Console
    Contact Us Start free

    Security Command Center service tiers

    Security Command Center is offered in three service tiers: Standard, Premium, and Enterprise. Each tier determines the features and services that are available to you in Security Command Center. A short description of each service tier follows:

    • Standard. Basic security posture management for Google Cloud only. The Standard tier can be activated at the project or organization level. Best for Google Cloud environments with minimal security requirements.
    • Premium. Everything in Standard, plus security posture management, attack paths, threat detection, and compliance monitoring for Google Cloud only. The Premium tier can be activated at the project or organization level. Best for Google Cloud customers who need pay-as-you-go billing.
    • Enterprise. Complete multi-cloud CNAPP security that helps you to triage and remediate your most critical issues. Includes most of the services that are in Premium. The Enterprise tier can only be activated at the organization level. Best for helping to protect Google Cloud, AWS, and Azure.

    The Standard tier is offered at no additional charge, while the Premium and Enterprise tiers have different pricing structures. For more information, see Security Command Center pricing .

    For a list of services included in each tier, see Service tier comparison .

    For the Google SecOps features supported with the Security Command Center Enterprise tier, see Google Security Operations feature limits in Security Command Center Enterprise .

    Service tier comparison

    Service
    Service tier
    Standard
    Premium
    Enterprise
    Vulnerability detection
    Security Health Analytics
    Managed vulnerability assessment scanning for Google Cloud that can automatically detect the highest severity vulnerabilities and misconfigurations for your Google Cloud assets.
    Compliance monitoring . Security Health Analytics detectors map to the controls of common security benchmarks like NIST, HIPAA, PCI-DSS, and CIS.
    Custom module support . Create your own custom Security Health Analytics detectors.
    Web Security Scanner
    Custom scans . Schedule and run custom scans on deployed Compute Engine, Google Kubernetes Engine, or App Engine web applications that have public URLs and IP addresses and aren't behind firewalls.
    Additional OWASP Top Ten detectors
    Managed scans . Scan public web endpoints for vulnerabilities weekly, with scans configured and managed by Security Command Center.
    Virtual red teaming
    Virtual red teaming, performed by running Attack Path Simulations , helps you to identify and prioritize vulnerability and misconfiguration findings by identifying the paths that a potential attacker could take to reach your high-value resources.
    1
    Mandiant CVE assessments
    CVE assessments are grouped by their exploitability and potential impact. You can query findings by CVE ID.
    Other vulnerability services
    Anomaly Detection . 2 Identifies security anomalies for your projects and virtual machine (VM) instances, like potential leaked credentials and cryptocurrency mining.
    1
    1
    Container image vulnerability findings ( Preview ). Automatically write findings to Security Command Center from Artifact Registry scans that detect vulnerable container images deployed to specific assets.
    GKE security posture dashboard findings ( Preview ). View findings about Kubernetes workload security misconfigurations, actionable security bulletins, and vulnerabilities in the container operating system or in language packages.
    Model Armor . Screen LLM prompts and responses for security and safety risks.
    Sensitive Data Protection discovery . 2 Discovers, classifies, and helps protect sensitive data.
    1 , 3
    1 , 3
    Chokepoints . Identifies resources or resource groups where multiple attack paths converge.
    Notebook Security Scanner ( Preview ). Detect and resolve vulnerabilities in Python packages that are used in Colab Enterprise notebooks.
    Toxic combinations . Detects groups of risks that, when they occur together in a particular pattern, create a path to one or more of your high-value resources that a determined attacker could potentially use to reach and compromise those resources.
    VM Manager vulnerability reports ( Preview ). 2 If you enable VM Manager , it automatically writes findings from its vulnerability reports to Security Command Center.
    1
    Vulnerability Assessment for Google Cloud ( Preview ). Helps you discover critical and high severity software vulnerabilities in your Compute Engine VM instances without installing agents.
    Mandiant Attack Surface Management . Discovers and analyzes your internet assets across environments, while continually monitoring the external ecosystem for exploitable exposures.
    4
    Vulnerability Assessment for AWS . Detects vulnerabilities in AWS resources, including software installed on Amazon EC2 instances and in Elastic Container Registry (ECR) images.
    Threat detection and response
    Google Cloud Armor . 2 Protects Google Cloud deployments against threats such as distributed denial-of-service (DDoS) attacks, cross-site scripting (XSS), and SQL injection (SQLi).
    1
    1
    Sensitive Actions Service . Detects when actions are taken in your Google Cloud organization, folders, and projects that could be damaging to your business if they are taken by a malicious actor.
    Cloud Run Threat Detection . Detects runtime attacks in Cloud Run containers.
    Container Threat Detection . Detects runtime attacks in Container-Optimized OS node images .
    Event Threat Detection . Monitors Cloud Logging and Google Workspace, using threat intelligence, machine learning, and other advanced methods to detect threats such as malware, cryptocurrency mining, and data exfiltration.
    Virtual Machine Threat Detection . Detects potentially malicious applications running in VM instances.

