Palo Alto Networks Cortex XSOAR Reviews

Our usual use cases for Palo Alto Networks Cortex XSOAR are basically security automation, where we write our different rules based on different security issues like intrusions, misuse, account takeover, and account management, such as identity and access management. Based on these events, we write the signatures in Python code for these particular events by connecting to upstream and downstream systems.

We use automation to create dashboards for security operations and link these dashboards to automations, which will have standard operating procedures linked for each use case, deployable at the discretion of the security analyst. This is mainly how we use Palo Alto Networks Cortex XSOAR.

The integration capabilities of Palo Alto Networks Cortex XSOAR with third-party tools enhance our security strategy as it works with 80% of the tools we have. Being a Palo shop, we have numerous Palo products like Palo Firewall, Palo CASB, and Palo Autofocus, in addition to regular third-party automations like ServiceNow. The integration is very good, especially with the addition of AI features that require little to no programming.

Before using Palo Alto Networks Cortex XSOAR, we did not have a single tool but used different custom-written tools, as we lacked a comprehensive solution. Previously, we wrote integrations on top of SIEM tools or other incident management tools such as ServiceNow automations. However, once we adopted Cortex XSOAR, we migrated all our workflows to it.

The most valuable features of Palo Alto Networks Cortex XSOAR, especially since we are leveraging it for automation, are the Playbooks feature, followed by the command and control screen feature that allows us to aggregate multiple dashboards and create custom dashboards based on different scenarios.

Regarding Playbook automation, I find it has helped streamline our incident response workflows significantly. Previously, manual incident reviews and actions took up a lot of time. Without dashboards and single pane of glass access, the security analyst had to handle multiple data sources, incident sources, and SOP documents, leading to more manual effort and increased potential for errors. All actions required manual tracking of logs and reviews to management. With Palo Alto Networks Cortex XSOAR Playbooks, we utilize standard inbuilt automations from Palo and can create our custom automations. We integrate multiple inbuilt playbooks and write our custom playbooks for incident management, taking inputs from incident sources such as SIEM and threat intelligence, aggregating them into dashboards, and enabling relevant automations for necessary changes, logging, or actions.

The machine learning models in Palo Alto Networks Cortex XSOAR help prioritize alerts in our organization, proving to be very important as they aid our incident processing. Given that many incidents require discretion from analysts due to their relevance to our business, the ML workflows eliminate a lot of false positives.

Palo Alto Networks Cortex XSOAR analytics features significantly impact our ability to gain insights and visibility into security, which is crucial for communicating with management. Management has different preferences for seeing the most frequent threats or identifying which particular systems are targeted by threat actors, making these analytics very useful.

I think the areas of Palo Alto Networks Cortex XSOAR that could be improved are mainly in UX. We have communicated with the vendor team about this, but they are prioritizing product functionality over usability because most target customers are technical and understand a primitive UI. They face difficulties in implementing UI changes as their team is stretched. Thus, the UI/UX of the tool needs significant improvement. There are plans on their roadmap, but a lot remains to be done. Parts of the tool run on an older framework, causing slowness. Usability is a broader issue than features alone. This usability problem is common in many cybersecurity tools, unlike customer-facing applications.

Some integrations have speed issues and might not function seamlessly with different upstream configurations, requiring manual updates. These are the main pain points we encountered, particularly with UI/UX, integration speed, and the usability of certain inbuilt playbooks.

I have been working with Palo Alto Networks Cortex XSOAR since 2022, so it has been three years.

I would rate the stability and reliability of Palo Alto Networks Cortex XSOAR as a nine. Occasionally, we have had rare issues with few plugins that led to high stack usage, requiring shutdown and restart. Generally, it is highly available nine out of ten times.

I would rate Palo Alto Networks Cortex XSOAR's scalability as an eight. It is highly scalable, but we do encounter some issues here and there.

The issues with scalability arise from the speed of some integrations, as not all are perfectly tuned by Palo; some were released without complete testing. Overall, most platform requirements are met with high scalability capabilities.

I often communicate with the technical support team of Palo Alto Networks.

My experience with Palo Alto Networks technical support has been quite satisfactory, rating it an eight. Eight out of ten times, they provide valuable help. However, in two instances, I encountered service associates who were not very knowledgeable or where the tasks were complex, leading to escalations. Even then, they were timely in their responses.

Positive

Before selecting Palo Alto Networks Cortex XSOAR, our organization was using Demisto, which made it logical to transition to Cortex XSOAR. We did evaluate Splunk, but we decided that Palo Alto Networks Cortex XSOAR was the better option.

