ServiceNow Security Operations (SecOps) is not one licence but a family of separately sold products — Security Incident Response (SIR), Vulnerability Response (VR), Configuration Compliance and Threat Intelligence. SIR is licensed by named SecOps fulfiller user — your security analysts — while VR is frequently scoped against the asset or vulnerability surface, which decouples its cost from analyst headcount. That split is the heart of every SecOps surprise: bring more infrastructure into scanning and VR cost rises even though your team has not grown. This guide explains each metric, the tier ladder, and where SecOps spend quietly runs ahead of value.
SecOps is sold as discrete products on the Now Platform, each with its own metric and its own subscription line. Security Incident Response is the workflow your SOC analysts use to triage and remediate incidents, and it is licensed by named fulfiller — the analyst count is the cost driver. Vulnerability Response ingests findings from scanners such as Qualys, Tenable or Rapid7, prioritises them against business context, and drives remediation; because its value tracks the size of the estate being scanned, it is commonly scoped by asset volume rather than analyst headcount. The table maps the SecOps family.
| SecOps product | Primary metric | What it does |
|---|---|---|
| Security Incident Response (SIR) | Named SecOps fulfiller | Incident triage, response, orchestration |
| Vulnerability Response (VR) | Asset / vulnerability scope | Prioritise and remediate scanner findings |
| Configuration Compliance | Asset / policy scope | Test configs against hardening policies |
| Threat Intelligence | Add-on | Enrich incidents with IoC feeds |
The SecOps product family and its metrics. The metric difference between SIR and VR is the single most important thing to scope correctly. See the ServiceNow module licensing pillar for how this fits the wider model.
Because they scale with different things. SIR cost should track the number of analysts doing incident work, so a named-fulfiller metric is rational — more analysts, more licences. VR delivers value across the whole attack surface it scans, so its price is tied to that surface. The consequence is the SecOps surprise we see most often: a security team of fifteen analysts onboards thousands of additional servers and cloud workloads into Vulnerability Response, and the VR cost climbs with the asset count while the analyst count — and the SIR cost — stays flat. Buyers who scope VR against today's estate and ignore the growth curve get a true-up they did not plan for.
This decoupling of cost from headcount is the same structural problem that catches buyers across other vendors' usage-based metrics — Oracle's feature-usage and option licensing behaves identically, as we cover in Oracle license cost in 2026. The defence is the same everywhere: forecast the scoped quantity, not just the headcount, before signing.
We model the asset surface and the analyst count separately before ServiceNow sets the SecOps quote. No-obligation scoping call.
SIR and VR each ship in Standard and Professional tiers, with Professional adding advanced automation, orchestration and analytics; Threat Intelligence and Configuration Compliance are separate add-ons. As with every ServiceNow module, the Professional step is where attach revenue concentrates, and the buyer's question is which analysts actually run the advanced playbooks.
| Tier / add-on | Typical inclusion | Right for |
|---|---|---|
| SIR Standard | Core incident response workflow | Baseline SOC triage |
| SIR Professional | + Security orchestration, automation, advanced analytics | Mature SOCs running automated playbooks |
| VR Standard / Professional | Prioritisation; Pro adds advanced automation and exception handling | Scaled vulnerability programmes |
| Threat Intelligence | IoC enrichment add-on | Teams consuming external feeds |
SecOps tiers and add-ons. Match the Professional tier to the analysts exercising orchestration, not the whole team. For the wider price structure see ServiceNow pricing in 2026.
Yes. SecOps is its own subscription, and a SecOps fulfiller licence does not grant ITSM access — nor the reverse. A security analyst who also works general IT incidents needs both licences, which is a familiar double-count in organisations where security and IT operations overlap. The remedy mirrors the rest of the platform: align each person to a primary workflow, license the genuine dual-role minority deliberately, and use the ServiceNow license types model to confirm nobody is carrying a full fulfiller licence they never exercise.
The metric behind every module, the user-type benchmarks, and the attach-defence positions we use on live ServiceNow renewals.
SecOps waste concentrates in three places: VR asset scope set too generously and never reviewed, uniform tier upgrades that put the whole SOC on Professional for a capability a few analysts use, and dual SecOps/ITSM seats for staff who rarely cross modules. The points below are where we focus on live SecOps engagements.
SecOps modernisation often arrives as a security-led purchase outside the usual software-asset-management process, which is precisely why the scoping discipline lapses. Our vendor audit defence and ServiceNow optimization practices bring the same buyer-side rigour to a SecOps deal that we apply to ITSM, and when SecOps is one line in a larger renegotiation our multi-vendor portfolio case study shows the coordinated result. For the audit exposure that runs alongside any user-based product, see ServiceNow audit and compliance.
SecOps is the SecOps cluster's clearest example of cost decoupling from headcount, alongside the agent model of CSM and the application-user model of App Engine.
| Module | Licensed by | Scales with |
|---|---|---|
| SecOps | Named fulfiller (+ VR asset scope) | Analysts; vulnerability surface |
| CSM | Named agent | Service agents (not customers) |
| App Engine | Application user | Users of custom-built apps |
SecOps versus its sibling modules. Read the companion guides on CSM and App Engine.
SecOps is sold as separate products — Security Incident Response, Vulnerability Response, Configuration Compliance and Threat Intelligence. SIR is licensed by named SecOps fulfiller (analysts); VR is frequently scoped against the asset or vulnerability surface, which decouples its cost from analyst headcount.
SIR cost tracks analyst headcount, so it is licensed by named fulfiller. VR value scales with the size of the scanned estate, so it is often scoped by asset volume — meaning VR cost can rise as you onboard infrastructure even if the security team does not grow.
Yes. SecOps is a distinct subscription and the fulfiller licences are not interchangeable with ITSM. An analyst who also works IT incidents needs both — aligning analysts to a primary workflow avoids paying twice.
SIR and VR each ship in Standard and Professional tiers, with Professional adding advanced automation, orchestration and analytics; Threat Intelligence and Configuration Compliance are separate add-ons. Matching the tier to the analysts who run the advanced playbooks is the main lever.
Weekly compliance intelligence for IT leaders.