Security Center offers a range of features—from basic protection to value-added services—to meet various security needs. This topic describes the billing methods, billing rules, and cost structure of Security Center. This information helps you make the best purchase decision based on your requirements.
Billing overview
Billing methods and billable items
Security Center supports two billing methods: subscription and pay-as-you-go. The billing method defines how Alibaba Cloud settles your fees. Different billing methods support different features.
Regardless of the billing method you choose, you have the capabilities of the Free Edition. For more information, see Introduction to the Free Edition of Security Center.
Criteria | Subscription (upfront) | Pay-as-you-go |
Billing characteristics | Pay a fixed cost monthly or yearly. This makes budget management easier. | Pay for what you use. This method is flexible and requires no upfront investment. |
Billable items | Fee = Edition fee + Value-added service fee (optional).
| Fee = Basic service fee + Feature usage fee.
|
Supported features
Subscription
Version Service:
Anti-virus: Provides detection and removal of common host viruses.
Advanced: Provides host virus detection, anti-virus scanning, vulnerability detection and fixing, and security reports.
Enterprise: Meets the requirements for host intrusion prevention, identity authentication, and security audits.
Ultimate: Provides full-stack security protection for hosts, containers, and Intelligent Computing LINGJUN servers, including K8s threat detection, Container Asset Overview, security alerts, virus removal, vulnerability detection, Asset Fingerprints, and attack chain analysis.
Value-added services: You can also purchase value-added services such as Vulnerability Fixing, Agentic SOC, Anti-ransomware, and CSPM.
Pay-as-you-go
Basic features: By default, this billing method supports DingTalk Robot, security reports, and Task Hub. To use Task Hub, you must first enable or purchase the vulnerability fixing feature.
Billable features: You can purchase pay-as-you-go features such as Host and Container Security, Vulnerability Fixing, Serverless Asset Protection, Log Management, Agentic SOC.
For more information about features, see Features and Purchase Security Center.
Detailed billing information
The billable items for Security Center vary based on the edition and value-added services you purchase. The prices in this topic are for reference only. For the actual prices, see the Security Center purchase page.
Subscription
Billing formula
Edition | Billing method |
Anti-virus | (Number of cores × Edition fee + Value-added feature fee) × Subscription duration Note The number of cores is the total number of virtual CPUs (vCPUs) of all servers in your assets. |
Advanced | (Number of protected servers × Edition fee + Value-added feature fee) × Subscription duration Note The number of protected servers is the total number of servers protected by Security Center. This includes purchased Alibaba Cloud ECS instances and non-Alibaba Cloud servers with the Security Center client installed. |
Enterprise | |
Ultimate | (Number of protected servers × Edition fee + Number of server cores × Edition fee + Value-added feature fee) × Subscription duration Note The Ultimate Edition provides full-stack security protection for hosts, containers, and Intelligent Computing LINGJUN servers. This includes K8s threat detection, Container Asset Overview, security alerts, virus removal, vulnerability detection, Asset Fingerprints, and attack chain analysis. |
Value-added Plan | Value-added feature fee × Subscription duration |
Edition fees
Billable item | Anti-virus | Advanced | Enterprise | Ultimate | Value-added Plan | |
Edition fee | USD 1 per core per month | USD 9.5 per instance per month | USD 23.5 per instance per month | USD 23.5 per instance per month + USD 1 per core per month | No fee is charged if you do not purchase basic features. | |
Value-added feature fees
Vulnerability Fixing
Billing method: This feature is billed based on the number of vulnerability fixes that you purchase.
NoteOne fix is consumed when a vulnerability bulletin is successfully fixed on a single server. Failed fixes do not consume your quota.
Billing rules:
Anti-virus: USD 0.3 per scan per month (Minimum purchase of 20 scans).
Advanced, Enterprise, and Ultimate: No extra fee is charged. You can use this feature an unlimited number of times.
Value-added Plan: USD 0.3 per unit per month (Minimum purchase of 20 units).
CSPM
Billing method: This feature is billed based on the number of successful scans, verifications, and fixes that are performed for each check item on cloud product instances.
Billing rules: All editions have the same billing standard. Tiered pricing is used based on the total number of successful scans, verifications, and fixes for each check item on each cloud product instance. The minimum purchase is 15,000 checks, with a step size of 55,000 checks. The prices are as follows:
0 to 100,000 requests: USD 0.0009 per request.
