This document explains Security Command Center pricing details.
If you pay in a currency other than USD, the prices listed in your currency onCloud Platform SKUsapply.
Pricing for the Security Command Center tiers is structured as follows:
| Tier | Pricing model |
|---|---|
| Standard | Free of charge |
| Premium | Pay-as-you-go pricing for project-level activations |
| Pay-as-you-go pricing for organization-level activations | |
| Enterprise | Subscription-based pricing for organization-level activations only |
Security Command Center offers three service tiers: Standard, Premium, andEnterprise.
Google Cloud charges only for the Premium and Enterprise servicetiers of Security Command Center. The charges for Security Command Center are separatefrom the amounts that Google Cloud charges for the use of the servicesthat are listed on this page.
Premium tier pricing is available as a pay-as-you-go model; pricingdiffers depending on whether Security Command Center is activated at the organizationlevel or project level.
Enterprise tier pricing is available as a fixed-pricesubscription or an asset-based subscription.
For information about the possible indirect charges that can apply toany tier, see Possible indirect charges associated with Security Command Center.
Premium tier: Pricing for project-level activations
For project-level activations of Security Command Center, the Premium tier chargesare based on the usage of certain Google Cloud services within theproject.
The following table lists the Google Cloud services, the rates, and theusage metrics that will determine the charges for project-level activations ofSecurity Command Center.
| Google Cloud service | Security Command Center Premium rate |
|---|---|
| Compute Engine | $0.0071 / vCPU-hour |
| GKE Autopilot mode1 | $0.0071 / vCPU-hour |
| Cloud SQL | $0.0071 / vCPU-hour |
| App Engine - Standard | $0.001781 / instance-hour |
| App Engine - Flex | $0.0071 / vCore-hour |
| Cloud Storage | $0.002 / 1,000 Class A operations $0.0002 / 1,000 Class B operations |
| BigQuery on-demand compute (analysis) | $1.00 / TB of data processed |
| BigQuery capacity compute (analysis) - editions | $0.00548 / slot hour |
Table notes:
- When running in GKE Standard mode, usage of worker nodes is included under Compute Engine.
Premium tier: Project-level activation pricing example
As an example, assume that you used the following Google Cloud servicesduring a month:
- 50,000 vCPU hours across a variety of machine types and across various regions
- 100 BigQuery editions slots for compute (analysis)
- 5 million Class A operations in Cloud Storage
Based on the preceding usage, the charges for the Security Command CenterPremium tier for the month would be calculated as follows:
- 50,000 vCPU-hours * $0.0071 = $355
- 100 slots * $0.00548 * 730 [average hours in a month] = $400
- 5,000,000 operations * $0.002/1,000 = $10
- Total cost = $765
Premium tier: Pricing for organization-level activations
For organization-level activations of Security Command Center,the Premium tier pricing is available as a pay-as-you-go model.
The ability to activate the Security Command Center Premium tier at theorganization level lets you base yourSecurity Command Center charges on your usage of certain Google Cloud serviceswithin the organization. Your usage is charged to the billing accountsassociated with the projects in the organization.
The following table lists the Google Cloud services, the rates,and the usage metrics that will determine the charges for organization-levelactivations of Security Command Center with pay-as-you-go pricing.
| Google Cloud service | Security Command Center rate |
|---|---|
| Compute Engine | $0.0057 / vCPU-hour |
| GKE Autopilot 1 | $0.0057 / vCPU-hour |
| Cloud SQL | $0.0057 / vCPU-hour |
| App Engine - Standard | $0.001425 / instance-hour |
| App Engine - Flex | $0.0057 / vCore-hour |
| Cloud Storage | $0.0016 / 1,000 Class A operations $0.00016 / 1,000 Class B operations |
| BigQuery on-demand compute (analysis) | $0.80 / TB of data processed |
| BigQuery capacity compute (analysis) - editions | $0.004384 / slot hour |
Table notes:
- When running GKE in Autopilot mode. When running in Standard mode, usage of worker nodes is included under Compute Engine.
Premium tier: Example for pay-as-you-go pricing for organization-level activations
As an example, assume that you used the following Google Cloud services during a month:
- 50,000 vCPU hours across a variety of machine types and across various regions
- 100 BigQuery editions slots for compute analysis
- 5 million Class A operations in Cloud Storage
Based on the preceding usage, the charges for the Security Command CenterPremium tier for the month would be calculated as follows:
- 50,000 * $0.0057 = $285
- 100 * $0.004384 * 730 [average hours in a month] = $320
- 5,000,000 * $0.0016/1,000 = $8
- Total cost = $613
Premium tier: Changing the level of Security Command Center activation
This section describes the changes that apply if the activation level ofSecurity Command Center changes.
