Security Center is a centralized security solution that protects your cloud assets from threats such as viruses, cyberattacks, and ransomware. It offers various editions and billing methods to help you build a security system for your cloud assets that fits your business scenarios and budget.
Quick selection guide
Scenario | Recommended plan | Core value and features |
First-time use and feature evaluation | Experience comprehensive host security capabilities at no cost, including vulnerability management and intrusion prevention. | |
Hybrid cloud host security | Subscription:
| Achieve unified security management. It provides consistent mitigation policies and visualization for hosts in the cloud and in data centers to enable centralized management across cloud environments. |
Container security protection | Subscription:
| Obtain full-stack protection from the host to the container runtime. You can add image scanning to shift security left into the CI/CD stage and integrate security throughout lifecycle. |
Major event support | Subscription:
| On top of comprehensive protection, it provides Runtime Application Self-Protection (RASP) and tamper-proofing capabilities. These are key to defending against advanced threats and ensuring the stability of core business services. |
Emergency response for security events | For more information, see Pay-as-you-go service one-click access policy and billing instructions. | This is suitable for responding to security intrusions, such as servers infected with mining malware, viruses, or Trojans, or those affected by website tampering or data extortion. |
Billing
Security Center supports two billing methods: Subscription and Pay-as-you-go. Each method determines your charges and available features.
Regardless of the billing method you choose, you have access to the features of the Basic Edition. For more information, see Introduction to the Basic Edition of Security Center.
Item | Subscription | Pay-as-you-go |
Billing characteristics | Pay a single fee for a monthly or yearly term. The fixed cost makes budgeting simple. | Pay only for what you use, offering flexibility with no upfront investment. |
Cost | Fee = Edition fee + Value-added service fee (optional).
Note For more details, see Subscription billable items. | Fee = Basic service fee + Feature usage fee.
Note For more details, see Pay-as-you-go billable items. |
Use cases | Suitable for scenarios with stable, long-term business needs and a fixed budget. | Ideal for scenarios with elastic, short-term, or frequently changing business demands. |
Feature and service details
Subscription
Edition services
With the subscription method, features are bundled into the edition you purchase. The editions are described below:
Edition | Instructions | Fee |
Basic | Provides only basic security detection, such as identifying abnormal server logons, DDoS, common server vulnerabilities, and some cloud product configuration risks. It lacks active protection features. | Free |
Anti-virus | Detects and removes common viruses on your hosts. | USD 1 per core-month |
Advanced | Provides host virus detection and removal, vulnerability detection and fixing, and security reports. | USD 9.5 per server-month |
Enterprise | Helps you meet host security requirements for intrusion prevention, identity authentication, and security audit. | USD 23.5 per server-month |
Ultimate | Delivers comprehensive intrusion detection and real-time defense to effectively counter malicious intrusions. | USD 23.5 per server-month + USD 1 per core-month |
The following table compares the main protection capabilities of each edition.
Mitigation capabilities | Basic | Anti-virus | Advanced | Enterprise | Ultimate |
Detection for some malware and cloud product threats | |||||
Virus removal and host intrusion detection | |||||
Brute-force attacks protection | |||||
Host behavior defense | Note Only blocking processes based on malicious MD5 hashes is supported. | ||||
System vulnerability check and fixing | |||||
Malicious network behavior defense | |||||
Trace the source of attacks | |||||
Application vulnerability detection | |||||
Baseline check and fixing | Note Only weak password checks are supported. | ||||
Container security |
Value-added services
With the subscription method, you can purchase additional value-added services. The available services are described below:
Anti-ransomware
Description: Provides anti-ransomware backup and recovery. After a ransomware attack, you can use backup files to recover your servers and databases.
Purchase notes:
The purchase quantity is the anti-ransomware capacity. It is determined by the size of the backup files and the backup retention period, not the number of servers.
This feature is available only in select regions. The amount of data to protect can be set as needed. For a list of supported regions, see Overview of the anti-ransomware service.
If you select Set Recommended Policy, the system automatically backs up important file paths on your existing servers. To adjust the policy, go to the Anti-ransomware page. For more information, see Modify the anti-ransomware policy for a server.
CSPM (CSPM)
Description: Provides identity and access management, automated compliance checks, and cloud product configuration baseline detection. It lets you centrally manage configuration risks across multiple cloud products.
