All Products
Search
Document Center

:Pay-as-you-go onboarding policies and billing

Last Updated:Jun 29, 2026

When you enable pay-as-you-go, Security Center automatically activates multiple protection and scanning features at once, each with its own billing model. This topic describes the default strategies and billing rules for each feature, so you can estimate costs and avoid unexpected charges.

Important

After you select Enable the one-click policy to automatically receive your bill the next day. and click Activate and Authorize, the system performs the following actions by default: it assigns a protection level—Host Protection or Hosts and Container Protection—to all servers, authorizes all Serverless assets, applies the recommended log onboarding strategy for Agentic SOC, enables periodic scanning for Cloud security posture management (CSPM) and Agentless detection, activates the application protection onboarding strategy, and enables the periodic detection strategy for the Malicious file detection SDK.

Security Center enables protection, assigns the corresponding licenses, ingests the required logs, and runs the specified scanning and detection tasks based on the one-click onboarding strategy.

Security Center generates billing statements on a daily basis according to the the billing rules of each feature. To avoid unexpected charges, carefully review and understand the one-click onboarding strategy before enabling this feature.

One-click onboarding strategies

Host and container security

After you enable and authorize the service, the host and container security feature of Security Center automatically assigns a protection level to all servers under your Alibaba Cloud account: either Host Protection or Hosts and Container Protection.

Important

Server assets that run container environments (including Alibaba Cloud ACK cluster nodes, Lingjun nodes, and servers connected from self-managed Kubernetes clusters) are automatically assigned to the Hosts and Container Protection protection level. All other assets are assigned to Host Protection.

Later, you can change the protection level assigned to a server on the Security Center consoleOverview page by using the Quota Management entry. For more information, see Manage host and container protection levels.

Newly added hosts are assigned to the Unprotected protection level by default. We recommend that you use the Quota Management feature to configure the automatic protection level for newly added hosts.

Serverless security

After you enable and authorize the service, the Serverless security feature of Security Center automatically authorizes all Serverless assets under your Alibaba Cloud account.

Important

For ECI assets created by managed or dedicated ACK clusters, ACK Serverless clusters, or ACS clusters, you must install and start the Security Center agent before you can use the Serverless security protection capabilities provided by Security Center. For more information, see Install the Security Center agent.

Later, you can manage the authorization status of assets on the Security Center consoleAssets > Serverless Asset page. For more information, see Manage Serverless asset authorization.

Application protection

After you enable and authorize the service, the application protection feature of Security Center automatically enables full protection (Java processes only) and onboards using the slow rollout method.

Note

You can later adjust the servers and processes to be onboarded on the Application Protection > Application Configurations tab. For more information about automatic full onboarding, see Automatic full onboarding for application protection.

Malicious file detection SDK

After you enable and authorize the malicious file detection feature, the system automatically creates and enables a default detection policy named Auto_Create_Config. To modify the policy, navigate to the Malicious File Detection > OSS File Check tab, and click Policy Management in the Policy Configuration section to view and modify the policy. The policy details are as follows:

  • Detection scope: All OSS buckets under your Alibaba Cloud account.

  • Detection objects: All newly added or updated files after the feature is enabled.

  • Execution cycle: Once per day.

  • Detection method: No decompression or decryption by default.

Important

On the day you enable the service, a detection task is executed once based on the preceding policy.

Cloud security posture management (CSPM)

  • Users who have never enabled the CSPM periodic scanning policy:

    • Scan frequency: Once per day. The specific scan time is randomly generated by the system.

    • Scan scope:

      The system checks for common high-risk configuration issues in security best practices, including misconfigured security protection settings, exposed high-risk ports, public network access via whitelists, public read/write access to data, and risks related to identity authentication and privileged permissions. These checks help improve the security of cloud products and the cloud platform.

      You can view the default scan check items in the Policy Management panel on the Risk Governance > CSPM page of the Security Center console. The selected check items represent the scan scope of the recommended strategy.

