Cisco XDR delivers an advanced threat detection and response experience through integration with Cisco's security suite, offering enhanced visibility, intelligence, and automation for network protection and system evaluations.



| Product | Mindshare (%) |
|---|---|
| Cisco XDR | 1.6% |
| CrowdStrike Falcon | 9.2% |
| SentinelOne Singularity Endpoint | 6.0% |
| Other | 83.2% |

| Title | Rating | Mindshare | Recommending | Interviews |
|---|---|---|---|---|
| CrowdStrike Falcon | 4.3 | 9.2% | 97% | 140 |
| Cortex XDR by Palo Alto Networks | 4.2 | 4.6% | 96% | 112 |

| Company Size | Count |
|---|---|
| Small Business | 11 |
| Midsize Enterprise | 6 |
| Large Enterprise | 2 |

| Company Size | Count |
|---|---|
| Small Business | 193 |
| Midsize Enterprise | 66 |
| Large Enterprise | 146 |

Cisco XDR integrates with Cisco Meraki and Splunk, excelling in threat intelligence and zero-day attack detection. Its automated response features provide crucial support in managing extensive networks, while the comprehensive log management facilitates detailed troubleshooting. Dashboards assist in system evaluation for effective gap mitigation. Despite its licensing complexity and upfront costs, it remains a key tool for Security Operations Center analysts and internet service providers, helping isolate threats and ensuring consistent security monitoring.
What features make Cisco XDR stand out?

Cisco XDR is widely implemented in sectors requiring robust network management and monitoring. Organizations use it alongside Cisco Firepower Threat Defense and Meraki for comprehensive security measures, benefiting global customers and internet service providers for traffic and routing insights across devices and data centers.

| Author info | Rating | Review Summary |
|---|---|---|
| Senior Systems Consultant at W.C. Bradley Co. | 4.5 | I find Cisco XDR excellent for centralized visibility and AI-powered incident investigation across diverse security sources, significantly improving response times and accuracy. However, custom workflow automation is complex, and clearer documentation on its incident flagging logic is needed. |
| Head of Business Operations at SISA | 4.0 | I use Cisco XDR as our main detection/response platform, integrating on‑prem and AWS/Azure sources for single‑pane visibility, useful dashboards, and threat intelligence to block IOCs proactively. It’s stable, scalable, and well supported, cutting response time and staffing, though integrations need better out‑of‑box SOPs. |
| Cloud Architect at Pure Storage | 4.5 | I've found Cisco XDR highly customizable and effective for log review and analytics, offering strong ROI, simple deployment, excellent support, and AI-driven insights that improve incident response and team collaboration across our hybrid cloud environment. |
| Senior Technical Support Executive at digital track | 4.5 | Cisco XDR provides excellent centralized visibility, alert correlation, and incident response, significantly boosting our security efficiency. While powerful, its user experience and configuration complexity could be more intuitive for smoother daily operations. |
| Cybersecurity Analyst at Digitaltrack | 4.0 | Cisco XDR centralizes threat detection and incident investigation, significantly speeding up our SOC team's response by correlating alerts and automating workflows. It offers strong visibility and ROI, though I wish for better dashboard customization, reporting, and easier onboarding for new analysts. |
| Cybersecurity Analyst at DigitalTrack solution pvt ltd | 4.5 | I value Cisco XDR for its centralized threat detection, faster incident response, and significant reduction in investigation time. It improves SOC productivity, offering stable performance, scalability, and good integration, despite an initial learning curve. |
| Engineering Security Manager at a recreational facilities/services company with 201-500 employees | 3.5 | I find Cisco XDR excellent for threat hunting and log correlation, improving behavioral analysis. Its AI, automation, and integration significantly reduce effort and response time, proving highly valuable, stable, and scalable for my organization. |
| Penetration Tester at Essen Vision Software | 4.0 | Cisco XDR significantly improved our SOC's incident response by centralizing threat detection and automating alert correlation across various tools. This reduced investigation time by 40-50% and decreased alert fatigue, though UI customization and non-Cisco integrations could improve. |
| Manager IT at NVCL Group | 4.0 | I've used Cisco XDR for a year, mainly for email and endpoint security, and appreciate its centralized visibility, proactive threat response, and integration. However, I'd like better AI features, lower pricing, and more responsive technical support. |
| Cybersecurity Analyst at an outsourcing company with 51-200 employees | 4.0 | I find Cisco XDR excellent for swift threat detection and response, significantly reducing my mean time to detect and respond. Its early detection, contextual alerts, and containment features are valuable. I highly recommend it, though the interface could improve. |