While evaluating options, Splunk lacked the number of playbook integrations that Palo Alto Networks Cortex XSOAR offered. Although I hear Splunk has improved since then, being a Palo shop provided additional advantages, including a favorable bundle discount, as everything from our CASB to cloud monitoring and firewalls is with Palo, creating a tight dependency.

The initial setup process for Palo Alto Networks Cortex XSOAR involved having the necessary infrastructure suggested by Palo, spinning up the servers, establishing dependencies, ensuring proper network segmentation, and setting up the right monitoring appliances and connections. Once the setup was complete, we moved all dependencies, basic necessary automations, and basic dashboards into the system, which comprised the beginning work.

Overall, the process has been far from straightforward.

I have faced several challenges during installation where the necessary servers require varying amounts of RAM and specific network segmentation. These requirements are not straightforward, and I realized many issues post-installation. While they advise installing a VM, the actual installation process reveals that debugging is often necessary, making it less seamless and not functional right out of the box.

I participated in the initial setup and deployment of Palo Alto Networks Cortex XSOAR.

Palo Alto Networks Cortex XSOAR has had a huge impact on our organization's mean time to resolution for incidents. As I previously described, instead of going through the entire manual process, it improves the security SOC operations efficiency tremendously, by more than 80% to 90%. I would rate this solution a nine overall.

We are more of a SI and reseller, not really acting as a customer ourselves. We are reselling Palo Alto Networks Cortex XSOAR and SentinelOne. We are dealing with all Palo Alto products, related to firewalls, including Fortinet, Palo Alto, Check Point, and Cisco.

When these services go live, we will see their full potential. I am dealing with Palo Alto products such as firewalls and SASE, which we have proposed to multiple customers, and we have positioned Palo Alto Networks Cortex XSOAR for a few customers.

The customer was already using Micro Focus, which provided a bundle with their SIEM and SOAR product, requiring a lot of manual work and configuration. To replace that, we are positioning Palo Alto Networks Cortex XSOAR, which can be used in the SOC and do a lot of automation for the customer, but it was expensive, making it essential for the customer to evaluate whether ROI is coming from the business model, as they are also acting as a SOC provider.

Palo Alto Networks Cortex XSOAR is a good product with enhanced and efficient playbooks, as demonstrated during our use case simulations. We have implemented automation features, such as automated responses to email threats and automatic configuration of target devices for blocking specific IPs.

The analytics feature in Palo Alto Networks Cortex XSOAR is impressive. The solution is quite exhaustive regarding integrations, with many pre-integrations available, especially for market-leading products. There might be challenges with make-in-India products, as they tend not to build the necessary connectors. This depends on whether you are selling to enterprises or other customers. For government customers, you might encounter many Indian products, such as firewalls, which could pose integration challenges unless you have open APIs. However, for market-leading products, there are ready-made integrations available.

To improve the solution, it needs to have complete features that are low-code, no-code, and should be plug-and-play. We need to see improvements in that area to facilitate cyber analysts.

Currently, we are not using it in-house; however, we have explored whether we should create our next-generation SOC using IBM QRadar, Elastic, or maybe some other product such as Fortinet.

The technical support provided by Palo Alto Networks Cortex XSOAR is good. I would rate their support around nine out of ten.

Positive

Comparing pricing to Micro Focus, they were offering bundles, making it free with their SIEM. For customers, it is zero versus $20 million, which is why they have to make a decision.

The customer was already using Micro Focus, which provided a bundle with their SIEM and SOAR product, requiring a lot of manual work and configuration. To replace that, we are positioning Palo Alto Networks Cortex XSOAR, which can be used in the SOC and do a lot of automation for the customer, but it was expensive, making it essential for the customer to evaluate whether ROI is coming from the business model, as they are also acting as a SOC provider.

Comparing pricing to Micro Focus, they were offering bundles, making it free with their SIEM. For customers, it is zero versus $20 million, which is why they have to make a decision.

We are considering Splunk, which has a good market presence in the niche. Second is QRadar, which also has a good market presence, but the future with IBM is uncertain. Third is Elastic, which is doing great now as they have formed some partnerships; it will be a good product providing these kinds of services in the future.

We act as a SI with tie-ups with different EDR vendors. We are providing Palo Alto Networks Cortex XSOAR and SentinelOne as our main products.

We have given certain POCs, but we are not using it in-house. We are evaluating different products for our next-generation SOC, considering market conditions and pricing as key factors.

I found it easy to use and configure at the time of evaluation. I have not seen how the machine learning models help prioritize alerts, but this will be evaluated when shown to customers.