Purchase notes: Billing is based on the service authorization quota. Service authorization quota = Scan count (Number of cloud products × Number of asset instances × Number of check items) + Verification count + Successful fix count.
WarningUnused quota is cleared at the end of each month. For more information about billing, see Subscription - Cloud Security Posture Management.
Cloud Threat Detection and Response (CTDR)
Description: Supports unified log collection from multiple clouds, accounts, and products such as Web Application Firewall, Cloud Firewall, and VPC. It provides a closed-loop process for detecting, responding to, and handling security alerts and events. This improves security operations efficiency and helps you meet MLPS 2.0 log audit requirements.
Purchase notes:
Uses modular billing. Log Ingestion Traffic and Log Storage Capacity are billed independently and can be purchased separately as needed.
Log Ingestion Traffic (GB/day)
Purpose: Used for core security operations such as real-time threat detection, attack source tracing, and alert analysis. After purchasing, you can use most core CTDR features, including threat detection and investigation response.
Capacity estimation:
Based on existing logs
Daily traffic (GB) = Total log storage capacity (GB) / Log retention period (TTL).
For example, if you have 10,000 GB of logs stored for 90 days, the daily traffic is approximately 10,000 / 90 ≈ 111 GB. We recommend purchasing a 200 GB/day plan.
Based on log generation rate (EPS)
Daily traffic (GB) = EPS (log entries per second) × 86,400 × Average log size (KB) / 1,024
EPS: The number of log entries generated per second.Average log size: Typically between 3 KB and 7 KB.
Log Storage Capacity (GB)
Purpose: Used for long-term storage of logs for queries and audits. This helps you meet the compliance requirement of the Cybersecurity Law (MLPS 2.0) to retain logs for at least 180 days and lets you trace historical events.
Capacity estimation:
By server count: We recommend configuring 120 GB of log storage capacity for each server.
By existing Log Analysis capacity: Set this to three times the capacity you purchased for the Security Center-Log Analysis feature.
If you select Access Policy, the system automatically connects to some log sources from Security Center, Web Application Firewall, Cloud Firewall, and ActionTrail under your current Alibaba Cloud account.
Vulnerability Fixing
Description: Allows you to fix Linux Software Vulnerability and Windows System Vulnerability on your servers with a single click in the console.
Purchase notes: Enter the number of vulnerability fixes you need to purchase per month.
NoteThe number of vulnerability fixes is the sum of all vulnerabilities fixed across all servers. For example, if the same vulnerability exists on 10 servers, using the one-click fix feature in Security Center consumes 10 fixes.
Container Image Scan
Description: Allows you to scan your images for system vulnerabilities, application vulnerabilities, viruses, and malicious samples with a single click, and receive remediation advice.
Purchase notes:
Enter the number of scan authorizations you need to purchase per month.
NoteA scan authorization is consumed the first time an image digest is scanned. Subsequent scans of the same digest do not consume additional authorizations. If the image digest changes, a new authorization is required.
This feature can be purchased only if you select the Premium Edition, Enterprise Edition, Ultimate Edition, or Value-added Plan.
Web Tamper Proofing
Description: Monitors website directories in real time and restores tampered files or directories from backups to protect your critical systems from malicious modification.
Purchase notes: Select the quantity based on the number of servers you need to protect.
Malicious File Detection
Description: Performs deep scans to detect malware, WebShells, viruses, and other potential risk files hidden in your server's file system.
Purchase notes: Set the quantity to the number of files you need to scan each month.
Application Protection (RASP)
Description: Based on Runtime Application Self-Protection (RASP) technology, this feature enables applications to protect themselves by detecting and blocking attacks in real time.
Purchase notes: We recommend purchasing a quantity equal to the total number of Java processes you plan to protect.
NoteFor example, if you have 2 servers, and each runs 3 Java applications that require protection, you should purchase 6 authorizations.
Cloud Honeypot
Description: Deploys decoys to lure and trap attackers, enhancing threat detection and protection for your core assets in adversarial scenarios.
Purchase notes: Cloud Honeypot is billed based on the number of probes. You must purchase a minimum of 20 probes and a maximum of 500.
NoteTo increase your quota beyond 500 probes, contact technical support.