We integrated Cisco XDR into customer environments and I completed multiple deployments with the product.
The investigative ability of Cisco XDR is amazing to me. Once all the data is in Cisco XDR and it flags an incident when it sees something that is notable, important, and of concern, it will raise an incident. The ability to look at one screen about this incident and get data from multiple different sources is a very great capability for incident responders to obtain the information they need. Cisco has AI built into the product where it actually translates some of this log data. Professionals typically have to spend a huge amount of time looking through logs trying to figure out what the log data means, and this is done for you automatically.
The number one thing was getting visibility from customer environments into one console. Customers would have network telemetry from NetFlow, Secure Network Analytics, or the Cisco Telemetry Broker. They would have an endpoint product, a firewall product, and cloud resources, but they needed to correlate all of that data into one location and be able to respond to it instead of having to go into all of these separate security products. By integrating all of these products with Cisco XDR, this allowed them to have a single pane of glass and respond more effectively and quickly to security threats and know what they needed to respond to with that intelligence.
Workflows could definitely be easier to work with. Workflows are automated tasks that can be kicked off inside of a playbook. When someone is responding to something, they can click a button and it will perform automated tasks for them inside of these other products. The product can actually control the behavior of a firewall and you can write a rule in a firewall from Cisco XDR without having to go into the firewall software. However, if it is not a native workflow automation, it is very difficult to create your own. It is not intuitive and you almost have to be a developer and get really good with the API. This could definitely be improved on, particularly the custom workflow automation.
Another thing that could be improved is Cisco documenting how it makes decisions, because there are certain factors or criteria that it uses from the source products. Cisco XDR gets all of its data from the integrations, so if you do not integrate anything, it is not going to do anything. Sometimes in these integration products, such as Secure Network Analytics or Cisco Security Exposure, they could be generating some type of alert and you do not necessarily see that in Cisco XDR. This is because it knows, maybe because of these other products, it is not really a big deal and is not big enough to raise an incident. However, I do not think Cisco does a great job in explaining what those rules are, such as why this happens and how this happens. This can cause some questions and some concern. I think it is doing the right thing, but I think it would be better if they had a rule set to say, based on this data, this is how the product actually works.
I have been using the solution since 2024, for about two and a half years.
I have never run into any type of scalability issue. I have deployed Cisco XDR in really small environments and with really large environments, and there was never a point where we could not process the data. Most of the time, Cisco already has a lot of the data, especially if it is Cisco native products. I am not aware of any scalability issues where we were deploying it and said that if it is an environment over a certain size, then we cannot do it or we have to do something different.
If I had to give it a rating out of five, I would probably say about four out of five. Every now and then something weird happens in the console, the web console. This typically is because the developers seem to be making lots of changes and you have to clear your cache and clear your browser cache, and then it will eventually work. Sometimes that is a little bit annoying. There are some back-end things that may take a little bit of time to process. When you first set up the integrations, it is not immediate. There are some things on some timers and some scheduled activities such as batch processing. This goes back to people needing to understand that, and Cisco does not do a great job of explaining that. You may think that something is broken, but it just has not run yet. So on the initial integration sometimes, it does take a little bit for data to start showing up and it can cause some confusion.
I occasionally contact customer service, though not too often. I would say probably in the earlier days there were more support cases because Cisco XDR came into existence later in 2024 and the product was evolving a lot in the early days. Later on, it has gotten a lot better, and I have not had to open many support cases.
I never saw a false positive. I think it is very accurate. There were some times where it actually flagged some behavior that would have been malicious if I had not known very specific things about it. For example, it was custom code that was written by developers that did not use very good coding methodologies, so it was doing crazy things, but in this exact instance, it was not malicious. However, if I had not had that special knowledge already, I would need to respond to that. It identified that they do not need to be doing this in the first place, so that required a code change. I would say it is highly accurate. It runs everything through the MITRE Framework and it uses Cisco's intelligence where they are getting threat intelligence from Talos and all of the products that people have deployed, even if they do not have Cisco XDR. If you have Cisco security products deployed out in the world, all that data is feeding the back end. Therefore, you are taking advantage of the millions of customers out there and the environments that are running Cisco. Even if they do not have Cisco XDR, they are feeding data into your Cisco XDR solution and it is making it more intelligent.
It is all about getting the data into the product because technically there is not really anything to install in the environment. It is about connecting what is in the environment out to Cisco XDR. I would always focus on the network traffic, getting either Secure Network Analytics data out there or deploying the Cisco Telemetry Broker to get network data. We need network telemetry and then focus on the endpoint. The endpoint is probably one of the more difficult ones because it does touch all of the hosts in that customer, so they are typically more concerned with changes because they do not want to affect that environment. So we are integrating that, network, endpoint telemetry, email integration, and then cloud. If we can get the cloud data, that is typically what we would do. I have not had any issues on the Cisco XDR side. It is typically things in the customer environment that are already not working correctly and therefore we have to fix it to get the data out. However, it is typically a straightforward process as long as the underlying products are in good shape. That is where you really run into a problem, but those are not part of a Cisco XDR problem. They are just normal life in IT.
The implementation team is very professional, very helpful, and willing to help. We always had a good experience.
Cisco XDR absolutely can provide ROI. It has some default tasks that it thinks probably everybody should use, but then you can make those work. For example, if you do not have this type of product, you can take that out and not focus your time on incident response on that. You can focus your time on incident response on your email, endpoint security, and cloud.
Cisco XDR totally supports third-party integrations and it works as long as the third party already has an API. If they have an API that allows changes to be made and data to be written, then it typically works really well. If it is a closed-off system, it is not going to work well. The cloud integrations work really well getting data from AWS and getting data from Azure, and getting that network data. This is a great part of it and it does not really require much of an integration. It is just reading that data that is already there. However, it kind of depends on the third party, but it does work. When I have done it before, it has worked well.
It is difficult to say because it depends on how many products a customer would have. But if they had an endpoint product, a firewall product, a network product, and a cloud product, and they had an incident, they would have to get into each one of those and then do research, potentially an hour per product. Whereas now, they are in Cisco XDR and they are able to get the answer to this in less than thirty minutes. This is a huge time savings to me personally.
Getting the endpoint data is absolutely critical and Cisco XDR does a great job. Getting endpoint data from something such as CrowdStrike or from Cisco Secure Endpoint and then taking in data from the network with NetFlow logs or data from Secure Network Analytics or something that does IPFIX, and then the cloud logs and then also being able to do email integration for email threats, all of that data is available to investigate, to make decisions, and to see if one host ever talked to another host. When investigating an incident, that is extremely beneficial. The integration of that data and merging it into one screen where I do not have to look at different solutions is a great benefit. The merging of all of that data into one display is probably the best benefit of Cisco XDR.
There is the concept of playbooks where, if an incident is raised and there is a problem, it allows companies to build out how they want their incident response staff to operate. What is the first step? What is the second step? What do we investigate first? Who do we notify about this? It allows them to customize that response process to align with the company's own written IT security policy. This helps focus incident responders on the tasks that they need to do for that specific environment and focus on the things that are important to them, not just what Cisco thinks.
I would rate this product a nine out of ten overall.