    Google SecOps . Integrates with Security Command Center to help you detect, investigate, and respond to threats. Google SecOps includes the following:

    Issues . Identifies the most important security risks that Security Command Center has found in your cloud environments. Issues are discovered using virtual red teaming, along with rule-based detections that rely on the Security Command Center security graph.

    Mandiant Threat Defense . Rely on Mandiant experts to provide continual threat hunting to expose attacker activity and reduce impact to your business.

    Mandiant Threat Defense is not activated by default. For more information and pricing details, contact your sales representative or Google Cloud partner.

    Postures and policies
    Binary Authorization . 2 Implement software supply-chain security measures when you develop and deploy container-based applications. Monitor and limit the deployment of container images.
    1
    1
    Cyber Insurance Hub . 2 Profile and generate reports for your organization's technical risk posture.
    1
    1
    Policy Controller . 2 Enables the application and enforcement of programmable policies for your Kubernetes clusters.
    1
    1

    Policy Intelligence . Additional features for Security Command Center Premium and Enterprise users, including the following:

    • Advanced IAM recommendations. The included Recommender features are as follows:

      • Recommendations for non-basic roles.
      • Recommendations for roles granted on resources other than organizations, folders, and projects. For example, recommendations for roles granted on Cloud Storage buckets.
      • Recommendations that suggest custom roles.
      • Policy insights.
      • Lateral movement insights.
    • Policy Analyzer at scale (above 20 queries per organization per day). This limit is shared among all Policy Analyzer tools.
    • Visualizations for Organization Policy analysis .
    Security posture . Define and deploy a security posture to monitor the security status of your Google Cloud resources. Address posture drift and unauthorized changes to the posture. On the Enterprise tier, you can also monitor your AWS environment .
    1
    Cloud Infrastructure Entitlement Management (CIEM) . Identify principal accounts (identities) that are misconfigured or that are granted excessive or sensitive IAM permissions to your cloud resources.
    4
    Compliance Manager ( Preview ). Define, deploy, monitor, and audit frameworks that are designed to let you meet the security and compliance obligations for your Google Cloud environment.
    Data security posture management (DSPM) ( Preview ). Evaluate, deploy, and audit data security frameworks and cloud controls to govern access and use of sensitive data.
    Data management
    Data residency and encryption
    Customer-managed encryption keys (CMEK) . Use Cloud Key Management Service keys that you create to encrypt selected Security Command Center data. By default, Security Command Center data is encrypted at rest with Google-owned and Google-managed encryption keys.
    1
    1
    Findings export
    BigQuery exports. Export findings from Security Command Center to BigQuery, either as a one-time bulk export ( Preview ) or by enabling continuous exports .
    Pub/Sub continuous exports
    Cloud Logging continuous exports
    1
    Other features
    Infrastructure as code (IaC) validation . Validate against organization policies and Security Health Analytics detectors.
    1
    Query assets with SQL in Cloud Asset Inventory
    Request more Cloud Asset Inventory quota
    Risk reports ( Preview ). Risk reports help you understand the results of the attack path simulations that Security Command Center runs. A risk report contains a high-level overview, sample toxic combinations, and associated attack paths.
    1
    AI Protection ( Preview ). AI Protection helps you manage the security posture of your AI workloads by detecting threats and mitigate risks to your AI asset inventory.
    Assured Open Source Software . Take advantage of the security and experience that Google applies to open source software by incorporating the same packages that Google secures and uses into your own developer workflows.
    Audit Manager . A compliance audit solution that evaluates your resources against select controls from multiple compliance frameworks. Security Command Center Enterprise users get access to the Premium tier of Audit Manager at no extra cost.
    Multicloud support. Connect Security Command Center to other cloud providers to detect threats, vulnerabilities, and misconfigurations. Assess attack exposure scores and attack paths on external cloud high-value resources. Supported cloud providers: AWS, Azure.
    1. Requires an organization-level activation.
    2. This is a Google Cloud service that integrates with organization-level activations of Security Command Center to provide findings. One or more features of this service might be priced separately from Security Command Center.
    3. Not activated by default. For more information and pricing details, contact your sales representative or Google Cloud partner.
    4. Not supported if data residency controls are enabled.