I would recommend Palo Alto Networks Cortex XSOAR for big companies only because it may be costly, so small companies will not adopt it unless they have a clear mindset to proceed with this product for specific reasons. It is easy to integrate within existing systems, especially with third-party solutions.

Based on my experience, I would rate Palo Alto Networks Cortex XSOAR a six out of ten.

My primary use cases for Palo Alto Networks Cortex XSOAR are malware incidents, specifically phishing-related incidents, Trojan horses, spyware, and similar threats.

The automation and marketplace features of Palo Alto Networks Cortex XSOAR are what I appreciate most. These features provide flexibility to integrate different threat intelligence feeds and playbooks, and they are enjoyable to create.

Palo Alto Networks Cortex XSOAR has had a positive impact on the mean time to resolution for incidents (MTTR), as it has significantly reduced noise. For instance, I have created custom playbooks for phishing incidents that were false positives, which automatically close incidents.

Regarding areas for improvement in Palo Alto Networks Cortex XSOAR, I want to highlight one concern about playbook creation. While I personally appreciate this approach, I have observed that junior analysts on my team find it difficult to build playbooks. If Palo Alto Networks could improve the ease of use, specifically for playbook creation, that would be beneficial, as this is a gap I have identified.

When I create a playbook for spyware or malware, I need to develop level one, level two, and sometimes level three sub-playbooks. Fetching data in the input and output fields is sometimes challenging. I have observed that junior analysts find this particularly challenging, so I believe it would be valuable to simplify the process of creating and configuring input fields and sub-playbooks.

I have been working with Palo Alto Networks Cortex XSOAR for three years.

Regarding the performance of Palo Alto Networks Cortex XSOAR, I have not experienced any lagging. All pages load quickly in just one or two seconds, and the system works smoothly even when I navigate deep into the playbook section.

Palo Alto Networks Cortex XSOAR has very good application capabilities and is highly scalable. However, scalability depends on the customer using the product, as developing more playbooks requires significant time and effort. Palo Alto Networks does provide prebuilt playbooks that can assist with this.

I have not needed to contact technical support for Palo Alto Networks Cortex XSOAR because the issues I encounter do not require CSP assistance. I was guided by a senior architect during deployment.

Neutral

I have previously used FortiSOAR as an alternative to Palo Alto Networks Cortex XSOAR for incident response and security operations.

The initial deployment of Palo Alto Networks Cortex XSOAR is very straightforward. I only needed to set up the Broker VM or CIE and then the agents, and the system began sending data immediately. This approach is beneficial for XDR purposes and enables integration with SIEM and other products to automate the response flow.

Based on my experience, two to three people are sufficient for deployment. This includes a senior architect, a junior architect or assistant architect, and one resource for training and instruction. Three people are more than adequate, although the deployment can also be accomplished with two people.

When comparing Palo Alto Networks Cortex XSOAR to FortiSOAR, the differences are evident, particularly in the user interface. I would place Palo Alto Networks Cortex XSOAR above FortiSOAR because it provides incident layout flexibility, allowing me to customize incident layouts based on specific requirements.

Palo Alto Networks Cortex XSOAR does not require any maintenance on my end. I only need to check for updates on the content packs I am using, whether they are for malware or other security purposes, since Palo Alto Networks handles all maintenance responsibilities.

The initial deployment of Palo Alto Networks Cortex XSOAR is very easy. I only needed to set up the Broker VM or CIE and then the agents, and the system began sending data immediately. This approach is beneficial for XDR purposes and enables integration with SIEM and other products to automate the response flow.

Regarding the performance of Palo Alto Networks Cortex XSOAR, I have not experienced any lagging. All pages load quickly in just one or two seconds, and the system works smoothly even when I navigate deep into the playbook section.

Palo Alto Networks Cortex XSOAR has had a positive impact on the mean time to resolution for incidents (MTTR), as it has significantly reduced noise. For instance, I have created custom playbooks for phishing incidents that were false positives, which automatically close incidents.

Palo Alto Networks Cortex XSOAR is highly scalable. However, scalability depends on the customer using the product, as developing more playbooks requires significant time and effort. Palo Alto Networks does provide prebuilt playbooks that can assist with this.

Regarding integration capabilities with other third-party tools for enhancing security, integrating tools such as VirusTotal and AutoFocus is very straightforward. I only need to set up API keys and provide URLs. As of my last check, approximately eighteen integrations are available.

I have not explored the machine learning and AI components of Palo Alto Networks Cortex XSOAR because my role focuses on creating custom use cases and playbooks to reduce MTTR. I have not utilized these features at this time.

I would rate this product an 8 out of 10.