Cisco XDR serves as the main platform for threat detection and threat response in my organization.
We have integrated all of our internal devices including firewalls, servers, EDRs, and endpoints into Cisco XDR. In typical scenarios, we find blacklisted IP communication detected by our firewall, and Cisco XDR blocks these particular attempts made by blacklisted IPs, thereby helping us secure our environment from potential cyber threats.
We focus on the alerts generated by Cisco XDR and the threat intelligence reports available on the platform. Our security team reads through those reports and proactively blocks those IPs and the IOCs on our firewall rather than waiting for Cisco XDR to raise an alert about a particular IP or IOC attempting to communicate with the environment. The threat intelligence information available on the platform is quite useful for us to proactively take actions to better secure our environment and reduce our attack surface for potential cyber threats.
Cisco XDR offers a wide range of integrations and connectors where we can integrate a whole range of devices available in our on-premises environment as well as cloud sources which we have primarily on AWS and Azure. Those environment log sources are integrated with Cisco XDR and it helps provide a single pane of glass view in terms of our security posture, giving us visibility within a single platform rather than focusing on individual security devices such as firewalls or EDRs which would typically be working in silos.
These integrations are straightforward. Cloud workloads are easier to integrate compared to on-premises devices, primarily because the cloud workloads have readymade connectors and integration standard operating procedures for us to integrate with Cisco XDR. We have typically not faced challenges with integrations with Cisco XDR. There may be certain OEMs which are not well known and cannot be directly integrated without the help of vendor support or OEM support, which we were able to connect with and ensure they are integrated with Cisco XDR.
From the reporting perspective, the dashboards offer quite a lot of predefined and useful options which help with live threat monitoring and provide a high-level view of the current threats, incident reporting metrics, mean time to detect, and mean time to respond. These sorts of dashboards are available on the platform and help provide a good view even for someone at the leadership level.
Cisco XDR has definitely improved our security posture and our visualization, ensuring that we are protected and providing greater visibility for our SOC team.
Cisco XDR has definitely reduced our mean time to respond. Previously it used to be more than 24 hours, but we have been able to reduce it to less than 16 hours due to all the various integrations and automation capabilities.
Cisco XDR has been useful for us to gain visibility into gaps in our security posture and how those can be improved by conducting analysis on the platform itself. We have utilized the platform to improve our security posture and reduce blind spots.
Cisco XDR can be improved in terms of out-of-the-box integrations and standard operating procedures available on the platform where we would not have to refer to documents outside of the platform to integrate. Having these standard operating procedures or integration methods available within the platform for most devices will help improve our experience with Cisco XDR.
The primary area for improvement is the integrations themselves.
I have been working in my current field for about ten plus years.
Cisco XDR is stable in our environment and we have not found major issues in terms of downtime or lack of monitoring coverage.
In terms of scalability, Cisco XDR is quite scalable in terms of a licensing model and the number of assets we have integrated with it. It is seamless.
The customer support has been quite good. When we raise a ticket on technical support, they reach out to us within a couple of hours to listen to our issue and provide us with solutions. I would rate customer support at nine out of ten.
Positive
We used IBM QRadar before we switched to Cisco XDR, primarily because IBM QRadar was more of a legacy system and customizations, connector building, parser building, and integrations were taking a long time, where we had to reach out to IBM for support. With Cisco XDR, we found a quicker turnaround time.
Our team required extra training and onboarding support during the initial phase, but as of now they are using it seamlessly. I would rate it at approximately eight out of ten.
We have experienced return on investment since we have been utilizing this platform for the last five years. Over time as the platform has evolved and more automations have been put in place, the number of human resources required has drastically reduced. Previously, we used to require four people in each shift to manage all of the incidents and workloads, which would essentially be about twelve people per day. We have been able to cut them down to six people per day, which is roughly half the team size required as of now. This helps in saving cost and time.
In terms of licensing and support cost, it is quite seamless. Based on the number of users we require, we have purchased as many licenses, and the setup is also a one-time cost which we received support for from Cisco's technical support team.
Before choosing Cisco XDR, we evaluated Splunk, IBM QRadar which was already existing in the environment, and Microsoft Sentinel. Cisco XDR was the best option in terms of overall feature capabilities and pricing.
In terms of DLP, Cisco XDR is quite useful. We are using a different DLP as well within our organization, so we are not extensively relying upon Cisco XDR for DLP, but it is a good solution to fall back upon. In terms of pricing, it is not the cheapest but it is also not the most expensive compared to other products we have experienced in the past.
Cisco XDR is hosted on private cloud.
We are typically deployed on AWS and have utilized automation workflows to improve our mean time to respond, reducing it from over 24 hours to less than 16 hours.
We prioritize incidents based on their criticality in terms of which devices or environments that we have integrated with this platform are affected. This has definitely helped in prioritizing incidents and ensuring that we have good coverage twenty-four hours a day, seven days a week across business hours and non-business hours by looking at the trend of what incident types occur and how often they occur, as well as what kind of team support is required across multiple shifts during the day and night.
The platform helps our SOC team access the platform across the entire shifts. We follow three shifts, and it helps with the shift handover when we transition from the morning shift to the afternoon shift or from the afternoon shift to the night shift. The platform helps seamlessly hand over from the previous analyst in the previous shift to the new analyst in the next shift.
My advice to other potential buyers of Cisco XDR would be to always conduct an evaluation or a proof of concept before actually purchasing because each environment is different and while Cisco XDR may be useful in most environments, there are potentially some environments where it may not be useful. It is always good to try before you buy. I would rate this product an eight out of ten.

