[Serverless] Update Security billing dimensions docs to reflect Endpoint Protection included at no extra cost

[gaurav-elastic]

Update Security Billing Dimensions Docs for Endpoint Pricing Change

Parent Epic: https://github.com/elastic/security-team/issues/13454
Page to update: https://www.elastic.co/docs/deploy-manage/cloud-organization/billing/security-billing-dimensions
Due date: 23rd March 2026, 09:00 Pacific time

Background

As part of the initiative to simplify Elastic Security Serverless endpoint protection pricing, the Endpoint Protection Complete/Essentials - Protected Endpoints PLI is being set to $0. Endpoint Protection will be included by default at no additional cost for all Serverless Security projects.

The current documentation on the Security billing dimensions page describes Endpoint Protection as an "optional add-on" with per-endpoint billing. This needs to be updated to reflect the new pricing model.

Current Text

Endpoint Protection is an optional add-on to Security Analytics that provides endpoint protection and threat prevention. Endpoint Protection is available in two tiers of selected features to enable common endpoint security operations:

• Endpoint Protection Essentials — Includes robust protection against malware, ransomware, and other malicious behaviors.
• Endpoint Protection Complete — Adds endpoint response actions and advanced policy management.

You pay based on the number of protected endpoints configured with the Elastic Defend integration. Logs, events, and alerts from these endpoints are billed using the Ingest and Retention pricing. If you're using Elastic Defend solely for data collection (without Endpoint Essentials or Complete add-ons), endpoints do not count towards billing. In this case, you're only billed for data ingestion and retention, and you can configure event collection and telemetry in the policy without enabling protections.

Proposed Updated Text

Endpoint Protection is included with Security Analytics at no additional cost, providing endpoint protection and threat prevention for all your endpoints. Endpoint Protection is available in two tiers of selected features to enable common endpoint security operations:

• Endpoint Protection Essentials — Includes robust protection against malware, ransomware, and other malicious behaviors.
• Endpoint Protection Complete — Adds endpoint response actions and advanced policy management.

Endpoint Protection is enabled by default for all Serverless Security projects and there is no additional per-endpoint charge. Logs, events, and alerts from protected endpoints are billed using the Ingest and Retention pricing. You can configure event collection and telemetry in the policy to control your data volume.