We use Palo Alto Networks Cortex XSOAR for incident response as a case management tool. All of our alerts from different tools come into this central place as we have multiple SIEMs. We have items coming from Anomali and other platforms that are not SIEM tools that we bring in. This is our central place where our SOC analysts can work and determine if they need to perform incident response on the alerts they have. It provides them with the ability to do data enrichment, so it has all the information we can provide upfront. They can find out the username, phone number, email address, where they work, and all that information. If it involves a malware file, they can get all the details from VirusTotal, such as the file name, how often it has been in the environment, and similar information. We built a lot of automation around it. From that, we track our case metrics, which helps us leverage how long it takes us to investigate and mitigate any threats.

What I appreciate most about Palo Alto Networks Cortex XSOAR is that it is very open, even more so than Anomali. I can create various custom automations and custom fields. There is significant customization ability in this platform. If I already have an established process, I do not have to change my process to fit into the tool. I can modify the tool to fit into my process, which makes things considerably easier.

All of our alerts from different tools come into this central place as we have multiple SIEMs. We have items coming from Anomali and other platforms that are not SIEM tools. This serves as our central location where our SOC analysts can work and determine if incident response is needed. The platform provides data enrichment capabilities, offering information upfront so analysts do not have to search for it. They can access details such as username, phone number, email address, and workplace information. For malware files, they can retrieve details from VirusTotal, including file names and environment presence. We have built substantial automation around these features, which also helps us track case metrics, investigation time, and threat mitigation duration.

For Palo Alto Networks Cortex XSOAR, there is always room for improvement. One of the significant issues we encounter is system slowdown when we receive an influx of alerts, which inhibits how quickly we can access the information needed for investigation.

I have been using Palo Alto Networks Cortex XSOAR since 2018, for about seven years.

I would rate the stability of Palo Alto Networks Cortex XSOAR a six out of ten.

The scalability of Palo Alto Networks Cortex XSOAR supports our growth and security needs because we can integrate various tools and continuously add more capability. Whatever we can envision with this tool, we can implement. We have not reached a limit on the amount of items we can have in the platform. We manage scaling effectively. Though we experience slowdowns during simultaneous operations, once we get through that period, performance returns to normal and we can process things quickly. There does not seem to be any limitation on the amount of data or alerts we put through the platform.

I follow up with Palo Alto Networks Cortex XSOAR support when issues occur. Their support has been better than Anomali's and they are more responsive. The main challenge we encounter with their support is that their engineers, who handle escalated issues, are located in the Middle East. We often need to accommodate their time zone for meetings. I would rate their support a six out of ten.

Neutral

The deployment of Palo Alto Networks Cortex XSOAR started on-premises and then moved to the cloud. The on-premises deployment was very simple, using a standard shell file. The setup instructions are straightforward - you execute the shell file on the server, agree to terms, and fill in some data points such as passwords. After completing these guided questions and steps, the installation is automated. You do not have to intervene, and it spins up and starts itself. The process is painless to set up.

My advice would be to understand your use cases and ensure this solution addresses them. Test it against other products in the market. Whatever you can envision, you can probably implement. The platform is very supportive of different integrations and tools. I would suggest learning Python or having someone with Python understanding as they develop things in the platform. Having a code-based background is beneficial as the platform is very code-centric for the playbooks. Having that background or at least logic could be helpful. This review rates Palo Alto Networks Cortex XSOAR 9 out of 10.

I have worked on multiple use cases related to network security and cybersecurity. In network security, I've created multiple playbooks to fetch data from multiple firewalls. 

We can also upgrade them in parallel to Axon. Apart from that, we can block URLs and IPs in real time. It takes less than five minutes to block something. You don't have to push a policy or create a rule on the firewall directly. You just upload the IOC (Indicator of Compromise), URL, or IP into a SharePoint sheet, and it gets blocked within five minutes.

Those are the kinds of use cases I've created. In addition, we've automated several tasks, including Nikto vulnerability scans and SOCL (Security Orchestration, Automation, and Response) tasks. 

We've also created multiple threat intelligence playbooks, fetching data through the MITRE framework and following compliances like HIPAA. It's a very good tool.

XSOAR support the company's compliance and regulatory requirements. For example, I'm working with multiple clients from different industries—one from manufacturing, another from healthcare, and one from banking. Each of these clients has its own compliance policies. XSOAR is a product that allows you to meet all regulatory requirements effectively. The flexibility in XSOAR is much greater compared to other tools.

Security-wise, the integration of IAM and SSO in XSOAR is straightforward. For example, I'm currently working with an Indian client that must adhere to RBI regulations. These regulations require that data remain within the Indian subcontinent and not be sent overseas when using cloud services.

