Security Center offers a range of features, from basic protection to value-added services, to meet various security needs. This topic describes the billing methods, billing rules, and cost structure of Security Center. This information can help you make the best purchase decision based on your requirements.
Billing overview
Billing methods and billable items
Security Center supports two billing methods: subscription and pay-as-you-go. The billing method defines how Alibaba Cloud settles your fees. Different billing methods support different features.
Regardless of the billing method you choose, you have the capabilities of the Basic Edition. For more information, see Introduction to the Basic Edition of Security Center.
Criteria | Subscription (upfront) | Pay-as-you-go |
Billing characteristics | Pay a fixed cost monthly or yearly. This makes budget management easier. | Pay for what you use. This method is flexible and requires no upfront investment. |
Billable items | Fee = Edition fee + Value-added service fee (optional).
| Fee = Basic service fee + Feature usage fee.
|
Supported features
Subscription
Edition services:
Anti-virus: Provides detection and removal of common host viruses.
Advanced: Provides host virus detection, virus removal, vulnerability detection and fixing, and security reports.
Enterprise: Meets the requirements for host security intrusion prevention, identity authentication, and security audits.
Ultimate: Provides full-stack security protection for hosts, containers, and Intelligent Computing LINGJUN servers. This edition includes K8s threat detection, Container Asset Overview, security alerts, virus removal, vulnerability detection, Asset Fingerprints, and attack chain analysis.
Value-added services: You can also purchase value-added services such as Vulnerability Fixing, Cloud Threat Detection and Response (CTDR), Anti-ransomware, and CSPM (CSPM).
Pay-as-you-go
Basic features: By default, this billing method supports DingTalk Robot, security reports, and Task Hub. To use Task Hub, you must first enable or purchase the vulnerability fixing feature.
Billable features: You can purchase pay-as-you-go features such as Host and Container Security, Vulnerability Fixing, Serverless Asset Protection, Log Management, and Cloud Threat Detection and Response (CTDR).
For more information about features, see Functions and features and Purchase Security Center.
Detailed billing information
The billable items for Security Center vary based on the edition and value-added services you purchase. The prices in this topic are for reference only. For the actual prices, see the Security Center purchase page.
Subscription
Billing formula
Edition | Billing method |
Anti-virus | (Number of cores × Edition fee + Value-added feature fee) × Subscription duration Note The number of cores is the total number of virtual CPUs (vCPUs) of all servers in your assets. |
Advanced | (Number of protected servers × Edition fee + Value-added feature fee) × Subscription duration Note The number of protected servers is the total number of servers protected by Security Center. This includes purchased Alibaba Cloud ECS instances and non-Alibaba Cloud servers with the Security Center client installed. |
Enterprise | |
Ultimate | (Number of protected servers × Edition fee + Number of server cores × Edition fee + Value-added feature fee) × Subscription duration Note The Ultimate Edition provides full-stack security protection for hosts, containers, and Intelligent Computing LINGJUN servers. This includes K8s threat detection, Container Asset Overview, security alerts, virus removal, vulnerability detection, Asset Fingerprints, and attack chain analysis. |
Value-added Plan | Value-added feature fee × Subscription duration |
Edition fees
Billable item | Anti-virus | Advanced | Enterprise | Ultimate | Value-added Plan | |
Edition fee | USD 1 per core per month | USD 9.5/unit/month | 23.5 USD per instance per month | USD 23.50/instance/month + USD 1.00/core/month | No fee is charged if you do not purchase basic features. | |
Value-added feature fees
Vulnerability Fixing
Billing method: This feature is billed based on the number of vulnerability fixes that you purchase.
NoteOne fix is consumed when a vulnerability bulletin is successfully fixed on a single server. Failed fixes do not consume your quota.
Billing rules:
Anti-virus: USD 0.3 per scan per month (Minimum purchase of 20 scans).
Advanced, Enterprise, and Ultimate: No extra fee is charged. You can use this feature an unlimited number of times.
Value-added Plan: USD 0.3/unit/month (Minimum purchase of 20 units).
