ServiceNow · Licensing

ServiceNow SecOps Licensing: Analysts, Assets, and the VR Trap.

ServiceNow SecOps security operations licensing

ServiceNow Security Operations (SecOps) is not one licence but a family of separately sold products — Security Incident Response (SIR), Vulnerability Response (VR), Configuration Compliance and Threat Intelligence. SIR is licensed by named SecOps fulfiller user — your security analysts — while VR is frequently scoped against the asset or vulnerability surface, which decouples its cost from analyst headcount. That split is the heart of every SecOps surprise: bring more infrastructure into scanning and VR cost rises even though your team has not grown. This guide explains each metric, the tier ladder, and where SecOps spend quietly runs ahead of value.

How is ServiceNow SecOps licensed?

SecOps is sold as discrete products on the Now Platform, each with its own metric and its own subscription line. Security Incident Response is the workflow your SOC analysts use to triage and remediate incidents, and it is licensed by named fulfiller — the analyst count is the cost driver. Vulnerability Response ingests findings from scanners such as Qualys, Tenable or Rapid7, prioritises them against business context, and drives remediation; because its value tracks the size of the estate being scanned, it is commonly scoped by asset volume rather than analyst headcount. The table maps the SecOps family.

SecOps productPrimary metricWhat it does
Security Incident Response (SIR)Named SecOps fulfillerIncident triage, response, orchestration
Vulnerability Response (VR)Asset / vulnerability scopePrioritise and remediate scanner findings
Configuration ComplianceAsset / policy scopeTest configs against hardening policies
Threat IntelligenceAdd-onEnrich incidents with IoC feeds

The SecOps product family and its metrics. The metric difference between SIR and VR is the single most important thing to scope correctly. See the ServiceNow module licensing pillar for how this fits the wider model.

Why is Vulnerability Response priced differently from Security Incident Response?

Because they scale with different things. SIR cost should track the number of analysts doing incident work, so a named-fulfiller metric is rational — more analysts, more licences. VR delivers value across the whole attack surface it scans, so its price is tied to that surface. The consequence is the SecOps surprise we see most often: a security team of fifteen analysts onboards thousands of additional servers and cloud workloads into Vulnerability Response, and the VR cost climbs with the asset count while the analyst count — and the SIR cost — stays flat. Buyers who scope VR against today's estate and ignore the growth curve get a true-up they did not plan for.

This decoupling of cost from headcount is the same structural problem that catches buyers across other vendors' usage-based metrics — Oracle's feature-usage and option licensing behaves identically, as we cover in Oracle license cost in 2026. The defence is the same everywhere: forecast the scoped quantity, not just the headcount, before signing.

VR scope creeping past your forecast?

We model the asset surface and the analyst count separately before ServiceNow sets the SecOps quote. No-obligation scoping call.

Contact Us →

What tiers does ServiceNow SecOps come in?

SIR and VR each ship in Standard and Professional tiers, with Professional adding advanced automation, orchestration and analytics; Threat Intelligence and Configuration Compliance are separate add-ons. As with every ServiceNow module, the Professional step is where attach revenue concentrates, and the buyer's question is which analysts actually run the advanced playbooks.

Tier / add-onTypical inclusionRight for
SIR StandardCore incident response workflowBaseline SOC triage
SIR Professional+ Security orchestration, automation, advanced analyticsMature SOCs running automated playbooks
VR Standard / ProfessionalPrioritisation; Pro adds advanced automation and exception handlingScaled vulnerability programmes
Threat IntelligenceIoC enrichment add-onTeams consuming external feeds

SecOps tiers and add-ons. Match the Professional tier to the analysts exercising orchestration, not the whole team. For the wider price structure see ServiceNow pricing in 2026.

Does SecOps require a separate licence from ITSM?

Yes. SecOps is its own subscription, and a SecOps fulfiller licence does not grant ITSM access — nor the reverse. A security analyst who also works general IT incidents needs both licences, which is a familiar double-count in organisations where security and IT operations overlap. The remedy mirrors the rest of the platform: align each person to a primary workflow, license the genuine dual-role minority deliberately, and use the ServiceNow license types model to confirm nobody is carrying a full fulfiller licence they never exercise.

White Paper

ServiceNow Module & Subscription Guide

The metric behind every module, the user-type benchmarks, and the attach-defence positions we use on live ServiceNow renewals.

Get the guide →

Where do buyers overspend on SecOps?

SecOps waste concentrates in three places: VR asset scope set too generously and never reviewed, uniform tier upgrades that put the whole SOC on Professional for a capability a few analysts use, and dual SecOps/ITSM seats for staff who rarely cross modules. The points below are where we focus on live SecOps engagements.

SecOps modernisation often arrives as a security-led purchase outside the usual software-asset-management process, which is precisely why the scoping discipline lapses. Our vendor audit defence and ServiceNow optimization practices bring the same buyer-side rigour to a SecOps deal that we apply to ITSM, and when SecOps is one line in a larger renegotiation our multi-vendor portfolio case study shows the coordinated result. For the audit exposure that runs alongside any user-based product, see ServiceNow audit and compliance.

How does SecOps compare to the other ServiceNow modules?

SecOps is the SecOps cluster's clearest example of cost decoupling from headcount, alongside the agent model of CSM and the application-user model of App Engine.

ModuleLicensed byScales with
SecOpsNamed fulfiller (+ VR asset scope)Analysts; vulnerability surface
CSMNamed agentService agents (not customers)
App EngineApplication userUsers of custom-built apps

SecOps versus its sibling modules. Read the companion guides on CSM and App Engine.

Frequently asked questions.

How is ServiceNow SecOps licensed?

SecOps is sold as separate products — Security Incident Response, Vulnerability Response, Configuration Compliance and Threat Intelligence. SIR is licensed by named SecOps fulfiller (analysts); VR is frequently scoped against the asset or vulnerability surface, which decouples its cost from analyst headcount.

Why is Vulnerability Response priced differently from Security Incident Response?

SIR cost tracks analyst headcount, so it is licensed by named fulfiller. VR value scales with the size of the scanned estate, so it is often scoped by asset volume — meaning VR cost can rise as you onboard infrastructure even if the security team does not grow.

Does SecOps require a separate licence from ITSM?

Yes. SecOps is a distinct subscription and the fulfiller licences are not interchangeable with ITSM. An analyst who also works IT incidents needs both — aligning analysts to a primary workflow avoids paying twice.

What tiers does ServiceNow SecOps come in?

SIR and VR each ship in Standard and Professional tiers, with Professional adding advanced automation, orchestration and analytics; Threat Intelligence and Configuration Compliance are separate add-ons. Matching the tier to the analysts who run the advanced playbooks is the main lever.

Related reading.

← Back to all insights

The Compliance Brief

Weekly compliance intelligence for IT leaders.