100,001 to 500,000: USD 0.00069 per request.
Over 500,000: USD 0.000625 per request.
NoteAn instance refers to a specific network device or application instance, such as a bucket in Object Storage Service (OSS) or a security group for an ECS server. For more information, see Cloud Security Posture Management overview.
Application Protection:
Billing method: This feature is billed based on the number of quotas that you purchase.
NoteA quota count refers to the number of instances that are protected by the Runtime Application Self-Protection (RASP) feature. For example, in Application Protection, one protected application process (pod) is counted as one quota.
Billing rules: All editions are billed based on the number of purchased quotas. The more quotas you buy, the lower the unit price.
For 50 or fewer authorizations: USD 6 per unit per month.
For 51 to 200 authorizations: USD 4.5 per unit per month.
More than 200 authorizations: USD 3 per unit per month.
Web Tamper Proofing:
Billing method: This feature is billed based on the number of tamper-proofing services (websites to be protected) that you purchase.
Billing rules: The fee is USD 165 per instance per month for all versions.
Agentic SOC:
Billing method: Billing varies depending on your selection.
Agentic SOC: billed based on the purchased Log Ingestion Traffic and Log Storage Capacity.
Security Operations Agent: In addition to purchasing Log Ingestion Traffic and Log Storage Capacity, you also need to purchase Intelligent Usage Analysis and Number of Managed Instances.
Billing rules: All editions have the same billing standard. The fees are as follows:
Log Ingestion Traffic: Tiered pricing is used. The minimum purchase is 100 GB/day, with a step size of 100 GB/day. The prices are as follows (where X is the traffic ingested per day):
X = 100 GB: USD 0.45 per GB per day.
200 GB <= X < 9,999,999,999 GB: USD 0.42 per GB per day.
Log Storage Capacity: USD 100 per 1,000 GB per month. A minimum of 1,000 GB is required, with a step size of 1,000 GB.
Intelligent Usage Analysis:
The minimum purchase quantity is 100 GB per day. The purchase quantity does not support auto-filling and must match the Log Ingestion Traffic.
Pricing: USD 9.6 per 100 GB per day.
NoteUsage resets at midnight daily. After exceeding the limit, the system automatically applies rate limiting.
Number of Managed Instances:
Minimum purchase is 10 instances per month, with a step size of 10 instances per month.
USD 1.434 per instance per month.
NoteEach instance is counted only once. Duplicate entries are automatically removed.
Anti-ransomware:
Billing method: This feature is billed based on the purchased anti-ransomware capacity.
Billing rules: All editions are priced at USD 0.045 per GB per month.
Log Analysis:
Billing method: This feature is billed based on the purchased log storage capacity.
Billing rules:
Anti-virus, Advanced, Enterprise, and Ultimate: USD 0.1 per GB per month.
Value-added Plan: This feature is not available for purchase.
Container Image Scan:
Billing method: This feature is billed based on the number of purchased quotas, which is based on the number of image digests.
Billing rules:
Anti-virus: This edition is not available for purchase.
Advanced, Enterprise, Ultimate, and Value-added Plan: USD 0.1 per image per month.
Cloud Honeypot:
Billing method: This feature is billed based on the number of purchased cloud honeypot probes.
Billing rules: All editions have the same billing standard: USD 333.33 per probe per month (Minimum purchase of 20 probes).
Malicious File Detection:
Billing method: This feature is billed based on the number of purchased file detections.
Billing rules: All editions have the same billing standard: USD 1.5 per 10,000 detections per month (Minimum purchase of 100,000 detections).
Pay-as-you-go
Billing formula
Total usage fee for enabled billable features + Basic service fee
The system generates a bill on the next day (T+1) based on your actual usage from the previous day.
Basic service fee
When you enable any pay-as-you-go feature of Security Center, the system charges a basic service fee. The billing rules are as follows:
After you enable the service, DingTalk Robot, security reports, and Task Hub are supported by default. To use Task Hub, you must first enable or purchase the vulnerability fixing feature.
Billing method: This fee is billed based on the duration for which the pay-as-you-go service is enabled.
ImportantThe minimum billing unit is one hour. If the duration is less than one hour, it is billed as one hour.
Billing cycle: Billed daily.
Price: USD 0.0072 per hour.
Feature usage fees
The following table describes the features that can be enabled in pay-as-you-go mode and their billing details:
Host and Container Security:
Billing method: This feature is billed based on the protection level, the number of attached servers, and the actual protection duration in seconds.