CSPM:
Billing method: This feature is billed based on the number of successful scans, verifications, and fixes that are performed for each check item on cloud product instances.
Billing rules: All editions have the same billing standard. Tiered pricing is used based on the total number of successful scans, verifications, and fixes for each check item on each cloud product instance. The minimum purchase is 15,000 checks, with a step size of 55,000 checks. The prices are as follows:
0 to 100,000 requests: USD 0.0009 per request.
100,001-500,000: USD 0.00069 per request.
Over 500,000: USD 0.000625 per request.
NoteAn instance refers to a specific network device or application instance, such as a bucket in Object Storage Service (OSS) or a security group for an ECS server. For more information, see Cloud Security Posture Management overview.
Application Protection:
Billing method: This feature is billed based on the number of quotas that you purchase.
NoteA quota count refers to the number of instances that are protected by the Runtime Application Self-Protection (RASP) feature. For example, in Application Protection, one protected application process (pod) is counted as oneuota.
Billing rules: All editions are billed based on the number of purchased quotas. The more quotas you buy, the lower the unit price.
For 50 or fewer authorizations: 6 USD/unit/month.
For 51 to 200 authorizations: USD 4.50 per unit per month.
More than 200 authorizations: 3 USD/unit/month.
Web Tamper Proofing:
Billing method: This feature is billed based on the number of tamper-proofing services (websites to be protected) that you purchase.
Billing: The fee is 165 USD per instance per month for all versions.
Cloud Threat Detection and Response (CTDR):
Billing method: This feature is billed based on the purchased Log Ingestion Traffic and Log Storage Capacity.
Billing rules: All editions have the same billing standard. The fees are as follows:
Log Ingestion Traffic: Tiered pricing is used. The minimum purchase is 100 GB/day, with a step size of 100 GB/day. The prices are as follows (where X is the traffic ingested per day):
X=100 GB: USD 0.45/GB/day.
200 GB=<X<9,999,999,999 GB: USD 0.42/GB/day.
Log Storage Capacity: USD 100/1,000 GB/month. A minimum of 1,000 GB is required, with a step size of 1,000 GB.
Anti-ransomware:
Billing method: This feature is billed based on the purchased anti-ransomware capacity.
Pricing: All versions are priced at USD 0.045 per GB per month.
Log Analysis:
Billing method: This feature is billed based on the purchased log storage capacity.
Billing rules:
Anti-virus, Advanced, Enterprise, and Ultimate: USD 0.1/GB/month.
Value-added Plan: This feature is not available for purchase.
Container Image Scan:
Billing method: This feature is billed based on the number of purchased quotas, which is based on the number of image digests.
Billing rules:
Anti-virus: This feature is not available for purchase.
Advanced, Enterprise, Ultimate, and Value-added Plan: USD 0.1/image/month.
Cloud Honeypot:
Billing method: This feature is billed based on the number of purchased cloud honeypot probes.
Billing rules: All editions have the same billing standard: USD 333.33/probe/month. A minimum of 20 probes is required.
Malicious File Detection:
Billing method: This feature is billed based on the number of purchased file detections.
Billing rules: All editions have the same billing standard: USD 1.5/10,000 detections/month. A minimum of 100,000 detections is required.
Pay-as-you-go
Billing formula
Total usage fee for enabled billable features + Basic service fee
The system generates a bill on the next day (T+1) based on your actual usage from the previous day.
Basic service fee
When you enable any pay-as-you-go feature of Security Center, the system charges a basic service fee. The billing rules are as follows:
After you enable the service, DingTalk Robot, security reports, and Task Hub are supported by default. To use Task Hub, you must first enable or purchase the vulnerability fixing feature.
Billing method: This fee is billed based on the duration for which the pay-as-you-go service is enabled.
ImportantThe minimum billing unit is one hour. If the duration is less than one hour, it is billed as one hour.
Billing cycle: Billed daily.
Price: or USD 0.0072/hour.
Feature usage fees
The following table describes the features that can be enabled in pay-as-you-go mode and their billing details:
Host and Container Security:
Billing method: This feature is billed based on the protection level, the number of attached servers, and the actual protection duration in seconds.