  • Users who have previously enabled the CSPM periodic scanning policy:

    • Scan frequency: Consistent with the historical configuration.

    • Scan scope: The union of the historically configured check items and the check items included in the recommended scan scope described above.

Vulnerability remediation

  • After you enable and authorize the service, the vulnerability remediation pay-as-you-go feature is activated.

  • Security Center configures an automatic vulnerability remediation strategy. Every day between 00:00 and 06:00, it automatically remediates high-severity vulnerabilities on all affected assets (including newly added hosts). Before remediation, a snapshot is created and retained for one day. For more information, see Automatic vulnerability remediation.

Agentless detection

  • Scan frequency: Once every 5 days.

  • Scan scope: All machines, with Default Scan for New Assets selected by default.

Important

On the day after you enable the service, a detection task is executed once based on the preceding policy.

Agentic SOC

After you enable and authorize the service, the Agentic SOC feature of Security Center automatically connects to the following Alibaba Cloud services and log sources.

Important

If your Security Center edition is Free Edition or you have only purchased value-added services, ActionTrail event logs are not ingested.

#

Product

Data source

Standardization method

Security capabilities

1

Security Center

DNS request logs

Scan query

Predefined analysis rules, predefined playbooks

2

Baseline logs

Scan query

Incident investigation and traceability, predefined playbooks

3

Login flow logs

Scan query

Custom analysis rules, incident investigation and traceability, predefined playbooks

4

Network connectivity logs

Scan query

Predefined analysis rules, predefined playbooks

5

Process startup logs

Scan query

Predefined analysis rules, custom analysis rules, incident investigation and traceability, predefined playbooks

6

Security alert logs

Real-time consumption

Predefined playbooks

7

Vulnerability logs

Scan query

Incident investigation and traceability, predefined playbooks

8

Web Application Firewall

WAF alert logs

Real-time consumption

Predefined analysis rules, custom analysis rules, predefined playbooks

9

WAF full, block, and block-and-observe logs

Real-time consumption

Predefined analysis rules, custom analysis rules, incident investigation and traceability, predefined playbooks

10

Cloud Firewall

Cloud Firewall alert logs

Real-time consumption

Predefined analysis rules, custom analysis rules, predefined playbooks

11

ActionTrail

ActionTrail event logs

Real-time consumption

Custom analysis rules, incident investigation and traceability

Anti-ransomware

Regularly backs up important file paths on servers. If a ransomware attack occurs, you can use the backup files for fallback recovery. To adjust the protection scope, go to the anti-ransomware policy management page.

Log analysis

Security Center logs are delivered to the log store. By default, logs in mainland China are delivered to China (Shanghai), and logs outside mainland China are delivered to Singapore.

Billing

Basic service fee

When you enable any pay-as-you-go feature of Security Center, the system charges a basic service fee. The billing rules are as follows:

Note

After you enable the service, DingTalk Robot, security reports, and Task Hub are supported by default. To use Task Hub, you must first enable or purchase the vulnerability fixing feature.

  • Billing method: Billed based on the duration for which the pay-as-you-go service is enabled.

    Important

    The minimum billing unit is one hour. If the duration is less than one hour, it is billed as one hour.

  • Billing cycle: Billed daily.

  • Price: USD 0.0072 per hour.

Host and container security

After you enable pay-as-you-go for host and container security, charges are calculated based on the number of servers assigned to the protection level and the actual protection duration (calculated only when the agent is online), billed per second and settled on a daily basis.

Protection level

Price

Monthly fee (30-day reference)

Antivirus

USD 0.000000578 per core per second

USD 1.5 per core per month

Advanced

USD 0.000005497 per instance per second

USD 14.25 per instance per month

Host Protection

USD 0.000013599 per instance per second

USD 35.25 per instance per month

Hosts and Container Protection

USD 0.000013599 per instance per second + USD 0.000000578 per core per second

USD 35.25 per instance per month + USD 1.5 per core per month

Serverless security

erverless security uses a pay-as-you-go, tiered pricing model based on cumulative monthly usage. Billing starts after you activate and authorize your serverless assets.