ImportantThe actual protection duration is calculated based on the online duration of the client.
Billing cycle: Billed daily.
Price: The following table shows the prices for different protection levels.
Protection level
Price
Monthly fee (30-day reference)
Antivirus
USD 0.000000578 per core per second
USD 1.5 per core per month
Advanced
USD 0.000005497 per instance per second
USD 14.25 per instance per month
Host Protection
USD 0.000013599 per instance per second
USD 35.25 per instance per month
Hosts and Container Protection
USD 0.000013599 per instance per second + USD 0.000000578 per core per second
USD 35.25 per instance per month + USD 1.5 per core per month
Vulnerability Fixing:
Billing method: This feature is billed based on the number of vulnerability fixes.
NoteOne fix is consumed when a vulnerability bulletin is successfully fixed on a single server. Failed fixes do not consume your quota. For more information, see Vulnerability fix counting rules.
Billing cycle: Billed daily.
Price: USD 0.3 per use
Agentic SOC:
Billing method:
Agentic SOC: Billed on a tiered basis according to the daily ingested log traffic (in GB). The daily fee is the sum of the fees for each tier.
ImportantThe minimum billing unit is 1 GB. If the data volume is less than 1 GB, it is billed as 1 GB.
Security Operations Agent: In addition to cumulative tiered billing for daily ingested log traffic (GB), billing also includes the following items:
Intelligent Usage Analysis: Billing is based on the analysis usage (in GB) consumed by the AI security digital human for alert analysis, event investigation, traceability, attribution, and security report generation for risk events.
Number of Managed Instances: You are billed based on the number of Agent instance invocations. Products such as ECS, WAF, ALB, cross-cloud products, and on-premises security vendor products are all counted as instances.
ImportantEach instance is counted only once. Duplicate entries are automatically removed.
Billing cycle: Billed daily.
Price:
Log Ingestion Traffic: Tiered pricing is applied based on the daily log ingestion traffic (in GB).
Log ingestion traffic tier
Price
Fee calculation formula (Y is the traffic ingested per day in GB)
1 to 10 (GB/day)
USD 2.20/GB
2.2 × Y (USD)
11 to 50 (GB/day)
USD 1.6/GB
2.2 × 10 + 1.6 × (Y - 10) (USD)
51 to 100 (GB/day)
USD 1.4/GB
2.2 × 10 + 1.6 × 40 + 1.4 × (Y - 50) (USD)
>100 (GB/day)
USD 1.2/GB
2.2 × 10 + 1.6 × 40 + 1.4 × 50 + 1.2 × (Y - 100) (USD)
Intelligent Usage Analysis: USD 0.144 per GB per day.
Number of Managed Instances: USD 2.15 per instance per month.
Log Management:
Billing method: This feature is billed based on the cumulative daily log storage in GB.
ImportantThe minimum billing unit is 1,000 GB. If the storage is less than 1,000 GB, it is billed as 1,000 GB. For example, if the daily usage is 1,900 GB, you are charged for 2,000 GB.
Billing cycle: Billed daily.
Price: USD 7.2 per 1,000 GB.
Cloud Security Posture Management:
Billing method: This feature is billed based on a tiered pricing model for the daily number of quotas used, which includes scans, verifications, and successful fixes. The daily fee is the sum of the fees for each tier.
NoteFor more information about how quotas are consumed, see quota consumption (pay-as-you-go).
Billing cycle: Billed daily.
Price: Tiered pricing is used based on the number of quotas used per day.
Authorization Count
Price
Fee calculation formula (Z is the number of quotas used per day)
0 to 100,000
USD 0.0009 per request
0.0009 × Z (USD)
100,001 to 500,000
USD 0.0007 per request
0.0009 × 100,000 + 0.0007 × (Z - 100,000) (USD)
Over 500,000
USD 0.00045 per request
0.0009 × 100,000 + 0.0007 × 400,000 + 0.00045 × (Z - 500,000) (USD)
Agentless Detection:
Billing method: This feature is billed based on the volume of scanned data in GB.
Billing cycle: Billed daily.
Price: USD 0.03 per GB.
Serverless Asset Protection:
Billing method: This feature is billed based on the number of bound server cores multiplied by the actual protection duration in seconds.
ImportantThe actual protection duration is calculated based on the online duration of the client.
