Pricing

This document explains Security Command Center pricing details.

You can also use the Google Cloud Pricing Calculator to estimate the cost of using Security Command Center.

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

Pricing overview

When you use Security Command Center Premium or Standard tier, you may be charged for the following:

  • Any costs associated with the Security Command Center tier you select, as described later on this page.
  • Any costs associated with additional paid scanners like Cloud Data Loss Prevention (Cloud DLP) or a third-party partner scanner to add data to Security Command Center. You will be billed by the scanner provider based on their usage fees.
  • Any App Engine costs associated with using Web Security Scanner, as described later on this page.

Security Command Center tier pricing

Security Command Center pricing is based on the Security Command Center tier that you select:

Tier details

Standard tier features

  • Security Health Analytics: in the Standard tier, Security Health Analytics provides managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets. In the Standard tier, Security Health Analytics includes the following finding types:

    • 2SV_NOT_ENFORCED
    • NON_ORG_IAM_MEMBER
    • OPEN_FIREWALL
    • OPEN_RDP_PORT
    • OPEN_SSH_PORT
    • OPEN_TELNET_PORT
    • PUBLIC_BUCKET_ACL
    • PUBLIC_COMPUTE_IMAGE
    • PUBLIC_IP_ADDRESS
    • PUBLIC_LOG_BUCKET
    • PUBLIC_SQL_INSTANCE
    • SSL_NOT_ENFORCED
    • WEB_UI_ENABLED
  • Web Security Scanner custom scans: in the Standard tier, Web Security Scanner supports custom scans of deployed applications with public URLs and IPs that aren't behind a firewall.

Premium tier features

  • Event Threat Detection monitors your organization's Cloud Logging stream and consumes logs for one or more projects as they become available to detect the following threats:
    • Malware
    • Cryptomining
    • Brute force SSH
    • Outgoing DoS
    • IAM anomalous grant
    • Data exfiltration
  • Container Threat Detection detects the following container runtime attacks:
    • Suspicious binary
    • Suspicious library
    • Reverse shell
  • Security Health Analytics: in the Premium tier, Security Health Analytics provides monitoring for many industry best practices, and compliance monitoring across your Google Cloud assets. These results can also be reviewed in a Compliance dashboard and exported as manageable CSVs.

    In the Premium tier, Security Health Analytics includes monitoring and reporting for:

    • CIS 1.0
    • PCI DSS v3.2.1
    • NIST 800-53
    • ISO 27001
  • Web Security Scanner provides managed scans that identify the following security vulnerabilities in your Google Cloud apps:
    • Cross-site scripting (XSS)
    • Flash injection
    • Mixed-content
    • Clear text passwords
    • Usage of insecure JavaScript libraries
  • The Premium tier also includes all Standard tier features.

Standard tier pricing

Security Command Center Standard tier is free of charge.

Premium tier pricing

Security Command Center Premium tier is available as either a one-year or multi-year fixed-price subscription. The annual cost of the subscription is 5% of the larger of:

  • Your committed annual Google Cloud spend; or
  • Your actual current annualized Google Cloud spend.

There is a minimum annual cost of $25,000. You can attach the Security Command Center Premium tier subscription to a new commit deal, or add Security Command Center Premium to an existing commit deal. In both cases, the Security Command Center Premium tier subscription is coterminous with your commit deal. The subscription is billed monthly over the term of the subscription.

For specific details, contact your sales representative.

Premium tier pricing examples

Following are examples of Security Command Center Premium tier subscription costs:

Based on commit deal

If you have a multi-year commit deal structured at:

  • Year 1 at $1 million
  • Year 2 at $2 million
  • Year 3 at $4 million

Then your Security Command Center Premium tier fixed price would be:

  • Year 1 at $50,000
  • Year 2 at $100,000
  • Year 3 at $200,000

In the preceding scenario, even if your annual spend on Google Cloud in year one was actually $1.2 million, the Security Command Center Premium charges for that year would still be fixed at $4,167 per month, or $50,000 total.

Your total cost for the preceding multi-year deal would be $350,000. Even if your usage during the three-year term goes above the commit, your total Security Command Center Premium tier costs during the three-year commit will still be $350,000.

When current annual spend rate is greater than your existing commit deal

If you have a multi-year commit deal structured at:

  • Year 1 at $1 million
  • Year 2 at $2 million
  • Year 3 at $4 million

but your current annual spend rate in year 1 is $1.5 million, then your Security Command Center Premium tier fixed price would be:

  • Year 1 at $75,000 (since your $1.5 million annual spend rate is higher than your $1 million commit)
  • Year 2 at $100,000
  • Year 3 at $200,000

In the preceding scenario, even if, after subscribing to Security Command Center Premium tier, your actual spend on Google Cloud in year 1 grew even higher to $1.9 million, the Security Command Center Premium tier charges for that year would still be fixed at $6,250 per month, or $75,000 total.

Your total cost for the preceding multi-year deal would be $375,000. Even if your usage during the 3-year term goes above the commit, your total Security Command Center Premium tier costs during the 3-year commit will still be $375,000.

Security Command Center Premium tier pricing not based on log consumption or usage

When you subscribe to the Security Command Center Premium tier, all of the processing of required log data for Event Threat Detection in your organization is included. You won't be charged based on the volumes of log data consumed.

The Security Command Center Premium tier includes setup of Web Security Scanner autoscans. However, the operation of these autoscans could impact the following:

  • App Engine, Compute Engine, and GKE instance quota limits, and bandwidth (traffic) charges.
  • Quotas for API calls to App Engine services like mail and search, and Compute Engine and GKE services.

The actual amount of traffic generated from a scan depends on the application and the number of URLs, event handlers, forms, and parameters.

Web Security Scanner is optimized to keep traffic to a minimum. By default, the scan rate is throttled to approximately 15 queries per second (QPS), with slight variations in the rate due to the asynchronous nature of many web applications. Currently, a large scan stops after 100,000 test requests, not including requests related to site crawling. Site crawling requests are not capped.

Legacy pricing

The following section describes the pricing that applies if you haven't migrated to the Security Command Center Premium or Standard tier.

Web Security Scanner pricing

Managed capabilities of Web Security Scanner are only included as part of Security Command Center Premium, and there is no direct charge for using Web Security Scanner. However, you may incur indirect charges when using Web Security Scanner.

Using Web Security Scanner impacts App Engine instance quota limits, bandwidth (traffic) charges, and quotas for API calls to App Engine services like mail and search. The actual amount of traffic generated from a scan depends on the application and the number of URLs, event handlers, forms, and parameters.

Web Security Scanner is optimized to keep traffic to a minimum. By default, the scan rate is throttled to approximately 15 queries per second (QPS), with slight variations in the rate due to the asynchronous nature of many web applications. Currently, a large scan stops after 100,000 test requests, not including requests related to site crawling. Site crawling requests are not capped.