I am a security architect. I construct the solutions. ServiceNow Security Operations is on-premises, however, it's a hybrid model where you can have a public cloud also working in tandem with your on-site deployment.
The main use case is SecOps or security operations. ServiceNow Security is a two-way ticketing model that gets integrated with Splunk, for example. Splunk will provide two-way integration into the service management process. You have Splunk on one end and ServiceNow on the other end. The tickets will be integrated between the two and be either manually or automatically created. The tickets can be initiated from either platform and automatically or manually pushed as well.