Protect your assets and enterprise environment with ServiceNow Security Operations applications and the power of the Now Platform®. Connect your security and IT teams to help you prioritize and resolve threats based on the impact they pose to your organization.

Security Operations overview

The Security Operations suite of applications helps you protect your assets by improving your overall security posture. For example, by integrating applications such as Security Incident Response, Vulnerability Response, and Security Posture Control with your existing security tools, your Security Operation Center (SOC) analysts, managers, and IT teams can:
  • Respond to rapidly evolving cyber and security threats
  • Identify, prioritize, and remediate vulnerabilities
  • View your complete asset inventory
  • Determine your overall security tool coverage
  • Resolve security incidents faster with intelligent workflows and ServiceNow Generative AI skills (GenAI). See Now Assist for Security Incident Response for more information.

Security Operations applications for workflows

The Security Operations applications fall under two broad categories for Security Operations workflows:
  • Attack surface management- Applications and tools that help you anticipate, understand, and close your vulnerabilities.
  • Enterprise security case management - Applications and tools that help you move quickly to respond to critical incidents.
Figure 1. Security workflows
The Security Operations applications and workflows organized by category.

The two categories of Security Operations applications and the use cases they help you address in your enterprise environment.

Benefits of the Security Operations applications

View Security Operations applications and data with next-generation user interfaces (workspaces). With workspaces, the security analysts, Security Operation Center (SOC) managers, and remediation specialists in your organization can monitor and manage the following types of workflows from one location:
  • The life cycle of security incidents from an initial analysis to containment, eradication, and recovery.
  • The vulnerabilities that they care the most about so they can decide strategically which vulnerabilities they send to IT teams to fix.
  • Key insights and key use cases for security tool coverage and asset hygiene that report and monitor imported information about your assets.

Attack surface management applications

Table 1. Applications that help you anticipate threats and identify vulnerabilities
Application Description Users
Security Posture Control

Gain insights into how well security tools are deployed and covering your assets based on an asset inventory and imported data. Service graph connectors and ServiceNow products such as Hardware Asset Management (HAM) and ITOM Discovery are supported for data imports.

Audits based on policies help you prioritize the remediation of high-risk combinations such as internet exposure and known vulnerabilities. Create custom policies and insights to monitor the compliance of assets with your internal security tool configuration standards.
  • CISO
  • Information security analyst
  • Security operations manager
  • IT Operations engineer
  • Service owner (remediation owner persona)
Vulnerability Response
Third-party vulnerability scanners and assessment tools help you identify the risks vulnerabilities pose the following types of assets:
  • Infrastructure (host)
  • Container
  • Applications
  • Software bill of materials

Vulnerabilities that are identified by these tools translate as risks to the security and IT teams responsible for maintaining and securing an organization’s assets.
  • CISO
  • Information security analyst
  • Security operations manager
  • IT Operations engineer
  • Service owner (remediation owner persona)
Configuration Compliance

Verify your compliance with security or corporate policies.

Identify, prioritize, and remediate non-compliant configuration items with test results obtained from third-party Secure Configuration Assessment (SCA) integrations.
  • CISO
  • Information security analyst
  • Security operations manager
  • IT Operations engineer
  • Service owner (remediation owner persona)

Enterprise security case management applications

Table 2. Applications that help you respond to critical security breaches and incidents
ApplicationDescriptionUsers
Security Incident Response

Simplify the process of identifying critical incidents by applying powerful workflow and automation tools that speed up remediation.

Integrate your existing Security Information and Event Manager (SIEM) tools with Security Incident Response and Security Operations applications to import threat data from various sources and automatically create prioritized security incidents.
  • CISO
  • Information security analyst
  • Security operations manager
  • Threat intelligence analyst
Major Security Incident Management

The major security incident management capabilities work with the existing security incident response product capabilities. This includes an ability for a security analyst to escalate a standard security incident to a major security incident, so that the new product capabilities are available to support the remediation process.

Track the progress of Major Security Incident (MSI) from discovery to analysis. Propose solutions, promote, and link security incidents, and closure.
  • CISO
  • Information security analyst
  • Security operations manager
  • IT Operations engineer
  • Service owner (remediation owner persona)
  • General council
Data Loss Prevention Incident Response The Data Loss Prevention Incident Response (DLP IR) permits you to review and manage the remediation workflow of DLP incidents from multiple sources, such as endpoint, network, email, and cloud.

With the DLP application, you can identify, respond, and protect your data loss channels.
  • CISO
  • Information security analyst
  • Security operations manager
Threat Intelligence

Allows incident response teams to automate threat lookups, searches, and correlation. The integration with MITRE ATT&CK permits you to measure and understand detection and mitigation coverage and assists with threat hunting.
  • CISO
  • Information security analyst
  • Security operations manager
  • Threat intelligence analyst
Threat Intelligence Security Center (TISC) Aggregate, curate, and manage threat intelligence from multiple sources and conduct threat intelligence case management. Track campaigns, operationalize threat intelligence, and respond to actionable intelligence.
  • CISO
  • Information security analyst
  • Security operations manager
  • Threat intelligence analyst

What to explore next

Select a tile to get started with the Security Operations Workspaces.

Troubleshoot and get help