Security Dashboard
Description: Provides multiple visualization dashboards to provide a high-level overview of your asset security posture.
Purchase notes: This feature is available for purchase only with the Premium Edition, Enterprise Edition, or Ultimate Edition.
Log Analysis
Description: Aggregates security logs from your cloud assets, including hosts and security events. It provides powerful SQL search and visual reporting to simplify event investigation, attack source tracing, and compliance audits.
ImportantIf you also purchase the pay-as-you-go Log Management service, Security Center logs are stored twice. To avoid duplicate charges, go to the Security Center console and turn off the relevant log delivery switches in the Log Analysis module.
Purchase notes: The Cybersecurity Law requires logs to be stored for at least 180 days. We recommend configuring at least 50 GB of storage capacity for each server.
Pay-as-you-go
Default features
Enabling any pay-as-you-go feature incurs a base service fee. This fee includes the following default services:
DingTalk Chatbot: After you configure DingTalk Robot notifications, you can receive real-time threat alerts from Security Center in your DingTalk group.
Security Report: Allows you to customize the security data you want to track and have reports sent periodically to your security team's mailbox. This enables more effective real-time monitoring of your asset security status.
Playbook: Provides automated response orchestration. You can orchestrate repetitive tasks in your security incident response process into automated handling policies to help you efficiently harden your system security.
ImportantYou must first enable or purchase the vulnerability fixing feature.
Billable features
In the pay-as-you-go model, all features are billed independently and can be enabled on demand. The following features are available for purchase:
Host and Container Security
If you have already purchased a subscription for the Anti-virus, Advanced, Enterprise, or Ultimate, you cannot enable the Host and Container Security pay-as-you-go service.
Description: Provides comprehensive detection and protection for host and container assets. After purchase, you must bind a Protection Level to your assets. The protection levels are described below:
Protection level
Description
Monthly fee (30-day reference price)
Unprotected
Provides only basic security detection, such as identifying abnormal server logons, DDoS, common server vulnerabilities, and some cloud product configuration risks. It does not include active protection features.
Free
Antivirus
Detects and removes common viruses on your hosts.
USD 1.5 per core-month
Advanced
New purchases and changes are no longer supported.
USD 14.25 per server-month
Host Protection
Helps you meet host security requirements for intrusion prevention, identity authentication, and security audit.
USD 35.25 per server-month
Hosts and Container Protection
Provides full-stack security for hosts, containers, and Intelligent Computing LINGJUN servers. Capabilities include K8s threat detection, Container Asset Overview, security alerts, virus removal, vulnerability detection, Asset Fingerprints, and attack chain analysis.
USD 35.25 per server-month+USD 1.5 per core-month
The main protection capabilities for each level are as follows:
Mitigation capabilities
Unprotected
Antivirus
Host Protection
Hosts and Container Protection
Detection for some malware and cloud product threats
Virus removal and host intrusion detection
Brute-force attacks protection
Host behavior defense
NoteOnly blocking processes based on malicious MD5 hashes is supported.
Malicious network behavior defense
Trace the source of attacks
Application vulnerability detection
Container security
Purchase notes: For the feature to take effect, you must apply its authorization to specific assets after enabling it. You can bind assets manually during purchase.
ImportantThe system uses the following default binding rules:
Server assets running container environments, including Alibaba Cloud ACK cluster nodes, Intelligent Computing LINGJUN, and servers connected to self-managed K8s clusters: Host and Container Protection.
All other assets: Host Protection.
New servers added later: Host Protection.
CSPM (CSPM)
Description: Provides identity and access management, automated compliance checks, and cloud product configuration baseline detection. It lets you centrally manage configuration risks across multiple cloud products.
Purchase notes: Billing is based on the service authorization quota. Service authorization quota = Scan count (Number of cloud products × Number of asset instances × Number of check items) + Verification count + Successful fix count.
Vulnerability Fixing
Description: Allows you to fix Linux Software Vulnerability and Windows System Vulnerability on your servers with a single click in the console.
Purchase notes: Enter the number of vulnerability fixes you need to purchase per month.
NoteThe number of vulnerability fixes is the sum of all vulnerabilities fixed across all servers. For example, if the same vulnerability exists on 10 servers, using the one-click fix feature in Security Center consumes 10 fixes.
Cloud Threat Detection and Response (CTDR)
Description: Supports unified log collection from multiple clouds, accounts, and products such as Web Application Firewall, Cloud Firewall, and VPC. It provides a closed-loop process for detecting, responding to, and handling security alerts and events. This improves security operations efficiency and helps you meet MLPS 2.0 log audit requirements.
Purchase notes:
Billing is tiered based on Log Ingestion Traffic. The more you use, the lower the unit price. For more information about billing, see Threat Analysis and Response - Pay-as-you-go.
ImportantThe pay-as-you-go method does not support purchasing Log Storage Capacity, which means you cannot store logs for queries and audits.
If you select Access Policy, the system automatically connects to some log sources from Security Center, Web Application Firewall, Cloud Firewall, and ActionTrail under your current Alibaba Cloud account.
Anti-ransomware
Description: Provides anti-ransomware backup and recovery. After a ransomware attack, you can use backup files to recover your servers and databases.
Purchase notes:
Billed based on backup file size and data storage duration. For more information about billing, see Anti-ransomware Service - Pay-as-you-go.
This feature is available only in select regions. The amount of data to protect can be set as needed. For a list of supported regions, see Overview of the anti-ransomware service.
If you select Set Recommended Policy, the system automatically backs up important file paths on your existing servers. To adjust the policy, go to the Anti-ransomware page. For more information, see Modify the anti-ransomware policy for a server.
Application Protection
Description: Based on Runtime Application Self-Protection (RASP) technology, this feature enables applications to protect themselves by detecting and blocking attacks in real time.
Purchase notes: For this feature to take effect, you must apply its authorization to specific assets after enabling it. You can connect assets manually during purchase.
ImportantBy default, all assets are protected and connected using the slow onboarding method.
Agentless Detection
Description: Performs lightweight vulnerability scans and comprehensive risk assessments without needing to install a client (Agent) on your servers.
Purchase notes: Billed based on the volume of data scanned.
Serverless Asset Protection
Description: Provides intrusion detection and vulnerability scanning for serverless assets such as Function Compute (FC) and Elastic Container Instance (ECI).
Purchase notes: For this feature to take effect, you must apply its authorization to specific assets after enabling it. You can bind assets manually during purchase.
ImportantBy default, Serverless Asset Protection protection is enabled for all serverless assets.
Malicious File Detection
Description: Monitors website directories in real time and restores tampered files or directories from backups to protect your critical systems from malicious modification.
Purchase notes: Billed based on the number of files scanned. For more information about billing, see Malicious File Detection - Pay-as-you-go.
Log Management
Description: Log Management, which is based on Alibaba Cloud Simple Log Service (SLS), is a log audit and analysis feature. It leverages the detection and defense capabilities of Security Center and the product integration capabilities of the Threat Analysis and Response (CTDR) module to provide unified log auditing, built-in security reports, SQL-based analysis and tracing, and flexible storage policies.
ImportantIf you also purchase the subscription Log Analysis service, Security Center logs are stored twice. To avoid duplicate charges, go to the Security Center console and turn off the relevant log delivery switches in the Log Analysis module.
Purchase notes: You need to configure the log storage region.
How to purchase
Subscription
Log on and go to the purchase page
Log on to your Alibaba Cloud account and go to the Security Center purchase page.
Select an edition
ImportantIf you have already enabled the Host and Container Security pay-as-you-go service, you can only select Value-added Plan.
Billing Method: Select Subscription.
Protection Scenario: The system automatically recommends an edition and value-added features based on the selected scenario.
Edition: For more information about the basic mitigation capabilities of each edition, see .
Protected Servers: Specify the total number of servers to protect. By default, this shows the Alibaba Cloud ECS instances and connected non-Alibaba Cloud servers under your account.
NoteThis parameter is not required if you select the Anti-virus or Value-added Plan.
Cores: The number of vCPUs on your servers. By default, this shows the total number of cores for ECS instances and connected non-Alibaba Cloud servers under your account.
NoteThis parameter is required only if you select the Anti-virus Edition or Ultimate Edition.
Configure asset authorization
To activate protection, you must apply the purchased edition authorization to specific servers.
