Security Command Center is offered in three service tiers: Standard, Premium, and Enterprise. Each tier determines the features and services that are available to you in Security Command Center. A short description of each service tier follows:
- Standard. Basic security posture management for Google Cloud only. The Standard tier can be activated at the project or organization level. Best for Google Cloud environments with minimal security requirements.
- Premium. Everything in Standard, plus security posture management, attack paths, threat detection, and compliance monitoring for Google Cloud only. The Premium tier can be activated at the project or organization level. Best for Google Cloud customers who need pay-as-you-go billing.
- Enterprise. Complete multi-cloud CNAPP security, plus automated case management and remediation playbooks. Includes most of the services that are in Premium. The Enterprise tier can only be activated at the organization level. Best for helping to protect Google Cloud, AWS, and Azure.
The Standard tier is offered at no additional charge, while the Premium and Enterprise tiers have different pricing structures. For more information, see Security Command Center pricing.
For a list of services included in each tier, see Service tier comparison.
Security Command Center Enterprise
The Security Command Center Enterprise tier offers additional features compared to the Standard and Premium tiers, including a selection of Google Security Operations features and the ability to ingest data from other cloud providers. These features make Security Command Center a full cloud-native application protection platform (CNAPP), and are available in the Security Operations console.
Google Security Operations feature limits
The Google Security Operations features in the Security Command Center Enterprise tier have different limits to those found in the Google Security Operations plans. These limits are described in the following table.
Feature | Limits |
---|---|
Applied Threat Intelligence | No access |
Curated detections | Limited to detecting cloud threats, including Google Cloud and AWS |
Custom rules | 20 custom single-event rules; multi-event rules aren't supported |
Data retention | 3 months |
Gemini for Google Security Operations | Limited to natural language search and case investigation summaries |
Google SecOps security information and event management (SIEM) | Cloud logs only |
Google SecOps security orchestration, automation, and response (SOAR) | Cloud response integrations only |
Log ingestion | Limited to logs that are relevant for cloud threat detection, including the following: |
Risk analytics | No access |
Service tier comparison
Service | Standard | Premium | Enterprise |
---|---|---|---|
Vulnerability detection | |||
Security Health Analytics | |||
Managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets. Security Health Analytics findings | |||
Compliance monitoring. Security Health Analytics detectors map to the controls of common security benchmarks like NIST, HIPAA, PCI-DSS, and CIS. | |||
Custom module support. Create your own custom Security Health Analytics detectors. | |||
Web Security Scanner | |||
Custom scans. Schedule and run custom scans on deployed Compute Engine, Google Kubernetes Engine, or App Engine web applications that have public URLs and IP addresses and aren't behind firewalls. | |||
Additional OWASP Top Ten detectors | |||
Managed scans. Scan public web endpoints for vulnerabilities weekly, with scans configured and managed by Security Command Center. | |||
Attack Path Simulations | |||
Attack Path Simulations, also known as virtual red teaming, can help you to identify and prioritize vulnerability and misconfiguration findings by identifying the paths that a potential attacker could take to reach your high-value resources. | |||
Mandiant CVE assessments | |||
CVE assessments are grouped by their exploitability and potential impact. You can query findings by CVE ID. | |||
Other vulnerability services | |||
Anomaly Detection¹. Identifies security anomalies for your projects and virtual machine (VM) instances, like potential leaked credentials and cryptocurrency mining. | |||
GKE security posture dashboard findings (Preview). View findings about Kubernetes workload security misconfigurations, actionable security bulletins, and vulnerabilities in the container operating system or in language packages. | |||
Sensitive Data Protection¹. Discovers, classifies, and helps protect sensitive data. | |||
VM Manager¹ vulnerability reports (Preview). If you enable VM Manager, it automatically writes findings from its vulnerability reports to Security Command Center. | |||
Expanded detection of software vulnerabilities and containers across cloud environments, with the following built-in and integrated services: | |||
Mandiant Attack Surface Management. Discovers and analyzes your internet assets across environments, while continually monitoring the external ecosystem for exploitable exposures. | |||
Toxic combinations (Preview). Detects groups of security issues that, when they occur together in a particular pattern, create a path to one or more of your high-value resources that a determined attacker could potentially use to reach and compromise those resources. | |||
Threat detection and response | |||
Google Cloud Armor¹. Protects Google Cloud deployments against threats such as distributed denial-of-service (DDoS) attacks, cross-site scripting (XSS), and SQL injection (SQLi). | |||
Sensitive Actions Service. Detects when actions are taken in your Google Cloud organization, folders, and projects that could be damaging to your business if they are taken by a malicious actor. | |||
Container Threat Detection. Detects container runtime attacks. Container runtime attacks | |||
Event Threat Detection. Monitors Cloud Logging and Google Workspace, using threat intelligence, machine learning, and other advanced methods to detect threats, such as malware, cryptocurrency mining, and data exfiltration. | |||
Virtual Machine Threat Detection. Detects potentially malicious applications running in VM instances. | |||
Google SecOps security information and event management (SIEM). Scan logs and other data for threats across multiple cloud environments, define threat detection rules, and search the accumulated data. | |||
Google SecOps security orchestration, automation, and response (SOAR). Manage cases, define response workflows, and search the response data. | |||
Mandiant Hunt. Rely on Mandiant experts to provide continual threat hunting to expose attacker activity and reduce impact to your business. | Optional add-on | ||
Postures and policies | |||
Binary Authorization¹. Implement software supply-chain security measures when you develop and deploy container-based applications. Monitor and limit the deployment of container images. | |||
Policy Controller¹. Enables the application and enforcement of programmable policies for your Kubernetes clusters. | |||
Risk Manager¹. Profile and generate reports for your organization's technical risk posture. | |||
Policy Intelligence. Additional features for Security Command Center Premium and Enterprise users, including the following: | |||
Security posture. Define and deploy a security posture to monitor the security status of your Google Cloud resources. Address posture drift and unauthorized changes to the posture. On the Enterprise tier, you can also monitor your AWS environment. | |||
Cloud Infrastructure Entitlement Management (CIEM). Identify principal accounts (identities) that are misconfigured or that are granted excessive or sensitive IAM permissions to your cloud resources. | |||
Data management | |||
Data residency | |||
Data residency controls that restrict the storage and processing of Security Command Center findings, mute rules, continuous exports, and BigQuery exports to one of the data residency multi-regions that Security Command Center supports. | |||
Findings export | |||
BigQuery exports | |||
Pub/Sub continuous exports | |||
Other features | |||
Infrastructure as code (IaC) validation. Validate against organization policies and Security Health Analytics detectors. | |||
Assured Open Source Software. Take advantage of the security and experience that Google applies to open source software by incorporating the same packages that Google secures and uses into your own developer workflows. Security Command Center Enterprise users get access to the Premium tier of Audit Manager at no extra cost. | |||
Audit Manager. A compliance audit solution that evaluates your resources against select controls from multiple compliance frameworks. Security Command Center Enterprise users get access to the Premium tier of Audit Manager at no extra cost. | |||
Multicloud support. Connect Security Command Center to other cloud providers to detect threats, vulnerabilities, and misconfigurations. Assess attack exposure scores and attack paths on external cloud high value resources. Supported cloud providers: AWS, Azure. | |||
¹ This is a Google Cloud service that integrates with organization-level activations of Security Command Center to provide findings. One or more features of this service might be priced separately from Security Command Center.