Billing cycle: Billed daily.
Price: Tiered pricing is used based on the cumulative monthly usage.
Cumulative monthly usage:
Cumulative monthly usage for the current day = Cumulative monthly usage up to the previous day (0 on the first day) + Usage for the current day.
ImportantIn the first month of use, the statistical period is from the day you enable the service to the end of that month. From the second month onward, the statistical period is a calendar month, from the first to the last day of the month.
Example: On the first day, the cumulative monthly usage is the usage of the first day. On the second day, the cumulative monthly usage is the usage of the first day + the usage of the second day. On the third day, the cumulative monthly usage is the usage of the first day + the usage of the second day + the usage of the third day, and so on.
Tiered prices:
Cumulative monthly usage
Price
Fee calculation formula (U is the daily usage in core-seconds)
Tier 1: 0 to 200,000,000 core-seconds
USD 0.000003 per core-second
0.000003 × U (USD)
Tier 2: 200,000,001 to 1,000,000,000 core-seconds
USD 0.000002 per core-second
On the first day you enter this tier:
0.000003 × 200,000,000 + 0.000002 × (U - 200,000,000) (USD)
Each subsequent day: 0.000002 × U (USD)
Tier 3: 1,000,000,001 to 9,999,999,999,999 core-seconds
USD 0.0000015 per core-second
On the first day you enter this tier:
0.000003 × 200,000,000 + 0.000002 × 800,000,000
+ 0.0000015 × (U - 1,000,000,000) (USD)
Subsequent daily fee: 0.0000015 × U (USD).
Billing example:
Scenario: You have 20,000 cores of serverless assets that are online 24 hours a day (86,400 seconds).
Daily usage (U) = 20,000 cores × 86,400 seconds/day = 1,728,000,000 core-seconds.
First-day fee:
Usage details: The cumulative monthly usage on the first day is equal to the first day's usage, which is 1,728,000,000 core-seconds. The cumulative monthly usage has reached Tier 3. The fee is calculated based on the cross-tier billing rule for the first time that the usage enters Tier 3.
Cost calculation for the first day: 0.000003 (Tier 1 unit price) × 200,000,000 + 0.000002 (Tier 2 unit price) × 800,000,000 + 0.0000015 (Tier 3 unit price) × (1,728,000,000 - 1,000,000,000) = 3,292 (USD).
Fees for the second and subsequent days:
Usage details: Because the cumulative monthly usage reached Tier 3 on the first day, the cumulative monthly usage remains in Tier 3 from the second day to the end of the month. The daily fee is calculated based on the Tier 3 unit price.
Cost calculation: Daily cost = 0.0000015 (unit price for Tier 3) × (20,000 × 86,400) = 2,592 (USD).
Malicious File Detection:
Billing method: This feature is billed based on the number of file detections (number of files detected).
Billing cycle: Billed daily.
Price: USD 0.0002 per request.
Application Protection:
Billing method: This feature is billed based on the number of online instances per minute (0 to 60 seconds).
Billing cycle: Billed daily.
Price: USD 0.0002 per instance per minute.
Anti-ransomware:
Billing method: This feature is billed based on the size of backup files in GB and the storage duration in hours.
Billing cycle: Usage is accumulated hourly and billed daily.
Price: USD 0.00013 per GB per hour.
Service expiration and termination
Subscription (expiration and unsubscription)
Scenario description:
Expiration: Your subscription expires and is not renewed on time.
Unsubscription: You unsubscribe from the entire Security Center instance. For more information about how to unsubscribe, see Refund policy.
Impact: The service instance is released. This downgrades your paid edition to the Free Edition. For more information, see Introduction to Security Center Free Edition. Your servers will lose the protection of Security Center, which increases the risk of malicious intrusions and data leaks. We recommend that you promptly renew your subscription or purchase a new edition.
Data retention:
Expiration: The system provides a grace period of 7 days. After 7 days, the service instance is released, and data is purged according to the rules described in the following table.
NoteSeven days before the service expires, the system sends renewal reminders by email, or internal message.
Unsubscription: The service instance is released immediately, and data is purged according to the rules described in the following table.
Scenario
Data Cleaning Instructions
Within 7 days of expiration
The service authorization information, configuration policies, and service data for all features are retained.
7 days after expiration
The following authorization information is immediately purged:
Container Protection - Image security scan.
Container Protection - CI/CD integration settings.