Cumulative monthly usage

Price

Fee calculation formula (U is the daily usage in core-seconds)

Tier 1: 0 to 200,000,000 core-seconds

USD 0.000003 per core-second

0.000003 × U (USD)

Tier 2: 200,000,001 to 1,000,000,000 core-seconds

USD 0.000002 per core-second

  • On the first day you enter this tier:

    0.000003 × 200,000,000 + 0.000002 × (U - 200,000,000) (USD)

  • Each subsequent day: 0.000002 × U (USD)

Tier 3: 1,000,000,001 to 9,999,999,999,999 core-seconds

USD 0.0000015 per core-second

  • On the first day you enter this tier:

    0.000003 × 200,000,000 + 0.000002 × 800,000,000

    + 0.0000015 × (U - 1,000,000,000) (USD)

  • Subsequent daily fee: 0.0000015 × U (USD).

Application protection

After you enable pay-as-you-go for application protection, the system counts the number of online instances per minute (0–60 seconds) and charges USD 0.0002 per instance per minute, billed on a daily basis.

Malicious file detection SDK

The Malicious file detection SDK feature is billed based on the number of files scanned. After you enable pay-as-you-go for malicious file detection, charges are USD 0.0002 per scan, billed on a daily basis.

Cloud security posture management (CSPM)

  • Authorization: The billing unit for paid cloud security posture management (CSPM) features. One authorization is consumed for each successful billable operation (scan, verification, or remediation) on an asset instance.

    For example, if you have 10 products, each with 15 instances, and you use 5 check items to scan all instances, the task will consume 10 * 15 * 5 = 750 authorizations.

  • Asset instance: A specific cloud resource, such as an OSS bucket or an ECS security group.

  • Check item: Check items are categorized as free or paid.

    • Free check items: The Cloud Service Configuration Risk feature provides some free check items for basic risk awareness. You can perform an unlimited number of scans and verifications, and authorizations are consumed only for repairs.

      Important

      Users who authorized CSPM (formerly cloud product configuration check) before July 7, 2023, can continue to receive the number of free check items corresponding to their Security Center edition (Anti-virus: 80+, Advanced: 90+, and Enterprise/Ultimate: 250+) until their current edition expires.

    • Paid check items: You must purchase the corresponding edition or separately enable the CSPM service. The fees are included in the edition's service or consume authorizations.

Security Center provides 80+ check items free of charge. Free check items are not counted toward scan usage. For the full list of check items in the recommended scanning strategy, see the CSPM periodic scanning recommended strategy section.

CSPM supports both subscription (prepaid) and pay-as-you-go billing models. The specific pricing is as follows:

  • Subscription: Unit price × Number of authorized instances (purchase quantity for CSPM) × Subscription duration (based on the Security Center instance subscription duration).

    Number of authorized instances

    Price (USD/scan)

    0–100,000

    USD 0.0009/scan

    100,001–500,000

    USD 0.00069/scan

    Greater than 500,000

    USD 0.000625/scan

  • Pay-as-you-go: Tiered pricing based on the number of authorized instances, billed on a daily basis.

    Number of authorized instances

    Price

    Cost calculation formula (Z = number of authorized instances used per day, in scans)

    0–100,000

    USD 0.0009/scan

    USD 0.0009 × Z (USD)

    100,001–500,000

    USD 0.0007/scan

    USD 0.0009 × 100,000 + USD 0.0007 × (Z − 100,000) (USD)

    Greater than 500,000

    USD 0.00045/scan

    USD 0.0009 × 100,000 + USD 0.0007 × 400,000 + USD 0.00045 × (Z − 500,000) (USD)

Vulnerability remediation

After you enable pay-as-you-go for vulnerability remediation, charges are USD 0.3 per remediation, billed on a daily basis. For more information, see Vulnerability remediation pricing details.

