Security Center:Purchase Security Center

Feature description: Provides anti-ransomware backup and restore capabilities. You can use backup files to recover servers and databases after a ransomware attack.

Purchase instructions:

• The quantity you purchase corresponds to the anti-ransomware capacity. This capacity is determined by the size of the files you need to back up and the backup retention period, not the number of servers.

• This service is available only in specific regions. You can set the protection data volume as needed. For information about the supported regions, see Anti-ransomware service overview.

• If you check Set Recommended Policy, the system automatically backs up important file paths on your existing servers regularly. To adjust the policy, go to the anti-ransomware page. For more information, see Manage an anti-ransomware policy.

Feature description: Provides identity and permission management, automated compliance checks, and cloud product configuration baseline detection. This lets you centrally manage configuration risks across multicloud products.

Purchase instructions: Billing is based on the number of quotas. Number of quotas = Number of scans (Number of cloud products × Number of asset instances × Number of check items) + Number of authentications + Number of successful fixes.

Feature description:

• Agentic SOC: Supports unified log collection from multicloud environments, multiple accounts, and various products such as Web Application Firewall (WAF), Cloud Firewall, and virtual private cloud (VPC). It provides a closed-loop process for detecting, responding to, and handling security alerts and events. This improves security operations efficiency and helps meet the log audit requirements of MLPS 2.0.

• Security Operations Agent: An advanced intelligent value-added service based on Agentic SOC. It uses Agentic AI as its core engine and deeply integrates with Alibaba Cloud's native security data and infrastructure. The service uses the autonomous perception, inference, and execution capabilities of agents to independently analyze security events to help you achieve rapid security event response.

Purchase instructions:

• This service uses a modular billing method. The billable items vary based on the options you purchase. For more information about billing, see Detailed billing information.

  • Agentic SOC: Billed separately for Log Ingestion Traffic and Log Storage Capacity. You can purchase them separately as needed.

    Log Ingestion Traffic (GB/day)

    • Purpose: Used for core security operations such as real-time threat detection, attack attribution, and alert analysis. After purchasing, you can use most of the core features of Agentic SOC, such as threat detection, investigation, and response.

    • Capacity estimation:

      • Estimate based on existing logs

        Daily traffic (GB) = Total log storage capacity (GB) / Log retention period (TTL) in days.

        For example, if you have 10,000 GB of logs with a retention period of 90 days, the daily traffic is approximately 10,000 / 90 ≈ 111 GB. We recommend that you purchase 200 GB/day.

      • Estimate based on log generation rate (EPS)

        Daily traffic (GB) = EPS (log entries per second) × 86,400 × Average size per log entry (KB) / 1,024

        • EPS: The number of log entries generated per second.

        • Average size per log entry: Typically ranges from 3 KB to 7 KB.

    Log Storage Capacity (GB)

    • Purpose: Used for long-term storage of logs for queries and audits. This meets the compliance requirement of China's Cybersecurity Law and MLPS 2.0 that logs must be retained for at least 180 days. It also supports historical event analysis.

    • Capacity estimation:

      • Estimate based on the number of servers: We recommend that you configure 120 GB of log storage capacity for each server.

      • Estimate based on existing log analysis capacity: We recommend that you configure a capacity that is three times the purchased capacity of the Security Center - Log Analysis feature.

  • Security Operations Agent: In addition to purchasing Agentic SOC, you must also purchase Intelligent Usage Analysis and Number of Managed Instances.

    • Intelligent Usage Analysis: The analysis usage consumed by Security Operations Agent to analyze alerts for risk events, investigate events, perform traceability and attribution, and generate security reports. The purchase quantity is not automatically populated and must be the same as the quantity for Log Ingestion Traffic.

      Note

      The quota for Intelligent Usage Analysis is cleared daily. If the quota is exceeded, the system automatically applies rate limiting.

    • Number of Managed Instances: Security Operations Agent supports security operations and automated handling across instances. Billing is based on the number of managed instances, and each invoked instance is billed. Instances can include ECS, WAF, ALB, multicloud products, and third-party security vendor products.

      Note

      The quota is cleared monthly. Each instance is counted only once, and duplicates are automatically removed.

• If you check Access Policy, some log sources from Security Center, Web Application Firewall, Cloud Firewall, and ActionTrail under the current Alibaba Cloud account are automatically connected.

Feature description: Allows you to fix Linux Software Vulnerability and Windows System Vulnerability on your servers with a single click in the console.

Purchase instructions: Enter the number of vulnerability fixes you want to purchase based on the number of vulnerabilities you need to fix each month.

Feature description: Scans images for system vulnerabilities, application vulnerabilities, viruses, and malicious samples with a single click, and provides repair suggestions.

Purchase instructions:

• Enter the quantity you want to purchase based on the number of scan quotas you need per month.

  Note

  Scan quota: One quota is consumed when an image digest is scanned for the first time. Subsequent scans of the same digest do not consume quotas. If the image digest changes, a new quota is required.

• You can purchase this feature only when you select the Advanced, Enterprise, Ultimate, or Value-added Plan edition.

Feature description: Monitors website directories in real time and restores tampered files or directories from backups. This ensures that the website information of important systems is not maliciously tampered with.

Purchase instructions: Select the quantity based on the number of servers you need to protect.

Feature description: Detects hidden malware, webshells, viruses, and other potential risk files in the server file system through deep scanning.

Purchase instructions: Set the quantity to the number of files you need to detect each month.