System automatic binding (default):
The system automatically assigns authorizations to unprotected servers under your account based on the default policy. You can unbind or rebind them later. For more information, see Manage authorizations for Host and Container Security.
Custom binding:
Click Custom Quota Binding and select the region where your servers are located.
In the server list, select the servers you want to bind and choose the corresponding version in the Edition column. For more information about the features of each version, see Edition services.
If you select multiple servers, you can click Batch to bind the same protection version to all selected servers.
(Optional) Select Automatically Add New Servers to Security Center. New servers added later will be automatically bound to the current version to enable protection.
WarningIf you do not select this option, you must bind new servers manually to protect them. For more information, see Manage authorizations for Host and Container Security.
Select value-added services
Based on your needs, find the corresponding value-added service module, set Purchase or Not to Yes, and complete the configuration. For a description of each value-added service, see Value-added services.
Confirm and pay
Read and agree to the Security Center Terms of Service, then click Order Now and complete the payment.
View your purchased service
After the purchase is complete, log on to the console. You can view your current service in the Subscription section of the Overview page.
Pay-as-you-go
Log on and go to the purchase page
Log on to your Alibaba Cloud account and go to the Security Center purchase page.
Select services
Based on your needs, find the corresponding value-added service module, set Purchase or Not to Yes, and complete the configuration. For more information about each feature, see Pay-as-you-go features.
Authorization and binding logic
For some services to take effect, you must apply their authorization to specific assets after enabling them. The configuration steps are as follows:
Host and Container Security: Supports custom binding of host assets. Follow these steps:
ImportantIf you do not configure this, the system binds host assets according to the default rules:
Server assets running container environments, including Alibaba Cloud ACK cluster nodes, Intelligent Computing LINGJUN, and servers connected to self-managed K8s clusters: Host and Container Protection.
All other assets: Host Protection.
New servers added later: Host Protection.
On the purchase page, click Custom Quota Binding and select the region where your servers are located.
In the server list, select the servers you want to bind and choose the corresponding protection level in the Protection Level column.
After selecting multiple servers, you can click Change Protection Level to modify the protection level for all of them at once.
In the Automatically Add New Servers to Security Center section, set the protection level that will be automatically bound to new servers.
Serverless Asset Protection: Supports custom binding of assets. Follow these steps:
ImportantIf you do not configure this, the system enables Serverless Asset Protection protection for all serverless assets by default.
Click Custom Quota Binding, select the region where your servers are located, and select the corresponding assets.
Select Automatically Add New Assets to automatically enable Serverless Asset Protection protection for new serverless assets added later.
WarningIf you do not select this option, you must bind new serverless assets manually. Otherwise, they will not be protected by Security Center. For more information, see Bind or unbind authorized assets.
Application Protection: Supports custom binding of assets. Follow these steps:
ImportantIf you do not configure this, the system protects all assets by default and uses the slow onboarding method.
You can also configure this after purchase by logging on to the console and going to Access Management in .
Click Custom Quota Binding and select the region where your servers are located.
Select the corresponding assets and click OK.
Confirm and pay
Read and agree to the Security Center Terms of Service, then click Order Now and complete the payment.
View your purchased service
After the purchase is complete, log on to the console. You can view your current service in the Pay-as-you-go section of the Overview page.
Limitations
Billing method limitations
Subscription: Each Alibaba Cloud account can have only one active subscription edition at a time. You can upgrade to a higher-tier edition at any time.
Pay-as-you-go: You can choose different protection levels for different assets and purchase multiple value-added features simultaneously.
Switching billing methods: To switch a feature's billing method, you must first unsubscribe from or disable the current service before enabling the new one.
Feature purchase and mode limitations
Feature exclusivity
You can only choose one of the following: a subscription edition (Anti-virus, Advanced, Enterprise, or Ultimate) or the pay-as-you-go Host and Container Security service. They cannot be purchased or used at the same time.
A value-added feature under a subscription (such as Cloud Threat Detection and Response) and the same feature under pay-as-you-go cannot be purchased at the same time.
Flexibility across different modules
A single account can use different billing methods for different feature modules.
NoteFor example, you can choose a subscription for "Vulnerability Fixing" and pay-as-you-go for "Threat Analysis and Response".
Container protection limitations
Asset type: Server assets running container environments, including ACK cluster nodes and self-managed K8s.