My primary use case for Cisco XDR is log review from devices, and then doing analytics for quicker responses in the future to security incidents.
The feature I appreciate the most about Cisco XDR is the flexibility for a user to be able to create their own reporting and dashboards. I would say I got to stop beta testing myself. I am testing what can be customized the most with it. Being able to ingest all the analytics and make it something that's either meaningful to them or to their own leadership is a big plus. It's not just what the product is at launch; you have the ability to customize and make it useful to your business to actually get real, purposeful information out of just a swamp of data.
The features of Cisco XDR have actually benefited the organization significantly by allowing us to do the outputs of specific data and even filtered subsets of the data. We can do the same reporting but only deliver in either reports or dashboards the information about the systems that a specific team is responsible for, or the larger teams that multiple departments or IT silos roll up into. We're basically able to just modify the filters and have the same reports in the same dashboards where it's all the same; 99% of the work is the same.
To improve Cisco XDR, I can't think of anything super meaningful because a couple of features I'm interested in are actually ones that integrate with Duo, but that's not widely used. I'm fine with the features that are on their way into the product based on the roadmap I've seen, so I can't suggest any other features from a user perspective.
I have been using Cisco XDR for 18 months.
My assessment of the stability and reliability of Cisco XDR is positive. Any perceived performance issues were traced back to specific users attempting to process too much data at once. We clarified optimal procedures, which encouraged people to interact with the system more efficiently and avoided traditional outdated workflows.
My experience with customer service and technical support has been fantastic. We've only needed to contact them twice for our security team, and each time was mainly to understand how something was functioning.
Positive
Prior to adopting Cisco XDR, we were using four products, three of which stayed in evaluation while dropping others. We recognized that Cisco XDR could replace multiple systems, making it an appealing choice.
My experience with the deployment of Cisco XDR was that it was simple. During the proof of concept, the setup was straightforward, and for the most part, we provided systems access to the security team, allowing them to tie everything together without needing additional help.
I have expanded the usage of Cisco XDR. The process of expanding usage has been smooth and easy. Since we frequently work with Cisco, it makes it hassle-free to justify needing more and explaining why.
Having proven its value and capability to quickly ramp up our operations has simplified expanding licensing and replacing systems. I know of several incidents that demonstrate Cisco XDR's return on investment (ROI). Two customers faced a network breach and a bad configuration incident, but unlike in the past where recovery took days, they managed to shut down access points quickly. Their ability to divert a crypto attack within 30 minutes saved them from a multi-day outage that previously had entire staff doing nothing but recovering systems.
Within our teams, I absolutely see the ROI with Cisco XDR. We have effectively identified gaps in our incident response processes and what information we need. Security is one of the most cost-effective insurance policies, and Cisco XDR serves as our magnifying glass to understand our security contract better. It has provided us with a tool that enhances visibility and interactivity among our teams.
My experience with pricing, setup costs, and licensing has been intriguing. I used to work for a Cisco partner, and I still have friends there with whom I discuss comparisons regarding some hardware products we sold. The shift I've seen is the elimination of the need for professional service packages. Users can customize their use of Cisco XDR significantly from the onset, which has resulted in a lower total cost of ownership compared to when we sold hardware and multiple systems.
I don't recall every product we considered before selecting Cisco XDR, but we looked at about nine alternatives. Our security team discovered details about Cisco XDR through integration work as a partner, which led us to realize that it could address many features we were interested in but were not initially evaluating. The aspect that stood out most during the evaluation process of Cisco XDR was its ease of use. Seeing how quickly we set up a proof of concept, along with the internal demos we received, made me confident about its implementation. Once we allowed everyone hands-on experience, it further affirmed how much smoother and more intuitive it was compared to others.
The impact of AI assistance and Cisco XDR on productivity is massive. We're no longer tied to just our reporting that was created for either looking at information specifically requested, or in response to a past event that we knew about. Now, security administrators can just go look and chat with the bot to get back a much more instant response and almost a live view of the data. They can navigate through breadcrumbs to get to the details of an event without causing hours of delays for someone to dig through that data or involve someone more conversationally versed in specific hardware products to look at the data.
The feature for prioritizing incidents across multiple security controls in Cisco XDR has affected my incident management process significantly. Even on the vendor side, as a traditional IT shop, we have silos of excellence where all these teams don't necessarily work together until there is an incident. Having our security and specified incident response leads from each team be able to get this data quickly allows security to determine if an incident is a mistake, a script triggering alarms, or just a bad network change.
My experience with using Cisco XDR to evaluate gaps in security coverage has been quite beneficial. Giving our security team and the first few end-user leads that own specific systems access to the AI chatbot has been crucial. We did reviews to determine what they are asking of the bot, how often they prompt it, and the types of responses they are getting back. This helped us identify that many of the teams in the middle that own connecting pieces did not realize that the security team was more responsive and concerned about certain issues than they thought.
My advice for other organizations considering Cisco XDR is to evaluate if they're already using a platform that meets all their needs. Think about what additional capabilities you desire, and envision what could be possible if everyone had access to pertinent data. Engaging directly with someone at Cisco to demonstrate how XDR can meet those needs is crucial to instill excitement and clarity among teams about data, workflows, and security. On a scale of 1-10, I rate Cisco XDR a 9.