Premium tier: Changing from project-level activations to an organization-level activation
If Security Command Center Premium tier is active for one or more projects in anorganization that then activates Security Command Center Premium tier at theorganization level, the following changes apply:
- The use of Security Command Center Premium tier across all projects within theorganization is covered by the organization-level activation.
- The pricing terms for the organization-level activation of Security CommandCenter become the effective pricing terms.
Premium tier: Changing from an organization-level activation to a project-level activation
If Security Command Center Premium tier is active at the organization level and youuse the pay-as-you-go pricing model, any project-level activations becomeeffective after you downgrade the organization-level activation to the Standardtier.
If Security Command Center Premium tier is active at the organization level and youhave a subscription, any project-level activations don't become effective untilthe subscription for the organization-level activation expires.
As soon as a subscription for an organization-level activation expires, anyproject-level activations that were set up before the expiration become activeand start incurring charges.
Pricing for the Enterprise tier
For the Security Command Center Enterprise tier, there are two subscription modelsavailable directly from Google: fixed-price subscription andasset-based subscription. Fixed-price subscription works formost customers, because it offers a predictable price. However, depending onyour needs, asset-based subscription can be the appropriate choice.
Definition of an asset
The size of your environments is measured by the number of assets that are beingmonitored by Security Command Center.
For both fixed-price and asset-based subscription models, the following tablespecifies the definition of an asset for each resource type that the Enterprisetier charges for.
| Resource type | Google Cloud service | AWS service |
|---|---|---|
Virtual machines 1 VM with 4 or more vCPUs running for a year = 1 asset Container nodes 1 node with 4 or more vCPUs running for a year = 2 assets | Compute Engine | Amazon EC2 |
Managed containers (Kubernetes Pods and ECS tasks) and database instances 1 vCPU running for a year = 0.25 asset | GKE Autopilot mode Cloud SQL | Amazon EKS Amazon ECS Amazon RDS |
Big data 800 TB = 1 asset 16 slots running for a year = 1 asset | BigQuery | Not applicable |
Storage 200 million Class A operations = 1 asset 2 billion Class B operations = 1 asset | Cloud Storage | Amazon S3 |
Fixed-price subscription
Fixed-price subscription offers a predictable price with no overages orretro-charges. It has two components: a price to monitor yourGoogle Cloud environments and a price to monitor other cloud environments.
Google Cloud component
The price to monitor your Google Cloud environments is based on theforecasted spend on five core Google Cloud services:
- Compute Engine
- Google Kubernetes Engine
- Cloud SQL
- BigQuery
- Cloud Storage
If your total annual Google Cloud spend or spend commitment on the fivecore services exceeds $15 million, contact your sales representative orGoogle Cloud partner to discuss the pricing options available to you.
If your total annual Google Cloud spend or spend commitment is lessthan $15 million, the annual cost of the Google Cloud component iscalculated as follows:
If you do not have a Google Cloud spend commitment, the cost of thesubscription is 5% of your projected annualized run rate of Google Cloudspend on the five core services, based on your current spend levels. Thesubscription can be purchased for a one-year term.
If you do have a Google Cloud spend commitment, the cost of thesubscription is 5% of the larger of the following:
- Your committed annual Google Cloud spend on the five core services
- Your projected annualized run rate of Google Cloud spend on the fivecore services, based on your current spend levels, adjusted to growth withyour commit.
You can attach the subscription to your new spend commitment contract, oradd it to an existing one. In both cases, the subscription must be for aminimum of one year, but the term can be as long as the remaining time on thecommitment contract. If you entered into a new spend commitment contractwithin the last 12 months, you may request to extend the subscriptionbeyond the end of the commitment contract by up to 12 months. However, if yourcurrent annualized run rate is more than your next period's spendcommitment, you can purchase the subscription only up to one year at a time.
Other clouds component
The price to monitor your other clouds is based on the size of the other cloudenvironments relative to the size of the Google Cloud environments.Environment size is measured by the number of assets thatare being monitored by Security Command Center. You have the ability to control thenumber of assets being used in other clouds to maintain this ratio.
The following table shows the size designations and the correspondingsubscription fee of the other clouds component.
| Size | Other cloud environment size1 | Subscription fee2 |
|---|---|---|
| Small | ≤ 10% | No fees |
| Medium | > 10% and ≤ 50% | 10% |
| Large | > 50% and ≤ 100% | 50% |
| Extra Large | > 100% and ≤ 150% | 100% |
| Custom | > 150% ("C%") | (C - 50)% |
Table notes:
- Relative to the size of your Google Cloud environments
- A percentage of the price of the Google Cloud component
For example, suppose that the price of your Google Cloud component is $100.00.For the other clouds component, you chose the medium tier. In this case, theprice of your other clouds component is $10.00 (10% of $100.00).
