Palo Alto Cortex Review and Alternatives

Palo Alto invented the term “XDR”. The origins of the term lie with EDR systems. EDR stands for endpoint detection and response. Although industry commentators assume that the “X” stands for “extended,” Nir Zuk, the founder of Palo Alto Networks and the creator of XDR, states that “X” represents anything.

A quick way to understand XDR is to think of it as enterprise-wide coordination of EDR units. One of the critical characteristics of an XDR is that it is SaaS-based. Such systems reach into the protected network where endpoint-resident modules provide local implementation of security policies.

Cortex is Palo Alto’s XDR product.

About Palo Alto Networks

The re-imagining of the EDR into an XDR is typical of the process that brought Palo Alto its commercial success. The company’s first product was the next-generation firewall. The company was formed in 2005 by Nir Zuk, who created the first stateful firewall, a technology that has since become the industry standard strategy for protecting networks.

The company took two years to create its next-generation firewall. The product adds machine learning to the stateful firewall mechanism. This AI discipline aims to track typical behavior on a system and the flag activities that deviate from that pattern. This system has become known as user and entity behavior analytics (UEBA).

Palo Alto Networks offers its firewall on a network appliance and a cloud platform. In addition, the company has identified related services that can benefit from a location on the edge of a network in both deployment options. The Palo Alto Cortex XDR is one of those products.

About Palo Alto Cortex

Palo Alto Cortex XDR implements a two-layer strategy to protect endpoints on a network. First, each endpoint had a local agent installed on it. This is a cut-down version of an EDR package. It is not the entire system that you would expect from EDR software because much of the detection process for the security system is implemented in the upper layer of the package, which is a central coordinator that is implemented as a SaaS platform.

Not all of the technology that goes into Cortex was developed in-house by Palo Alto. For example, the company bought Expanse, Inc in November 2020 to acquire its expertise in attack surface management. The Expanse system is now marketed as a product called Cortex Xpanse. The Expanse vulnerability awareness system is also integrated into the core of the Cortex system.

Palo Alto Cortex features

The three critical elements of Palo Alto Cortex are:

  • Endpoint detection and response (EDR)
  • Security orchestration, automation, and response (SOAR)
  • User and entity behavior analytics (UEBA)

These contributing services are all tied together by the cloud-based coordinator. In the ideal system setup, the EDR units installed on endpoints would be supplemented by a Palo Alto next-generation firewall, which can also implement network security scanning. However, the SOAR mechanisms in the XDR package can extract data and send response instructions to third-party firewalls and network monitors.

Endpoint detection and response

The EDR element of the Palo Alto Cortex is the base system of the package. Each protected endpoint needs this software installed on it. This is an advanced anti-malware system. As well as detecting malware, the service can spot malicious actions by humans. That includes intruders and disgruntled or duped account holders.

The EDR can perform its threat hunting by using UEBA. However, the actions that turn this system into an XDR are the communications that each EDR instance working in an enterprise has with the central coordinating service on the cloud.

Each EDR gathers logs from the operating system and software packages running on the device that hosts it. The EDR searches through this data, weeds out inconsequential information, and searches through the rest for indicators of compromise. This local action means that the endpoint can still be protected even if the device is disconnected from the network and the EDR can’t communicate with the Cortex server.

The local threat-hunting processes are light. This is because the EDR is produced so that it doesn’t hog processing power on its host. Instead, the XDR server performs more comprehensive searches. The EDR uploads all of its detection source data to the Palo Alto server, which is consolidated with the data gathered by all other EDRs running on the system to feed this centralized threat hunting.

If the XDR service spots a problem, it notifies the affected EDR unit. Also, it passes warnings to all of the other EDRs on the system to tailor their threat hunting towards the detected security problem.

Security orchestration, automation, and response

Collecting log data from applications and software running on an endpoint is categorized as “orchestration”. This means an exchange of data between systems created by different providers. The automation and response parts of SOAR involve the ability of the EDR to interact with third-party systems, such as access rights managers and firewalls, to shut down a detected threat.

A series of playbooks can define the actions that kick in when a threat is identified. This is a series of triggers that specify actions if a specific type of threat is detected. For example, if malware is detected, the playbook would select killing of the processes identified as malicious and deleting the files and programs associated with them.

User and entity behavior analytics

UEBA is a common element found in EDR systems. This strategy was adopted to get around the problem of protecting businesses against new malware and new intrusion strategies. The problem with the old anti-malware model is that it relies on a team of cyber security experts noticing new malware and producing indicators to distribute to every instance of their software. Those instances then update their malware databases, which informs malware scanning.