My main use case for Cisco XDR is centralized threat detection, security monitoring, and incident response across our infrastructure. It helps us correlate alerts from multiple security tools into a single dashboard, improving visibility and reducing investigation time. The platform has been useful in identifying suspicious activities quickly and streamlining the security operations.
In one instance, Cisco XDR helped us identify unusual login attempts and suspicious endpoint activity across multiple systems. The platform correlated alerts from endpoint protection and network security tools, allowing our team to quickly investigate the issue from a single console. Using the automated insights and response recommendations, we were able to isolate the affected device and prevent further impact. This significantly reduced the investigation time and improved our incident response efficiency.
Overall, Cisco XDR has helped improve visibility across our security environment and made the threat investigation more efficient. The centralized monitoring and alert correlation features save valuable time for the security team and simplify the daily operations.
The best features of Cisco XDR are its centralized visibility, intelligent alert correlation, and automated incident response capability. It brings together data from endpoint, network, email, cloud, and other security tools into a single platform, making investigation much faster and more efficient. The AI-driven analytics and threat intelligence help to reduce false positives and prioritize the real threats for the SOC team. We also find the integration with third-party security tools and automation workflows very useful for streamlining daily security operations and improving response times.
The centralized visibility and alert correlation make the biggest day-to-day difference for our team using Cisco XDR. Cisco XDR brings alerts and telemetry from multiple security tools into a single dashboard, which greatly reduces the time spent switching between platforms. It helps our team quickly understand the full context of an incident and prioritize the genuine threats more efficiently. This has improved investigation speed, reduced alert fatigue, and made overall security operations much smoother.
The feature set in Cisco XDR has been very helpful for improving operational efficiency and security visibility. We especially appreciate how it simplifies complex investigations and helps the team respond to potential threats more confidently and quickly.
Cisco XDR has positively impacted our organization by improving overall threat visibility, reducing incident response time, and simplifying security operations. The centralized dashboard and alert correlation capabilities help our team to investigate security events more efficiently and focus on high-priority threats first. It has also reduced the manual effort by streamlining workflows and improving coordination across different security tools. Overall, the platform has strengthened our cybersecurity posture and increased operational efficiency for the security team.
Although Cisco XDR is a very strong tool, there is always some space for improvement. One area where Cisco XDR could improve is its overall user experience and ease of navigation, especially for small security teams. Some advanced features and integrations have a learning curve, so a more intuitive interface and simplified configuration process will make daily operations easier.
I could not give Cisco XDR a perfect score mainly because there is still room for improvement in usability and customization. While the platform is very powerful and feature-rich, certain configurations and integrations can be complex for a team during initial setup and daily management. Overall, it is a strong solution with excellent security capabilities, but a few usability enhancements would make the experience even better.
I have been using Cisco XDR for three years.
Cisco XDR is totally stable.
Cisco XDR has shown very good scalability in our experience, especially in hybrid and growing environments. Since it is built on cloud-native architecture, it can efficiently handle increased volumes of telemetry, endpoint, cloud workloads, and security events without major performance issues. As our environment expanded, the platform continued to provide centralized visibility and consistent threat correlation across multiple security layers. The ability to integrate additional tools and scale monitoring capabilities without significant infrastructure changes has been a strong advantage for our organization.
Our experience with customer support for Cisco XDR is generally good. The support team is knowledgeable, responsive, and helpful during troubleshooting, deployment, guidance, and integration-related queries. In critical situations, we have received timely responses, assistance, and useful technical recommendations that helped to resolve our issues significantly.
Before implementing Cisco XDR, we relied on separate security tools for endpoint protection, email security, and network monitoring with limited centralized correlation. As our environment grew, managing alerts across multiple platforms became time-consuming and increased investigation complexity. We moved to Cisco XDR to gain better visibility, centralized threat detection, and faster incident response through a unified portal. The improved integration capabilities and automated correlation features were key reasons for the switch.
We have seen a positive return on the investment from using Cisco XDR, mainly through improved operational efficiency and faster incident handling. Our security team spends significantly less time investigating alerts because the platform correlates data from multiple tools into a single view, which has reduced manual effort and improved response time. Overall, the automation and centralized visibility have helped improve productivity without needing to significantly increase security staffing.
Before selecting Cisco XDR, we evaluated some other options like Microsoft Defender XDR, CrowdStrike Falcon, and Palo Alto. We compared them based on integration capabilities, threat visibility, ease of management, and overall fit for our hybrid environment. Cisco XDR stood out because of its strong integration with our existing infrastructure, centralized visibility, and efficient alert correlation capabilities.
My experience with pricing and licensing for Cisco XDR has been generally positive, especially considering the security visibility and response capability it provides. The licensing model is flexible with different tiers like Essential, Advance, and Premier, which help organizations choose based on their requirements and budget. Once configured, the platform delivers good operational value and centralized management. We do feel that the licensing structure could be improved, and some components and integrations can be a bit complex to understand initially.
My advice would be to clearly evaluate your existing security ecosystem and integration requirements before implementing Cisco XDR. The platform delivers the most value when it is properly integrated with endpoint, network, email, and cloud security tools to provide full visibility and effective alert correlation. It is also important to plan the deployment and onboarding process carefully, especially in hybrid environments, to ensure the policies, integration, and workflows are configured correctly. Providing proper training for the security team will also help maximize the platform capabilities and overall return on the investment.
Overall, Cisco XDR has been a valuable addition to our security operations. It has helped improve threat visibility, streamlined investigations, and enhanced incident response across our hybrid environment. The centralized approach to monitoring and alert correlation has made daily security operations more efficient and manageable for the team. I would rate my overall experience with Cisco XDR a nine out of ten.

Our main use case for Cisco XDR is centralized threat detection and incident investigation. On a daily basis, our SOC team uses Cisco XDR to monitor alerts, collect events from multiple security tools, investigate suspicious activities, and respond to incidents faster from a single dashboard.
Recently, our team used Cisco XDR when we received multiple suspicious login and endpoint alerts from different tools. Cisco XDR automatically correlated those alerts into a single incident, which helped our SOC team quickly identify a potentially compromised user account and isolate the affected endpoints, much faster than our previous workflow.
The best features Cisco XDR offers that stand out the most for us are alert collection, centralized visibility, automated investigation workflow, and integration with multiple security tools. Cisco XDR helps our analysts investigate incidents much faster because related alerts from endpoints, email, network, and identity tools are automatically correlated into a single incident.
The automated investigation workflow in Cisco XDR has reduced a considerable amount of manual effort for our SOC team. Previously, analysts had to manually collect logs and check multiple tools separately. Now, Cisco XDR automatically brings related alerts, user activity, device details, and threat intelligence together.
I also appreciate the threat intelligence integration and unified dashboard because they provide better context during investigation and help us handle incidents more effectively. Since implementing Cisco XDR, our organization has improved its incident response process and overall SOC visibility. Our analysts can investigate threats faster, alert fatigue has been reduced, and the team spends less time switching between different tools. It also improved coordination during security incidents because all relevant information is available on one platform.
Cisco XDR could be improved in areas concerning dashboard customization and reporting flexibility. Some integrations with third-party tools require additional configuration effort. The interface can feel somewhat complex for new analysts at first. Better onboarding guidance and more simplified workflows would make adoption easier.
I would also appreciate seeing more advanced built-in analytics and easier customization for alerts and dashboards. Apart from that, the platform has been very effective for our SOC operations.
I have been using Cisco XDR for around one-plus years.
Cisco XDR has been stable in our experience. We have not faced any major outages or performance issues.
Cisco XDR has scaled effectively for our environment. As our organization added more endpoints, cloud workloads, and security integrations, the platform handled the increased alert volume without major performance issues. Since it is cloud-native, scaling has been considerably easier compared to traditional security monitoring platforms.
Overall, the customer support for Cisco XDR is very useful, and our experience has been positive. The support engineers are very knowledgeable and helped us resolve issues in a reasonable time. My experience was positive overall.
Before Cisco XDR, we mainly relied on a combination of traditional SIEM monitoring and separate security tools for endpoint, email, and network visibility. We switched because investigations were taking too long and analysts had to manually correlate alerts from different platforms. Cisco XDR gave us a more centralized and automated approach for threat detection and incident response.
Our experience with pricing and licensing for Cisco XDR has been positive overall. The initial setup was relatively straightforward because we already had some Cisco security products in our environment, which made integration easy. The licensing is flexible and based on the features and scale required.
We have definitely seen a return on investment with Cisco XDR. The biggest benefit has been time savings for our SOC team. Investigation and response time improved by around forty to fifty percent, and analysts spend considerably less time manually correlating alerts from different tools. It also helps us manage increasing alert volumes without needing to significantly expand the SOC team, which improves operational efficiency and reduces overall security management efforts.
The centralized visibility, automation, and reduction in investigation time have provided good operational value for our SOC team.
We evaluated solutions including Microsoft Defender XDR, Palo Alto, and CrowdStrike Falcon XDR before choosing Cisco XDR.
My advice would be to first understand your existing security stack and integration requirements before deployment. I would also recommend starting with a phased rollout and spending time on alert tuning for overall effectiveness and best performance.
We use Cisco XDR in a hybrid cloud deployment. Most of the security monitoring is cloud-based, but it also integrates with our on-premises infrastructure and internal security tools.
I rate Cisco XDR an eight out of ten overall because it has improved our SOC visibility and incident response significantly, while still having some room for improvement in usability and customization. I chose eight because the platform delivers strong threat detection, visibility, and investigation capabilities. However, some areas concerning dashboard customization, reporting, and ease of onboarding for new analysts could still be improved. If the interface became more intuitive and third-party integrations became simpler to manage, it would be closer to a ten for us.