ImportantThe actual protection duration is calculated based on the online duration of the client.
Billing cycle: Billed daily.
Price: The following table shows the prices for different protection levels.
Protection level
Price
Monthly fee (30-day reference)
Antivirus
0.000000578 USD per core per second
USD 1.5 per core per month
Advanced
USD 0.000005497 per instance per second
USD 14.25 per instance per month
Host Protection
0.000013599 USD per instance per second
35.25 USD per instance per month
Hosts and Container Protection
USD 0.000013599/instance/second + USD 0.000000578/core/second
USD 35.25/instance/month + USD 1.5/core/month
Vulnerability Fixing:
Billing method: This feature is billed based on the number of vulnerability fixes.
NoteOne fix is consumed when a vulnerability bulletin is successfully fixed on a single server. Failed fixes do not consume your quota. For more information, see Vulnerability fix counting rules.
Billing cycle: Billed daily.
Price: USD 0.3 per use
Cloud Threat Detection and Response (CTDR):
Billing method: This feature is billed based on a tiered pricing model for daily ingested log traffic in GB. The daily fee is the sum of the fees for each tier.
ImportantThe minimum billing unit is 1 GB. If the data volume is less than 1 GB, it is billed as 1 GB.
Billing cycle: Billed daily.
Price: Tiered pricing is used based on the daily ingested log traffic in GB.
Log ingestion traffic tier
Price
Fee calculation formula (Y is the traffic ingested per day in GB)
1 to 10 (GB/day)
USD 2.20/GB
2.2×Y (USD)
11 to 50 (GB/day)
1.6 USD/GB
2.2 × 10 + 1.6 × (Y - 10) (USD)
51 to 100 (GB/day)
USD 1.4/GB
2.2 × 10 + 1.6 × 40 + 1.4 × (Y - 50) (USD)
>100 (GB/day)
USD 1.2/GB
2.2 × 10 + 1.6 × 40 + 1.4 × 50 + 1.2 × (Y - 100) (USD)
Cloud Security Posture Management (CSPM):
Billing method: This feature is billed based on a tiered pricing model for the daily number of quotas used, which includes scans, verifications, and successful fixes. The daily fee is the sum of the fees for each tier.
NoteFor more information about how quotas are consumed, see quota consumption (pay-as-you-go).
Billing cycle: Billed daily.
Price: Tiered pricing is used based on the number of quotas used per day.
Quotas
Price
Fee calculation formula (Z is the number of quotas used per day)
0 to 100,000
0.0009 USD per request
0.0009 × Z (USD)
100,001 to 500,000
USD 0.0007/request
0.0009 × 100,000 + 0.0007 × (Z - 100,000) (USD)
More than 500,000
USD 0.00045 per call
0.0009 × 100,000 + 0.0007 × 400,000 + 0.00045 × (Z - 500,000) (USD)
Agentless Detection:
Billing method: This feature is billed based on the volume of scanned data in GB.
Billing cycle: Billed daily.
Price: USD 0.03 per GB.
Serverless Asset Protection:
Billing method: This feature is billed based on the number of bound server cores multiplied by the actual protection duration in seconds.
ImportantThe actual protection duration is calculated based on the online duration of the client.
Billing cycle: Billed daily.
Price: Tiered pricing is used based on the cumulative monthly usage.
Cumulative monthly usage:
Cumulative monthly usage for the current day = Cumulative monthly usage up to the previous day (0 on the first day) + Usage for the current day.
ImportantIn the first month of use, the statistical period is from the day you enable the service to the end of that month. From the second month onward, the statistical period is a calendar month, from the first to the last day of the month.
Example: On the first day, the cumulative monthly usage is the usage of the first day. On the second day, the cumulative monthly usage is the usage of the first day + the usage of the second day. On the third day, the cumulative monthly usage is the usage of the first day + the usage of the second day + the usage of the third day, and so on.