Hackers realized that minor tweaks in their viruses would avoid detection and give them a window to wreak havoc between their malware being released and a distributed block. Unfortunately, not all computer users allow their anti-virus to be permanently connected to the internet, awaiting updates.

With UEBA, the detection software records normal activity and then identifies variations. For example, the system will document all of the authorized software and the processes that they run. If a new approach isn’t on the approved list, the EDR will pay more attention. Watching what that process does regarding resource or file access escalates suspicion.

Typically, a UEBA detection process is not instant. Instead, it involves a series of observations. It will include escalating the issue to the XDR unit, which has more powerful searching capabilities and benefits from data uploaded from all EDR units in the system.

XDR actions

The central XDR system is a SaaS platform and initiates the installation of all EDR units. So, this platform is the customer’s first contact with the system, and its dashboard is the main console that the user will access to customize and monitor the security system. Next, the user has to set up installation packages through a guided screen that will download the endpoint agents, the EDR instances. These agents will run on Windows, macOS, and Linux.

As the XDR unit gathers log data and other activity information extracted from software through SOAR, it is like a SIEM. So, there are two ways of assessing the Palo Alto Cortex system. One is that it is a group of EDRs coordinated by a cloud service; the other is that the package is a SIEM with endpoint agents that are a little more powerful than usual.

The playbooks that automate responses are optional. The user can choose to turn off that capability and rely on the XDR alerts when threats are identified. In this option, the user will implement remediation actions manually.

Palo Alto Cortex prices

Palo Alto doesn’t publish its prices for any of its products, so it isn’t possible to get a plan price for Cortex. However, you start your conversation with the Palo Alto Networks sales staff by requesting a demo of the XDR.

Palo Alto strengths and weaknesses

The Palo Alto Cortex package resolves many of the weak points of any security system. For example, a cloud-based system can be instantly updated with new threat intelligence without the slip-ups and failed updates that download onto endpoints sometimes experience.

A security system that is solely provided on endpoints can be circumvented. However, the XDR’s overview of the entire system shuts down that possibility. Furthermore, having endpoint agents that can continue to work in isolation defeats the strategy of cutting off the device from the network so it can’t communicate with the centralized security system.

Here are some good and bad points that we have identified about the Palo Alto Cortex system.


  • Each endpoint unit can operate autonomously
  • The central XDR gets updated automatically with new detection rules
  • Existing software can contribute to threat detection
  • Palo Alto is a highly respected security software provider that constantly innovates to keep ahead of hacker activity
  • Extra vulnerability scanning for system hardening
  • Reports for standards compliance


  • Palo Alto is secretive about pricing

Alternatives to Palo Alto Cortex

Although Palo Alto Cortex is the original XDR, it isn’t the only one available. Looking at how the XDR operates, it is also a good idea to investigate sound SIEM systems as an option to compare to Palo Alto Cortex. It is always a good idea to examine two or three alternatives before purchasing any IT asset.

Here is our list of the best alternatives to Palo Alto Cortex:

  1. CrowdStrike Falcon Insight This is a very close competitor to Palo Alto Cortex because it is a SaaS platform that installs EDR units on each endpoint. The EDR system in the Insight package is very powerful and is also marketed as an independent product, called Falcon Prevent. Adding the Insight layer to Prevent gives you a system-wide security service, including UEBA and automated response mechanisms. Falcon Prevent is available for Windows, macOS, and Linux, and you can get it on a 15-day free trial.
  2. LogRhythm XDR Stack LogRhythm structures its XDR offering as a stratified stack of modules. In addition to the EDR data gatherers. The tool could very quickly be described as a SIEM. This system includes SOAR and UEBA for data gathering, threat detection, and automated responses. The service is offered as a SaaS platform, but it can also be installed on Windows Server or run as a virtual appliance.
  3. Rapid7 Insight Platform This is a suite of services, and you can choose from a SIEM and a vulnerability manager, among other products. The SIEM is an XDR, called InsightIDR. This service includes UEBA and a threat intelligence fed, called Attack Behavior Analytics (ABA). Responses are automated through SOAR mechanisms. However, the endpoint agents for this system cannot operate autonomously.
  4. Exabeam This is a SIEM, but it is an excellent competitor to the Palo Alto XDR strategy. This is a distributed system that can easily include individual endpoints used by telecommuting staff. In addition, this package contains UEBA and automated response actions.
  5. TrendMicro XDR This system offers a menu of services that gives the buyer options over how far to extend the security managed by its SaaS platform. This includes endpoint detection, network security, cloud resource protection, and email monitoring. In all cases, local agents coordinate threat hunting and responses with third-party tools through SOAR. In addition, this service includes UEBA and automated response options through playbooks. The XDR is offered as a security tool or as a managed service.