Feature description: The application protection feature is based on runtime application self-protection (RASP) technology. It provides applications with self-protection capabilities to detect and block attacks in real time.

Purchase instructions: We recommend that you set the purchase quantity to the total number of Java processes you plan to protect.

Feature description: Provides timely and efficient threat trapping based on attacker behavior. This enhances the detection and protection of core assets in attack and defense scenarios.

Purchase instructions: Cloud Honeypot is billed based on the number of probes. You must purchase at least 20 probes and can purchase up to 500 probes.

Feature description: Aggregates security logs from cloud assets, including hosts and security events. It provides powerful SQL search and visualization reports to help you perform event retrospection, attack attribution, and compliance audits.

Purchase instructions: According to China's Cybersecurity Law, logs must be stored for at least 180 days. We recommend that you configure at least 50 GB of storage capacity for each server.

Feature description: Provides comprehensive detection and protection services for host and container assets. After purchasing, you need to attach a protection level to your assets. The protection levels are described as follows:

The following table describes the main mitigation capabilities of each protection level.

Purchase instructions: After the feature is enabled, you must authorize specific assets for the feature to take effect. You can customize asset attachments during purchase.

Feature description: Provides identity and permission management, automated compliance checks, and cloud product configuration baseline detection. This lets you centrally manage configuration risks across multicloud products.

Purchase instructions: Billing is based on the number of quotas. Number of quotas = Number of scans (Number of cloud products × Number of asset instances × Number of check items) + Number of authentications + Number of successful fixes.

Feature description: Allows you to fix Linux Software Vulnerability and Windows System Vulnerability on your servers with a single click in the console.

Purchase instructions: Enter the number of vulnerability fixes you want to purchase based on the number of vulnerabilities you need to fix each month.

Feature description:

• Agentic SOC: Supports unified log collection from multicloud environments, multiple accounts, and various products such as Web Application Firewall (WAF), Cloud Firewall, and virtual private cloud (VPC). It provides a closed-loop process for detecting, responding to, and handling security alerts and events. This improves security operations efficiency and helps meet the log audit requirements of MLPS 2.0.

• Security Operations Agent: An advanced intelligent value-added service based on Agentic SOC. It uses Agentic AI as its core engine and deeply integrates with Alibaba Cloud's native security data and infrastructure. The service uses the autonomous perception, inference, and execution capabilities of agents to independently analyze security events to help you achieve rapid security event response.

Purchase instructions:

• The billable items vary based on the options you purchase. For more information about billing, see Detailed billing information.

  • Agentic SOC: Billed on a tiered basis for Log Ingestion Traffic. The higher the usage, the lower the unit price.

    Important

    In pay-as-you-go mode, you cannot purchase Log Storage Capacity. Therefore, you cannot store logs for queries and audits.

  • Security Operations Agent: In addition to the basic charge for Log Ingestion Traffic from Agentic SOC, you are also charged for Intelligent Usage Analysis and Number of Managed Instances.

    • Intelligent Usage Analysis: The analysis usage consumed by Security Operations Agent to analyze alerts for risk events, investigate events, perform traceability and attribution, and generate security reports.

    • Number of Managed Instances: Security Operations Agent supports security operations and automated handling across instances. Billing is based on the number of managed instances, and each invoked instance is billed. Instances can include ECS, WAF, ALB, multicloud products, and third-party security vendor products.

      Note

      Each instance is counted only once, and duplicates are automatically removed.

• If you check Access Policy, some log sources from Security Center, Web Application Firewall, Cloud Firewall, and ActionTrail under the current Alibaba Cloud account are automatically connected.

Feature description: Provides anti-ransomware backup and restore capabilities. You can use backup files to recover servers and databases after a ransomware attack.

Purchase instructions:

• Billed based on the size of backup files and the data storage duration. For more information about billing, see Anti-ransomware: Billing method: This feature is billed based on the size of backup files in GB and the storage duration in hours. Billing cycle: Usage is accumulated hourly and billed daily. Price: USD 0.00013 per GB per hour..

• This service is available only in specific regions. You can set the protection data volume as needed. For information about the supported regions, see Anti-ransomware service overview.

• If you check Set Recommended Policy, the system automatically backs up important file paths on your existing servers regularly. To adjust the policy, go to the anti-ransomware page. For more information, see Manage an anti-ransomware policy.

Feature description: The application protection feature is based on runtime application self-protection (RASP) technology. It provides applications with self-protection capabilities to detect and block attacks in real time.

Purchase instructions: After the feature is enabled, you must authorize specific assets for the feature to take effect. You can customize asset connections during purchase.

Feature description: Performs lightweight vulnerability scanning and comprehensive risk investigation without installing a client (agent) on the server.

Purchase instructions: Billed based on the volume of scanned data.

Feature description: Provides intrusion detection and vulnerability scanning for Serverless assets such as Elastic Container Instance (ECI). For more information, see Serverless security.

Purchase instructions: After the feature is enabled, you must authorize specific assets for the feature to take effect. You can customize asset attachments during purchase.

Feature description: Detects hidden malware, webshells, viruses, and other potential risk files in the server file system through deep scanning.

Purchase instructions: Billed based on the number of scanned files. For more information about billing, see Billing details.

Feature description: Log Management is a log audit and analysis feature based on Alibaba Cloud Simple Log Service (SLS). It relies on the rich detection and protection capabilities of Security Center and the product integration capabilities of the Agentic SOC module to provide you with unified log auditing, built-in security reports, SQL-based analysis and traceability, and flexible storage policies.

Purchase instructions: You need to configure a log storage region.