Version limitations:
Subscription: Ultimate
Pay-as-you-go: Purchase Host and Container Security, and bind assets to the Hosts and Container Protection level.
Edition change limitations
Starting from September 11, 2025, Security Center will no longer support new purchases of or changes to the Premium Edition. Existing Premium Edition users will not be affected.
Unsubscribe from the service
If you no longer need Security Center, you can follow the instructions below based on your billing method.
Subscription service
Unsubscribe from a single value-added service
On the Overview page, in the Subscription section, click . On the order upgrade/downgrade page, on the Order Downgrade tab, set Purchase or Not for the relevant service to No. For more information, see Downgrade.
ImportantThe specific refund amount is subject to the amount displayed on the downgrade page. For more information about where your refund will be sent, see Refund destinations.
Unsubscribe from all services
Contact technical support to cancel the subscription for the Security Center instance.
Pay-as-you-go
On the Overview page of the Security Center console, in the Pay-as-you-go section, turn off the switch for the relevant service. Once disabled, the service will no longer incur charges.
FAQ
Billing questions
Will I be double-billed for subscription and pay-as-you-go services?
No. Security Center has a built-in mechanism to prevent double billing:
Single billing principle for features: Each value-added feature supports only one billing method at any given time. For more information, see Feature exclusivity.
Automatic switchover mechanism: If you purchase a subscription, and the default features included in your selected edition service overlap with a pay-as-you-go service you have already enabled, the system automatically disables the pay-as-you-go service and replaces it with the subscription.
NoteFor example, if you have purchased the pay-as-you-go vulnerability fixing service and then purchase the Premium Edition or higher, Security Center automatically disables the pay-as-you-go mode for vulnerability fixing. You will not be charged for fixing vulnerabilities thereafter.
Can I convert a pay-as-you-go service to a subscription?
No, you cannot. You cannot directly convert a pay-as-you-go service to a subscription. Please disable the relevant service first, and then follow the steps to purchase a subscription.
Can I use subscription and pay-as-you-go services at the same time?
Yes, you can. A single account can use a mix of both billing methods. You can create a flexible payment plan based on the importance and lifecycle of your assets.
Why is the actual amount on the purchase page higher than the product pricing?
The final order amount consists of multiple parts. The base price usually refers to the cost for a single server for one month. The total amount is mainly affected by the following factors:
Number of protected assets: The final fee is multiplied by the total number of protected servers under your account, including cloud ECS instances and non-Alibaba Cloud servers with the client installed.
Value-added service options: The system may pre-select value-added services such as Log Analysis and Anti-ransomware. If you do not need them, set their capacity to
0when placing your order.
Free services and trials
How can I obtain free services?
Free Edition: Automatically enabled after you complete identity verification for your Alibaba Cloud account. For more information, see Introduction to Security Center Free Edition.
Enterprise Edition free trial: Enable the 7-day free trial.
What is the difference between the Free Edition and the Enterprise Edition free trial?
Characteristic
Free Edition
Enterprise Edition Free Trial
Applicable accounts
All Alibaba Cloud accounts that have completed identity verification.
Accounts that have not activated an Enterprise Edition trial or paid edition.
Mitigation capabilities
Provides permanent basic security capabilities.
Provides a short-term experience of the full features of a premium paid edition (Enterprise Edition).
Duration
Permanent.
7 days.
Core capabilities
Abnormal logons, mining/DDoS Trojans, common vulnerability scans, etc.
Includes all Enterprise Edition capabilities, such as virus removal, advanced threat detection, and vulnerability fixing.
Access limitation
Automatically enabled, no request required.
Each account is eligible for this trial only once.
Can I cancel and re-apply for the Enterprise Edition free trial?
Yes, you can. On the Overview page, you can click Release Trial to cancel the Security Center free trial. However, an Alibaba Cloud account is eligible for the free trial only once. After you cancel the trial, you cannot try Security Center again.
Will my configurations be saved after the Enterprise Edition free trial expires?
Your configurations and data are retained for 7 days after the trial expires, after which they are automatically purged.
Why is there no "Free Trial" entrance on the Overview page?
Reason one: Your account has already requested the 7-day free trial.
Reason two: Your account already has an active paid edition.