if you select the Anti-virus or Value-added Plan.
Cores: The number of vCPUs on your servers. By default, this displays the total number of cores for ECS instances and connected third-party servers under your account.
Note: This parameter is required only if you select the Anti-virus Edition or Ultimate Edition.
Configure Protection Quota
To activate protection, you must assign the purchased quotas to specific servers.
Automatic binding (default):
The system automatically assigns quotas to unprotected servers under your account based on the default policy. You can unbind or rebind them later. For more information, see Manage quotas for Host and Container Security.
Custom binding:
Click Custom Quota Binding and select the region where your servers are located.
In the server list, select the servers you want to bind and choose the corresponding version in the Edition column. For details on the features of each version, see Edition services.
If you select multiple servers, click the Update Version button at the bottom of the list to bind the same protection version to all selected servers.
(Optional) Select Automatically Add New Servers to Security Center. New servers added later will be automatically bound to the version you are purchasing to enable protection.
Warning: If you do not select this option, you must manually bind new servers to protect them. For instructions, see Manage quotas for Host and Container Security.
Select value-added services
Based on your business needs, find the corresponding value-added service module, set Purchase or Not to Yes, and complete the configuration. For a description of each value-added service, see Value-added services.
Confirm and pay
Read and agree to the Security Center Terms of Service, then click Order Now and complete the payment.
View your purchased service
After the purchase is complete, log on to the console. You can view your current service in the Subscription section of the Overview page.
Pay-as-you-go
Log on and go to the purchase page
Log on to your Alibaba Cloud account and go to the Security Center purchase page.
Select services
Based on your business needs, find the corresponding value-added service module, set Purchase or Not to Yes, and complete the configuration. For details on each feature, see Billable features.
Quota and binding logic
For some services to take effect, you must assign their quota to specific assets after you enable them. The configuration steps are as follows:
Host and Container Security: Supports custom binding of host assets. Follow these steps:
Important: If you do not configure this, the system binds host assets according to the default rules:
Server assets that run container environments, including Alibaba Cloud ACK cluster nodes, Intelligent Computing LINGJUN, and servers connected to self-managed K8s clusters: Host and Container Protection.
All other assets: Host Protection.
New servers added later: Host Protection.
On the purchase page, click Custom Quota Binding and select the region where your servers are located.
In the server list, select the servers you want to bind and choose the corresponding protection level in the Protection Level column.
After you select multiple servers, click Change Protection Level to modify the protection level for all of them at once.
In the Automatically Add New Servers to Security Center section, set the protection level that will be automatically bound to new servers.
Serverless Asset Protection: Supports custom binding of assets. Follow these steps:
Important: If you do not configure this, the system enables Serverless Asset Protection for all serverless assets by default.
Click Custom Quota Binding, select the region where your servers are located, and select the corresponding assets.
Select Automatically Add New Assets to automatically enable Serverless Asset Protection for new serverless assets added later.
Warning: If you do not select this option, you must manually bind new serverless assets. Otherwise, they will not be protected by Security Center. For instructions, see Bind or unbind authorized assets.
Application Protection: Supports custom binding of assets. Follow these steps:
Important: If you do not configure this, the system protects all assets by default and uses the slow onboarding method.
You can also configure this after purchase by logging on to the console and going to and then Access Management as needed.
Click Custom Quota Binding and select the region where your servers are located.
Select the corresponding assets and click OK.
Confirm and pay
Read and agree to the Security Center Terms of Service, then click Order Now and complete the payment.
View your purchased service
After the purchase is complete, log on to the console. You can view your current service in the Pay-as-you-go section of the Overview page.
Purchase rules and limitations
Billing method limitations
Subscription: Each Alibaba Cloud account can have only one active subscription edition at a time. You can upgrade to a higher-tier edition at any time.
Pay-as-you-go: You can choose different protection levels for different assets and purchase multiple value-added features simultaneously.
Switching billing methods: To switch a feature's billing method, you must first unsubscribe from or disable the current service before you enable the new one.
Feature purchase mode limitations
Feature exclusivity
You can only choose one of the following: a subscription edition (Anti-virus, Advanced, Enterprise, or Ultimate) or the pay-as-you-go Host and Container Security service. They cannot be purchased or used at the same time.
A value-added feature under a subscription (such as Cloud Threat Detection and Response) and the same feature under pay-as-you-go cannot be purchased at the same time.
Flexibility across different modules
A single account can use different billing methods for different feature modules.
Note: For example, you can choose a subscription for Vulnerability Fixing and pay-as-you-go for CTDR.
Edition purchase limitations (Container protection)
For server assets that run container environments, including ACK cluster nodes, self-managed K8s, and LINGJUN assets, you must purchase a specific service edition to obtain protection. The edition limitations are as follows:
Subscription: You must purchase the Ultimate edition, and the protection version bound to the assets must be Ultimate.
Pay-as-you-go: You must purchase Host and Container Security, and the protection level bound to the assets must be Hosts and Container Protection.
Edition change limitations
Starting from September 11, 2025, Security Center will no longer support new purchases of or changes to the Advanced Edition. Existing Advanced Edition users will not be affected.
Unsubscribe from the service
If you no longer need Security Center, you can follow the instructions below based on your billing method.
Subscription service
Unsubscribe from a single value-added service
On the Overview page, in the Subscription section, click . On the order upgrade/downgrade page, on the Order Downgrade tab, set Purchase or Not to No for the relevant service. For more information, see Downgrade.
Important: The specific refund amount is subject to the amount displayed on the downgrade page. For information on where your refund will be sent, see Refund destinations.
Unsubscribe from all services
You can also contact technical support to unsubscribe from the Security Center instance.
Pay-as-you-go
On the Overview page of the Security Center console, in the Pay-as-you-go section, turn off the switch for the relevant service. Once disabled, the service will no longer incur charges.
FAQ
Billing questions
Will I be double-billed for subscription and pay-as-you-go services?
No. Security Center has a built-in mechanism to prevent double billing:
Single billing principle for features: Each value-added feature supports only one billing method at any given time. For more information, see Feature exclusivity.
Automatic switchover mechanism: If you purchase a subscription, and the default features included in your selected edition service overlap with a pay-as-you-go service you have already enabled, the system automatically disables the pay-as-you-go service and replaces it with the subscription.
Note: For example, if you have purchased the pay-as-you-go Vulnerability Fixing service and then purchase the Advanced Edition or higher, Security Center automatically disables the pay-as-you-go mode for Vulnerability Fixing. You will not be charged for fixing vulnerabilities thereafter.
Can I convert a pay-as-you-go service to a subscription?
No. You cannot directly convert a pay-as-you-go service to a subscription. You must first disable the relevant service and then follow the steps to purchase a subscription.
Can I use subscription and pay-as-you-go services at the same time?
Yes. A single account can use a mix of both billing methods. You can create a flexible payment plan based on the importance and lifecycle of your assets.
Why is the actual amount on the purchase page higher than the product pricing?
The final order amount is composed of multiple parts. The base price usually refers to the cost for a single server for one month. The total amount is primarily affected by the following factors:
Number of protected assets: The final fee is calculated by multiplying the base price by the total number of protected servers under your account. This includes cloud ECS instances and third-party servers with the client installed.
Value-added service options: The system may pre-select value-added services such as Log Analysis and Anti-ransomware. If you do not need them, set their capacity to 0 when you place your order.
Free services and trials
How can I obtain free services?
Basic Edition: This edition is automatically enabled after you complete identity verification for your Alibaba Cloud account. For more information, see Introduction to Security Center Basic Edition.
Enterprise Edition free trial: Enable the 7-day free trial.
What is the difference between the Basic Edition and the Enterprise Edition free trial?
Characteristic | Basic Edition | Enterprise Edition Free Trial |
Applicable accounts | All Alibaba Cloud accounts that have completed identity verification. | Accounts that have not activated an Enterprise Edition trial or paid edition. |
Protection capability | Provides permanent basic security capabilities. | Provides a short-term experience of the full features of an advanced paid edition (Enterprise Edition). |
Duration | Permanent. | 7 days. |
Core capabilities | Unusual logons, mining/DDoS Trojans, common vulnerability scans, etc. | Includes all Enterprise Edition capabilities, such as virus removal, advanced threat detection, and vulnerability fixing. |
Access limitation | Automatically enabled, no application required. | Each account is eligible for this trial only once. |
Can I cancel and re-apply for the Enterprise Edition free trial?
Yes. On the Overview page, click Release Trial to cancel the Security Center free trial. An Alibaba Cloud account is eligible for the free trial only once. After you cancel the trial, you cannot try Security Center again.
Will my configurations be saved after the Enterprise Edition free trial expires?
After the trial expires, your configurations and data are automatically deleted after 7 days.
Why is there no "Free Trial" entrance on the Overview page?
Reason 1: Your account has already applied for the 7-day free trial.
Reason 2: Your account already has an active paid edition.