Tiered prices:
Cumulative monthly usage
Price
Fee calculation formula (U is the daily usage in core-seconds)
Tier 1: 0 to 200,000,000 core-seconds
0.000003 USD per core-second
0.000003 × U (USD)
Tier 2: 200,000,001 to 1,000,000,000 core-seconds
0.000002 USD per core per second
On the first day you enter this tier:
0.000003 × 200,000,000 + 0.000002 × (U - 200,000,000) (USD)
Each subsequent day: 0.000002 × U (USD)
Tier 3: 1,000,000,001 to 9,999,999,999,999 core-seconds
0.0000015 USD per core per second
On the first day you enter this tier:
0.000003 × 200,000,000 + 0.000002 × 800,000,000
+ 0.0000015 × (U - 1,000,000,000) (USD)
Subsequent daily fee: 0.0000015 × U (USD).
Billing example:
Scenario: You have 20,000 cores of serverless assets that are online 24 hours a day (86,400 seconds).
Daily usage (U) = 20,000 cores × 86,400 seconds/day = 1,728,000,000 core-seconds.
First-day fee:
Usage details: The cumulative monthly usage on the first day is equal to the first day's usage, which is 1,728,000,000 core-seconds. The cumulative monthly usage has reached Tier 3. The fee is calculated based on the cross-tier billing rule for the first time that the usage enters Tier 3.
Cost calculation for the first day: 0.000003 (Tier 1 unit price) × 200,000,000 + 0.000002 (Tier 2 unit price) × 800,000,000 + 0.0000015 (Tier 3 unit price) × (1,728,000,000 - 1,000,000,000) = 3,292 (USD).
Fees for the second and subsequent days:
Usage details: Because the cumulative monthly usage reached Tier 3 on the first day, the cumulative monthly usage remains in Tier 3 from the second day to the end of the month. The daily fee is calculated based on the Tier 3 unit price.
Cost calculation: Daily cost = 0.0000015 (unit price for Tier 3) × (20,000 × 86,400) = 2,592 (USD).
SDK for Malicious File Detection:
Billing method: This feature is billed based on the number of file detections (number of files detected).
Billing cycle: Billed daily.
Price: 0.0002 USD per request.
Application Protection (RASP):
Billing method: This feature is billed based on the number of online instances per minute (0 to 60 seconds).
Billing cycle: Billed daily.
Price: 0.0002 USD per instance per minute.
Log Management:
Billing method: This feature is billed based on the cumulative daily log storage in GB.
ImportantThe minimum billing unit is 1,000 GB. If the storage is less than 1,000 GB, it is billed as 1,000 GB. For example, if the daily usage is 1,900 GB, you are charged for 2,000 GB.
Billing cycle: Billed daily.
Price: 7.2 USD / 1000 GB.
Anti-ransomware:
Billing method: This feature is billed based on the size of backup files in GB and the storage duration in hours.
Billing cycle: Usage is accumulated hourly and billed daily.
Price: USD 0.00013 per GB/hour.
Service expiration and termination
Subscription (expiration and unsubscription)
Scenarios:
Expiration: The subscription service expires and is not renewed in time.
Unsubscription: You unsubscribe from the entire Security Center instance. For the steps to unsubscribe, see Refund policy.
Impact: The service instance is released. This means the paid edition is downgraded to the Basic EditionIntroduction to Security Center Free Edition. Your servers lose the protection of Security Center, which increases the risk of malicious intrusions or data leaks. We recommend that you promptly renew your subscription or purchase a new edition.
Data retention:
Expiration: The system provides a grace period of 7 days. After 7 days, the service instance is released, and data is purged according to the rules described in the following table.
NoteSeven days before the service expires, the system sends renewal reminders by email, or internal message.
Unsubscription: The service instance is released immediately, and data is purged according to the rules described in the following table.
Scenario
Data purge details
Within 7 days of expiration
Service authorization information, configuration policies, and service data for all features are retained.
7 days after expiration
The following authorization information is purged immediately:
Container Registry - Container image scan.
Container Registry - CI/CD integration settings.
Log analysis: Data in the Logstore named sas-log within the Project named sas-log-<Alibaba Cloud account ID>-<Region ID>, which was created by Security Center in Simple Log Service (SLS), is purged immediately.
Host Protection - Anti-ransomware: All backup policies and backup data are purged immediately.
