Security Command Center pricing

This document explains Security Command Center pricing details.

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

Pricing overview

When you use Security Command Center Premium or Standard tier, you might be charged for the following:

Any costs associated with the Security Command Center tier you select, as described later on this page.
Any costs associated with additional paid scanners like Cloud Data Loss Prevention (Cloud DLP) or a third-party partner scanner to add data to Security Command Center. You will be billed by the scanner provider based on their usage fees.
Any App Engine costs associated with using Web Security Scanner, as described later on this page.

Security Command Center tier pricing

Security Command Center pricing is based on the Security Command Center tier that you select:

Tier details

Tier details
Standard tier features Security Health Analytics: in the Standard tier, Security Health Analytics provides managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets. In the Standard tier, Security Health Analytics includes the following finding types: `DATAPROC_IMAGE_OUTDATED` `LEGACY_AUTHORIZATION_ENABLED` `MFA_NOT_ENFORCED` `NON_ORG_IAM_MEMBER` `OPEN_CISCOSECURE_WEBSM_PORT` `OPEN_DIRECTORY_SERVICES_PORT` `OPEN_FIREWALL` `OPEN_GROUP_IAM_MEMBER` `OPEN_RDP_PORT` `OPEN_SSH_PORT` `OPEN_TELNET_PORT` `PUBLIC_BUCKET_ACL` `PUBLIC_COMPUTE_IMAGE` `PUBLIC_DATASET` `PUBLIC_IP_ADDRESS` `PUBLIC_LOG_BUCKET` `PUBLIC_SQL_INSTANCE` `SSL_NOT_ENFORCED` `WEB_UI_ENABLED` Web Security Scanner custom scans: in the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IP addresses that aren't behind a firewall. Scans are manually configured, managed, and executed for all projects, and support a subset of categories in the OWASP Top Ten. Security Command Center errors: Security Command Center provides detection and remediation guidance for configuration errors that prevent Security Command Center and its services from functioning properly. Support for granting users Identity and Access Management (IAM) roles at the organization level. Access to integrated Google Cloud services, including the following: Cloud Data Loss Prevention discovers, classifies, and protects sensitive data. Google Cloud Armor protects Google Cloud deployments against threats. Anomaly Detection identifies security anomalies for your projects and virtual machine (VM) instances, like potential leaked credentials and coin mining. Integration with BigQuery, which exports findings to BigQuery for analysis. Integration with Forseti Security, the open source security toolkit for Google Cloud, and third-party security information and event management (SIEM) applications.
Premium tier features The Premium tier includes all Standard tier features and adds the following: Event Threat Detection uses threat intelligence, machine learning, and other advanced methods to monitor your organization's Cloud Logging and Google Workspace and detect the following threats: Malware Cryptomining Brute force SSH Outgoing DoS IAM anomalous grant Data exfiltration Event Threat Detection also identifies the following Google Workspace threats: Leaked passwords Attempted account breaches Changes to 2-step verification settings Changes to single sign-on (SSO) settings Government-backed attacks Container Threat Detection detects the following container runtime attacks: Added Binary Executed Added Library Loaded Malicious Script Executed Reverse Shell Virtual Machine Threat Detection detects cryptocurrency mining applications running inside VM instances. Security Health Analytics: the Premium tier includes managed vulnerability scans for all Security Health Analytics detectors (140+) and provides monitoring for many industry best practices, and compliance monitoring across your Google Cloud assets. These results can also be reviewed in a Compliance dashboard and exported as manageable CSVs. In the Premium tier, Security Health Analytics includes monitoring and reporting for the following standards: CIS 1.2 CIS 1.1 CIS 1.0 PCI DSS v3.2.1 NIST 800-53 ISO 27001 Web Security Scanner in the Premium tier includes all Standard tier features and additional detectors that support categories in the OWASP Top Ten. Note: The category A09:2021 Security Logging and Monitoring Failures (previously A10:2017 Insufficient Logging & Monitoring) is not supported. This category describes insufficiencies that allow attackers to remain undetected. Unlike the other nine OWASP categories, it doesn't pertain to specific vulnerabilities that attackers can exploit. Similarly, Web Security Scanner can't attack web applications to provoke a detectable response. The issues included in this category require human judgment. Web Security Scanner also adds managed scans that are automatically configured. These scans identify the following security vulnerabilities in your Google Cloud apps: Cross-site scripting (XSS) Flash injection Mixed-content Clear text passwords Usage of insecure JavaScript libraries The Premium tier includes support for granting users IAM roles at the organization, folder, and project levels. The Premium tier includes the Continuous Exports feature, which automatically manages the export of new findings to Pub/Sub. You can request for additional Cloud Asset Inventory quota if the need for extended asset monitoring arises. Secured Landing Zone service service can be enabled only in the Security Command Center Premium tier. When enabled, this service displays findings if there are policy violations in the resources of the deployed blueprint, generates corresponding alerts, and selectively takes automatic remediation actions. Preview This feature is covered by the Pre-GA Offerings Terms of the Google Cloud Terms of Service. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the launch stage descriptions. VM Manager vulnerability reports Preview This feature is covered by the Pre-GA Offerings Terms of the Google Cloud Terms of Service. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the launch stage descriptions. If you enable VM Manager, the service automatically writes findings from its vulnerability reports, which are in preview, to Security Command Center. The reports identify vulnerabilities in the operating systems installed on Compute Engine virtual machines. For more information, see VM Manager.

