Security Command Center pricing

This document explains Security Command Center pricing details.

If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.

Pricing for the Security Command Center tiers is structured as follows:

| Tier | Pricing model |
|---|---|
| Standard | Free of charge |
| Premium | Pay-as-you-go pricing for project-level activations; pay-as-you-go pricing for organization-level activations |
| Enterprise | Subscription-based pricing for organization-level activations only |

Security Command Center offers three service tiers: Standard, Premium, and Enterprise.

Google Cloud charges only for the Premium and Enterprise service tiers of Security Command Center. The charges for Security Command Center are separate from the amounts that Google Cloud charges for the use of the services that are listed on this page.

Premium tier pricing is available as a pay-as-you-go model; pricing differs depending on whether Security Command Center is activated at the organization level or project level.

Enterprise tier pricing is available as a subscription.

For information about the possible indirect charges that can apply to any tier, see Possible indirect charges associated with Security Command Center.

Premium tier: Pricing for project-level activations

For project-level activations of Security Command Center, the Premium tier charges are based on the usage of certain Google Cloud services within the project.

The following table lists the Google Cloud services, the rates, and the usage metrics that will determine the charges for project-level activations of Security Command Center.

| Google Cloud service | Security Command Center Premium rate |
|---|---|
| Compute Engine | $0.0071 / vCPU-hour |
| GKE Autopilot mode (1) | $0.0071 / vCPU-hour |
| Cloud SQL | $0.0071 / vCPU-hour |
| App Engine - Standard | $0.001781 / instance-hour |
| App Engine - Flex | $0.0071 / vCore-hour |
| Cloud Storage | $0.002 / 1,000 Class A operations; $0.0002 / 1,000 Class B operations |
| BigQuery on-demand compute (analysis) | $1.00 / TB of data processed |
| BigQuery capacity compute (analysis) - editions | $0.00548 / slot hour |

Table notes:

  1. When running in GKE Standard mode, usage of worker nodes is included under Compute Engine.

Premium tier: Project-level activation pricing example

As an example, assume that you used the following Google Cloud services during a month:

  • 50,000 vCPU hours across a variety of machine types and across various regions
  • 100 BigQuery editions slots for compute (analysis)
  • 5 million Class A operations in Cloud Storage

Based on the preceding usage, the charges for the Security Command Center Premium tier for the month would be calculated as follows:

  • 50,000 vCPU-hours * $0.0071 = $355
  • 100 slots * $0.00548 * 730 [average hours in a month] = $400
  • 5,000,000 operations * $0.002/1,000 = $10
  • Total cost = $765

Premium tier: Pricing for organization-level activations

For organization-level activations of Security Command Center, the Premium tier pricing is available as a pay-as-you-go model.

The ability to activate the Security Command Center Premium tier at the organization level lets you base your Security Command Center charges on your usage of certain Google Cloud services within the organization. Your usage is charged to the billing accounts associated with the projects in the organization.

The following table lists the Google Cloud services, the rates, and the usage metrics that will determine the charges for organization-level activations of Security Command Center with pay-as-you-go pricing.

| Google Cloud service | Security Command Center rate |
|---|---|
| Compute Engine | $0.0057 / vCPU-hour |
| GKE Autopilot (1) | $0.0057 / vCPU-hour |
| Cloud SQL | $0.0057 / vCPU-hour |
| App Engine - Standard | $0.001425 / instance-hour |
| App Engine - Flex | $0.0057 / vCore-hour |
| Cloud Storage | $0.0016 / 1,000 Class A operations; $0.00016 / 1,000 Class B operations |
| BigQuery on-demand compute (analysis) | $0.80 / TB of data processed |
| BigQuery capacity compute (analysis) - editions | $0.004384 / slot hour |

Table notes:

  1. Applies when running GKE in Autopilot mode. When running in Standard mode, usage of worker nodes is included under Compute Engine.

Premium tier: Example for pay-as-you-go pricing for organization-level activations

As an example, assume that you used the following Google Cloud services during a month:

  • 50,000 vCPU hours across a variety of machine types and across various regions
  • 100 BigQuery editions slots for compute analysis
  • 5 million Class A operations in Cloud Storage

Based on the preceding usage, the charges for the Security Command Center Premium tier for the month would be calculated as follows:

  • 50,000 * $0.0057 = $285
  • 100 * $0.004384 * 730 [average hours in a month] = $320
  • 5,000,000 * $0.0016/1,000 = $8
  • Total cost = $613

Premium tier: Changing the level of Security Command Center activation

This section describes the changes that apply if the activation level of Security Command Center changes.

Premium tier: Changing from project-level activations to an organization-level activation

If Security Command Center Premium tier is active for one or more projects in an organization that then activates Security Command Center Premium tier at the organization level, the following changes apply:

  • The use of Security Command Center Premium tier across all projects within the organization is covered by the organization-level activation.
  • The pricing terms for the organization-level activation of Security Command Center become the effective pricing terms.

Premium tier: Changing from an organization-level activation to a project-level activation

If Security Command Center Premium tier is active at the organization level and you use the pay-as-you-go pricing model, any project-level activations become effective after you downgrade the organization-level activation to the Standard tier.

If Security Command Center Premium tier is active at the organization level and you have a subscription, any project-level activations don't become effective until the subscription for the organization-level activation expires.

As soon as a subscription for an organization-level activation expires, any project-level activations that were set up before the expiration become active and start incurring charges.