Unsubscription
15 days after unsubscription or expiration
The following Threat Detection and Response (CTDR) data is purged immediately:
Security alerts: All alert information except for alerts under CWPP.
Security event handling: Event information generated by CTDR predefined and custom rules (CTDR security events).
NoteSecurity events generated from alerts under CWPP (CWPP security events) are retained.
SOAR: Custom playbooks and custom response rules.
Log Management: Logs from standardized integrations and Security Center.
Rule management: Custom rules.
Integration Center: Custom standardized integration rules, custom data sources, custom observation lists, custom integration policies, and more.
CTDR - Disposal Center: Response policies and response tasks are automatically purged by the system 90 days after they expire. This is not affected by unsubscription.
Pay-as-you-go (overdue payments and service shutdown)
Scenarios:
Overdue payment: Pay-as-you-go bills are generated on T+1. An overdue payment occurs if your account balance is insufficient at the time of settlement. To avoid service interruptions, top up your account promptly.
Service shutdown: You can manually shut down the pay-as-you-go service. No new fees are generated after the service is shut down.
NoteOn the Overview page of the Security Center console, in the Pay-as-you-go area, you can turn off the switch for the relevant service. Alternatively, you can click the Deactivate button at the top to shut down all pay-as-you-go services.
Impact: You can no longer use the corresponding pay-as-you-go features and lose the related detection and protection capabilities.
Data retention:
Overdue payment: After a payment becomes overdue, a data retention period of 15 days is provided. After 15 days, data is purged according to the rules described in the following table.
Service shutdown: No data retention period is provided. Data is purged immediately according to the rules described in the following table.
Scenario
Data purge details
During the data retention period for an overdue payment
All service authorizations, configuration policies, and pay-as-you-go service data are retained during the retention period.
Overdue payments after the retention period
The following authorization information is purged immediately:
Container Registry - Container image scan.
Container Registry - CI/CD integration settings.
The following Cloud Threat Detection and Response (CTDR) data is purged immediately:
ImportantIf the data retention period for an overdue payment is longer than 15 days, CTDR does not wait for the retention period to end. Instead, it starts the data purge immediately after the 15th day of the overdue payment.
Security alerts: All alert information except for alerts under CWPP.
Security event handling: Event information generated by CTDR predefined and custom rules (CTDR security events).
NoteSecurity events generated from alerts under CWPP (CWPP security events) are retained.
SOAR: Custom playbooks and custom response rules.
Log Management: Logs from standardized integrations and Security Center.
Rule management: Custom rules.
Integration Center: Custom standardized integration rules, custom data sources, custom observation lists, custom integration policies, and more.
CTDR - Disposal Center: Response policies and response task data are automatically purged by the system 90 days after they expire. This is not affected by overdue payments or service termination.
Service shutdown
FAQ
Can I enable both pay-as-you-go and subscription billing methods at the same time?
Yes, you can, but only for different feature modules. For example, you can choose the subscription method for Vulnerability Fixing and the pay-as-you-go method for Threat Analysis and Response.
You cannot purchase a subscription edition (Anti-virus, Advanced, Enterprise, or Ultimate) and the pay-as-you-go Host and Container Security service at the same time.
You cannot purchase a subscription-based value-added service, such as Cloud Threat Detection and Response, and the same service on a pay-as-you-go basis at the same time.
How do I shut down pay-as-you-go services?
On the Overview page of the Security Center console, in the Pay-as-you-go area, you can turn off the switch for the relevant service. Alternatively, you can click the Deactivate button at the top to shut down all pay-as-you-go services.
ImportantIf your service is suspended due to an overdue payment, we recommend that you use the Deactivate feature. This prevents new fees from being generated if the product is automatically re-enabled after you top up your account.
Fees incurred on the day you shut down the service will be settled and included in the final bill on the following day.
How can I avoid service suspension due to overdue payments?
Optimize resource configuration
Select only the assets that require protection to avoid paying for unnecessary resources.
Set balance alerts
Log on to Expenses and Costs and set a balance alert on the Account Overview page. The system automatically sends a notification when your available balance falls below the specified threshold.