Agentless detection

  • Agentless detection scan fee

    • Billing method: Pay-as-you-go.

    • Billing cycle: Daily.

    • Unit price: USD 0.03/GB.

    • Billable usage: Calculated based on the actual data volume of the scanned images, not the total disk capacity.

  • ECS resource usage fees

    Important

    We recommend that when you configure host detection tasks, you select Retain Only At-risk Image. The system then automatically deletes risk-free images after the scan to reduce storage costs. For the specific procedure, see Retention time configuration.

    • Image fees: The detection task creates an image for the server. You are charged for the image based on its usage capacity and duration. These fees are charged by ECS. For more information, see Image billing.

    • Encrypted disk scanning resource fees: To scan ECS encrypted disks, we create the following resources in your account for each scan. Some resources incur a small fee and are released immediately after the scan completes.

      • ECS instance: When you select Service Key encryption for the ECS encrypted disks to be scanned, we create a preemptive ECS instance for encrypted disk scanning. These fees are charged by ECS. For more information, see Instance type billing.

      • VPC instance: A Virtual Private Cloud (VPC) instance named alibaba-cloud-security-scan-vpc. Creating this instance does not incur any fees.

      • vSwitch instance: A vSwitch instance named alibaba-cloud-security-scan-subnet. Creating this instance does not incur any fees.

Agentic SOC

Agentic SOC is billed based on the log volume of connected services and the data capacity stored in Log Management.

  • Subscription:

    • Log Ingestion Traffic: Tiered pricing is used. The minimum purchase is 100 GB/day, with a step size of 100 GB/day. The prices are as follows (where X is the traffic ingested per day):

      • X = 100 GB: USD 0.45 per GB per day.

      • 200 GB <= X < 9,999,999,999 GB: USD 0.42 per GB per day.

    • Log Storage Capacity: USD 100 per 1,000 GB per month. A minimum of 1,000 GB is required, with a step size of 1,000 GB.

    • Intelligent Usage Analysis:

      • The minimum purchase quantity is 100 GB per day. The purchase quantity does not support auto-filling and must match the Log Ingestion Traffic.

      • Pricing: USD 9.6 per 100 GB per day.

        Note

        Usage resets at midnight daily. After exceeding the limit, the system automatically applies rate limiting.

    • Number of Managed Instances:

      • Minimum purchase is 10 instances per month, with a step size of 10 instances per month.

      • USD 1.434 per instance per month.

        Note

        Each instance is counted only once. Duplicate entries are automatically removed.

  • Pay-as-you-go: Tiered pricing based on the daily log volume from connected services. The daily bill is the sum of charges across all usage tiers.

    Important

    The minimum billing unit is 1 GB. If the data volume is less than 1 GB, it is billed as 1 GB.

    Log ingestion traffic tier

    Price

    Fee calculation formula (Y is the traffic ingested per day in GB)

    1 to 10 (GB/day)

    USD 2.20/GB

    2.2 × Y (USD)

    11 to 50 (GB/day)

    USD 1.6/GB

    2.2 × 10 + 1.6 × (Y - 10) (USD)

    51 to 100 (GB/day)

    USD 1.4/GB

    2.2 × 10 + 1.6 × 40 + 1.4 × (Y - 50) (USD)

    >100 (GB/day)

    USD 1.2/GB

    2.2 × 10 + 1.6 × 40 + 1.4 × 50 + 1.2 × (Y - 100) (USD)

Anti-ransomware

Billed based on the backup file size and storage duration. The price is USD 0.00013 per GB per hour.

Log Management

Billed based on the daily cumulative storage volume (GB). The price is USD 7.2 per 1,000 GB.

FAQ

Can I modify the recommended strategies after enabling them?

Yes. You can modify the recommended strategies for each feature on their respective management pages.