Asset-based subscription
An asset-based subscription is based on the number of assets thatSecurity Command Center is monitoring. Assets are metered and reported on anongoing basis as fractional assets and charged accordingly. For example, ifyou consume 1,200TB of BigQuery data in one hour, that is countedas 1.5 assets. For information about how an asset is countedfor each service, see Definition of an asset.
Each month, you are charged a base price plus charges from any usage overagesthat are not covered by your total subscription amount for a given period.
- Subscription length: Subscriptions have a minimum length of one year.
- Subscription period: A subscription is made up of one or moresubscription periods. Typically, there is one subscription period per year.
- Base annual price per asset: This value starts at $309 per asset andcan be as low as $199 per asset, based on the number of assets thatyou purchase and the length of the subscription.
- Number of assets purchased in the subscription: You can purchase adifferent number of assets for each period within the entire subscription.You can consume these assets throughout the period at any pace. At the endof a period, unused assets purchased do not carry over to the subsequentperiod. Overage fees apply.
- Subscription price: This value is calculated based on the number ofassets you purchase multiplied by the price per asset per period. Thisprice is charged monthly in arrears.
- Overage fees: Overage fees start after you fully consume the totalsubscription amount of the current period. Overage fees are charged at therate of the base annual price per asset. That is, if a discounted price perasset was applied for the base annual price, the same discounted priceapplies for the overage fees.
Asset-based subscription pricing example
Consider the following example values:
- Subscription length: 12 months
- Subscription period: 12 months
- Starting asset count: 1,000
- Predicted asset count at the end of the period: 3,000
- Calculated total assets in the period: 1,000 + (3,000 - 1,000) / 2 =2,000 (assumes a linear increase)
- Number of assets purchased in the subscription: 2,000
Based on these example values, the charges for the Security Command Center Enterprisetier are calculated as follows:
- Base annual price: 2,000 assets * $309 per asset = $618,000 (basedon an undiscounted base price of $309 per asset)
- Subscription price: $618,000 / 12 = $51,500 per month
- Overage fees: If the total subscription amount for the period (2,000assets) is consumed in month 9, overage fees start in month 10 at the samerate used to calculate the base annual price: $309 per surplus asset, inthis case.
Minimum subscription fee
The minimum annual cost of a Security Command Center Enterprise subscription is$15,000. This cost applies to both fixed-price subscription andasset-based subscription. To purchase a subscription, contact aGoogle Cloud sales specialist or your Google Cloud partner.
Possible indirect charges associated with Security Command Center
Regardless of which tier or activation level you choose, you can incuradditional charges that are not directly attributed to Security Command Center,including—but not limited to—the following:
- Any costs associated with additional paid scanners like Sensitive Data Protection or athird-party partner scanner that adds data to Security Command Center. You will bebilled by the scanner provider based on their usage fees.
- Any costs associated with resources that are scanned by vulnerabilityscanners, such as Web Security Scanner, as explained in the followingsection.
- Any costs associated with the ingestion andstorage of log data. For more information, see Cloud Logging pricing.
Indirect charges associated with vulnerability scans
For the Premium and Enterprise tiers, certain vulnerability scans that somebuilt-in vulnerability detection services perform can increase the resourcecosts that are incurred by the scan targets.
These indirect charges are not identified in billing as being associated withSecurity Command Center or its services.
The built-in Web Security Scanner service can perform these scans.
Examples of the charges that can be incurred at the scan target include thefollowing:
- Incremental usage of App Engine, Compute Engine, andGoogle Kubernetes Engine.
- Incremental bandwidth (traffic) charges.
The actual amount of traffic generated from a scan depends on the applicationand the number of URLs, event handlers, forms, and parameters.
For this reason, the Security Command Center services are optimized to keeptraffic to a minimum. For example, by default, the scan rate ofWeb Security Scanner is throttled to approximately 15 queries per second(QPS), with slight variations in the rate due to the asynchronous nature of manyweb applications.Currently, a large scan stops after 100,000 test requests, not includingrequests related to site crawling. Site crawling requests are not capped.
Any increase in network egress traffic that might be caused by vulnerabilityscans is dependent on the number of endpoints and hosted applications at thescan target, because each endpoint or application requires a separate scan.
Indirect charges associated with multicloud support
You can incur charges associated with the ingestion and storage of data fromother clouds.
Multicloud support is included with the Enterprise tier.
What's next
- Read the Security Command Center documentation.
- Learn more about Security Command Center.
- Activate Security Command Center.
