Security Command Center pricing

This document explains Security Command Center pricing details.

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

Security Command Center offers two service tiers, a Standard tier and a Premium tier, and two activation levels, project-level activation and organization-level activation.

Google Cloud charges only for the Premium service tier of Security Command Center. The charges for Security Command Center are separate from the amounts that Google Cloud charges for the use of the services themselves.

Project-level activations are charged based on a usage-based billing model, as described in Pricing for project-level activations.

Organization-level activations are charged on a usage-based billing model or a fixed-price subscription, as described in Pricing for organization-level activations.

For information about the possible indirect charges that can apply to either tier, see Indirect charges associated with built-in services.

Pricing for project-level activations

For project-level activations of Security Command Center, the Premium tier charges are based on the usage of certain Google Cloud services within the project.

The following table lists the Google Cloud services, the rates, and the usage metrics that will determine the charges for project-level activations of Security Command Center.

Google Cloud service Security Command Center Premium rate
Compute Engine $0.0071 / vCPU-hour
GKE Autopilot mode1 $0.0071 / vCPU-hour
Cloud SQL $0.0071 / vCPU-hour
App Engine - Standard $0.001781 / instance-hour
App Engine - Flex $0.0071 / vCore-hour
Cloud Storage $0.002 / 1,000 Class A operations
$0.0002 / 1,000 Class B operations
BigQuery on-demand compute (analysis) $1.00 / TB of data processed
BigQuery capacity compute (analysis) - editions $0.00548 / slot hour

Table notes:

  1. When running in GKE Standard mode, usage of worker nodes is included under Compute Engine.

Project-level activation pricing example

As an example, assume that you used the following Google Cloud services during a month:

  • 50,000 vCPU hours across a variety of machine types and across various regions
  • 100 BigQuery editions slots for compute (analysis)
  • 5 million Class A operations in Cloud Storage

Based on the preceding usage, the charges for the Security Command Center Premium tier for the month would be calculated as follows:

  • 50,000 vCPU-hours * $0.0071 = $355
  • 100 slots * $0.00548 * 730 [average hours in a month] = $400
  • 5,000,000 operations * $0.002/1,000 = $10
  • Total cost = $765

Pricing for organization-level activations

For organization-level activations of Security Command Center, the Premium tier pricing is available as either a usage-based billing model or a fixed-price subscription. If you want to purchase a subscription, contact a Google Cloud sales representative or your Cloud partner.

The ability to activate the Security Command Center Premium tier at the organization level using the usage-based pricing option lets you base your Security Command Center charges on your usage of certain Google Cloud services within the organization. Your usage is charged to the billing accounts associated with the projects in the organization.

The following table lists the Google Cloud services, the rates, and the usage metrics that will determine the charges for organization-level, usage-based activation of Security Command Center.

Google Cloud service Security Command Center rate
Compute Engine $0.0057 / vCPU-hour
GKE Autopilot 1 $0.0057 / vCPU-hour
Cloud SQL $0.0057 / vCPU-hour
App Engine - Standard $0.001425 / instance-hour
App Engine - Flex $0.0057 / vCore-hour
Cloud Storage $0.0016 / 1,000 Class A operations
$0.00016 / 1,000 Class B operations
BigQuery on-demand compute (analysis) $0.80 / TB of data processed
BigQuery capacity compute (analysis) - editions $0.004384 / slot hour

Table notes:

  1. When running GKE in Autopilot mode. When running in Standard mode, usage of worker nodes is included under Compute Engine.

Pricing example for usage-based pricing for organization-level activations

As an example, assume that you used the following Google Cloud services during a month:

  • 50,000 vCPU hours across a variety of machine types and across various regions
  • 100 BigQuery editions slots for compute analysis
  • 5 million Class A operations in Cloud Storage

Based on the preceding usage, the charges for the Security Command Center Premium tier for the month would be calculated as follows:

  • 50,000 * $0.0057 = $285
  • 100 * $0.004384 * 730 [average hours in a month] = $320
  • 5,000,000 * $0.0016/1,000 = $8
  • Total cost = $613

Changing the level of Security Command Center activation

If the activation level of Security Command Center changes, the billing model changes with it.

Changing from project-level activations to an organization-level activation

If Security Command Center Premium tier is active for one or more projects in an organization that then activates Security Command Center Premium tier at the organization level, the following changes apply:

  • The use of Security Command Center Premium tier is covered by the organization-level activation and is no longer charged to any of the projects.
  • The pricing terms for the organization-level activation of Security Command Center become the effective pricing terms.

Changing from an organization-level activation to a project-level activation

If Security Command Center Premium tier is active at the organization level and you use the usage-based billing model, any project-level activations become effective after you downgrade the organization-level activation to the Standard tier.

If Security Command Center Premium tier is active at the organization level and you have a subscription, any project-level activations don't become effective until the subscription for the organization-level activation expires.

As soon as a subscription for an organization-level activation expires, any project-level activations that were set up before the expiration become active and start incurring charges.

Possible indirect charges associated with Security Command Center

Regardless of which tier or activation level you choose, you can incur additional charges that are not directly attributed to Security Command Center, including the following:

  • Any costs associated with additional paid scanners like Sensitive Data Protection or a third-party partner scanner that adds data to Security Command Center. You will be billed by the scanner provider based on their usage fees.
  • Any costs associated with resources that are scanned by vulnerability scanners, such as Web Security Scanner, as explained in the following section.

Indirect charges associated with vulnerability scans

Certain vulnerability scans that some built-in, Premium tier vulnerability detection services perform, can increase the resource costs that are incurred by the scan targets.

These indirect charges are not identified in billing as being associated with Security Command Center or its services.

The built-in services that perform such scans include:

  • Web Security Scanner
  • Rapid Vulnerability Detection (Preview)

Examples of the charges that can be incurred at the scan target include the following:

  • Incremental usage of App Engine, Compute Engine, and Google Kubernetes Engine.
  • Incremental bandwidth (traffic) charges.

The actual amount of traffic generated from a scan depends on the application and the number of URLs, event handlers, forms, and parameters.

For this reason, the Security Command Center services are optimized to keep traffic to a minimum. For example, by default, the scan rate of Web Security Scanner is throttled to approximately 15 queries per second (QPS), with slight variations in the rate due to the asynchronous nature of many web applications. Currently, a large scan stops after 100,000 test requests, not including requests related to site crawling. Site crawling requests are not capped.

As another example, Rapid Vulnerability Detection scans can increase network egress traffic from a scanned VM. The network egress traffic is billed to the target VM.

Any increase in network egress traffic that might be caused by vulnerability scans is dependent on the number of endpoints and hosted applications at the scan target, because each endpoint or application requires a separate scan. For example, if the scan targets of an organization are all within North American regions, a single Rapid Vulnerability Detection scan uses an estimated 200 KB of egress traffic. If the organization runs 100,000 scans a month, the resulting increase in billable traffic would be around 20 GB.

What's next