Log analysis: The data in the `sas-log` Logstore is immediately purged. This Logstore belongs to the Project that Security Center creates in Simple Log Service (SLS). The Project is named `sas-log-<Alibaba Cloud account ID>-<region ID>`.
Host Protection - Anti-ransomware: All backup policies and backup data are immediately purged.
Unsubscription
15 days after unsubscription or expiration
The following Agentic SOC data is immediately purged:
Security alerts: All alert information except for alerts under CWPP.
Security event handling: Event information generated by Agentic SOC predefined rules and custom rules (Agentic SOC security events).
NoteSecurity events generated from alerts under CWPP (CWPP security events) are retained.
Response orchestration: Custom playbooks and custom response rules.
Log Management: Standardized integration logs and Security Center logs.
Rule management: Custom rules.
Integration Center: Custom items such as standardized integration rules, data sources, watchlists, and integration policies.
Agentic SOC - Response Center: Response policies and response tasks are automatically purged by the system 90 days after they expire. This is not affected by unsubscription.
Pay-as-you-go (overdue payments and service shutdown)
Scenario description:
Overdue payment: Pay-as-you-go bills are generated on T+1. An overdue payment occurs if your account balance is insufficient at the time of settlement. To avoid service interruptions, top up your account promptly.
Service shutdown: You can manually shut down the pay-as-you-go service. No new fees are generated after the service is shut down.
NoteOn the Overview page of the Security Center console, in the Pay-as-you-go area, you can turn off the switch for the relevant service. Alternatively, you can click the Deactivate button at the top to shut down all pay-as-you-go services.
Impact: You can no longer use the corresponding pay-as-you-go features and will lose the related detection and protection capabilities.
Data retention:
Overdue payment: After a payment becomes overdue, the system provides a data retention period of 15 days. After 15 days, data is purged according to the rules described in the following table.
Service shutdown: No data retention period is provided. Data is purged immediately according to the rules described in the following table.
Scenario
Data Cleanup
During the data retention period for an overdue payment
During the retention period, all service authorization information, configuration policies, and pay-as-you-go service data are retained.
Overdue payments after the retention period
The following authorization information is immediately purged:
Container Protection - Image security scan.
Container Protection - CI/CD integration settings.
The following Agentic SOC data is immediately purged:
ImportantIf the data retention period for an overdue payment is longer than 15 days, Agentic SOC does not wait for the retention period to end. Instead, it starts the data purge immediately after the 15th day of the overdue payment.
Security alerts: All alert information except for alerts under CWPP.
Security event handling: Event information generated by Agentic SOC predefined rules and custom rules (Agentic SOC security events).
NoteSecurity events generated from alerts under CWPP (CWPP security events) are retained.
Response orchestration: Custom playbooks and custom response rules.
Log Management: Standardized integration logs and Security Center logs.
Rule management: Custom rules.
Integration Center: Custom items such as standardized integration rules, data sources, watchlists, and integration policies.
Agentic SOC - Response Center: Response policy and response task data is automatically purged by the system 90 days after it expires. This is not affected by overdue payments or service shutdowns.
Service shutdown
FAQ
Can I enable both pay-as-you-go and subscription billing methods at the same time?
Yes, you can, but only for different feature modules. For example, you can choose the subscription method for Vulnerability Fixing and the pay-as-you-go method for Agentic SOC.
You cannot purchase both a subscription edition (Anti-virus, Advanced, Enterprise, or Ultimate) and the pay-as-you-go Host and Container Security service.
You cannot simultaneously purchase a value-added feature, such as Agentic SOC, on both a subscription and a pay-as-you-go basis.
How do I shut down pay-as-you-go services?
On the Overview page of the Security Center console, in the Pay-as-you-go section, you can turn off the switches for the relevant services. Alternatively, you can click the Deactivate button at the top to shut down all pay-as-you-go services.
ImportantIf your service is suspended due to an overdue payment, we recommend that you use the Deactivate feature to prevent new fees from being generated if the product is automatically re-enabled after you add funds to your account.
Fees incurred on the day you shut down the service are settled and included in the final bill on the following day.
How can I avoid service suspension due to overdue payments?
Optimize resource configuration
You can select only the assets that require protection to avoid paying for unnecessary resources.
Set balance alerts
You can log on to Expenses and Costs and set a balance alert on the Account Overview page. The system automatically sends a notification when your available balance falls below the specified threshold.