    Google Security Operations feature limits in Security Command Center Enterprise

    The Security Command Center Enterprise tier offers additional features compared to the Standard and Premium tiers, including a selection of Google Security Operations features and the ability to ingest data from other cloud providers. These features make Security Command Center a cloud-native application protection platform (CNAPP).

    The Google Security Operations features in the Security Command Center Enterprise tier have different limits to those found in the Google Security Operations plans . These limits are described in the following table.

    Feature Limits
    Applied Threat Intelligence No access
    Curated detections Limited to detecting cloud threats on Google Cloud, Microsoft Azure, and AWS.
    Custom rules 20 custom single-event rules , multi-event rules aren't supported.
    Data retention 3 months
    Gemini for Google Security Operations Limited to natural language search and case investigation summaries
    Google SecOps security information and event management (SIEM) Cloud data only.
    Google SecOps security orchestration, automation, and response (SOAR) Cloud response integrations only. For the list of supported integrations, see Supported Google Security Operations integrations .

    Supports one SOAR environment .
    Log ingestion

    Limited to logs that are supported for cloud threat detection. For the list, see Supported log data collection in Google SecOps

    Risk analytics No access

    Supported Google Security Operations integrations

    The following sections list the Google Security Operations Marketplace integrations that are supported with Security Command Center Enterprise. They are listed in separate columns in the following table.

    • Packaged and preconfigured integrations: are included in the SCC Enterprise - Cloud Orchestration and Remediationuse case and are preconfigured to support cloud-native application protection platform (CNAPP) use cases. They are available when you activate Security Command Center Enterprise and update the Enterprise use case .

      Configurations in the SCC Enterprise - Cloud Orchestration and Remediationuse case include, as an example, dedicated playbooks that use Jira and ServiceNow with predefined handling of response cases. The integrations are preconfigured to support all cloud providers that Security Command Center Enterprise supports.

    • Downloadable integrations: with Security Command Center Enterprise, you can download the following integrations and use them in a playbook. The versions that you download from Google Security Operations Marketplace are not configured specifically for Security Command Center Enterprise and require additional manual configuration.

    Each integration is listed by name. For information about a specific integration, see Google Security Operations Marketplace integrations .

    Type of application or information

    Packaged and preconfigured integrations

    Downloadable integrations

    Google Cloud and Google Workspace integrations

    • AppSheet
    • Google Alert Center
    • Google BigQuery
    • Google Chat
    • Google Chronicle
    • Google Cloud Asset Inventory
    • Google Cloud Compute
    • Google Cloud IAM
    • Google Cloud Policy Intelligence
    • Google Cloud Recommender
    • Google Cloud Storage
    • Google Kubernetes Engine
    • Google Rapid Response (GRR)
    • Google Security Command Center
    • Google Translate
    • GSuite
    • SCCEnterprise
    • AppSheet
    • Google Alert Center
    • Google BigQuery
    • Google Chat
    • Google Chronicle
    • Google Cloud Asset Inventory
    • Google Cloud Compute
    • Google Cloud IAM
    • Google Cloud Policy Intelligence
    • Google Cloud Recommender
    • Google Cloud Storage
    • Google Kubernetes Engine
    • Google Rapid Response (GRR)
    • Google Security Command Center
    • Google Translate
    • GSuite
    • SCCEnterprise