My main use case for Cisco XDR is for centralized threat detection and faster investigation across multiple security tools. It helps correlate alerts automatically, reducing manual analysis time for the SOC team.
One specific example of how I used Cisco XDR for a centralized investigation is related to a phishing alert, where Cisco XDR correlated email, endpoint, and network telemetry into a single incident view. It helped our SOC quickly trace the compromised device, isolate it, and reduce investigation time significantly compared to the manual log analysis.
Cisco XDR has helped improve visibility across our environment by bringing multiple security alerts into one platform. The automated correlation and investigation features have made incident response faster and reduced alert fatigue for the team.
The best features Cisco XDR offers are its ability to correlate alerts from different security tools into a single incident view. I also found the automated investigation workflows and real-time visibility very useful for reducing the response time and analysis workload.
The automated investigation workflows in Cisco XDR have helped my team prioritize high-risk alerts by automatically enriching the incidents with related telemetry and threat intelligence. The real-time visibility across endpoints, email, and network activity made it easier to identify affected systems quickly and respond before the issue spread further.
Another feature I value in Cisco XDR is its integration with multiple Cisco and third-party security products. It gives a more unified security view and helps analysts work more efficiently without constantly switching between different consoles.
Cisco XDR has positively impacted my organization by improving our incident response efficiency by reducing investigation time and simplifying alert management. It also helped our SOC team gain better visibility across the environment, leading to faster detection and remediation of threats.
One area where Cisco XDR could improve is the learning curve for new users, especially during initial setup and workflow customization. The platform can also benefit from more flexible reporting and deeper third-party integration for non-Cisco environments.
Cisco XDR could also improve dashboard customization and simplify navigation for faster access to critical investigations. In some cases, fine-tuning alert correlation rules requires additional effort to reduce false positives in the complex environment.
I have been using Cisco XDR for the last 1.5 years, around two years.
My experience with Cisco XDR has been mostly stable in day-to-day SOC operations. I have not faced any major downtime issues, and the platform has handled large alert volumes reliably. Occasionally, UI lag and integration-related delays can happen during updates or initial tuning.
Cisco XDR has scaled well in my environment as our security infrastructure and alert volume increased. Its cloud-native architecture and support for multi-vendor integration made it easier to expand visibility across endpoints, network, cloud, and email without major performance issues.
Customer support for Cisco XDR has generally been responsive and helpful in my experience, especially for deployment and integration-related issues. The TAC team usually provides good technical guidance, although response quality can sometimes vary depending on the complexity of the issue and the assigned engineer.
Before adopting Cisco XDR, I relied on multiple standalone security tools and SIEM-based monitoring for investigation. I switched because Cisco XDR provides better alert correlation, centralized visibility, and faster incident response compared to managing alerts separately across different platforms.
Our experience with pricing and licensing for Cisco XDR was generally positive, especially since the AWS Marketplace simplified subscription management and deployment. The setup was straightforward, but licensing can become complex when integrating multiple third-party products or advanced modules.
We purchased Cisco XDR through the AWS Marketplace because it simplified deployment, licensing, and integration with our existing AWS environment. It also made procurement and subscription management much more convenient for our team.
I have seen a measurable ROI after implementing Cisco XDR. My SOC team reduced manual investigation and triage effort by nearly 40 to 50%, which significantly improved analyst productivity and reduced response time for critical incidents. Cisco also highlights that Cisco XDR can reduce investigation workflows from hours to minutes through automation and centralized visibility.
Before finalizing Cisco XDR, I evaluated platforms like Microsoft Defender XDR and Palo Alto Cortex XDR. I chose Cisco XDR because of its strong integration with our existing Cisco security ecosystem, centralized investigation capabilities, and easier cross-platform visibility for the SOC team.
My advice for considering Cisco XDR is to spend the time planning integration and alert tuning during the initial deployment phase. Organizations already using Cisco security products will gain the most value, especially from the centralized visibility and automated investigation capabilities.
I would rate this product a 9 overall.

