Application Protection is a value-added service of Security Center that defends Java and PHP processes against runtime attacks using Runtime Application Self-Protection (RASP). It must be purchased before use. Two billing methods are available: subscription and pay-as-you-go.
7-day free trial
Security Center offers a 7-day free trial that includes 10 Application Protection authorizations. The trial is available only if you have not previously purchased any Security Center services. For eligibility details and setup steps, see Activate the 7-day free trial.
Billing
Application Protection is billed per protected process. Each running application process consumes one authorization.
Subscription — unit price decreases as the number of quotas increases:
| Quotas | Price |
|---|---|
| ≤ 50 | USD 6/quota/month |
| 51–200 | USD 4.5/quota/month |
| > 200 | USD 3/quota/month |
Pay-as-you-go — the system counts online instances every minute and bills daily at USD 0.0002 per instance-minute.
Prerequisites
Before purchasing, scan your assets to determine the number of authorizations you need. See How do I view the supported applications and their quantity?
Purchase a subscription
Application Protection protects only running Java and PHP applications.
Log on to the Security Center consoleSecurity Center consoleSecurity Center consoleSecurity Center console.
In the left navigation pane, choose Protection Configuration > Application Protection. In the upper-left corner, select your asset region: Chinese Mainland or Outside Chinese Mainland.
On the Application Protection page, click Subscription.
On the Quick Purchase tab, in the Application Protection area, set Purchase or Not to Yes and set Quantity to the number of processes to protect.
To use Application Protection only, set Edition to Value-added Plan.
To combine Application Protection with a Security Center edition or other value-added services, select the desired edition and services. See Purchase Security Center for details.
Read and accept the product agreement, click Order Now, and complete the payment.
Enable pay-as-you-go
Log on to the Security Center consoleSecurity Center consoleSecurity Center consoleSecurity Center console.
In the left navigation pane, choose Protection Configuration > Application Protection. In the upper-left corner, select your asset region: Chinese Mainland or Outside Chinese Mainland.
On the Application Protection page, click Activate Pay-as-you-go.
In the dialog box that appears, click Activate Now.
After activation, full protection is enabled by default for Java processes only, connected using the slow connection type. To protect a subset of servers instead, click Custom Quota Binding and select the servers in the Quota Management dialog box. Adjust server and process connections later on the Application Protection > Application Configurations tab.
For more information about automatic full provisioning, see Automatic full provisioning (Java processes only).
Unsubscribe
Subscription: On the Overview page, in the Subscription area, click Change Specifications > Downgrade. On the Order Downgrade tab, in the Application Protection area, set Purchase or Not to No. For more information, see Downgrade.
The refund amount is shown on the downgrade page. For refund destination details, see Refund destination.
Pay-as-you-go: On the Overview page, turn off the Application Protection switch in the Pay-as-you-go area. After you turn off the switch, you are no longer charged for the service.
FAQ
What types of applications does Application Protection support?
Application Protection supports Java and PHP applications only. Python, Go, and .NET are not supported. The runtime environments for Java and PHP must meet specific requirements.
Can I use Application Protection for internal servers?
Yes. Internal servers in third-party clouds or on-premises data centers that cannot reach the Internet can connect to Application Protection through a proxy. To do this, you must install the Security Center client and then the RASP agent on the servers to protect. The proxy connection type supports Java applications only.
Limits
Prepare one or more servers that can connect to the Internet to serve as proxy servers, or establish a network connection between your internal network and an Alibaba Cloud VPC.
If your internal environment has no Internet-connected server and no VPC connection, Security Center and Application Protection cannot be used.
Connect internal servers through a proxy
When provisioning application protection, in the Access Management panel on the Manual Access > Add Container tab, select Custom Installation and the corresponding proxy cluster, then install the RASP agent.
For the complete walkthrough, see Connect to Application Protection.

How do I view the supported applications and their quantity?
The number of protected application processes changes dynamically. Scan your assets before purchase to estimate the authorizations needed, and rescan after purchase to track the current state.
Scan frequency limits by edition:
| Edition | Scan frequency |
|---|---|
| Subscription: Basic, Value-added Service Only, Anti-virus, or Advanced | Once per day |
| Subscription: Enterprise or Ultimate | Unlimited |
| Pay-as-you-go with Host and Container Security enabled | Unlimited (Comprehensive Host Protection or Comprehensive Host and Container Protection servers only) |
| Pay-as-you-go without Host and Container Security | Once per day |
Before purchase:
Log on to the Security Center consoleSecurity Center consoleSecurity Center consoleSecurity Center console.
In the left navigation pane, choose Protection Configuration > Application Protection. In the upper-left corner, select your asset region: Chinese Mainland or Outside Chinese Mainland.
In the Protection Statistics area, click Scan Now. The Security Center client collects process information from your assets.
View the number of application processes. Click the number to see a list with server information, process name, PID, and startup parameters.
ImportantEach process consumes one authorization. Because process counts change dynamically, use the scan result as an estimate. The system saves scan data for 7 days; data older than 7 days is cleared automatically. After each scan, the latest data overwrites the existing data for that server.

After purchase:
Log on to the Security Center consoleSecurity Center consoleSecurity Center consoleSecurity Center console.
In the left navigation pane, choose Protection Configuration > Application Protection. In the upper-left corner, select your asset region: Chinese Mainland or Outside Chinese Mainland.
On the Application Analysis tab, in the Application Access Statistics area, click Resource Statistics to the right of Remaining Quota.
In the Application Processes panel, click Scan Now. After the last detection time refreshes, the panel lists all application processes that support RASP protection.
Click the number under Java or PHP to view the corresponding process list. The Application Protection column shows the protection status for each process: Added, Not Added, or Failed. Click the
icon to export the process list.
Does Resource Statistics show processes from a shutdown server?
Scan data is retained for 7 days after collection. If a server is shut down, new scans cannot collect data from it. Previously collected data for that server remains available for 7 days from the time of collection, then is cleared automatically.