Security Command Center pricing
This document explains Security Command Center pricing details.
If you pay in a currency other than USD, the prices listed in your currency on Cloud Platform SKUs apply.
Security Command Center offers three service tiers: Standard, Premium, and Enterprise:
| Tier | Pricing model |
|---|---|
| Standard | Free of charge |
| Premium | Subscription-based pricing for organization-level activations only Pay-as-you-go pricing for project-level and organization-level activations |
| Enterprise | Subscription-based pricing for organization-level activations only |
Google Cloud charges only for the Premium and Enterprise service tiers of Security Command Center. The charges for Security Command Center are separate from any other Google Cloud charges.
Premium tier pricing is available as a fixed-price subscription and as a pay-as-you-go model. Pay-as-you-go pricing differs depending on whether Security Command Center is activated at the organization level or project level.
Enterprise tier pricing is available as a fixed-price subscription.
For information about the possible indirect charges that can apply to any tier, see Possible indirect charges associated with Security Command Center.
Premium tier: Subscription-based pricing
The Security Command Center Premium tier is available as a fixed-price subscription option.
Fixed-price subscription
Fixed-price subscription offers a predictable price with no overages or retro-charges. Pricing is based on the forecasted spend on Google Cloud services (not including Google Cloud Marketplace purchases, Premium Support or other Google-provided professional services).
If your total annual Google Cloud spend or spend commitment exceeds $15 million, contact your sales representative or Google Cloud partner to discuss the pricing options available to you.
If your total annual Google Cloud spend or spend commitment is less than $15 million, the annual cost of the Google Cloud component is calculated as follows:
- If you do not have a Google Cloud spend commitment, the cost of the subscription is 5% of your projected annualized run rate of Google Cloud spend based on your current spend levels. The subscription can be purchased for a one-year term.
- If you do have a Google Cloud spend commitment, the cost of the subscription is 5% of the larger of the following:
- Your committed annual spend for Google Cloud services.
- Your projected annualized run rate of Google Cloud services spend, based on your current spend levels, adjusted for projected growth.
You can attach the subscription to your new spend commitment contract, or add it to an existing one. In both cases, the subscription must be for a minimum of 12 months, but the term can be as long as the remaining time on the commitment contract. If you entered into a new spend commitment contract within the last 12 months, you may request to extend the subscription beyond the end of the commitment contract by up to 12 months. However, if your current annualized run rate is more than your next period's spend commitment, you can purchase the subscription only up to one year at a time.
Minimum subscription fee
The minimum annual cost of a Security Command Center Premium subscription is $15,000.
Ready to purchase? Contact us
To purchase a subscription, contact a Google Cloud sales specialist or your Google Cloud partner.
Premium tier: Pay-as-you-go pricing
Pricing for project-level activations
For project-level activations of Security Command Center Premium tier with pay-as-you-go pricing, the charges are based on the usage of certain Google Cloud services within the project.
The following table lists the Google Cloud services, the rates, and the usage metrics that will determine the charges for project-level activations of Security Command Center Premium tier with pay-as-you-go pricing.
| Google Cloud service | Security Command Center Premium rate |
|---|---|
| Compute Engine | $0.0071 / vCPU-hour |
| GKE Autopilot mode1 | $0.0071 / vCPU-hour |
| Cloud SQL | $0.0071 / vCPU-hour |
| App Engine - Standard | $0.001781 / instance-hour |
| App Engine - Flex | $0.0071 / vCore-hour |
| Cloud Storage | $0.002 / 1,000 Class A operations $0.0002 / 1,000 Class B operations |
| Artifact Analysis/Artifact Registry scanning | $0.20 per scan |
| BigQuery on-demand compute (analysis) | $1.00 / TB of data processed |
| BigQuery capacity compute (analysis) - editions | $0.00548 / slot hour |
Table notes:
- When running in GKE Standard mode, usage of worker nodes is included under Compute Engine.
Project-level activation pay-as-you-go pricing example
As an example, assume that you used the following Google Cloud services during a month:
- 50,000 vCPU hours across a variety of machine types and across various regions
- 100 BigQuery editions slots for compute (analysis)
- 5 million Class A operations in Cloud Storage
Based on the preceding usage, the charges for the Security Command Center Premium tier for the month would be calculated as follows:
- 50,000 vCPU-hours * $0.0071 = $355
- 100 slots * $0.00548 * 730 [average hours in a month] = $400
- 5,000,000 operations * $0.002/1,000 = $10
- Total cost = $765
Pricing for organization-level activations
For organization-level activations of Security Command Center Premium tier with pay-as-you-go pricing, the charges are based on the usage of certain Google Cloud services within the organization. Your usage is charged to the billing accounts associated with the projects in the organization.
The following table lists the Google Cloud services, the rates, and the usage metrics that will determine the charges for organization-level activations of Security Command Center Premium tier with pay-as-you-go pricing.
| Google Cloud service | Security Command Center rate |
|---|---|
| Compute Engine | $0.0057 / vCPU-hour |
| GKE Autopilot 1 | $0.0057 / vCPU-hour |
| Cloud SQL | $0.0057 / vCPU-hour |
| App Engine - Standard | $0.001425 / instance-hour |
| App Engine - Flex | $0.0057 / vCore-hour |
| Cloud Storage | $0.0016 / 1,000 Class A operations $0.00016 / 1,000 Class B operations |
| Artifact Analysis/Artifact Registry scanning | $0.20 per scan |
| BigQuery on-demand compute (analysis) | $0.80 / TB of data processed |
| BigQuery capacity compute (analysis) - editions | $0.004384 / slot hour |
Table notes:
- When running GKE in Autopilot mode. When running in Standard mode, usage of worker nodes is included under Compute Engine.
Organization-level activation pay-as-you-go pricing example
As an example, assume that you used the following Google Cloud services during a month:
- 50,000 vCPU hours across a variety of machine types and across various regions
- 100 BigQuery editions slots for compute analysis
- 5 million Class A operations in Cloud Storage
Based on the preceding usage, the charges for the Security Command Center Premium tier for the month would be calculated as follows:
- 50,000 * $0.0057 = $285
- 100 * $0.004384 * 730 [average hours in a month] = $320
- 5,000,000 * $0.0016/1,000 = $8
- Total cost = $613
Changing the level of Security Command Center Premium tier activation with pay-as-you-pricing
This section describes the changes that apply if the activation level of Security Command Center Premium tier with pay-as-you-go pricing changes.
Changing from project-level activations to an organization-level activation
If Security Command Center Premium tier is active for one or more projects in an organization that then activates Security Command Center Premium tier at the organization level, the following changes apply:
- The use of Security Command Center Premium tier across all projects within the organization is covered by the organization-level activation.
- The pricing terms for the organization-level activation of Security Command Center become the effective pricing terms.
Changing from an organization-level activation to a project-level activation
If Security Command Center Premium tier is active at the organization level and you use the pay-as-you-go pricing model, any project-level activations become effective after you downgrade the organization-level activation to the Standard tier.
If Security Command Center Premium tier is active at the organization level and you have a subscription, any project-level activations don't become effective until the subscription for the organization-level activation expires.
As soon as a subscription for an organization-level activation expires, any project-level activations that were set up before the expiration become active and start incurring charges.
Enterprise tier: Subscription-based pricing
The Security Command Center Enterprise tier is available as a fixed-price subscription.
Fixed-price subscription
Fixed-price subscription offers a predictable price with no overages or retro-charges. It has two components: a price to monitor your Google Cloud environments and a price to monitor other cloud environments.
Google Cloud component
The price for your Google Cloud environments is based on the forecasted spend on Google Cloud services (not including Google Cloud Marketplace purchases, Premium Support or other Google-provided professional services).
If your total annual Google Cloud spend or spend commitment on the five core services exceeds $15 million, contact your sales representative or Google Cloud partner to discuss the pricing options available to you.
If your total annual Google Cloud spend or spend commitment is less than $15 million, the annual cost of the Google Cloud component is calculated as follows:
If you do not have a Google Cloud spend commitment, the cost of the subscription is 5% of your projected annualized run rate of Google Cloud spend on the five core services, based on your current spend levels. The subscription can be purchased for a one-year term.
If you do have a Google Cloud spend commitment, the cost of the subscription is 5% of the larger of the following:
- Your committed annual Google Cloud spend on the five core services
- Your projected annualized run rate of Google Cloud spend on the five core services, based on your current spend levels, adjusted to growth with your commit.
You can attach the subscription to your new spend commitment contract, or add it to an existing one. In both cases, the subscription must be for a minimum of one year, but the term can be as long as the remaining time on the commitment contract. If you entered into a new spend commitment contract within the last 12 months, you may request to extend the subscription beyond the end of the commitment contract by up to 12 months. However, if your current annualized run rate is more than your next period's spend commitment, you can purchase the subscription only up to one year at a time.
Other clouds component
The price to monitor your other clouds is based on the size of the other cloud environments relative to the size of the Google Cloud environments. Environment size is measured by the number of assets that are being monitored by Security Command Center. You have the ability to control the number of assets being used in other clouds to maintain this ratio.
The following table shows the size designations and the corresponding subscription fee of the other clouds component.
| Size | Other cloud environment size1 | Subscription fee2 |
|---|---|---|
| Small | ≤ 10% | No fees |
| Medium | > 10% and ≤ 50% | 10% |
| Large | > 50% and ≤ 100% | 50% |
| Extra Large | > 100% and ≤ 150% | 100% |
| Custom | > 150% ("C%") | (C - 50)% |
Table notes:
- Relative to the size of your Google Cloud environments
- A percentage of the price of the Google Cloud component
For example, suppose that the price of your Google Cloud component is $100.00. For the other clouds component, you chose the medium tier. In this case, the price of your other clouds component is $10.00 (10% of $100.00).
Minimum subscription fee
The minimum annual cost of a Security Command Center Enterprise subscription is $15,000.
Ready to purchase? Contact us
To purchase a subscription, contact a Google Cloud sales specialist or your Google Cloud partner.
Possible indirect charges associated with Security Command Center
Regardless of which tier or activation level you choose, you can incur additional charges that are not directly attributed to Security Command Center, including—but not limited to—the following:
- Any costs associated with additional paid scanners like Sensitive Data Protection or a third-party partner scanner that adds data to Security Command Center. You will be billed by the scanner provider based on their usage fees.
Any costs associated with resources that are scanned by vulnerability scanners, such as Web Security Scanner, as explained in the following section. Artifact Analysis scanning does not increase resource costs for Artifact Registry or Google Kubernetes Engine (GKE).
Any costs associated with the ingestion and storage of log data. For more information, see Cloud Logging pricing.
Possible indirect charges associated with Model Armor
Model Armor is included in Security Command Center Enterprise and Premium tiers. Model Armor can also be purchased and used separately.
Model Armor pricing
Generative AI models break down text and other data into units called tokens. Model Armor uses the total number of tokens in AI prompts and responses for pricing purposes.
Model Armor uses the same token definition as Google Cloud Vertex AI: four characters (using UTF-8 code points) per token excluding white space. This token definition applies to all prompts and responses screened by Model Armor.
Model Armor in Security Command Center
Security Command Center includes Model Armor with a predefined number of tokens per month at no additional cost. The use of Model Armor beyond this no-cost monthly allocation is billed separately. See the following table for detailed pricing.
| Security Command Center tier | Tokens included at no cost (per month) | Cost per additional 1 million tokens |
|---|---|---|
| Enterprise | 3 billion | $1.20 |
| Premium - activated at an organization level | 2 million | $1.20 |
| Premium - activated at a project level | 2 million | $1.50 |
Model Armor purchased standalone
Model Armor can also be used without Security Command Center Premium or Enterprise tiers. In this standalone scenario, there is no cost for using Model Armor up to 2 million tokens per month. Use of Model Armor beyond this no-cost monthly allocation is billed at a rate of $1.50 per million tokens.
Indirect charges associated with vulnerability scans
For the Premium and Enterprise tiers, certain vulnerability scans that some built-in vulnerability detection services perform can increase the resource costs that are incurred by the scan targets. Artifact Analysis scanning of Artifact Registry does not increase resource costs, and there should be no indirect charges associated with these scans.
These indirect charges are not identified in billing as being associated with Security Command Center or its services.
The built-in Web Security Scanner service can perform these scans.
Examples of the charges that can be incurred at the scan target include the following:
- Incremental usage of App Engine, Compute Engine, and Google Kubernetes Engine.
- Incremental bandwidth (traffic) charges.
The actual amount of traffic generated from a scan depends on the application and the number of URLs, event handlers, forms, and parameters.
For this reason, the Security Command Center services are optimized to keep traffic to a minimum. For example, by default, the scan rate of Web Security Scanner is throttled to approximately 15 queries per second (QPS), with slight variations in the rate due to the asynchronous nature of many web applications. Currently, a large scan stops after 100,000 test requests, not including requests related to site crawling. Site crawling requests are not capped.
Any increase in network egress traffic that might be caused by vulnerability scans is dependent on the number of endpoints and hosted applications at the scan target, because each endpoint or application requires a separate scan.
Indirect charges associated with multicloud support
You can incur charges associated with the ingestion and storage of data from other clouds.
Multicloud support is included with the Enterprise tier.
What's next
- Read the Security Command Center documentation.
- Learn more about Security Command Center.
- Activate Security Command Center.