My main use case for Cisco XDR is to collect all the logs from the use cases of how users try to explore and perform their tasks. We are threat hunting to prevent, detect, and respond to threats, collecting from different systems such as M365 and others, correlating them into one central location, and trying to correlate between different kinds of logs to provide whether the alert is a true positive or not.
A simple example of how I used Cisco XDR to connect all these logs and coordinate between different systems is that we have M365 connected to Cisco XDR, as well as browser security connected. Many users use client applications including Outlook, but many use cases go wrong when they are using it via a browser. So what we did was correlate all the source logs from the browser and XDR and try to correlate them with the user's reactions as well as their daily usage. This helps us understand their daily perspective of how they are behaving. Behavioral analysis was easier when we connected all these systems.
From the malware detection perspective, Cisco XDR can actually find out if there is any malware present, and we can lock down the system as well, which we call isolation. That is a great add-on for me.
From the SOC perspective, the best features Cisco XDR offers are the ease of use and the ability to understand the logs and log aggregation. It is one of a kind. What stands out for me about the log analysis and the user interface in Cisco XDR is that Cisco has an AI assistant that we can utilize to understand the correlation. The main intent of the integration architecture allows us to integrate easily without any cumbersome processes. We can simply specify what should be integrated with what. They have an open integration architecture already present with third-party tools such as CrowdStrike, Palo Alto Networks, and AWS. Additionally, the automated response workflow can actually automate the flows and tell me the response automatically, indicating whether something is an issue or not. All these features make my daily work and log analysis easier.
Cisco XDR has positively impacted my organization because instead of ten people working on one event, Cisco XDR can do many things an analyst can do, reducing the human effort required and coordinating everything. The mean time to respond has improved for the company, and we have automated many processes. A severe incident would typically take my engineer one or two days to solve, but Cisco XDR would have already completed almost half of that work. The engineer can then review the incident and understand whatever analysis has already been provided.
The features of Cisco XDR are a great add-on for the SOC team, and the security has increased by using Cisco XDR.
There are no significant improvements needed for Cisco XDR. The inclusion of new incident mechanisms and the ability to automate them automatically would make things easier.
I have been using Cisco XDR for almost one year.
In my experience, Cisco XDR is stable.
Since Cisco XDR is on a cloud-native architecture, I believe it is significantly scalable.
Customer support for Cisco XDR is a bit slow in the initial stages, but I believe it has improved nowadays.
Before Cisco XDR, I previously used SecureWorks and switched due to problems.
I have seen a return on investment with Cisco XDR. I can share that I save time and people. For money saved, I do not see much improvement, but time saved is significant.
My experience with pricing, setup cost, and licensing for Cisco XDR was good.
Before choosing Cisco XDR, I evaluated options including SecureWorks and SentinelOne.
With the functionality and support Cisco XDR provides, I advise others to go for Cisco XDR, whether for a small company or a large company. I rate this product 7 out of 10.

We mainly use Cisco XDR for centralized threat detection and incident investigation, especially for correlating endpoints, emails, firewall, and identity alerts in one place, so the SOC team can respond faster.
One significant benefit of Cisco XDR is the automatic alert correlation instead of manually piecing together endpoint, firewall, and email events from different consoles. The platform links them into a single incident timeline, which noticeably speeds up triage during phishing or lateral movement investigations.
It also helped reduce alert fatigue significantly by spending less time chasing isolated low-value alerts and more time focusing on incidents that actually have a correlated risk behind them.
The best feature of Cisco XDR for me is the cross-tool alert correlation. It pulls signals from endpoint, network, email, and identity tools into one investigation flow instead of requiring analysts to jump across multiple dashboards. The automated incident prioritization and attack chain visibility also stand out because they reduce a significant amount of manual triage work.
Cisco XDR does a good job grouping related alerts into single incidents and assigning alerts based on how the event connects. The SOC team is not treating every alert equally, which helps us cut down on investigation time because analysts can focus on high-confidence incidents first instead of manually sorting through hundreds of disconnected alerts.
The integrations are probably another standout. Cisco XDR works especially well if you already have Cisco security products in your environment, and the built-in automation playbook capabilities help reduce repetitive SOC tasks.
Cisco XDR improved our incident response workflow considerably. Investigations became faster, alert fatigue dropped, and the analysts had much better visibility across endpoint, network, email, and identity activity from a single console.
Cisco XDR could improve the UI customization experience. Some workflows still feel more complex than they need to be, especially when tuning detections or building advanced automations across non-Cisco integrations.
Reporting and third-party integrations could be slightly smoother in Cisco XDR. Cisco native products work great together, but some non-Cisco integrations still need extra tuning and the reporting side could be more flexible for SOC metrics and executive summaries.
I would like to see deeper native threat hunting and more flexible dashboard customization in Cisco XDR, especially for teams that want highly tailored SOC workflows without relying on extra tooling.
I have been using Cisco XDR for one year.
Cisco XDR has been pretty stable for us so far. There have been no major downtime issues and the platform has handled large alert volumes reliably during day-to-day SOC operations.
Cisco XDR scaled well as alert volumes and integrations grew. We did not see performance issues even after expanding coverage across more users, endpoints, and security tools.
Customer support is excellent. I have had the experience of needing to resolve my ticket as soon as possible, and they are really helpful and very seamless with that process. They also resolved my ticket sooner than I was expecting.
Before Cisco XDR, we were relying on a separate SIEM, EDR, and email security console with a lot of manual correlation between tools. We switched because the investigation workflow was too fragmented and Cisco XDR gave us a more unified incident view with better automation and cross-tool visibility.
Setup was faster than expected because a lot of integrations were already native. Licensing was still enterprise style but easier to justify once we saw the reduction in manual SOC workload.
The biggest ROI from Cisco XDR was time savings in the SOC. We saw triage and investigation time drop by roughly 40 to 50 percent for common incidents because analysts were not manually coordinating alerts across multiple tools anymore. It also helped reduce alert fatigue and duplicate investigations, so the existing team could handle more incidents without needing to scale headcount at the same pace.
Pricing for Cisco XDR felt pretty reasonable compared to some other enterprise XDR platforms, especially if you already have Cisco security products in your environment.
We looked at Microsoft Defender XDR, CrowdStrike Falcon, and Palo Alto Cortex XDR before choosing Cisco XDR.
If you are considering Cisco XDR, it really delivers the most value when you already have a decent security ecosystem and want centralized visibility plus faster investigations, especially if you are already using Cisco security products. I would rate this product an 8 out of 10.