Standard tier features

Security Health Analytics: in the Standard tier, Security Health Analytics provides managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets. In the Standard tier, Security Health Analytics includes the following finding types:
- DATAPROC_IMAGE_OUTDATED
- LEGACY_AUTHORIZATION_ENABLED
- MFA_NOT_ENFORCED
- NON_ORG_IAM_MEMBER
- OPEN_CISCOSECURE_WEBSM_PORT
- OPEN_DIRECTORY_SERVICES_PORT
- OPEN_FIREWALL
- OPEN_GROUP_IAM_MEMBER
- OPEN_RDP_PORT
- OPEN_SSH_PORT
- OPEN_TELNET_PORT
- PUBLIC_BUCKET_ACL
- PUBLIC_COMPUTE_IMAGE
- PUBLIC_DATASET
- PUBLIC_IP_ADDRESS
- PUBLIC_LOG_BUCKET
- PUBLIC_SQL_INSTANCE
- SSL_NOT_ENFORCED
- WEB_UI_ENABLED
Web Security Scanner custom scans: in the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IP addresses that aren't behind a firewall. Scans are manually configured, managed, and executed for all projects, and support a subset of categories in the OWASP Top Ten.
Security Command Center errors: Security Command Center provides detection and remediation guidance for configuration errors that prevent Security Command Center and its services from functioning properly.
Support for granting users Identity and Access Management (IAM) roles at the organization level.
Access to integrated Google Cloud services, including the following:
- Cloud Data Loss Prevention discovers, classifies, and protects sensitive data.
- Google Cloud Armor protects Google Cloud deployments against threats.
- Anomaly Detection identifies security anomalies for your projects and virtual machine (VM) instances, like potential leaked credentials and coin mining.
Integration with BigQuery, which exports findings to BigQuery for analysis.
Integration with Forseti Security, the open source security toolkit for Google Cloud, and third-party security information and event management (SIEM) applications.

Premium tier features

The Premium tier includes all Standard tier features and adds the following:

Event Threat Detection uses threat intelligence, machine learning, and other advanced methods to monitor your organization's Cloud Logging and Google Workspace and detect the following threats:

Malware
Cryptomining
Brute force SSH
Outgoing DoS
IAM anomalous grant
Data exfiltration

Event Threat Detection also identifies the following Google Workspace threats:

Leaked passwords
Attempted account breaches
Changes to 2-step verification settings
Changes to single sign-on (SSO) settings
Government-backed attacks

Container Threat Detection detects the following container runtime attacks:

Added Binary Executed
Added Library Loaded
Malicious Script Executed
Reverse Shell

Virtual Machine Threat Detection detects cryptocurrency mining applications running inside VM instances.
Security Health Analytics: the Premium tier includes managed vulnerability scans for all Security Health Analytics detectors (140+) and provides monitoring for many industry best practices, and compliance monitoring across your Google Cloud assets. These results can also be reviewed in a Compliance dashboard and exported as manageable CSVs.

In the Premium tier, Security Health Analytics includes monitoring and reporting for the following standards:
- CIS 1.2
- CIS 1.1
- CIS 1.0
- PCI DSS v3.2.1
- NIST 800-53
- ISO 27001
Web Security Scanner in the Premium tier includes all Standard tier features and additional detectors that support categories in the OWASP Top Ten.
Note: The category A09:2021 Security Logging and Monitoring Failures (previously A10:2017 Insufficient Logging & Monitoring) is not supported. This category describes insufficiencies that allow attackers to remain undetected. Unlike the other nine OWASP categories, it doesn't pertain to specific vulnerabilities that attackers can exploit. Similarly, Web Security Scanner can't attack web applications to provoke a detectable response. The issues included in this category require human judgment.
Web Security Scanner also adds managed scans that are automatically configured. These scans identify the following security vulnerabilities in your Google Cloud apps:
- Cross-site scripting (XSS)
- Flash injection
- Mixed-content
- Clear text passwords
- Usage of insecure JavaScript libraries
The Premium tier includes support for granting users IAM roles at the organization, folder, and project levels.
The Premium tier includes the Continuous Exports feature, which automatically manages the export of new findings to Pub/Sub.
You can request for additional Cloud Asset Inventory quota if the need for extended asset monitoring arises.

Secured Landing Zone service service can be enabled only in the Security Command Center Premium tier. When enabled, this service displays findings if there are policy violations in the resources of the deployed blueprint, generates corresponding alerts, and selectively takes automatic remediation actions.

VM Manager vulnerability reports

If you enable VM Manager, the service automatically writes findings from its vulnerability reports, which are in preview, to Security Command Center. The reports identify vulnerabilities in the operating systems installed on Compute Engine virtual machines. For more information, see VM Manager.

Standard tier pricing

Security Command Center Standard tier is free of charge.

