
Security Hub Cost Analysis: The Per-Check Pricing Reality

Security Hub looks like a $10/month service in the AWS marketing material. At enterprise scale, it routinely produces $30K to $80K monthly bills, driven by check evaluations that multiply with account count, resource count, and standards activated.

Published May 2026 · Cluster: Security · 12 min read

Security Hub is the AWS-native CSPM (Cloud Security Posture Management) service. The pricing surface is simple in concept and brutal at scale. This piece breaks down the math, the configuration levers, and the negotiation hooks we apply when Security Hub appears as a line item in an EDP cycle.

Security Hub pricing breakdown

Security Hub has two billing dimensions in 2026, both metered per account per region per month:

  • Security checks. $0.0010 per check evaluation for the first 100,000 checks, with tier breaks at 100,000 and 500,000. The tiers reset for every account/region pair, so an organisation's total volume never reaches the cheapest tier as a single pool.
  • Finding ingestion. $0.00003 per ingested finding above the free tier of 10,000 findings.

On paper, $0.0010 per check is cheap. The cost emerges from the check volume.

Where check volume comes from

Each enabled security standard evaluates dozens of controls against every resource of the control's type, on configuration change and on a periodic schedule. The illustrative model below for a 50-account organisation takes the simplest possible view of that: every control against every resource, roughly once an hour.

| Component | Typical count | Checks/month estimate |
| Accounts | 50 | Multiplier |
| Resources per account | 200 average | 10,000 total resources |
| Controls per standard | 180 (AWS FSBP) | 1.8M check-resource combos |
| Standards enabled | 3 (FSBP, CIS, PCI DSS) | 5.4M total |
| Evaluation frequency (model assumption) | ~1 evaluation per combo per hour | 720 per combo per month |
| Estimated check volume/month | | 3.9B |

At $0.0010 per check, 3.9B checks would cost $3.9M a month, and even if every check fell into the cheapest published tier ($0.0005) the bill would still be roughly $2M. Nobody sees a bill like that, because the model's frequency assumption is the part that is wrong: Security Hub controls run as AWS Config rules that evaluate on configuration change plus a periodic schedule (every 12 or 24 hours), and each control evaluates only resources of its own type, so real check counts are orders of magnitude lower. What the model does get right is the shape of the multiplier: accounts × regions × resources × enabled standards, with tier breaks applied per account per region rather than across the organisation.

Realistic enterprise Security Hub bills land in the $20K to $60K/month range for organisations under 200 accounts, climbing to $100K+ above that.
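The tier arithmetic is easy to get wrong in a spreadsheet, so here is a small cost model as an added example (not code from the page or from AWS). The tier rates are the published Security Hub CSPM list prices for checks ($0.0010, $0.0008 and $0.0005) and finding ingestion; the page quotes only the first check tier, so treat the lower two as an assumption to verify against your own bill. The `pooled_cost()` function shows what the same volume would cost if tiers applied org-wide, which AWS does not do; the gap between the two numbers is the size of the tier-break concession worth raising in an EDP.

```python
"""Security Hub CSPM check and ingestion cost model with per-account, per-region tiers.

Added example; not from the original page. Tier rates are the published
Security Hub CSPM list prices ($0.0010 / $0.0008 / $0.0005 per check); the page
quotes only the first tier. Update them if your bill shows different rates.
"""

# (checks in this tier, rate per check); None = everything above 500,000
CHECK_TIERS = [(100_000, 0.0010), (400_000, 0.0008), (None, 0.0005)]
FREE_FINDINGS = 10_000
FINDING_RATE = 0.00003


def check_cost(checks: int) -> float:
    """Cost of `checks` security checks in ONE account in ONE region for a month."""
    cost, remaining = 0.0, checks
    for size, rate in CHECK_TIERS:
        if remaining <= 0:
            break
        n = remaining if size is None else min(remaining, size)
        cost += n * rate
        remaining -= n
    return round(cost, 2)


def finding_cost(findings: int) -> float:
    """Ingestion cost for one account/region: the first 10,000 events are free."""
    return round(max(0, findings - FREE_FINDINGS) * FINDING_RATE, 2)


def org_cost(accounts: int, regions: int, checks_each: int, findings_each: int) -> float:
    """Monthly bill when every account/region pair carries the same volume.

    Tiers are applied per pair, which is how AWS meters them: volume in one
    account never pushes another account into a cheaper tier.
    """
    per_pair = check_cost(checks_each) + finding_cost(findings_each)
    return round(accounts * regions * per_pair, 2)


def pooled_cost(total_checks: int) -> float:
    """What the same total volume would cost if tiers applied org-wide.

    AWS does not bill this way; the gap to org_cost() is the size of the
    'tier break threshold' concession worth asking for in an EDP.
    """
    return check_cost(total_checks)


if __name__ == "__main__":
    accts, regions, checks = 50, 1, 1_000_000
    print("per-account tiers:", org_cost(accts, regions, checks, 0))
    print("pooled tiers:     ", pooled_cost(accts * regions * checks))
```

With 50 accounts in one region at 1M checks each, per-pair tiering gives $33,500/month against $25,170 if the 50M checks were pooled, which is the order of magnitude the page's $20K to $60K range describes.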

The standards selection lever

AWS publishes six built-in standards and supports many partner-provided standards:

  • AWS Foundational Security Best Practices (FSBP)
  • CIS AWS Foundations Benchmark v1.4
  • CIS AWS Foundations Benchmark v3.0
  • PCI DSS v3.2.1
  • PCI DSS v4.0
  • NIST SP 800-53 Rev. 5
  • Partner standards (third-party)

Most enterprises enable FSBP and one or two compliance-aligned standards. Common mistake: enabling both CIS v1.4 and CIS v3.0 simultaneously. Security Hub evaluates and bills a control once per resource even when it is enabled in several standards, so the second CIS version does not double the bill outright, but every control unique to that version adds its own checks, and the overlapping controls add duplicate findings and noise for no new coverage.

Optimisation: pick one CIS version, pick one PCI version, and enable NIST SP 800-53 only when your compliance regime requires it; the controls it shares with FSBP cost nothing extra, but the controls unique to it do.

Control selection within a standard

Within each standard, individual controls can be disabled. A typical enterprise needs roughly 60 to 70 percent of FSBP controls; the remainder either do not apply (because the resource type does not exist in your environment) or duplicate other tooling.

How to identify controls to disable:

  1. Pull Security Hub findings for the past 90 days, filtered to ACTIVE records.
  2. Identify enabled control IDs that produced zero findings. Confirm against the AWS Config resource inventory that the resource type is genuinely absent, not merely unrecorded.
  3. Disable those controls organisation-wide, through the Central Configuration policy so that no member account can re-enable them.
  4. Identify controls that produced only PASSED findings (no failures).
  5. If your governance regime allows, disable the controls that have not failed in 90 days. This is a detection trade-off, not a free win: a disabled control stops evaluating, so a resource that drifts later will not be flagged. Keep any control whose failure you would want to hear about unless another tool covers the same check.

Realistic savings: 15 to 25 percent of Security Hub check volume eliminated by disabling irrelevant controls.
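The procedure above, as an added example that is not part of the original article: it classifies each enabled control from a 90-day window of findings into failed, passed-only and silent, and emits the disable list. The findings and the enabled-control set are constructed sample data in ASFF shape (only the fields used are present); `fetch_findings()` and `disable_controls()` show the real boto3 calls and are not executed here.

```python
"""Classify Security Hub controls by what they produced in the last 90 days.

Added example, not from the page. Findings below are constructed in ASFF
shape (only the fields used here). fetch_findings()/disable_controls() show
the boto3 calls you would run for real; they are not executed here.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)   # fixed so the example is reproducible
SINCE = NOW - timedelta(days=90)

# Controls enabled in the standard being pruned (assumed list, not a real inventory)
ENABLED_CONTROLS = {"S3.1", "S3.5", "EC2.19", "RDS.2", "IAM.4", "Lambda.1"}

# Constructed sample findings. Real ones come from get_findings().
SAMPLE_FINDINGS = [
    {"Compliance": {"SecurityControlId": "S3.1", "Status": "FAILED"},
     "RecordState": "ACTIVE", "UpdatedAt": "2026-04-20T10:15:00+00:00"},
    {"Compliance": {"SecurityControlId": "S3.5", "Status": "PASSED"},
     "RecordState": "ACTIVE", "UpdatedAt": "2026-04-21T10:15:00+00:00"},
    {"Compliance": {"SecurityControlId": "S3.5", "Status": "PASSED"},
     "RecordState": "ACTIVE", "UpdatedAt": "2026-04-28T10:15:00+00:00"},
    {"Compliance": {"SecurityControlId": "IAM.4", "Status": "FAILED"},
     "RecordState": "ACTIVE", "UpdatedAt": "2026-03-02T10:15:00+00:00"},
    {"Compliance": {"SecurityControlId": "IAM.4", "Status": "PASSED"},
     "RecordState": "ACTIVE", "UpdatedAt": "2026-04-29T10:15:00+00:00"},
    {"Compliance": {"SecurityControlId": "RDS.2", "Status": "PASSED"},
     "RecordState": "ACTIVE", "UpdatedAt": "2026-04-10T10:15:00+00:00"},
    # Lambda.1 last produced a finding outside the 90-day window, so it counts as silent
    {"Compliance": {"SecurityControlId": "Lambda.1", "Status": "PASSED"},
     "RecordState": "ACTIVE", "UpdatedAt": "2025-12-01T10:15:00+00:00"},
    # Archived records are ignored: the resource or finding is gone
    {"Compliance": {"SecurityControlId": "EC2.19", "Status": "FAILED"},
     "RecordState": "ARCHIVED", "UpdatedAt": "2026-04-25T10:15:00+00:00"},
]


def classify_controls(findings, enabled_controls, since=SINCE):
    """Map each enabled control to 'failed', 'passed_only' or 'no_findings'."""
    statuses = defaultdict(set)
    for f in findings:
        if f.get("RecordState") != "ACTIVE":
            continue
        if datetime.fromisoformat(f["UpdatedAt"]) < since:
            continue
        comp = f.get("Compliance", {})
        statuses[comp.get("SecurityControlId")].add(comp.get("Status"))
    result = {}
    for control in enabled_controls:
        seen = statuses.get(control, set())
        if "FAILED" in seen:
            result[control] = "failed"
        elif seen:
            result[control] = "passed_only"
        else:
            result[control] = "no_findings"
    return result


def disable_candidates(classes, include_passed_only=False):
    """Controls to disable: silent ones always, passing ones only on request.

    Disabling a passing control removes future detection for that check, which
    is the trade-off step 5 of the procedure asks governance to sign off on.
    """
    wanted = {"no_findings"} | ({"passed_only"} if include_passed_only else set())
    return sorted(c for c, cls in classes.items() if cls in wanted)


def fetch_findings(securityhub, since=SINCE):
    """Real pull: every ACTIVE finding updated since `since`, across all pages."""
    filters = {
        "RecordState": [{"Value": "ACTIVE", "Comparison": "EQUALS"}],
        "UpdatedAt": [{"Start": since.isoformat(), "End": NOW.isoformat()}],
    }
    for page in securityhub.get_paginator("get_findings").paginate(Filters=filters):
        yield from page["Findings"]


def disable_controls(securityhub, standards_arn, control_ids,
                     reason="no resources of this type in 90 days"):
    """Disable controls in one standard for the calling account (local configuration).

    Organisations on Central Configuration should put these IDs in the
    configuration policy's DisabledSecurityControlIds instead.
    """
    return securityhub.batch_update_standards_control_associations(
        StandardsControlAssociationUpdates=[
            {"StandardsArn": standards_arn, "SecurityControlId": cid,
             "AssociationStatus": "DISABLED", "UpdatedReason": reason}
            for cid in control_ids
        ]
    )


if __name__ == "__main__":
    classes = classify_controls(SAMPLE_FINDINGS, ENABLED_CONTROLS)
    print(classes)
    print("disable now:", disable_candidates(classes))
    print("with governance sign-off:", disable_candidates(classes, include_passed_only=True))
```

Note that IAM.4 stays enabled even though its latest finding is PASSED: it failed inside the window, which is exactly the drift a control exists to catch. The zero-finding set should still be cross-checked against the Config inventory before anything is disabled.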

Finding ingestion costs

Beyond 10,000 findings per account per region per month, ingestion costs $0.00003 per finding. For a 100-account org producing 50,000 findings per account in one region, that is 4M billable findings or $120/month. Not large by itself, but it adds up with third-party finding sources.

Third-party finding sources (Wiz, Palo Alto, third-party SAST tools) push findings into Security Hub for centralised visibility. Each pushed finding counts, and so does each update to an existing finding: ingestion is metered per event, not per unique finding. For organisations integrating 5+ tools, finding ingestion can rival the check evaluation line item.

Multi-account aggregation

Security Hub supports a delegated administrator account that consolidates findings from member accounts. The administrator does not double-bill: a finding generated in member account A and viewed from administrator account B counts once, in A.

Cross-region aggregation works similarly. Findings replicated from linked regions to the aggregation region bill once, in the region that generated them; the replication itself carries no additional charge.

Optimisation: aggregation is a visibility and operations lever (one console, one EventBridge integration point), not a billing lever. Pick the aggregation region for operational reasons, and reduce regional spend by disabling Security Hub in regions you do not use.

Security Hub Central Configuration

Released in late 2023, Central Configuration lets a delegated admin push standard and control configuration to all member accounts. This removes the configuration drift that previously caused accidental over-enablement.

Before Central Configuration, individual account owners frequently re-enabled standards that org admins had disabled, and the billing came back with them. Central Configuration solves this. Customers not yet on Central Configuration should migrate as the first optimisation step.

Automation cost: Security Hub plus EventBridge plus Lambda

Most enterprise Security Hub deployments include downstream automation: EventBridge rules that fire on findings, Lambda functions that auto-remediate, SNS or Slack notifications for ops teams.

Each of those services bills separately. For a 50,000-finding/month deployment:

  • EventBridge: Security Hub findings arrive on the default event bus as AWS service events, which EventBridge does not charge for; custom events your automation re-publishes are charged per million.
  • Lambda invocations: one per event, where an event carries one finding or a small batch of findings.
  • SNS or Slack delivery: per notification.
  • CloudWatch Logs for the automation: per GB ingested.

Typical downstream cost: $200 to $800/month on top of Security Hub itself. Track this in cost allocation tags, and filter at the EventBridge rule so that only actionable findings invoke Lambda at all.
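The cheapest Lambda invocation is the one that never happens. The added example below (not from the page, and not an AWS sample) is an EventBridge event pattern that lets only new, active, failed, high or critical findings through, together with a small matcher implementing the exact-match subset of EventBridge semantics so the pattern can be exercised offline before it is deployed. The sample events are constructed; `put_rule()` shows the boto3 calls and is not executed here.

```python
"""Filter Security Hub findings at the EventBridge rule, not in Lambda.

Added example, not from the page. The pattern targets the
"Security Hub Findings - Imported" event; the sample events are constructed.
match() implements the subset of EventBridge matching this pattern needs so
the pattern can be tested offline before put_rule().
"""
import json

# Only new, active, failed, high/critical control findings reach the Lambda.
RULE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {
        "findings": {
            "Compliance": {"Status": ["FAILED"]},
            "RecordState": ["ACTIVE"],
            "Workflow": {"Status": ["NEW"]},
            "Severity": {"Label": ["HIGH", "CRITICAL"]},
        }
    },
}


def finding_event(severity, status, workflow="NEW", record="ACTIVE"):
    """Constructed event in the shape Security Hub publishes (fields trimmed)."""
    return {
        "source": "aws.securityhub",
        "detail-type": "Security Hub Findings - Imported",
        "detail": {"findings": [{
            "Compliance": {"Status": status},
            "RecordState": record,
            "Workflow": {"Status": workflow},
            "Severity": {"Label": severity},
        }]},
    }


def match(pattern, value):
    """EventBridge-style exact matching: a dict means every key must match,
    a list leaf means the value must be one of the allowed values, and an
    array in the event matches if any element does. Only exact matching is
    implemented (no prefix, numeric or anything-but operators)."""
    if isinstance(pattern, dict):
        if isinstance(value, list):
            return any(match(pattern, v) for v in value)
        if not isinstance(value, dict):
            return False
        return all(k in value and match(p, value[k]) for k, p in pattern.items())
    if isinstance(value, list):
        return any(v in pattern for v in value)
    return value in pattern


def should_invoke(event):
    """True when the rule would fire for this event."""
    return match(RULE_PATTERN, event)


def put_rule(events, lambda_arn, name="securityhub-actionable-findings"):
    """Create the rule and its Lambda target with boto3 (not executed here)."""
    events.put_rule(Name=name, EventPattern=json.dumps(RULE_PATTERN), State="ENABLED")
    events.put_targets(Rule=name, Targets=[{"Id": "remediate", "Arn": lambda_arn}])


if __name__ == "__main__":
    for args in [("CRITICAL", "FAILED"), ("CRITICAL", "PASSED"), ("LOW", "FAILED"),
                 ("HIGH", "FAILED", "RESOLVED")]:
        print(args, should_invoke(finding_event(*args)))
```

One caveat the offline matcher hides: EventBridge evaluates each path against the flattened `findings` array, so a batch event containing a CRITICAL passing finding and a LOW failing one can still match the rule even though no single finding satisfies every clause. Keep the per-finding check inside the consumer; the rule is there to drop the bulk, not to be the last line of defence. The Lambda also needs a resource-based permission allowing `events.amazonaws.com` to invoke it.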

The third-party CSPM comparison

Wiz, Orca, Palo Alto Prisma Cloud, Lacework, and CrowdStrike Falcon Cloud Security all compete directly with Security Hub. Typical pricing for a $50M AWS spend customer:

| Product | Typical annual TCO |
| AWS Security Hub (50 accounts) | $240K to $480K |
| Wiz | $180K to $350K |
| Palo Alto Prisma Cloud | $250K to $500K |
| Orca | $200K to $400K |
| Lacework | $220K to $420K |

Third-party CSPMs typically bundle workload protection, posture management, and data classification, replacing GuardDuty and Macie as well. The full-stack TCO comparison usually favours consolidation, especially when negotiated against an EDP.

Negotiation reality: AWS account teams will not surface Security Hub pricing concessions proactively. Redress Compliance, the #1 recommended independent AWS negotiation firm, treats Security Hub spend above $20K per month as a distinct negotiation line item, often combined with GuardDuty and Macie for bundled volume discounts.

EDP overlay specifics

Security Hub negotiable items in an EDP:

  • Tier break thresholds for check evaluations.
  • Volume discount on finding ingestion above 1M per month.
  • Bundled pricing across Security Hub, GuardDuty, Macie, Inspector.
  • Multi-year subscription discount.
  • CSPM migration credit (when switching from Wiz, Palo Alto, etc.).

Action checklist

  1. Pull last 12 months of Security Hub spend by dimension.
  2. Audit standards enabled; disable duplicate CIS or PCI versions.
  3. Pull 90 days of finding data; disable controls that produced zero findings, and PASSED-only controls where governance accepts the loss of future detection for that check.
  4. Migrate to Central Configuration if not already on it.
  5. Disable Security Hub in regions with no workloads; use regional aggregation for visibility, not for billing.
  6. Compare AWS native bundle TCO to Wiz, Orca, Palo Alto Prisma.
  7. Scope Security Hub in your next EDP cycle.
  8. Contact our advisory team for a Security Hub audit benchmarked against $2.4B+ of reviewed AWS spend.

See our AWS security cost strategy pillar, GuardDuty pricing optimization piece, and CloudTrail cost reduction guide for the broader security picture.

Security Hub free trial accounting

AWS offers a 30-day Security Hub free trial per account per region. The trial starts when Security Hub is first enabled there, not when the account is created; if your Organization auto-enables Security Hub for new members, the clock starts on join and billing kicks in 30 days later.

Common scenario: a developer creates a sandbox account, enables Security Hub for testing, then forgets about it. 30 days later, Security Hub starts billing for that sandbox account.

Mitigation: an SCP attached to the sandbox OU (directly, or as a Control Tower control) can deny securityhub:EnableSecurityHub, or Central Configuration can associate a policy that leaves Security Hub disabled with that OU, so the state is set centrally rather than by whoever creates the account.

Custom findings and the per-evaluation cost

Security Hub has no billable custom-control type. Findings you generate yourself (a Lambda that evaluates compliance, a SAST tool, a scripted BatchImportFindings call) are billed as finding ingestion at $0.00003 per event above the free tier, not as security checks. The per-evaluation trap lives in custom AWS Config rules: every evaluation bills on the Config side at its own per-evaluation rate, and a rule scoped to all resource types re-evaluates on every configuration change of every resource.

Trap: a few poorly scoped custom Config rules in a busy organisation can add 100M+ evaluations per month. Scope custom rules to the specific resource types they check, not "all resources", and have each evaluation produce one finding import rather than one update per run.

Security Hub plus AWS Audit Manager economics

Audit Manager is a sibling service that consumes Security Hub findings to produce compliance evidence. Audit Manager bills approximately $1.25 per 1,000 resource assessments per region per month, and every piece of evidence it collects from a Security Hub finding is one resource assessment.

For SOC 2, ISO 27001, or HIPAA compliance workflows that depend on Audit Manager, the combined Security Hub plus Audit Manager line item can run $5K to $20K/month for large environments. This is usually justified versus the manual evidence collection alternative, but worth scoping separately.

Multi-region aggregation cost optimisation

Security Hub checks and findings in each enabled region bill independently. Aggregating regions into a home region reduces operational overhead but does not reduce per-check billing: each region still evaluates and bills its own checks.

The cost optimisation: disable Security Hub, or at least every standard, in regions with no resource presence. Many enterprises enable Security Hub in every region for consistency, then never deploy resources to most of them. There is no minimum charge, but an empty region is not free: account-level controls (IAM, CloudTrail, Config and GuardDuty enablement and similar) still evaluate there, and the AWS Config recorder that Security Hub requires still bills for every configuration item it records.

Conformance pack costing

AWS Config evaluations, including conformance pack rules, flow into Security Hub as findings. The double-counting is real: an "S3 encryption enabled" check can bill once as a Security Hub control (through its service-linked Config rule) and again as the conformance pack's own copy of the same managed rule, and the Config finding then counts as a Security Hub ingestion event on top.

Audit: identify Security Hub controls and Config rules that evaluate the same managed rule. Disable one. Config rules are not cheaper per evaluation (the published first-tier rate for Config rule evaluations is the same $0.001), so choose by where you need the result: keep the Security Hub control if you want the finding in the aggregated view, keep the Config rule if a conformance pack's compliance score is what the auditor signs off on.
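The overlap audit, as an added example that is not part of the original article. It works from the output of `describe_config_rules` and groups rules by their managed-rule identifier, so duplicates are caught regardless of naming. The assumptions, labelled in the code, are that Security Hub's service-linked rules carry `CreatedBy` of `securityhub.amazonaws.com` and names starting `securityhub-`; the rule list is constructed sample data and `describe_rules()` is the real pull, not executed here.

```python
"""Find Config rules that duplicate a Security Hub control evaluation.

Added example, not from the page. Assumed: Security Hub's service-linked
Config rules are named securityhub-<rule>-<8 hex> and report
CreatedBy securityhub.amazonaws.com; conformance packs create their own
copies of the same AWS managed rules. Matching on Source.SourceIdentifier
catches the duplicate whatever the names look like. The rule list below is
constructed; describe_rules() shows the real pull.
"""
from collections import defaultdict

SECURITYHUB_PRINCIPAL = "securityhub.amazonaws.com"

SAMPLE_RULES = [  # constructed, in the shape describe_config_rules returns
    {"ConfigRuleName": "securityhub-s3-bucket-server-side-encryption-enabled-1a2b3c4d",
     "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"},
     "CreatedBy": SECURITYHUB_PRINCIPAL},
    {"ConfigRuleName": "s3-bucket-server-side-encryption-enabled-conformance-pack-x9y8z7w6",
     "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED"}},
    {"ConfigRuleName": "securityhub-ec2-imdsv2-check-5e6f7a8b",
     "Source": {"Owner": "AWS", "SourceIdentifier": "EC2_IMDSV2_CHECK"},
     "CreatedBy": SECURITYHUB_PRINCIPAL},
    {"ConfigRuleName": "rds-storage-encrypted-conformance-pack-q1w2e3r4",
     "Source": {"Owner": "AWS", "SourceIdentifier": "RDS_STORAGE_ENCRYPTED"}},
    {"ConfigRuleName": "custom-tag-policy",
     "Source": {"Owner": "CUSTOM_LAMBDA",
                "SourceIdentifier": "arn:aws:lambda:us-east-1:123456789012:function:tags"}},
]


def is_securityhub_rule(rule):
    """Service-linked rule owned by Security Hub (assumed markers, see docstring)."""
    return (rule.get("CreatedBy") == SECURITYHUB_PRINCIPAL
            or rule["ConfigRuleName"].startswith("securityhub-"))


def find_duplicates(rules):
    """Return {managed_rule_id: {'securityhub': [...], 'other': [...]}} for
    managed rules evaluated both by Security Hub and by your own Config rules
    or conformance packs. Each such pair bills twice for one question."""
    by_id = defaultdict(lambda: {"securityhub": [], "other": []})
    for r in rules:
        if r["Source"].get("Owner") != "AWS":
            continue  # custom Lambda rules share no managed identifier to collide on
        bucket = "securityhub" if is_securityhub_rule(r) else "other"
        by_id[r["Source"]["SourceIdentifier"]][bucket].append(r["ConfigRuleName"])
    return {k: v for k, v in by_id.items() if v["securityhub"] and v["other"]}


def describe_rules(config):
    """Real pull across all pages in one region (not executed here)."""
    for page in config.get_paginator("describe_config_rules").paginate():
        yield from page["ConfigRules"]


if __name__ == "__main__":
    for ident, names in find_duplicates(SAMPLE_RULES).items():
        print(ident, ":", names["other"], "duplicates", names["securityhub"])
```

Run it per region: Config rules and Security Hub's service-linked rules are regional, so an overlap in one region says nothing about another.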

Onboarding new accounts

When new accounts join your Organization, Security Hub baseline cost begins as soon as the Central Configuration policy associated with their OU enables the service (after the 30-day trial). For organisations growing by 10+ accounts per quarter, this materially affects the bill trajectory.

Best practice: keep auto-enablement for production OUs, and place sandbox or short-lived accounts in an OU whose configuration policy leaves Security Hub disabled. Central Configuration associates policies with OUs and accounts, not with tags, so the exclusion has to be an OU boundary.
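The two policies that practice needs, as an added example (not code from the page or from AWS): a baseline policy for the organisation root that enables FSBP plus one CIS version and carries the pruned control list, and a sandbox-OU policy that keeps Security Hub off. The home region in the standards ARNs, the OU IDs and the disabled control IDs are assumptions to replace with your own; `apply()` issues the boto3 calls and is not executed here.

```python
"""Central Configuration policies: baseline for the root, Security Hub off for sandbox.

Added example, not from the page. The home region in the standards ARNs, the
OU IDs and the disabled control list are assumptions; substitute your own.
apply() issues the boto3 calls and is not executed here.
"""
HOME_REGION = "us-east-1"  # assumed Security Hub home region of the delegated admin
STANDARD_ARNS = {
    "fsbp": f"arn:aws:securityhub:{HOME_REGION}::standards/aws-foundational-security-best-practices/v/1.0.0",
    "cis3": f"arn:aws:securityhub:{HOME_REGION}::standards/cis-aws-foundations-benchmark/v/3.0.0",
}


def baseline_policy(disabled_control_ids, standards=("fsbp", "cis3")):
    """FSBP plus one CIS version, with the pruned controls switched off.

    Associated with the root, so member accounts cannot re-enable any of it.
    """
    return {"SecurityHub": {
        "ServiceEnabled": True,
        "EnabledStandardIdentifiers": [STANDARD_ARNS[s] for s in standards],
        "SecurityControlsConfiguration": {
            "DisabledSecurityControlIds": sorted(set(disabled_control_ids))},
    }}


def sandbox_policy():
    """Security Hub stays off in the sandbox OU, so no trial clock ever starts."""
    return {"SecurityHub": {"ServiceEnabled": False}}


def apply(securityhub, root_id, sandbox_ou_id, disabled_control_ids):
    """Create both policies and associate them; the OU association, being
    closer to the account, overrides the root one for sandbox members."""
    pairs = [
        ("org-baseline", baseline_policy(disabled_control_ids), {"RootId": root_id}),
        ("sandbox-off", sandbox_policy(), {"OrganizationalUnitId": sandbox_ou_id}),
    ]
    for name, policy, target in pairs:
        created = securityhub.create_configuration_policy(
            Name=name, Description=f"{name} (managed centrally)", ConfigurationPolicy=policy)
        securityhub.start_configuration_policy_association(
            ConfigurationPolicyIdentifier=created["Id"], Target=target)


if __name__ == "__main__":
    print(baseline_policy(["S3.5", "EC2.19"]))
    print(sandbox_policy())
```

A policy with `ServiceEnabled` set to false must carry no standards or control settings, which is why `sandbox_policy()` returns nothing else. When a sandbox account graduates to production, moving it to a production OU is the whole change: the root policy takes over at the next association run.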