For instance, FortiSOAR has data centres in Dallas and Australia. Google Chronicle has data centres in Europe, Japan, and the US. However, XSOAR also has a data centre in India, which is essential for meeting local regulatory requirements. This makes XSOAR a very suitable option for such needs.

The best feature is the CLI part. If you want to execute any command or something like that, it is very easy. You can get a tab, and you just type the command there, and it will run. The playground feature is very good. You don't need a separate development environment; you can use it directly within XSOAR. These are the things that make XSOAR stand out compared to other products.

For orchestration, the processes are very user-friendly. Even if I'm not an XSOAR admin, I can quickly become proficient with it. You just have to navigate through the various options in Palo Alto Networks Cortex XSOAR, and it becomes easy to manage. For instance, if you are a SOC analyst and want to start using XSOAR, it's very easy to access and retrieve the details you need.

To put it in simpler terms, using XSOAR is like using a Fire Stick, where you have all your OTT platforms available. Similarly, in XSOAR, you get all the related alerts, whether from SIEM, EDR, or XDR, all consolidated in one place. You can analyze the data, make decisions, and even automate certain processes based on the data you receive. XSOAR assists in automating workflows, making decision-making processes easier.

The orchestration in XSOAR is significantly easier compared to other SOAR tools I've used, like Siemplify, Splunk Phantom, and FortiSOAR. The processes are much more streamlined in XSOAR, which is what I appreciate most about it.

So, when it comes to automation and playbooks, it is very easy. XSOAR is the only platform that supports three scripting languages: Python, JavaScript, and PowerShell. So you don't have to worry much about compatibility. If someone knows Python, they can easily create a playbook for automation. They can write the automation scripts and handle everything. Even if you're like me, coming from a Windows background and only familiar with PowerShell scripting, you can still create automation within XSOAR. This flexibility is something that XSOAR provides, unlike other tools that only support Python.

XSOAR uses machine learning and generative AI, particularly in threat intelligence. In security, threat intelligence is the only area where AI and machine learning are truly effective. Aside from that, whatever vendors are claiming about AI is often just marketing hype. They might suggest that AI can be used everywhere, but security compliance is a crucial factor. 

For example, if I request AD admin access, it's unlikely anyone would grant it due to security concerns. This demonstrates the limits of AI in certain aspects of security. They may have chatbots and other features, but their necessity is questionable. For instance, if I need details about a particular IP or URL, I can retrieve it myself by running a command. Human intervention is still necessary in these cases.

We can definitely use AI in incident response, but the major thing is in managing case notes. We recently initiated a project focused on ensuring that case notes added by analysts follow a proper format. We can then utilize generative AI to improve this process. For example, if an alert is related to a DNS query, we can create different templates. Based on the best keyword match, AI can make decisions, which is part of our plan.

Recently, they started implementing microservices in XSOAR, which has improved quality and addressed previous issues. However, they should focus more on licensing costs. The user licensing fees are quite high. 

For example, I received a quote for XSOAR, and it was $12,000 per user per year. If you have a SOC team of 30 members/analysts, you're looking at a substantial expense. They should consider reducing these costs since this high pricing seems to be more about profit.

So, there is room for improvement in the pricing. 

Moreover, the reporting and dashboard features are decent but could be improved. The user interface (UI) is quite heavy and takes time to load, which is a major drawback.

I have been working with the XSOAR product for almost four four and a half years.

I've mostly worked on the SaaS side and haven't encountered any major issues.

So, it's highly scalable. But in practice, scalability is often underutilized. It's only leveraged when fully necessary, such as when the system becomes protected and fully operational.

If you use the case management module of XSOAR, then you need to cover all the SOC personnel. If you just want to automate tasks and send details via email, then three or four licenses are more than enough.

Technical support varies. If you have premium support, they treat you well. If not, it might be frustrating. But it depends on the person handling it.

Positive

I have used Fortinet, Splunk, and other vendors. 

The implementation strategy varies. You start by ingesting alerts from various sources and then begin creating playbooks. The process depends on what the client needs first. 

Typically, I start by setting up Single Sign-On (SSO) and the user base. After that, I proceed with the deployment, which is the most efficient approach. Meanwhile, I also allow SOC analysts some time to familiarize themselves with the system.

Typically, a single resource can manage the entire deployment process. You don't need a large team.

The time frame depends on the client. If the client is proactive and has all the data and processes in place, it can take one to two months. Otherwise, it can be a more tedious process.

Both versions are available—SaaS and on-premises. I’ve worked on both, but mostly with the SaaS-based version. However, both versions are almost identical in functionality.