    Amazon Web Services integrations

    • AWS CloudTrail
    • AWS CloudWatch
    • AWS Elastic Compute Cloud (EC2)
    • AWS GuardDuty
    • AWS Identity and Access Management (IAM)
    • AWS IAM Access Analyzer
    • AWS S3
    • AWS Security Hub
    • AWS WAF
    • AWS CloudTrail
    • AWS CloudWatch
    • AWS Elastic Compute Cloud (EC2)
    • AWS GuardDuty
    • AWS Identity and Access Management (IAM)
    • AWS IAM Access Analyzer
    • Amazon Macie*
    • AWS S3
    • AWS Security Hub
    • AWS WAF

    Microsoft Azure and Office365 integrations

    • Azure Active Directory
    • Azure AD Identity Protection
    • Azure Security Center
    • Microsoft Graph Mail
    • Microsoft Teams
    • Azure Active Directory
    • Azure AD Identity Protection
    • Azure Security Center
    • Microsoft Graph Mail
    • Microsoft Teams

    IT service management (ITSM)-related applications

    • BMC Helix Remedyforce
    • BMC Remedy ITSM
    • CA Service Desk Manager
    • Easy Vista
    • Freshworks Freshservice
    • Jira
    • Micro Focus ITSMA
    • Service Desk Plus V3
    • ServiceNow
    • SysAid
    • Zendesk
    • Zoho Desk
    • BMC Helix Remedyforce
    • BMC Remedy ITSM
    • CA Service Desk Manager
    • Easy Vista
    • Freshworks Freshservice
    • Jira
    • Micro Focus ITSMA
    • Service Desk Plus V3
    • ServiceNow
    • SysAid
    • Zendesk
    • Zoho Desk

    Communication-related applications

    • Email V2
    • Exchange
    • Google Chat
    • Microsoft Graph Mail
    • Microsoft Teams
    • Slack
    • Email V2
    • Exchange
    • Google Chat
    • Microsoft Graph Mail
    • Microsoft Teams
    • Slack

    Threat intelligence

    • Mandiant Threat Intelligence
    • Mitre Att&ck
    • VirusTotalV3
    • Mandiant Threat Intelligence
    • Mitre Att&ck
    • VirusTotalV3
    * Integration is not packaged in the SCC Enterprise - Cloud Orchestration and Remediationuse case

    Supported Google SecOps log data collection

    The following sections describe the type of log data that customers with Security Command Center Enterprise can ingest directly to the Google Security Operations tenant. This data collection mechanism is different than the AWS connector in Security Command Center that collects resource and configuration data.

    The information is grouped by cloud provider.

    • Google Cloud log data
    • Amazon Web Services log data
    • Microsoft Azure log data

    For each type of log listed, the Google SecOps ingestion label is provided, for example GCP_CLOUDAUDIT . See Supported log types and default parsers for a complete list of Google SecOps ingestion labels.

    Google Cloud

    The following Google Cloud data can be ingested to Google SecOps:

    The following must also be enabled and routed to Cloud Logging:

    For information about how to collect logs from Linux and Windows VM instances and send to Cloud Logging, see Google Cloud Observability agents .

    The Security Command Center Enterprise activation process automatically configures the ingestion of Google Cloud data to Google SecOps. For more information about this, see Activate the Security Command Center Enterprise tier > Provision a new instance .

    For information about how to modify the Google Cloud data ingestion configuration, see Ingest Google Cloud data to Google Security Operations .

    Amazon Web Services

    The following AWS data can be ingested to Google SecOps:

    • AWS CloudTrail ( AWS_CLOUDTRAIL )
    • AWS GuardDuty ( GUARDDUTY )
    • AWS EC2 HOSTS ( AWS_EC2_HOSTS )
    • AWS EC2 INSTANCES ( AWS_EC2_INSTANCES )
    • AWS EC2 VPCS ( AWS_EC2_VPCS )
    • AWS Identity and Access Management (IAM) ( AWS_IAM )

    For information about collecting AWS log data and using curated detections, see Connect to AWS for log data collection .

    Microsoft Azure

    The following Microsoft data can be ingested to Google SecOps:

    For information about collecting Azure log data and using curated detections, see Connect to Microsoft Azure for log data collection .
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: