Cortex Cloud Posture Management and Cortex Cloud Runtime Security licensing is provided via an annual subscription, based on the number and type of cloud resources protected. The fundamental metric for consumption is the protected workload. You must procure a license capacity sufficient to cover the total number of workloads you intend to secure.
Licensing is subject to a metering system or Fair Usage policy. This mechanism defines how usage is tracked and what happens when the average consumption of protected workloads exceeds the purchased license capacity. Cortex Cloud accounts for workload utilization based on a 90-day average to smooth spikes and drops in usage of highly ephemeral workloads. Exceeding capacity often triggers a notification, but usually does not immediately disable security functions to ensure your workloads don't lose their protection.
To view the product license and add-ons associated with your tenant, go to → .
Protected workloads
A workload represents any active compute entity that requires protection. These workloads count toward your Cortex Cloud license usage. Examples include:
Workload Type | Billable Units |
|---|---|
VMs not running containers | 1 VM |
VMs running containers | 1 VM |
Endpoint | 1 Endpoint |
CaaS (Container As A Service | 10 Agent Protected Managed Containers |
Cloud Buckets | 10 Cloud Buckets |
Managed Cloud Database (PaaS) | 2 PaaS Databases |
DBaaS TB Stored | DBaaS 1TB Stored |
SaaS Users | 10 SaaS Users |
On-Premise Data assets | 1 Connection |
Cloud ASM – Service | 4 Unmanaged Assets |
Container Images in Registries | Free quota:10 container image scans per deployed workload (VM/CaaS) Beyond free quota:10 container image scans |
CLI Image Scans | - |
Cortex Cloud Posture Management and Cortex Cloud Runtime Security are available in multiple license configurations, either individually or as part of a bundled package. For more information on bundling options with other Cortex products, see Cortex XSIAM product licenses.
License | Configuration |
|---|---|
Cloud Posture Management | Agentless comprehensive visibility across your cloud environment. Includes the following:
|
Cloud Runtime Security | Full cloud protection, detection, and response. Includes the following:
|
Add-ons
Security add-ons: You can purchase security add-ons to expand the core capabilities of your Cortex Cloud Posture Management and Cortex Cloud Runtime Security licenses.
Data Ingestion
Application Security (IAC Security, SCA, Secrets Security)
Enterprise Runtime Security (XDR)
Identity Threat Detection and Response (IDTR)
Forensics investigation
Host Insights
Extended Threat Hunting (XTH)
Advanced Email Security
Data Loss Prevention (DLP) - Beta
Capacity add-ons: You can purchase capability add-ons to extend the duration that security and telemetry data are retained for investigation and compliance purposes
Data Retention: Cortex Cloud Posture Management and Cortex Cloud Runtime Security retention per dataset.
Query Capacity (compute units): A single Compute Unit add-on.
License usage and overflow rules
Cortex tracks license usage to ensure that your purchased capacity is used efficiently. The system distinguishes between different workload types and applies clear rules to avoid double-counting and handle usage that exceeds purchased limits.
Cortex categorizes workloads as follows:
Cloud Posture Workloads – Total workloads purchased with a Cloud Posture Management license, including any security add-ons.
Cloud Runtime Workloads – Total workloads purchased with a Cloud Runtime license.
Note
A Cloud Runtime license includes both Posture Scanning and Runtime Protection on the same asset. Usage, including any overflow, is tracked automatically to ensure accurate reporting across both licenses without duplicate counting.
Overflow rules
The following table outlines how the system counts workloads based on your purchased licenses and current usage:
Licenses purchased | Usage scenario | License counter display | Overflow behaviour |
|---|---|---|---|
Cloud Posture Only | Total posture workloads exceed quota. | All usage counts are shown under Cloud Posture Workload | All workload usage, including over-quota workloads, counts toward the Posture license. |
Cloud Runtime Only | Total runtime workloads exceed quota. | All usage counts are shown under Cloud Runtime Workload | All workload usage, including over-quota workloads, counts toward the Runtime license. |
Both Cloud Posture and Cloud Runtime | Workloads are within quota limits. | Posture: Counts toward Posture quota. Runtime: Counts toward Runtime quota. | No workload overflow. Counters show usage within purchased quotas. |
Both Cloud Posture and Cloud Runtime | Posture exceeds quota, Runtime has remaining capacity | Posture: 100% full usage. Runtime: Partial or full usage count due to spillover. | Spillover occurs only from Posture to Runtime; it does not occur in reverse. Excess Posture workloads use the available Runtime quota until it’s full. |
Both Cloud Posture and Cloud Runtime | Runtime quota full | Posture: Total usage (including excess). Runtime: Total usage (over-quota) | Spillover only occurs from Posture to Runtime; it does not occur in the reverse. Excess Posture workloads are added back to the Posture counter, and any over-quota usage is shown there. |