- Post History
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
an hour ago
If your organization is looking down the barrel of a ServiceNow SecOps License renewal within the next 12 months, the landscape has fundamentally shifted. Back in April 2026, ServiceNow restructured the licensing and packaging rules for Security Operations.
The legacy approach, where Security Incident Response (SIR) and Vulnerability Response (VR) operated largely as single product SKUs with various add ons, has been completely replaced by a structured three tier model: Foundation, Advanced, and Prime.
Crucially, capabilities that historically came standard or out of the box are now gated behind specific tiers. If you are preparing for a renewal, understanding exactly where your required capabilities live is essential to avoiding unexpected gaps or unnecessary license inflation.
Watch the Whiteboard Deep Dive
Before reviewing the structural breakdown below, you can watch the full session video where I map out these April 2026 tier changes, the hidden licensing ceilings, and the exact decision matrix I use when sitting down with enterprise CISOs:
What Changed: From Add-ons to Tiered Bundles
In the previous packaging model, major workflows were standard inclusions. Today, capabilities are strictly partitioned across Foundation, Advanced, and Prime. Additionally, Now Assist generative AI allocations are tied directly to the tier itself rather than handled as an independent conversation.
Here is the architectural breakdown of how capabilities map to the new tiers:
-
Foundation Tier: This serves as the entry point, providing core application tables, threat intelligence, configuration compliance, and basic Now Assist capabilities. It acts strictly as a ticketing discipline framework rather than a mature, program level solution.
-
Advanced Tier: This is the practical baseline for enterprise environments. It introduces Major Security Incident Management (MSIM) on the SIR side, and Vulnerability Crisis Management (for zero days) and Patch Orchestration on the VR side. Critically, the Cybersecurity Executive Dashboard, the primary reporting layer for board level visibility, is unlocked at this tier for both products.
-
Prime Tier: This introduces entirely native platform capabilities focused on security stack consolidation. Data Loss Prevention (DLP) Incident Response is exclusive to SIR Prime, while Vulnerability Solution Management (mapping remediation directly back to root cause configuration items rather than isolated ticket counts) is exclusive to VR Prime.
The 4 Common Deployment Patterns
Because SIR and VR are rarely deployed in isolation, architectural decision making relies on combining the tiers effectively. Looking at enterprise deployments under this model, four primary patterns emerge:
| Pattern | Profile | Use Case |
| Foundation + Foundation | Mid market or minimal SOC operations. | Suitable for small teams requiring centralized security ticketing discipline without formal, board reported program metrics. |
| Advanced + Advanced | Current enterprise default baseline. | Designed for organizations with a named CISO, a formalized MSIM process, an active patch cadence, and a requirement for native board level reporting. |
| SIR Prime + VR Advanced | DLP integrated operations. | Tailored for highly regulated industries like banking or healthcare requiring native DLP alert consolidation on platform, but without immediate engineering appetite for advanced VR solution management. |
| Prime + Prime | Full security vendor consolidation. | Leveraged by large enterprises running an explicit mandate to shrink the security tool stack, run native DLP response, and track remediation via root cause CI mapping. |
Real World Architecture Scenarios
To see how this applies in practice, consider these two distinct organizational profiles:
Scenario A: The Regulated Regional Bank
-
Profile: 800 IT fulfillers, 1,500 monitored security assets, a named CISO, active DLP initiatives, and a requirement for quarterly board level patch metrics.
-
Analysis: Selecting Foundation + Foundation blocks all required board metrics outright. Moving to Advanced + Advanced captures the major incident workflows and executive dashboards but leaves DLP response disconnected.
-
Architectural Target: SIR Prime + VR Prime. The combination of active DLP management and the need for root cause asset remediation justifies the top tier alignment.
Scenario B: The B2B SaaS Provider
-
Profile: 150 IT fulfillers, 400 monitored assets, an outsourced SOC running with two internal analysts, no current or planned DLP program.
-
Analysis: Jumping straight to Prime + Prime introduces significant shelfware, paying for DLP workflows and solution management engineering that the internal team lacks the cycles to consume. Conversely, Foundation breaks their formal major incident response structure.
-
Architectural Target: SIR Advanced + VR Advanced. This provides full coverage for the actual operating model without tier inflation.
5 Critical Questions for Platform Alignment
Before entering renewal discussions, platform owners and security architects should validate these five operational pivot points:
-
Do you have a formalized Major Security Incident process? If yes, SIR Advanced is your absolute floor. MSIM does not exist in Foundation.
-
Is there an active or funded DLP roadmap? If you plan to manage DLP alerts natively on the platform, SIR Prime is required.
-
Are your vulnerability metrics board reported? If your leadership tracks patch cadences, SLAs, and zero day crisis responses, VR Advanced is the minimum floor required to generate those outcomes.
-
Are you tracking ticket closure or root cause remediation? If the mandate is to prove configuration items are materially safer rather than just showing closed task counts, VR Prime’s Solution Management is necessary.
-
Is SecOps part of a broader vendor reduction strategy? If the goal is decommissioning third party tools, map the displacement math directly against the Prime tier capabilities to see where the consolidation overlap sits.
Pitfalls to Watch For
-
Decoupled Decision Making: Remember that SIR and VR tiers are entirely independent architecture decisions. You do not have to match tiers across both products; building a mixed architecture like SIR Prime with VR Advanced is completely valid.
-
Now Assist Consumption Volatility: GenAI allocations scale with the tier. Heavy automated summarization or intense incident volumes will deplete allocations faster than standard sizing estimates suggest. Ensure your consumption footprint is modeled closely ahead of time.
How is your organization approaching the transition to the structured tiers? If you have run into specific scoping boundary lines between Advanced and Prime on recent implementations, let's discuss in the comments below.