I use Cisco XDR primarily for emails and endpoints. I use Cisco XDR features for prioritizing incidents across multiple security controls, mainly focusing on emails but also on threat analysis such as phishing and malware. This enables rapid investigations and automated responses, blocking senders and isolating endpoints from threats collectively.
The best feature about Cisco XDR is that when it comes to email security, the centralized visibility is superb. For example, it gathers email data from various gateways, offering a centralized view of threats, which is very useful.
I assess the effectiveness of the DLP (Data Loss Prevention) capabilities in Cisco XDR as very useful. For example, it analyzes outbound and inbound web traffic and provides unified control. I have centralized control over data going out of the organization, so I can control what to send and what not to send. Such functionalities are very useful.
The main benefits I see from using Cisco XDR include its proactive security measures. For example, it allows advanced threat hunting and analysis, working proactively instead of just focusing on reactive measures. If a threat comes, it blocks the threat, but this solution proactively activates and alerts me, so it is very helpful in terms of security. Another benefit is that the integration is very good with third-party security tools or other Cisco products; I can integrate this very easily.
Cisco XDR has streamlined incident response by quickly notifying me, even through emails. I have set up phone messages, so normally I get alerts through my service provider if any threats arise. It is quick to send notifications if anything occurs, even notifying me of the preventive measures taken, such as blocking IPs and isolating devices.
If I could see improvements in Cisco XDR in the future, I would like to see a stronger focus on AI-driven solutions. For example, it has a feature called advanced threat detection, and if it can capture threats from worldwide new threats and publish them into a particular database linked with an AI-driven system that can immediately alert people, that would be very good for zero-day threats. The second improvement I suggest is reducing the subscription price a bit more.
I would like to see enhanced features in Cisco XDR, such as demo sessions with the product, and supporting multiple languages would be great.
Regarding the pricing aspect of Cisco XDR, I think the price is a bit expensive.
I have been working with Cisco XDR for almost one year.
I would rate Cisco technical support as extended, but their service is very unresponsive. It is very difficult to get in touch with them, so I would rate it a four out of ten.
Before Cisco XDR, I did not use any other products for XDR purposes.
The deployment aspect of Cisco XDR is smooth. Since I was new to this product, I did not do it in-house; I had a third party do it for me. My contribution was about 40 percent, and they did 60 percent of the work, so it went smoothly.
I find it does bring a return on investment, but that will take a long period. I would say it is not in a short span; probably two to three years or more.
I thought of going with Check Point intrusion prevention system, but that product needs more technical knowledge, so I skipped it because it is also a bit more expensive than Cisco XDR.
My advice for other organizations considering Cisco XDR is that it offers proactive security measures that are really very helpful. It is also a unified control system where all emails and endpoints are visible on one dashboard, making it easy to understand, even for a non-technical person to quickly grab information by just seeing that. I would rate Cisco XDR as a product an eight out of ten overall.

I have used Cisco XDR to detect and respond to malicious activities on my client's endpoint. For instance, the last time I used it was when a client downloaded a malicious executable file, and when the endpoint picked it up as suspicious activity, I investigated and discovered, using a threat intelligence platform, VirusTotal, that the hash of the executable file was malicious. I quarantined the endpoint and deleted the malicious executable file afterward, using it to block the malware.
It has positively affected our incident management process because Cisco XDR helps with early detection and does not allow room for escalation of malicious activities before remediation starts.
One function that Cisco XDR streamlines incident response through is its containment feature, which speeds up response time and demonstrates how it is useful in incident response.
For data loss prevention, I find it really helpful because it monitors email activities for some clients and reports suspicious data exfiltration activities, capturing and reporting instances when there is communication to a public IP suspicious for data exfiltration, allowing me to verify legitimacy with the client.
I find Cisco XDR really useful and interesting, and I believe that with time, it is going to get even better.
I appreciate the fact that Cisco XDR detects malicious activity as fast as it can and notifies me when suspicious executable files are downloaded in the client's environment, providing all the information needed for investigation, which is a feature I really enjoy.
When the alerts come in, they bring context, which is helpful. The alert comes in with context such as the file hash, sometimes with the source IP address or the destination IP address, and this context helps bring a suspicious activity to resolution quickly.
Before using Cisco XDR, I sometimes did not detect malicious activities in my client's environment, but since implementing this solution, my mean time to detect has actually reduced, and my mean time to respond has fallen within the acceptable threshold, positively impacting my organization as I can detect and respond to threats in time.
At the moment, I am still exploring Cisco XDR, and while it seems well built and the team has done good work on it, I cannot point out any specific errors or make generic suggestions for now, but I believe in six months I will be able to detail improvements.
For now, I really cannot think of anything that needs improvement because what I need for investigation comes with the alert, and I perform remediation activities on the solution.
The interface of Cisco XDR can be improved. I can navigate it, but I am still exploring and believe it can be made easier to interact with.
I have been using Cisco XDR for close to eight months.
Cisco XDR is stable in my experience.
Cisco XDR is really scalable. For example, you can start with less than 10 endpoints and expand as results appear, and it is applicable not only to endpoints but can also be used on servers.
The customer support for Cisco XDR is fantastic. I have not had a reason to call them, but based on client information, they seem readily available whenever needed.
For this specific client, they have not used an XDR before, so Cisco XDR is the first one they are using in their environment.
They were convinced to try Cisco XDR due to the value they received from other Cisco products, such as Cisco ISE and Cisco ASA Firewall.
Regarding pricing, setup cost, and licensing for Cisco XDR, it was my client that did the licensing and costing, so I cannot speak much about that as I only manage the solution on their behalf.
Based on feedback from my client, they seem very satisfied with the output of the Cisco XDR solution, so I assume they are content.
I recommend Cisco XDR to any client that may be interested because I have used a number of Cisco products and have no negative reservations at this point.
I would rate this product an 8 out of 10.