Maintenance is very easy. If you want to upgrade XSOAR, you just have to open a ticket with support. They will give you a specific window, and it takes less than five minutes to get updated, and everything works fine.

I currently manage XSOAR end-to-end, from giving demos to customers to implementing it in their environments. I handle everything, including the automation part.

XSOAR can automate nearly anything. Compared to any other SOAR tool, it's more powerful and provides more control to automate tasks across various areas, whether it's network security, IAM, server management, or other infrastructure levels. XSOAR offers seamless integrations with around 80+ integrations available in the marketplace. The layouts are customizable, and you can create multiple layouts or custom incident schemas. These features make XSOAR the market leader in its category.

ROI becomes evident when your SOC is mature. The problem many businesses face is that they receive a budget and immediately purchase products without focusing on processes. The process is more important than the tools. 

Many companies spend heavily on CapEx but neglect operational optimization. If you focus on improving operational processes, you will see better results. For example, many organizations pay for a high EPS (events per second) rate on their SIEM, but 99% of the events are false positives. This is wasteful. 

Once your SOC processes are mature and you have a high number of true positive alerts, that's when XSOAR can be truly effective. Automation is the last step in the process; you have to take it step by step. XSOAR comes into play when you're ready to automate efficiently.

Before you proceed, it's important to trim down the false positives and establish a robust process. You need to orchestrate multiple things. These are the elements currently missing with the client. Once your SOC (Security Operations Center) is matured, and you start receiving accurate, true positive alerts, XSOAR will provide a significant ROI. 

You can automate almost 90% of the playbooks that SOC analysts manage. The remaining 10% would involve decision-making tasks, which can be handled by L3 or L2 analysts. L1 tasks have already been automated, allowing L1 analysts to focus on L2 responsibilities.

Overall, I would rate it a nine out of ten. The main drawbacks are the dashboard and reporting features—they could be better. Also, the user licensing fee is quite high. Apart from that, I don't think there are any major issues. 

If we’re paying for premium support, they should consider providing some complimentary private keys or licenses. It's like buying an Amazon Fire Stick and expecting free Amazon Prime and Netflix for a few days. But they’re not giving anything for free.

I would recommend this product to other users, if they have a decent budget to spend. Further, I would advise to ensure your processes are robust. Once your process is stable, you can buy XSOAR, and it can do wonders. It's just a tool, after all.

The primary use case for Cortex XSOAR is as an orchestration automation platform. I use it to execute automatic tasks for collecting, enriching, and correlating security events from hundreds of different technologies. It involves incident orchestration and automation in the selection of security analysts to be involved in event handling.

The solution is an orchestration automation platform. Three main features can help me: execution of automatic tasks for collecting, enriching, and correlating security events from hundreds of different technologies that I can integrate into the platform. Each incident collected is orchestrated with automation that selects the security analyst to be involved, or provides complex execution plans for managing security incidents.

The complexity of Cortex XSOAR has a trade-off with its versatility. The product can be tailored for each deployment to respond to specific customer needs, and this complexity may be seen as a downside. The deployment requires integration and the development of integration modules. Deployment is not easy, requiring significant tuning and building of integrations over weeks.

I have been working with Cortex XSOAR for about three years.

I would rate the stability of Cortex XSOAR as nine out of ten.

I would rate the scalability of Cortex XSOAR as nine out of ten.

Customers who purchase Cortex XSOAR usually receive kickstart services provided directly by the vendor, ensuring initial setup and tuning is well-supported. In daily operations, the support service follows Palo Alto's standards, which I rate as eight out of ten.

Positive

The initial setup is assisted by kickstart services provided by the vendor to ensure a smooth start, including the initial setup and tuning of Cortex XSOAR.

My deployment experience is key. A strong interaction with the customer’s engineers for integration is critical for successful deployment. Maintenance is usually provided either by the vendor or third-party resellers.

Even though customers often comment on the price, the potential savings come from managing a large number of security events with a limited number of analysts. This leads to economic advantages despite the product's cost not being low.

I would recommend Cortex XSOAR to customers with an internal SOC team or who deliver SOC services for third parties. 

I would rate the overall solution an eight out of ten.

I have created a couple of playbooks for a few clients using Cortex XSOAR. For example, we created a phishing playbook that checks the reputation of IP addresses or URLs using various reputation checker platforms. We've integrated Firepower Threat Defense, as well as Aviso IPTP and Cisco Talos for comparing the results. These were some of the use cases we worked on.

Using Cortex XSOAR has helped us create complex playbooks and streamline our security operations through automation. The integration capabilities with other solutions, like Cortex XDR and various SIEM solutions, have improved our incident management and detection capabilities.

The most valuable features of Cortex XSOAR include its vast library of plugins, which allow us to integrate various tools and solutions seamlessly. Additionally, the ability to create complex playbooks tailored to our needs and the option to incorporate user input within the workflows are highly beneficial.

Creating complex playbooks using coding languages, such as Python, could be easier. Sometimes the process becomes tedious and requires manual tasks.

I have worked with Cortex XSOAR for approximately five to six months.

I have not experienced any performance or stability issues with Cortex XSOAR.

Cortex XSOAR is scalable. We had around 50 to 60 playbooks created by my colleagues, and the solution scaled well up to a certain extent and beyond.

I would rate the technical support 9.5 to ten out of ten. Palo Alto Networks provides concrete and to-the-point solutions to our issues.

Positive

Before using Palo Alto Networks Cortex XSOAR, I used a product called Sequium SOAR. It was not up to the mark as we could not insert any code or create complex playbooks.

The setup was done by another team.

I do not know about the pricing as it was handled by the salespeople.

We evaluated other products such as SplunkSource, SecondSource, and Stream LensSource. However, we chose Cortex XSOAR because of its scalability and flexibility.

To create your own customized playbooks, it's important to be well-versed with Python.

I'd rate the solution ten out of ten.

For organizations that are stable with their security operations, like those with around 50 members in their security team running full-phased operations 24/7, Cortex is necessary. They can automate many processes and build their own scripts. Then, we use it for Flashflakes. 

But for a smaller organization with binding budgets and who is unaware of security, they may end up wasting money on it. This is an expensive tool. We have to use it wisely, or it’s easy to mistrust its value.

Previously, when Demisto was, there was a community edition; we could use it, reinstall it, and customize it. Since Palo Alto took over, it has become more financially oriented. It's business, but they could offer a pro model and a lighter model for different needs. 

For example, creating a pro model alongside a lighter model could be beneficial, like FortiSOAR or others providing a lighter model that focuses on the automation segment, where you could integrate maybe five or ten playbooks and integrations for day-to-day operations. This would make it more accessible to everyone.

Currently, Cortex XSOAR operates on a larger scale, which may not be necessary for all. If there's a minimum budget of around 50k or 80k for SOAR, having a scaled-down version of Cortex XSOAR would be advantageous. This would allow integration with current business operations at a minimal cost, saving money while still leveraging the capabilities of Cortex XSOAR.

And if there's a need to scale up later, moving to a pro model could be an option. That's something that's missing on the business side but could greatly aid incident response, as we're all trying to secure organizations from threats. Having such an option would make it a more socially viable cost and still provide widespread use.

In future releases, I would like to see more differential models could be implemented, instead of having a one-size-fits-all approach.

It is a stable solution.

It is a scalable solution. The best part was the working model when it transitioned from Demisto to Palo Alto Networks. Demisto had around 220 plus integrations when they launched. That was back in 2018 before it was acquired by Palo Alto Networks. But automation can be increased.

The customer service and support are very good. Palo Alto has scaled well. 

Positive

We've worked with Cortex XSOAR. We haven't worked with other SOAR solutions much.

From my experience, Cortex XSOAR is a leading product in the market.  While I haven't worked with competing products like Phantom to offer a comparative analysis, it's standing against Microsoft's Azure Sentinel SOAR solution. 

Cortex XSOAR is indeed a market leader. It may come at a higher price point, but it supports a vast technology ecosystem and offers a comprehensive suite of features, such as inbuilt ITSM management, a war room, an advisory system, threat intelligence connections, and a lot of integrations. The communication capabilities are exceptional. When it comes to top-tier products like Cortex XSOAR, we're paying for premium quality.

You have to spend a dedicated core engineer and a lead team to tune and tweak it. But once you do that, it all runs automatically. You will save money on a lot of analysts or multiple analysis jobs because a lot of automation will be done for savings, especially since it's all based on machine learning now. 

At the end of the day, I cannot remove or unplug the analysts, but I can reduce the number. If I have 20 people managing and monitoring an endpoint solution or a SIEM solution for one organization, I can reduce it to at least one-fourth, and you will save a lot of money.

The pricing is fair. The pricing reflects the value and feature set it offers. 

For example, with the purchase of a license, a dedicated success team, professional support, and integration assistance are part of the package. 

People pay for the right value, but the organization has to leverage it fully. If they don’t, it can be problematic. They might end up wasting money on something they don’t need. 

When a client wants to economize on licenses—preferring development and technology investment over licensing fees—the Elastic SIEM tool is a zero-cost option we haven't fully explored yet, either as a company or personally.

Technologies like QRadar and cloud-based projects such as QRock are in the market. 

Splunk is certainly costly, but it offers strong technology and cloud infrastructure. Sentinel is cloud-exclusive and a bit expensive but advanced. There's a trade-off. 

However, if a customer has a limited budget for licenses but can afford operational expenses, we need to investigate Elastic, which operates like any data lake, offering quick searches and high data storage capacity depending on the computing power. One could manage hundreds of GB per hour, running analytics effectively. 

Nonetheless, clients must invest in building their security technologies and partnerships, which is resource-heavy SIEM. Elastic is expanding its offerings, but it still leads to a platform-based model that many opt for due to its cost-effectiveness. So, I have evaluated all these SIEM solutions. 

My company is involved with SOAR, but not to a great extent. Post-COVID, there are not many people who show interest in SOAR solutions and many customers are now reluctant to allocate budgets for this. 

Open-source alternatives are gaining traction, which is why we're considering developing capabilities in that area. With Microsoft's Sentinel, we see a unique case where its SOAR capabilities are more cost-effective. Hence, it has seen some adoption. 

However, my direct experience with a comprehensive SOAR solution is with Cortex XSOAR, which is a product of Palo Alto Networks—previously known as Demisto.

Overall, I would rate the solution a nine out of ten. The platform is constantly evolving, offering freeware and community editions. You can clearly go for it. The advice is to opt for it and use it to the max.

It is a security orchestration and automation tool.

It basically lets us automate and orchestrate tasks across all your security tools. Imagine integrating our vulnerability management tool with XSOAR. For example, we get a ServiceNow ticket requesting a scan for a specific server before it goes live. XSOAR can trigger that scan automatically, streamlining the entire process. That's the power of XSOAR—automating repetitive tasks and freeing up your security team for more strategic work.

The most valuable feature is its capability to automate responses and collect information for any security event before you even delve into the details.

It's a vast product with an active roadmap, so I'm satisfied with it for now. It's very efficient at data collection and correlation. 

There is room for improvement in support. The response time could be faster.

We have been using it for two years now. It's cloud-based and hosted by Palo Alto.

It's stable. The features and functionalities work as intended mostly. It's a good, reliable product.

We have six users actively using XSOAR. XSOAR is specifically for security teams, it is not for everyone to use.

The customer service and support are okay, not the best, not the worst. Their initial response time is quite long, and even after you get back to them, it takes them a while to provide troubleshooting steps and follow through.

Negative

We actually did run a couple of POCs for other products. My company switched to XSOAR because it's a very stable product, and its integration capabilities with most security tools are fantastic. 

If it wasn't available, we'd have to manually develop integrations for each tool, which would be incredibly time-consuming. So, that's the main reason we went with XSOAR.

For cloud deployments, it's a breeze. No installation is needed; just access the provided link and start working. 

But for on-prem, it's a different story. You need to install multiple components and provision servers and integrate them with Palo Alto's platform according to documentation. It's a lengthy process, not overly complex, but due to the tool's architecture, it's unavoidable for on-prem installations. Cloud-based is definitely the easier option.

On-premise installation is complex and time-consuming, with multiple servers and integrations to manage. So, on-premise installation is a hassle.

It's expensive, but the value it offers makes it worthwhile.

It's a very stable product, definitely worth the investment. You won't regret your spending.

Overall, I would rate the solution a nine out of ten. The only reason it loses a point is the support team. Their performance hasn't reached the same level as other Palo Alto offerings.

The solution is user-friendly and easy to configure.

Palo Alto needs to develop more AI-centric products. Also, the price could be cheaper. It doesn’t have infinite connectors.

I have been using Palo Alto Networks Cortex XSOAR for a couple of years.

The product is very stable.

5,000-7,000 users are using this solution.

Technical support is knowledgeable.

We used to work on the IBM XSOAR product, which was well-developed and competitive. The IBM component was strong, but Palo Alto Networks Cortex XSOAR performed well. The main difference lies in the level of suggestions provided by the playbooks when analyzing logs. IBM's suggestions to be better.

The initial setup is simple. Your level of understanding significantly impacts the effectiveness of implementation. People may learn the hard way, especially post-implementation, highlighting the importance of a comprehensive experience.

I recommended Palo Alto Networks Cortex XSOAR to a friend, and they have been using it to access and respond to issues in their data center. So far, there have been no complaints, not even worth mentioning. They also requested repairs through the platform.

The playbook is very good and user-friendly compared to IBM.

There are always things missing in some of the boxes. In some instances, there appears to be a leak. There are inconsistencies. Solutions like Palo Alto Networks Cortex XSOAR or similar products are necessary.

Overall, I rate the solution an eight out of ten.