Premium tier pricing

Security Command Center Premium tier is available as either a one year or multi-year fixed price subscription.

If your total annual Google Cloud spend or commit exceeds $15 million, contact your sales representative to discuss the pricing options available to you.

If your total annual Google Cloud spend or commit is less than $15 million, the annual cost of Security Command Center Premium is 5% of the larger of the following:

Your committed annual Google Cloud spend (for deals up to the term of your commit), or
Your actual annual current annualized Google Cloud spend (for deals up to one year)

There is a minimum annual cost of $25,000. You can attach the Security Command Center Premium tier subscription to your new commit deals, or add Security Command Center Premium to an existing commit deal. In both cases, the Security Command Center Premium tier subscription is the same length as your commit deal. The subscription is billed monthly over the term of the subscription.

For specific details, contact your sales representative.

Premium tier pricing examples

The following are examples of Security Command Center Premium tier subscription costs.

Based on commit deal

If you have a multi-year commit deal structured at...

Year 1 at $1 million
Year 2 at $2 milion
Year 3 at $4 million

...then your Security Command Center Premium tier fixed price would be:

Year 1 at $50,000
Year 2 at $100,000
Year 3 at $200,000

In the preceding scenario, even if your annual spend on Google Cloud in year one was actually $1.2 million, the Security Command Center Premium charges for that year would still be fixed at $4,167 per month, or $50,000 total.

Your total cost for the preceding multi-year deal would be $350,000. Even if your usage during the three year term goes above the commit, your total Security Command Center Premium tier costs during the three year commit will still be $350,000.

When current annual spend rate is greater than your existing commit deal

Security Command Center Premium may be purchased based on your annual spend rate for up to one year at a time. When your annual spend rate exceeds a commit value, annual spend rate must be used for purchase. Security Command Center can be purchased on a multi-year basis only if your current spend is less than Year 2+ of your commit.

For example, if you have a multi-year commit deal structured at...

Year 1 at $1 million
Year 2 at $2 million
Year 3 at $4 million

...but in year 1, your annual spend rate is $1.5 million, then your Security Command Center Premium tier fixed price would be:

Year 1 at $75,000 (since $1.5 million annual spend rate is higher than your $1 million commit
Year 2 at $100,000
Year 3 at $200,000

In the preceding scenario, if you subscribed to Security Command Center Premium and your actual spend on Google Cloud in year 1 grew to $1.9 million, the Premium tier charges for that year would still be fixed at $6,250 per month, or $75,000 total.

Security Command Center Premium tier pricing not based on log consumption or usage

When you subscribe to the Security Command Center Premium tier, all of the processing of required log data for Event Threat Detection in your organization is included. You won't be charged based on the volumes of log data consumed.

The Security Command Center Premium tier includes setup of Web Security Scanner managed scans, however, the operation of scans could impact the following:

App Engine, Compute Engine, and GKE instance quota limits, and bandwidth (traffic) charges.
Quotas for API calls to App Engine services like mail and search, and Compute Engine and GKE services.

The actual amount of traffic generated from a scan depends on the application and the number of URLs, event handlers, forms, and parameters.

Web Security Scanner is optimized to keep traffic to a minimum. By default, the scan rate is throttled to approximately 15 queries per second (QPS), with slight variations in the rate due to the asynchronous nature of many web applications. A large scan stops after 100,000 test requests, not including requests related to site crawling. Site crawling requests are not capped.

Web Security Scanner pricing

Managed capabilities of Web Security Scanner are only included as part of Security Command Center Premium. While there is no direct charge for using Web Security Scanner, you might incur indirect charges when using the service.

Using Web Security Scanner impacts App Engine instance quota limits, bandwidth (traffic) charges, and quotas for API calls to App Engine services like mail and search. The actual amount of traffic generated from a scan depends on the application and the number of URLs, event handlers, forms, and parameters.

Web Security Scanner is optimized to keep traffic to a minimum. By default, the scan rate is throttled to approximately 15 queries per second (QPS), with slight variations in the rate due to the asynchronous nature of many web applications. Currently, a large scan stops after 100,000 test requests, not including requests related to site crawling. Site crawling requests are not capped.

Secured Landing Zone service service pricing

Managed capabilities of the Secured Landing Zone service service are only included as part of Security Command Center Premium. While there is no direct charge for using theSecured Landing Zone service service, you might incur indirect charges when using the service.

What's next

Read the Security Command Center documentation.
Get started with Security Command Center.
Learn about Security Command Center solutions and use cases.

Request a custom quote

With Google Cloud's pay-as-you-go pricing, you only pay for the services you use. Connect with our sales team to get a custom quote for your organization.

Contact sales

Security Command Center pricing

Pricing overview

Security Command Center tier pricing

VM Manager vulnerability reports

Standard tier pricing

Premium tier pricing

Premium tier pricing examples

Based on commit deal

When current annual spend rate is greater than your existing commit deal

Security Command Center Premium tier pricing not based on log consumption or usage

Related charges that are the side effect of using SCC Premium

Web Security Scanner pricing

Secured Landing Zone service service pricing

What's next

Request a custom quote