Pricing for the Enterprise tier

For the Security Command Center Enterprise tier, pricing follows a subscription model and is based on the number of workloads that Security Command Center is protecting. The table in this section defines how a workload is counted for each supported resource type. Each month, you are charged a base price plus charges from any usage overages that are not covered by your total subscription amount for a given period.

  • Subscription length: Subscriptions have a minimum length of one year.
  • Subscription period: A subscription is made up of one or more subscription periods. Typically, there is one subscription period per year.
  • Base annual price per workload: This value starts at $309 per workload and can be as low as $199 per workload, based on the number of workloads that you purchase and the length of the subscription.
  • Number of workloads purchased in the subscription: You can purchase a different number of workloads for each period within the entire subscription. You can consume these workloads throughout the period at any pace. At the end of a period, unused workloads purchased do not carry over to the subsequent period. All applicable workloads in a Google Cloud organization are billed for regardless of the number of workloads licensed. Overage fees apply.
  • Subscription price: This value is calculated based on the number of workloads you purchase multiplied by the price per workload per period. This price is charged monthly in arrears.
  • Overage fees: Overage fees start after you fully consume the total subscription amount of the current period. Overage fees are charged at the rate of the base annual price per workload. That is, if a discounted price per workload was applied for the base annual price, the same discounted price applies for the overage fees.

The following table shows what counts as a workload for each resource type that the Enterprise tier charges for. Workloads are metered and reported on an ongoing basis as fractional workloads and charged accordingly. For example, if you consume 600 TB of BigQuery data in one hour, that is counted as 1.5 workloads.

| Resource type | Google Cloud service | AWS service |
|---|---|---|
| Virtual machines: 1 VM with 4 or more vCPUs running for a year = 1 workload. Container nodes: 1 node with 4 or more vCPUs running for a year = 2 workloads | Compute Engine | Amazon EC2 |
| Managed containers (Kubernetes Pods and ECS tasks) and database instances: 1 vCPU running for a year = 0.25 workload | GKE Autopilot mode; Cloud SQL | Amazon EKS; Amazon ECS; Amazon RDS |
| Big data: 400 TB = 1 workload; 8 slots running for a year = 1 workload | BigQuery | Not applicable |
| Storage: 200 million Class A operations = 1 workload; 2 billion Class B operations = 1 workload | Cloud Storage | Amazon S3 |

If you want to purchase a subscription, contact a Google Cloud sales specialist or your Google Cloud partner.

Enterprise tier pricing example

Consider the following example values:

  • Subscription length: 12 months
  • Subscription period: 12 months
  • Starting workload count: 1,000
  • Predicted workload count at the end of the period: 3,000
  • Calculated total workloads in the period: 1,000 + (3,000 - 1,000) / 2 = 2,000 (assumes a linear increase)
  • Number of workloads purchased in the subscription: 2,000

Based on these example values, the charges for the Security Command Center Enterprise tier are calculated as follows:

  • Base annual price: 2,000 workloads * $309 per workload = $618,000 (based on an undiscounted base price of $309 per workload)
  • Subscription price: $618,000 / 12 = $51,500 per month
  • Overage fees: If the total subscription amount for the period (2,000 workloads) is consumed in month 9, overage fees start in month 10 at the same rate used to calculate the base annual price: $309 per surplus workload, in this case.

Possible indirect charges associated with Security Command Center

Regardless of which tier or activation level you choose, you can incur additional charges that are not directly attributed to Security Command Center, including—but not limited to—the following:

  • Any costs associated with additional paid scanners like Sensitive Data Protection or a third-party partner scanner that adds data to Security Command Center. You will be billed by the scanner provider based on their usage fees.
  • Any costs associated with resources that are scanned by vulnerability scanners, such as Web Security Scanner, as explained in the following section.
  • Any costs associated with the ingestion and storage of log data. For more information, see Cloud Logging pricing.

Indirect charges associated with vulnerability scans

For the Premium and Enterprise tiers, certain vulnerability scans that some built-in vulnerability detection services perform can increase the resource costs that are incurred by the scan targets.

These indirect charges are not identified in billing as being associated with Security Command Center or its services.

The built-in services that perform such scans include:

  • Web Security Scanner
  • Rapid Vulnerability Detection (Preview)

Examples of the charges that can be incurred at the scan target include the following:

  • Incremental usage of App Engine, Compute Engine, and Google Kubernetes Engine.
  • Incremental bandwidth (traffic) charges.

The actual amount of traffic generated from a scan depends on the application and the number of URLs, event handlers, forms, and parameters.

For this reason, the Security Command Center services are optimized to keep traffic to a minimum. For example, by default, the scan rate of Web Security Scanner is throttled to approximately 15 queries per second (QPS), with slight variations in the rate due to the asynchronous nature of many web applications. Currently, a large scan stops after 100,000 test requests, not including requests related to site crawling. Site crawling requests are not capped.

As another example, Rapid Vulnerability Detection scans can increase network egress traffic from a scanned VM. The network egress traffic is billed to the target VM.

Any increase in network egress traffic that might be caused by vulnerability scans is dependent on the number of endpoints and hosted applications at the scan target, because each endpoint or application requires a separate scan. For example, if the scan targets of an organization are all within North American regions, a single Rapid Vulnerability Detection scan uses an estimated 200 KB of egress traffic. If the organization runs 100,000 scans a month, the resulting increase in billable traffic would be around 20 GB.

Indirect charges associated with multicloud support

You can incur charges associated with the ingestion and storage of data from other clouds.

Multicloud support is included with the Enterprise tier.
