Security Command Center pricing

This document explains Security Command Center pricing details.

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

Pricing overview

When you use Security Command Center Premium or Standard tier, you might be charged for the following:

• Any costs associated with the Security Command Center tier you select, as described later on this page.
• Any costs associated with additional paid scanners like Cloud Data Loss Prevention (Cloud DLP) or a third-party partner scanner to add data to Security Command Center. You will be billed by the scanner provider based on their usage fees.
• Any App Engine costs associated with using Web Security Scanner, as described later on this page.

Security Command Center tier pricing

Security Command Center pricing is based on the Security Command Center tier that you select.

For a list of the features that are included with each tier, see Security Command Center tiers.

Standard tier pricing

Security Command Center Standard tier is free of charge.

Premium tier pricing

Security Command Center Premium tier is available as either a one year or multi-year fixed price subscription.

If your total annual Google Cloud spend or commit exceeds $15 million, contact your sales representative to discuss the pricing options available to you.

If your total annual Google Cloud spend or commit is less than $15 million, the annual cost of Security Command Center Premium is 5% of the larger of the following:

• Your committed annual Google Cloud spend (for deals up to the term of your commit), or
• Your actual annual current annualized Google Cloud spend (for deals up to one year)

There is a minimum annual cost of $15,000. You can attach the Security Command Center Premium tier subscription to your new commit deals, or add Security Command Center Premium to an existing commit deal. In both cases, the Security Command Center Premium tier subscription is the same length as your commit deal. The subscription is billed monthly over the term of the subscription.

For specific details, contact your sales representative.

Premium tier pricing examples

The following are examples of Security Command Center Premium tier subscription costs.

Based on commit deal

If you have a multi-year commit deal structured at...

• Year 1 at $1 million
• Year 2 at $2 milion
• Year 3 at $4 million

...then your Security Command Center Premium tier fixed price would be:

• Year 1 at $50,000
• Year 2 at $100,000
• Year 3 at $200,000

In the preceding scenario, even if your annual spend on Google Cloud in year one was actually $1.2 million, the Security Command Center Premium charges for that year would still be fixed at $4,167 per month, or $50,000 total.

Your total cost for the preceding multi-year deal would be $350,000. Even if your usage during the three year term goes above the commit, your total Security Command Center Premium tier costs during the three year commit will still be $350,000.

When current annual spend rate is greater than your existing commit deal

Security Command Center Premium may be purchased based on your annual spend rate for up to one year at a time. When your annual spend rate exceeds a commit value, annual spend rate must be used for purchase. Security Command Center can be purchased on a multi-year basis only if your current spend is less than Year 2+ of your commit.

For example, if you have a multi-year commit deal structured at...

• Year 1 at $1 million
• Year 2 at $2 million
• Year 3 at $4 million

...but in year 1, your annual spend rate is $1.5 million, then your Security Command Center Premium tier fixed price would be:

• Year 1 at $75,000 (since $1.5 million annual spend rate is higher than your $1 million commit)
• Year 2 at $100,000
• Year 3 at $200,000

In the preceding scenario, if you subscribed to Security Command Center Premium and your actual spend on Google Cloud in year 1 grew to $1.9 million, the Premium tier charges for that year would still be fixed at $6,250 per month, or $75,000 total.

Security Command Center Premium tier pricing not based on log consumption or usage

When you subscribe to the Security Command Center Premium tier, all of the processing of required log data for Event Threat Detection in your organization is included. You won't be charged based on the volumes of log data consumed.

Related charges that are the side effect of some SCC Premium tier services

The Security Command Center Premium tier includes certain built-in services that perform scans that can incur related or indirect charges for the following:

• App Engine, Compute Engine, and GKE instance quota limits and bandwidth (traffic) charges.
• Quotas for API calls to App Engine services like mail and search, and Compute Engine and GKE services.
• Egress networking traffic from scan targets.

The actual amount of traffic generated from a scan depends on the application and the number of URLs, event handlers, forms, and parameters.

For information about the built-in services that can incur indirect charges, see Indirect charges associated with built-in services.

Indirect charges associated with vulnerability scans

Certain vulnerability scans that some built-in, Premium tier vulnerability detection services perform, can increase the resource costs that are incurred by the scan targets. These indirect charges are not identified in billing as being associated with Security Command Center or its services.

The built-in services that perform such scans include:

• Web Security Scanner
• Rapid Vulnerability Detection
• Secured Landing Zone

For example, Web Security Scanner scans can impact App Engine instance quota limits, bandwidth (traffic) charges, and quotas for API calls to App Engine services like mail and search. The actual amount of traffic generated from a scan depends on the application and the number of URLs, event handlers, forms, and parameters.

For this reason, the Security Command Center services are optimized to keep traffic to a minimum. For example, by default, the scan rate of Web Security Scanner is throttled to approximately 15 queries per second (QPS), with slight variations in the rate due to the asynchronous nature of many web applications. Currently, a large scan stops after 100,000 test requests, not including requests related to site crawling. Site crawling requests are not capped.

As another example, Rapid Vulnerability Detection scans can increase network egress traffic from a scanned VM. The network egress traffic is billed to the target VM.

Any increase in network egress traffic that might be caused by vulnerability scans is dependent on the number of endpoints and hosted applications at the scan target, because each endpoint or application requires a separate scan. For example, if the scan targets of an organization are all within North American regions, a single Rapid Vulnerability Detection scan uses an estimated 200 KB of egress traffic. If the organization runs 100,000 scans a month, the resulting increase in billable traffic would be around 20 GB.

What's next

• Read the Security Command Center documentation.
• Get started with Security Command Center.
• Learn about Security Command Center solutions and use cases.