The typical use case for Cortex XDR by Palo Alto Networks is that it has many features that traditional antivirus doesn't possess. Traditional antivirus doesn't have the capacity to dig down into the forensic part of any threat. The beauty of the product is that it digs down into forensics and provides a graphical view of each and every file that is called or clicked by the user.
Cyber Security Information Security Specialist at a construction company with 51-200 employees
Behavioral engine significantly enhances threat detection and analysis capabilities
Pros and Cons
- "Based on my experience, I would recommend Cortex XDR by Palo Alto Networks to other people."
- "They are charging for Network Traffic Analyzer (NTA) services, so if the per GB data could be provided at a certain level free of cost or at the same cost which the customer is taking for the entire bundle, that would be better."
What is our primary use case?
What is most valuable?
The features of Cortex XDR by Palo Alto Networks that I find most effective in threat detection involve two main aspects. Our red teaming expert attempted to break Cortex XDR, and it generated detailed logs. The behavioral engine is another significant feature we appreciate. If a user doesn't click any link within 30 days and on the 31st day clicks a new link, Cortex XDR immediately alerts us that this user has clicked on an uncommon link or their behavior is uncommon. As an organization and implementer, we value these two features: the behavioral engine and the logging capability.
What needs improvement?
Areas of Cortex XDR by Palo Alto Networks that have room for improvement include the pricing structure. They are charging for Network Traffic Analyzer (NTA) services, so if the per GB data could be provided at a certain level free of cost or at the same cost which the customer is taking for the entire bundle, that would be better. We have to invest significantly more for NTA due to total sizing and per data licenses.
For how long have I used the solution?
I have been working with Cortex XDR by Palo Alto Networks for more than 10 to 11 months since we procured this product in August 2024.
Buyer's Guide
Cortex XDR by Palo Alto Networks
January 2026
Learn what your peers think about Cortex XDR by Palo Alto Networks. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,665 professionals have used our research since 2012.
What do I think about the stability of the solution?
The stability of Cortex XDR by Palo Alto Networks is good. For the last 11 months, we haven't faced any outage issues, so it is a stable product.
What do I think about the scalability of the solution?
Regarding the scalability of Cortex XDR by Palo Alto Networks, it's a good product from a scalability perspective, and all the previously mentioned points can be considered in terms of scalability.
How are customer service and support?
I would rate technical support from Palo Alto on a scale from one to ten as an eight, as I find it good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Before using Cortex XDR by Palo Alto Networks, we were using Microsoft Defender.
How was the initial setup?
The initial setup of Cortex XDR by Palo Alto Networks is easy to implement. We installed it with the help of Active Directory Group Policy, and it was quite easy because we have installed it on more than 3,000 endpoints.
What was our ROI?
I have seen a return on investment with Cortex XDR by Palo Alto Networks, as this product is offered at a minimal cost, and we can find a good ROI from it.
Which other solutions did I evaluate?
The switch from Microsoft Defender to Cortex XDR by Palo Alto Networks was made because we had a limited license with Microsoft, and the cost of Microsoft Defender is quite a bit higher than that of Cortex XDR.
What other advice do I have?
Cortex XDR by Palo Alto Networks integrates with other security tools in our infrastructure; we have integrated it with a third-party SOC.
Based on my experience, I would recommend Cortex XDR by Palo Alto Networks to other people.
I would rate this solution a nine out of ten, as I find it to be the best solution.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Jul 1, 2025
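The "user clicks a link they have never clicked before" behaviour the reviewer describes is, in detection terms, a per-user first-seen rule with a rolling baseline. The following is an added example in plain Python, not Cortex XDR code or the vendor's algorithm: the click events are constructed, and the 30-day baseline window, the 7-day warm-up before a user is eligible to alert, and the cold-start suppression are assumptions chosen to mirror the description above.

```python
"""Per-user "first-seen destination" rule with a rolling 30-day baseline.

Added example, not Cortex XDR code: the events below are constructed, and the
30-day window / 7-day warm-up are assumptions chosen to mirror the reviewer's
"no link clicked for 30 days, then a new link on day 31" description.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_WINDOW = timedelta(days=30)   # a destination counts as "known" if seen within this window
MIN_HISTORY = timedelta(days=7)        # assumed warm-up: new users would otherwise alert on everything

# Constructed sample events (timestamp, user, destination host); not real logs.
EVENTS = [
    ("2025-05-01T09:00:00", "alice", "intranet.example.com"),
    ("2025-05-02T09:05:00", "alice", "mail.example.com"),
    ("2025-05-20T11:00:00", "alice", "intranet.example.com"),
    ("2025-06-02T08:00:00", "bob",   "intranet.example.com"),
    ("2025-06-03T08:30:00", "bob",   "payroll-login.example-cdn.net"),  # bob is brand new: cold start
    ("2025-06-03T14:12:00", "alice", "files-share.example-cdn.net"),     # alice never visited this
    ("2025-07-10T11:30:00", "alice", "intranet.example.com"),            # last seen 51 days ago: aged out
]


def detect_first_seen(events):
    """Return alerts for destinations the user has not visited within BASELINE_WINDOW.

    Events are processed in time order, so each decision only uses history that
    preceded the event (no peeking at later events).
    """
    last_seen = defaultdict(dict)   # user -> host -> datetime of last visit
    first_event = {}                # user -> datetime of the user's first event
    alerts = []
    for ts_s, user, host in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_s)
        first_event.setdefault(user, ts)
        prev = last_seen[user].get(host)
        in_baseline = prev is not None and ts - prev <= BASELINE_WINDOW
        warmed_up = ts - first_event[user] >= MIN_HISTORY
        if not in_baseline and warmed_up:
            reason = "never seen for user" if prev is None else f"last seen {(ts - prev).days}d ago"
            alerts.append({"time": ts_s, "user": user, "host": host, "reason": reason})
        # not warmed up: suppress, every destination is "new" for a user with no history
        last_seen[user][host] = ts
    return alerts


if __name__ == "__main__":
    for a in detect_first_seen(EVENTS):
        print(f"{a['time']} {a['user']:<6} {a['host']:<32} {a['reason']}")
```

Two details matter in practice: the baseline must be built only from events that precede the one being judged, and brand-new users need a warm-up period, otherwise their first week is nothing but "uncommon" alerts. Note that an aged-out destination (alice's intranet visit after 51 days) is reported as uncommon too, which is exactly the "nothing for 30 days, then a click" case the reviewer describes.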
Technical engineer (SOC Analyst) at a tech services company with 10,001+ employees
Automated incident workflows have reduced manual triage while reporting and playbooks still need refinement
Pros and Cons
- "My advice for others looking into using Cortex is that it is very easy to use and very useful for the customer environment, whether it's a public or private one."
What is our primary use case?
I have used Cortex for more than I worked in Cortex. I have around 2.1 years of experience using Cortex XDR, but currently, I am using Cortex.
My main use case for Cortex is to prepare the chart flow of the main Cortex XDR. In Cortex XDR, we have to alert for our auto-triaging and repetitive tasks, and we use it for triage automatically. We use it for CTI (Cyber Threat Intelligence) enrichment, such as IP, URL, and IOCs, automatically. It also has reputation checks using VirusTotal, abuse.ch, and others for the purpose of the uses in Cortex XDR. It also includes playbook automation. For example, Cortex has many playbooks for phishing, malware infection, ransomware, and lateral movement. These playbooks automatically conduct the entire investigation and response. In case management, it stores details, timelines, evidence, and others for easier incident tracking. From the SOC perspective, we have to reduce false positive cases, and it reduces duplicate alerts, allowing our SOC analyst to respond faster. On the other hand, for the use of the EDR, Cortex provides detection behavior, attack prevention, and can always identify file-less and memory-based attacks and UEBA normally.
An additional point I need to add in Cortex XDR is manual commands during the investigation, such as Cortex war room commands, IP reputation checks, hash lookup analysis, and endpoint isolation. These help us to conduct a faster investigation. Additionally, we need to create and modify playbooks according to the organization and the needs of the organization's use cases, for example, auto-disabling a user in case of a suspicious login, auto-quarantining an endpoint with malware, and an automated phishing investigation workflow. We use Cortex for reporting to generate incident summary reports, post-incident reviews, and RCA documentation. We integrate it with tools such as SIEM, EDR, firewall, email security, web, and others for alert correlation.
What is most valuable?
The best features of Cortex are automated incident response, playbook automation, cyber threat intelligence, and management. It includes case and incident management, such as incident details, evidence, timelines, and using the dashboard. There is a war room for investigation and to consume alert correlation rules to reduce noise and false positives. It has over 700 integrations. It works with SIEM, EDR, firewall, email security, the cloud environment, and many others. Additionally, it has endpoint detections, behavior analytic UEBA, and machine learning-based detection using ML modules to detect advanced threats. There's a centralized data lake and customized dashboard reports.
I find automation through the playbook to be the most valuable feature I use day-to-day. Playbooks save analyst time. If used for Cortex, it saves the analyst's time with a reduction in false positives. For IOC enrichment, we utilize MTDR, mean time to respond, to resolve incidents faster.
I notice a positive impact since using Cortex. We experience a faster, quicker response. Regarding positive changes, if we have a short positive, we investigate the IP, URL, VirusTotal, and abuse.ch. We use XDR, and it's fast and reliable with no human error. It automatically works to reduce the workload of the SOC analyst, thus decreasing manual work.
What needs improvement?
There are no other improvements Cortex needs in my opinion.
For how long have I used the solution?
I have around 2.1 years of experience using Cortex XDR, but currently, I am using Cortex.
What do I think about the stability of the solution?
Cortex is stable in my experience.
What do I think about the scalability of the solution?
Cortex has good scalability and can handle growth and increased workloads well.
How are customer service and support?
The customer support from Cortex is very good and very useful.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I did not use a different solution before.
What was our ROI?
I notice time saving as a return on investment.
What's my experience with pricing, setup cost, and licensing?
My experience with pricing, setup cost, and licensing is that it is high, but it is better for the SOC environment and for the users.
Which other solutions did I evaluate?
Before choosing Cortex, we looked at different platforms for automation and chose one after reviewing which one was performing higher in the market, apart from Cortex.
What other advice do I have?
My advice for others looking into using Cortex is that it is very easy to use and very useful for the customer environment, whether it's a public or private one. It is extremely helpful from a SOC perspective, requiring very little time to manage situations, especially during integration, which is necessary. Cortex is very useful and cost-effective, in addition to being very easy to use.
My company has a business relationship with the Cortex vendor for business purposes.
I would rate this product a 7 out of 10.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Dec 4, 2025
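The auto-triage flow the reviewer describes (collapse repetitive alerts, enrich IP/URL/hash IOCs against reputation sources, score the case, then run a response such as isolating an endpoint or disabling a user) is shown below as an added example in plain Python. It is not Cortex XSOAR/XDR playbook code: the reputation table is a constructed stand-in for VirusTotal/abuse.ch lookups, the alerts are constructed, and the dedupe window, severity weights, isolation threshold and action names are all assumptions.

```python
"""Auto-triage playbook: dedupe -> enrich IOCs -> score -> choose response.

Added example, not Cortex XSOAR/XDR playbook code. REPUTATION is a constructed
local table standing in for VirusTotal / abuse.ch lookups, the alerts are
constructed, and the thresholds, weights and action names are assumptions.
"""
from datetime import datetime, timedelta

DEDUPE_WINDOW = timedelta(minutes=30)   # assumed: same host+type within 30 min is one incident
MALICIOUS_RATIO = 0.10                  # assumed: >=10% of sources flag it -> malicious
ISOLATE_AT = 80                         # assumed severity at which the endpoint is auto-isolated
BASE_SEVERITY = {"malware": 50, "phishing": 40, "suspicious_login": 30}

FAKE_HASH = "hash:" + "ab" * 32                    # constructed SHA-256-shaped value
C2_IP = "ip:203.0.113.7"                           # RFC 5737 documentation address
INTRANET = "url:http://intranet.example.com/login"

# Constructed reputation data (what a VirusTotal / abuse.ch query might return).
REPUTATION = {
    FAKE_HASH: {"malicious": 41, "total": 70, "tags": ["ransomware"]},
    C2_IP:     {"malicious": 12, "total": 90, "tags": ["c2"]},
    INTRANET:  {"malicious": 0,  "total": 90, "tags": []},
}

# Constructed alerts, as a SIEM/EDR feed might hand them to the playbook.
ALERTS = [
    {"id": 1, "time": "2025-06-03T09:00:00", "type": "malware", "host": "WS-017", "user": "alice", "iocs": [FAKE_HASH, C2_IP]},
    {"id": 2, "time": "2025-06-03T09:05:00", "type": "malware", "host": "WS-017", "user": "alice", "iocs": [FAKE_HASH]},
    {"id": 3, "time": "2025-06-03T10:00:00", "type": "suspicious_login", "host": "WS-022", "user": "bob", "iocs": [C2_IP]},
    {"id": 4, "time": "2025-06-03T10:30:00", "type": "phishing", "host": "WS-031", "user": "carol", "iocs": [INTRANET]},
]


def enrich(ioc):
    """Map an IOC to a verdict; anything not in the table is 'unknown', never 'benign'."""
    rep = REPUTATION.get(ioc)
    if rep is None:
        return {"ioc": ioc, "verdict": "unknown", "tags": []}
    ratio = rep["malicious"] / rep["total"]
    verdict = "malicious" if ratio >= MALICIOUS_RATIO else "suspicious" if ratio > 0 else "benign"
    return {"ioc": ioc, "verdict": verdict, "tags": list(rep["tags"])}


def dedupe(alerts):
    """Merge alerts with the same host and type inside DEDUPE_WINDOW, keeping the union of IOCs."""
    kept = []
    for a in sorted(alerts, key=lambda x: x["time"]):
        t = datetime.fromisoformat(a["time"])
        for k in kept:
            same_key = (k["host"], k["type"]) == (a["host"], a["type"])
            if same_key and t - datetime.fromisoformat(k["time"]) <= DEDUPE_WINDOW:
                k["count"] += 1
                k["merged_ids"].append(a["id"])
                k["iocs"] = sorted(set(k["iocs"]) | set(a["iocs"]))
                break
        else:
            kept.append({**a, "iocs": list(a["iocs"]), "count": 1, "merged_ids": []})
    return kept


def triage(alert):
    """Score one deduplicated alert and pick the automated response."""
    enriched = [enrich(i) for i in alert["iocs"]]
    verdicts = {e["verdict"] for e in enriched}
    tags = {t for e in enriched for t in e["tags"]}
    sev = BASE_SEVERITY.get(alert["type"], 20)
    if "malicious" in verdicts:
        sev += 40
    elif "suspicious" in verdicts:
        sev += 15
    if "ransomware" in tags:
        sev += 10
    sev = min(sev, 100)

    actions = []
    if sev >= ISOLATE_AT:
        actions.append(f"isolate_endpoint:{alert['host']}")
    if alert["type"] == "suspicious_login" and "malicious" in verdicts:
        actions.append(f"disable_user:{alert['user']}")
    if not actions:
        # only auto-close when every IOC was positively benign; 'unknown' goes to a human
        actions.append("close_as_benign" if verdicts and verdicts <= {"benign"} else "assign_to_analyst")

    timeline = [f"{alert['time']} alert {alert['id']} received (merged {alert['count']} alert(s))"]
    timeline += [f"enrich {e['ioc'][:24]} -> {e['verdict']}" for e in enriched]
    timeline += [f"severity {sev}"] + [f"action {a}" for a in actions]
    return {"id": alert["id"], "severity": sev, "actions": actions, "timeline": timeline}


def run_playbook(alerts):
    return [triage(a) for a in dedupe(alerts)]


if __name__ == "__main__":
    for case in run_playbook(ALERTS):
        print("\n".join(case["timeline"]), end="\n\n")
```

The one design choice worth copying is that an IOC missing from every reputation source is "unknown", not "benign": a playbook that auto-closes on absence of evidence is the fastest way to turn a true positive into a closed ticket. Everything else (weights, the 30-minute dedupe window, the isolation threshold) is tuning that has to be set per environment.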
Technical Support Engineer- Network and Cybersecurity Team at a tech services company with 11-50 employees
Endpoint protection has strengthened threat blocking and improves analysts’ visibility and response
Pros and Cons
- "What I like about Cortex XDR by Palo Alto Networks is that it is a comprehensive solution that contains everything the organization may need when using endpoints."
- "Additionally, I think the price is very high, and if it can be adjusted, I believe it will be a very good solution."
What is our primary use case?
My impression of Cortex XDR by Palo Alto Networks agent's ability to block sophisticated threats in real time is positive, as the last time I used an application from Huawei, Cortex blocked it in a very fast way. It has a false positive, but I think it's very fast and detectable. It detects in a fast way.
This has affected my overall security posture, as I know that sometimes the security may be difficult on the end user, but the security of the endpoint is very important, even though it may be difficult.
Palo Alto helps me in these scenarios with the security endpoints protection because Cortex XDR by Palo Alto Networks is necessary to protect the end user. Sometimes we face the false positive issue, where an application is not a malicious file, but Cortex has detected it as one. So we need to call the Cortex administrator to whitelist these files and handle the difficulties that may arise.
What is most valuable?
Cortex XDR by Palo Alto Networks is a very strong solution, and it offers many features including XDR, EDR and NDR solutions, and also offers an encryption feature.
What I like about Cortex XDR by Palo Alto Networks is that it is a comprehensive solution that contains everything the organization may need when using endpoints.
I would assess the effectiveness of Cortex XDR by Palo Alto Networks' AI-driven endpoint security in reducing risk for my organization by saying that it is integrated with AI, so it has many features that secure my organization in an efficient way.
The main benefits that Cortex XDR by Palo Alto Networks brings to the table include the fact that it is just on the cloud. You don't need to install it on your servers and there is no need for disk allocation for the server. It's on the cloud, so any device connected to the internet can communicate with the Cortex manager and get the updates and definitions of viruses and malware. That's a good feature.
The impact that Cortex XDR by Palo Alto Networks has had on my security analyst workload is significant, as it has improved the analyst security in my organization. Cortex XDR by Palo Alto Networks has many events, incidents, alerts, and alarms that help a security analyst detect malicious files or prepare for attacks or malicious activity.
What needs improvement?
I would like to see improvements in Cortex XDR by Palo Alto Networks, especially in some environments such as government organizations, where information cannot go through the cloud. Cortex XDR by Palo Alto Networks needs to be installed on our servers in some organizations, so I think it should also be available on-premises, not just in the cloud. It would be a very good solution. Additionally, I think the price is very high, and if it can be adjusted, I believe it will be a very good solution.
For how long have I used the solution?
I have been working with Cortex XDR by Palo Alto Networks for eight months.
What do I think about the stability of the solution?
I find Cortex XDR by Palo Alto Networks stable, as I have not had any crashes, downtimes, or performance issues with it.
What do I think about the scalability of the solution?
Cortex XDR by Palo Alto Networks is scalable.
How are customer service and support?
My experience with Palo Alto tech support is very strong, as I had one case with the TAC support, and they responded on time, with a good response that solved my issue.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup process for Cortex XDR by Palo Alto Networks is straightforward, as you get an email with the tenant activation URL, and you just specify where you want the cloud to be, on which country, and proceed through the steps. It's very straightforward.
What other advice do I have?
I don't have any examples to share where I found this AI integration beneficial.
I don't know if I have experienced a reduction in alert triage times since integrating Cortex XDR by Palo Alto Networks.
There are no missing features that I would like to see included in Cortex XDR by Palo Alto Networks in the future, as I think it's a complete solution. However, we can engage AI more with our analysis, but for now, I think it's a complete solution.
From a technical perspective, I think that Cortex XDR by Palo Alto Networks is worth the money, and I find it cost-effective.
The key differences, both pros and cons of Cortex XDR by Palo Alto Networks in comparison to other competitors in the market include the fact that I feel it's the same solution, but every solution has a battle card for its features. Symantec offers a device control that also exists in Cortex XDR by Palo Alto Networks. I think there is one feature that's special to Cortex and one feature that's special to Symantec. Every vendor is special in one feature. It depends on the customer and the prices.
Implementing Cortex XDR by Palo Alto Networks has affected my organization's total cost of ownership for security solutions, as nowadays, our PCs have good specifications, with 16 GB RAM and 256 GB SSD disk, which I think is enough for Cortex XDR by Palo Alto Networks. In my environment, I have two products for endpoint protection: Symantec and Cortex. Sometimes I feel my device is slow, but I think I am using many applications, so that's why. I think normally, using Cortex XDR by Palo Alto Networks will not affect users with good specifications in their PCs or laptops.
I would overall rate Cortex XDR by Palo Alto Networks as a product and solution an 8 out of 10, which I think is a very good solution.
My advice for other organizations considering Cortex XDR by Palo Alto Networks is to be aware of the price, as that seems to be the main concern.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Dec 15, 2025
Pre-Sales Architect at a tech services company with 501-1,000 employees
Automated threat response and behavioral control improve security measures
Pros and Cons
- "On a scale from one to ten, I would rate Cortex XDR by Palo Alto Networks a nine."
- "I recommend adding a data loss prevention (DLP) solution to Cortex XDR by Palo Alto Networks. The inclusion of this feature would allow the application of DLP policies alongside antivirus policies via a single agent and console, making it more competitive as other OEMs often offer DLP solutions as part of their antivirus products."
What is our primary use case?
I work with Cortex XDR by Palo Alto Networks. My primary use involves utilizing its capabilities as a next-generation antivirus solution, providing extended detection and response features along with threat prevention and behavioral control.
What is most valuable?
Cortex XDR by Palo Alto Networks is a good product, serving as a next-generation antivirus with extended detection and response features. It offers threat prevention, behavioral control, automation in threat response, and analytics capabilities, which enhance security measures. The product provides automation responses in case of a threat attack, severity assessments, centralized manageability, and comprehensive compliance features, resulting in reduced costs.
What needs improvement?
I recommend adding a data loss prevention (DLP) solution to Cortex XDR by Palo Alto Networks. The inclusion of this feature would allow the application of DLP policies alongside antivirus policies via a single agent and console, making it more competitive as other OEMs often offer DLP solutions as part of their antivirus products. Additionally, multi-tenancy and multi-cloud features are not available and should be considered for inclusion.
For how long have I used the solution?
I have been discussing Cortex XDR by Palo Alto Networks and have utilized its different facets and features in my professional experience.
How are customer service and support?
I have not faced any challenges with the customer support from Palo Alto Networks. Their support is efficient and responsive whenever I raise a ticket through my portal.
How would you rate customer service and support?
Neutral
What was our ROI?
There are good return on investment possibilities from using Cortex XDR by Palo Alto Networks due to its cost-saving compliance features, which can attract customers by reducing expenses and offering comprehensive compliance solutions.
What's my experience with pricing, setup cost, and licensing?
Compared to competitors such as CrowdStrike and Sophos, the pricing of Cortex XDR by Palo Alto Networks is similar to CrowdStrike but more expensive than Sophos. Check Point Harmony, Trend Micro, and Sophos offer lower prices.
Which other solutions did I evaluate?
Competition in the market includes CrowdStrike, Sophos, and Check Point Harmony. They provide similar technology and capabilities like email security, endpoint protection, and DLP solutions in a single console.
What other advice do I have?
On a scale from one to ten, I would rate Cortex XDR by Palo Alto Networks a nine. The tool is exceptional in its capabilities, particularly with the Unit 42 feature set and its other integrated options.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Consultant at a tech services company with 1,001-5,000 employees
Has enabled secure threat detection with minimal disruption and simplified deployment
Pros and Cons
- "Cortex XDR by Palo Alto Networks's ability to block sophisticated threats in real time is quite good and is on par with SentinelOne's."
- "If you compare it to SentinelOne, which has more functionalities and detection capabilities on an open platform, the pricing on SentinelOne is far more reasonable and cheaper than Cortex XDR by Palo Alto Networks."
What is most valuable?
I recommend Cortex XDR by Palo Alto Networks for a company that would like to have a more stable platform that does not disrupt their business or applications.
Cortex XDR by Palo Alto Networks's ability to block sophisticated threats in real time is quite good and is on par with SentinelOne's.
I assess the effectiveness of Cortex XDR by Palo Alto Networks's AI-driven endpoint security and find that both have very good results. The difference is around the details. SentinelOne is winning in this area in terms of the detailed information that can be captured and the detailed information in terms of the detections. SentinelOne also has superior storyline capabilities, which is why I think we use it for forensics as well. Cortex XDR by Palo Alto Networks is winning due to the simplicity and non-intrusive detection capabilities.
In terms of detections, SentinelOne has advantages, but also disadvantages since they are intrusive. The result is that there are many threats that can be detected, but there are also many false positives. Cortex XDR by Palo Alto Networks is non-intrusive, but in terms of the detail, sometimes potential threats cannot be captured.
What needs improvement?
Cortex XDR by Palo Alto Networks is already good at what they're doing in terms of detections, but I think they should improve their integration capabilities, especially for their XDR capabilities, which are more tied down to their own ecosystems.
For Cortex XDR by Palo Alto Networks to get closer to ten or at least nine, I would like to see more openness in terms of the integrations for their XDR capabilities. The second improvement I would like to see is more into the response and the detection and response capabilities for backups of the system state of the endpoint, such as what we have on SentinelOne.
What do I think about the stability of the solution?
Cortex XDR by Palo Alto Networks is more stable than SentinelOne because the detections are not too intrusive.
How are customer service and support?
The technical support by Palo Alto Networks is quite standard, so I think it's acceptable.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
SentinelOne is more complex to operate since they have so many options and rules that can be changed, which can take some time for a SOC analyst to learn about.
How was the initial setup?
Cortex XDR by Palo Alto Networks is easy to implement.
What's my experience with pricing, setup cost, and licensing?
Cortex XDR by Palo Alto Networks is more expensive than SentinelOne right now.
In terms of the average cost of top-tier EDR platforms, I think Cortex XDR by Palo Alto Networks is still reasonable. However, if you compare it to SentinelOne, which has more functionalities and detection capabilities on an open platform, the pricing on SentinelOne is far more reasonable and cheaper than Cortex XDR by Palo Alto Networks.
What other advice do I have?
Both are almost the same in popularity, but if I can choose one, SentinelOne is quite hyped right now.
They have a representative in Indonesia for both SentinelOne and Cortex XDR by Palo Alto Networks.
Palo Alto Networks has slightly more advantages in terms of the architecture since they have options for their endpoint that cannot connect directly to the internet to have a proxy site, which is something that SentinelOne does not have.
Cortex XDR by Palo Alto Networks is more of a closed system. I have given this review a rating of eight.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Nov 4, 2025
Threat Analyst II at a tech vendor with 1,001-5,000 employees
Centralized monitoring has streamlined threat detection and supported faster incident response
Pros and Cons
- "Cortex XDR by Palo Alto Networks has helped lighten the load of our security analysts because it was the major tool that we were using and the one we utilized most."
- "I have seen lagging with Cortex XDR by Palo Alto Networks. There was one time when we faced a threat actor trying to gain access to our system. When our team utilized the tool, we were all on the same dashboard and we faced a lag issue at that time of around five minutes, which was quite significant."
What is our primary use case?
We were using Cortex XDR by Palo Alto Networks for different use cases such as Windows login failures, disabled account login failures, and user additions to domain groups. There were multiple use cases that were totally dependent upon the client, including what log ingestions they wanted and what rules they wanted us to apply to it.
What is most valuable?
What I appreciate most about Cortex XDR by Palo Alto Networks is that it has a good tenant feature in which we have multiple tenants. We were working in EU tenants, and apart from this, the GUI is completely easy to understand.
Cortex XDR by Palo Alto Networks has helped lighten the load of our security analysts because it was the major tool that we were using and the one we utilized most. I would suggest it was a good solution for me.
What needs improvement?
One of the downsides of Cortex XDR by Palo Alto Networks is the KQL language. When I was working as a security analyst using Cortex, there was a disadvantage. People need to have knowledge of the KQL language to understand the fine-tuning of alerts or the creation of new rules. That would be a drawback. Additionally, when investigating a particular alert or case, the complete information is not available in the GUI table if we compare it to other XDRs or other tools.
I would suggest that Cortex XDR by Palo Alto Networks' AI-driven endpoint security would work better. Whenever we are investigating something, the AI would help us by simply writing into a description box. For example, if I want user login information for a particular user, I would write it and the AI would automatically generate all login events from that host. I would suggest that this would be a better feature.
For how long have I used the solution?
I have used Cortex XDR by Palo Alto Networks for around one and a half years.
What do I think about the stability of the solution?
I have seen lagging with Cortex XDR by Palo Alto Networks. There was one time when we faced a threat actor trying to gain access to our system. When our team utilized the tool, we were all on the same dashboard and we faced a lag issue at that time of around five minutes, which was quite significant.
What do I think about the scalability of the solution?
I think scalability for Cortex XDR by Palo Alto Networks is good. I would rate it nine out of ten.
How are customer service and support?
I have contacted Cortex XDR by Palo Alto Networks' technical support because we got stuck somewhere during deployment in our systems on a technical matter. The help was excellent, and I would rate the support a ten out of ten. The support was very good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have used CrowdStrike as an alternative to Cortex XDR by Palo Alto Networks.
How was the initial setup?
The deployment of Cortex XDR by Palo Alto Networks is moderate level. I deployed it in my organization last year. You just need a little bit of knowledge, but apart from this, everything is good.
What's my experience with pricing, setup cost, and licensing?
The pricing for Cortex XDR by Palo Alto Networks depends on the organization and the number of endpoints and hosts you are adding, as well as the bandwidth. I cannot specify what the pricing is. However, if you keep it minimal, then it will attract other organizations and you will grab the market.
Which other solutions did I evaluate?
I prefer CrowdStrike more than Cortex XDR by Palo Alto Networks because it has better features. It has a graphical GUI in which if any threats come in, you will have a whole map of it and you can figure out from where the chain of the threat has started. You can check what the initial access was and stop it from there.
What other advice do I have?
I would suggest that Cortex XDR by Palo Alto Networks' agent ability to block more sophisticated or complicated threats in real-time has been effective so far. I have seen that it blocks almost ninety percent of the threats. Sometimes we are left with some IOCs which are zero-day vulnerabilities. In those cases, we have to manually send it to the Cortex XDR by Palo Alto Networks team that manages all the back-end. They filter out the rules, create the workflows, then block all of the things. I would suggest that from one hundred, it works ninety percent of the time.
Cortex XDR by Palo Alto Networks does require maintenance after the deployment on my end. It has requirements. Sometimes we need fine-tuning of the alerts and sometimes we face errors. We occasionally require help when we get stuck somewhere. We reach out to Palo Alto and they help us. The after-service is very good. I would rate this review an eight out of ten overall.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Jan 21, 2026
Advanced threat detection capabilities provide effective security solutions
Pros and Cons
- "Cortex XDR features advanced threat detection capabilities."
- "Cortex XDR is stable, offering high quality and reliable performance."
- "Cortex XDR could improve its sales support team, including better commission structures and referral programs."
What is our primary use case?
I have been working as a cybersecurity manager. I focus on implementing cybersecurity solutions for different companies, and I have hands-on experience working with Cortex XDR solution by Palo Alto Networks.
What is most valuable?
Cortex XDR features advanced threat detection capabilities. The handling GUI allows for advanced searches, rule creation, and local detection. It incorporates AI for normal behavior detection, distinguishing unusual operations.
These features make the product very effective for threat detection. Additionally, the GUI is user-friendly and the product offers robust AI or normal behavior detection.
What needs improvement?
Cortex XDR could improve its sales support team, including better commission structures and referral programs. Enhancements in marketing and AI features would also be beneficial. It would be advantageous to deploy more rules to the front end and on end-user devices.
For how long have I used the solution?
I have been familiar with Cortex XDR for about three or four years.
What do I think about the stability of the solution?
Cortex XDR is stable, offering high quality and reliable performance. It is consistent and dependable in its operation.
How are customer service and support?
Customer support from Palo Alto Networks is generally adequate. It depends on how I escalate the issue. Every vendor has similar support; it depends on how the case is handled and raised.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I was a reseller for Palo Alto Networks solutions.
I have worked with many different vendors and their products, such as Microsoft Defender, and I am familiar with various cybersecurity solutions from different companies.
What was our ROI?
My customers have reported good ROI since implementing Cortex XDR. They appreciate the rich telemetry data from the solution, as it provides in-depth threat identification.
What's my experience with pricing, setup cost, and licensing?
Cortex XDR is perceived as expensive by some customers, yet offers dynamic pricing. Other companies have not shared similar complaints, and it always pitches itself well to customers.
I'd rate the solution nine out of ten.
What other advice do I have?
I give Cortex XDR a nine out of ten. Although it has a stable and high-quality performance, customer alignment still plays a significant role in the decision-making process.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Senior Technical Lead at a computer software company with 1,001-5,000 employees
Provides comprehensive network visibility and helps us identify threats efficiently
Pros and Cons
- "The solution's stability is generally good."
- "The complexity and confusion regarding product variants, such as XDR, Forexiant, and Forexon, must be addressed."
What is our primary use case?
Our primary use case for Cortex XDR is to bridge the gap between a Security Information and Event Management (SIEM) system and an Endpoint Detection and Response (EDR) solution. We use it to fetch data from network devices and endpoints, perform comparisons, and generate alerts. It is useful for detecting impossible travel scenarios where a user's IP address switches rapidly between geographically distant locations, which can indicate VPN use or other anomalies.
What is most valuable?
The product's most valuable feature is the ability to integrate and correlate data from network and endpoint sources. This comprehensive visibility allows us to quickly identify and respond to threats, such as impossible travel scenarios, with greater accuracy and speed.
What needs improvement?
The product could be improved in several areas. The complexity and confusion regarding product variants, such as XDR, Forexiant, and Forexon, must be addressed. There is also a need for clearer differentiation between features and capabilities within Cortex's suite, as the overlap between XDR and XIM can be confusing.
Improvements in the user interface and more intuitive KQL query handling could also enhance usability. Additionally, better support for various deployment scenarios and cost management options would be beneficial.
For how long have I used the solution?
I have been using Cortex for approximately two years.
What do I think about the stability of the solution?
The solution's stability is generally good.
What do I think about the scalability of the solution?
The solution scales well. It is deployed without major issues across 60,000 endpoints in our organization.
How are customer service and support?
Customer support quality varies depending on the support plan. The premium plan offers excellent support. However, if you opt for a standard plan, the level of support may be less satisfactory.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup was relatively straightforward. Modern methods, such as pushing clients over port 443, have made deploying endpoints easier than legacy systems.
What's my experience with pricing, setup cost, and licensing?
Cortex XDR is a costly solution.
What other advice do I have?
Overall, Cortex XDR is good software. Ensure you have the financial resources to support the investment or consider alternative solutions if cost is a significant concern.
I rate it a nine out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
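The impossible-travel correlation described in the review above, written out as an added example (not Cortex XDR code and not the reviewer's): consecutive sign-ins per user are compared, and a pair is flagged when the implied travel speed exceeds a plausible maximum. The event fields, IP addresses, coordinates and the 900 km/h threshold are constructed assumptions; a real pipeline would take them from the geo-enriched sign-in telemetry.

```python
"""Impossible-travel check over constructed sign-in events (added example,
not Cortex XDR code). Assumes each event already carries a geolocation."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner cruising speed; tune per environment
MIN_DISTANCE_KM = 50.0      # below this, treat as geo-IP jitter, never an alert


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh: float = MAX_PLAUSIBLE_KMH):
    """Return (user, ip_from, ip_to, km, hours) for consecutive sign-ins of the
    same user that would require travelling faster than max_kmh."""
    by_user: dict[str, list[SignIn]] = {}
    for e in sorted(events, key=lambda e: e.when):   # order before pairing
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur.when - prev.when).total_seconds() / 3600
            # hours == 0 means two distant locations at the same instant: also impossible
            if hours <= 0 or km / hours > max_kmh:
                alerts.append((user, prev.ip, cur.ip, round(km), round(hours, 2)))
    return alerts


# Constructed sample: alice appears in Frankfurt, then 40 minutes later in Singapore;
# bob goes Paris -> London over nine hours, which is ordinary travel.
SAMPLE = [
    SignIn("alice", datetime(2025, 1, 10, 8, 0, tzinfo=timezone.utc), "203.0.113.10", 50.11, 8.68),
    SignIn("alice", datetime(2025, 1, 10, 8, 40, tzinfo=timezone.utc), "198.51.100.7", 1.35, 103.82),
    SignIn("bob", datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc), "203.0.113.20", 48.85, 2.35),
    SignIn("bob", datetime(2025, 1, 10, 18, 0, tzinfo=timezone.utc), "203.0.113.21", 51.51, -0.13),
]
```

Running `impossible_travel(SAMPLE)` yields one alert for alice (about 10,265 km in 0.67 h) and none for bob.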