Exploring Security Operations

  • Release version: Zurich
  • Updated December 3, 2025

Protect your assets and enterprise environment with ServiceNow Security Operations applications and the power of the ServiceNow AI Platform®. Connect your security and IT teams to help you prioritize and resolve threats based on the impact they pose to your organization.

    Security Operations overview

    The Security Operations suite of applications helps you protect your assets by improving your overall security posture. For example, by integrating applications such as Unified Security Exposure Management (USEM), Security Incident Response, Vulnerability Response, and Security Posture Control with your existing security tools, your Security Operation Center (SOC) analysts, managers, and IT teams can:
    • Respond to rapidly evolving cyber and security threats.
    • Identify, prioritize, and remediate exposure findings in the Unified Security Exposure Management (USEM) platform that brings together infrastructure, application, container, and configuration exposures into one unified experience.
    • View your complete asset inventory.
    • Determine your overall security tool coverage.
    • Resolve security incidents faster with intelligent workflows and ServiceNow Generative AI skills (GenAI). See Now Assist for Security Incident Response for more information.

    Security Operations applications for workflows

    The Security Operations applications fall under two broad categories for Security Operations workflows:
    • Unified Security Exposure Management (USEM) - Applications and tools that help you anticipate, understand, and close your security exposures. See Unified Security Exposure Management (USEM) for more information about using Security Operations applications in USEM.
    • Enterprise security case management - Applications and tools that help you move quickly to respond to critical incidents.
    Figure 1. Security workflows
    The Security Operations applications and workflows organized by category.

    Benefits of the Security Operations applications

    View Security Operations applications and data with next-generation user interfaces (workspaces). With workspaces, the security analysts, Security Operation Center (SOC) managers, and remediation specialists in your organization can monitor and manage the following types of workflows from one location:
    • The life cycle of security incidents from an initial analysis to containment, eradication, and recovery.
    • The security exposures that they care the most about so they can decide strategically which vulnerabilities they send to IT teams to fix.
    • Key insights and key use cases for security tool coverage and asset hygiene that report and monitor imported information about your assets.
    The two categories of Security Operations applications, and the use cases they help you address in your enterprise environment, are as follows:
    • USEM applications - Applications that help you anticipate threats and identify security exposures.
    • Enterprise security case management applications - Applications that help you respond to critical security breaches and incidents.

    USEM applications

    Table 1. Applications that help you anticipate threats and identify security exposures
    Application: Security Posture Control

    Description: Gain insights into how well security tools are deployed and covering your assets based on an asset inventory and imported data. Service graph connectors and ServiceNow products such as Hardware Asset Management (HAM) and ITOM Discovery are supported for data imports.

    Audits based on policies help you prioritize the remediation of high-risk combinations such as internet exposure and known vulnerabilities. Create custom policies and insights to monitor the compliance of assets with your internal security tool configuration standards.

    Users:
    • CISO
    • Information security analyst
    • Security operations manager
    • IT Operations engineer
    • Service owner (remediation owner persona)

    Application: Unified Security Exposure Management (USEM)

    Description: View security exposure findings as well as consolidated, multiple exposure findings across all asset types in one unified platform.

    Monitor and manage all types of security exposures across your organization’s attack surface that use imported data from the following applications:
    • Vulnerability Response
    • Application Vulnerability Management
    • Configuration Compliance
    • Container Vulnerability Response

    Users:
    • Vulnerability managers and analysts
    • Compliance managers and analysts
    • Remediation owners
    • Security champions
    • Service owners

    Enterprise security case management applications

    Table 2. Applications that help you respond to critical security breaches and incidents
    Application: Security Incident Response

    Description: Simplify the process of identifying critical incidents by applying powerful workflow and automation tools that speed up remediation.

    Integrate your existing Security Information and Event Manager (SIEM) tools with Security Incident Response and Security Operations applications to import threat data from various sources and automatically create prioritized security incidents.

    Users:
    • CISO
    • Information security analyst
    • Security operations manager
    • Threat intelligence analyst

    Application: Major Security Incident Management

    Description: The major security incident management capabilities work with the existing security incident response product capabilities. This includes the ability for a security analyst to escalate a standard security incident to a major security incident, so that the new product capabilities are available to support the remediation process.

    Track the progress of a Major Security Incident (MSI) from discovery to analysis. Propose solutions, promote and link security incidents, and bring them to closure.

    Users:
    • CISO
    • Information security analyst
    • Security operations manager
    • IT Operations engineer
    • Service owner (remediation owner persona)
    • General counsel

    Application: Data Loss Prevention Incident Response

    Description: The Data Loss Prevention Incident Response (DLP IR) application permits you to review and manage the remediation workflow of DLP incidents from multiple sources, such as endpoint, network, email, and cloud.

    With the DLP application, you can identify, respond to, and protect your data loss channels.

    Users:
    • CISO
    • Information security analyst
    • Security operations manager

    Application: Threat Intelligence

    Description: Allows incident response teams to automate threat lookups, searches, and correlation. The integration with MITRE ATT&CK permits you to measure and understand detection and mitigation coverage and assists with threat hunting.

    Users:
    • CISO
    • Information security analyst
    • Security operations manager
    • Threat intelligence analyst

    Application: Threat Intelligence Security Center (TISC)

    Description: Aggregate, curate, and manage threat intelligence from multiple sources and conduct threat intelligence case management. Track campaigns, operationalize threat intelligence, and respond to actionable intelligence.

    Users:
    • CISO
    • Information security analyst
    • Security operations manager
    • Threat intelligence analyst
