Cortex MDR — Managed by Unit 42

Unit 42 Managed Detection & Response vs third-party MDR providers. 24/7 SOC operations powered by Palo Alto Networks' own threat intelligence and XDR Pro per GB data platform.

Critical: Palo Alto Managed Service — What Partners Must Know

Cortex MDR (formerly Cortex Pro) is Cortex XDR Pro per GB managed by Palo Alto Networks' Unit 42 team. This is NOT a partner-delivered service. Palo's analysts handle all detection, investigation, and response operations 24/7. Partners can recommend and facilitate the sale, but do not operate the SOC and are not the service delivery entity. Set expectations with customers clearly and early — a customer who expects their partner to run the MDR service is going to be disappointed. The value exchange is: partner identifies the need and facilitates the sale; Unit 42 delivers the service; partner augments with deployment, tuning, and advisory services alongside.

Feature Comparison

MDR Competitive Matrix

Cortex MDR (Unit 42) vs leading managed detection and response providers across six dimensions.

| Capability | Cortex MDR (Unit 42) | CS Falcon Complete | Arctic Wolf MDR | Secureworks Taegis | Expel MDR |
|---|---|---|---|---|---|
| SOC Coverage | 24/7 Unit 42 | 24/7 CrowdStrike | 24/7 | 24/7 | 24/7 |
| Threat Intelligence | Unit 42 Named-Group | CrowdStrike Adversary | Concierge Security | Counter Threat Unit | Community Feeds |
| Response Actions | Automated + Analyst | Full Response | Guided Response | Contained Response | Full Response |
| Data Sources | Endpoint + Network + Cloud | Falcon-Centric | Multi-Source | Multi-Source | Multi-Source |
| SLA | Defined SLA | Defined SLA | Variable | Variable | Defined SLA |
| Automation (Agentix) | Agentix AI | Charlotte AI | Human-Led | AI-Assisted | Automation-First |

Battle Cards

Competitor Deep Dives

CrowdStrike Falcon Complete

Falcon Complete is CrowdStrike's managed endpoint security service — 24/7 monitoring, detection, and response on CrowdStrike Falcon technology. It's endpoint-centric: monitoring is focused on Falcon EDR telemetry. Falcon Complete offers a breach prevention warranty as a differentiator. The most direct MDR competitor for accounts already in the CrowdStrike ecosystem.

Related: Falcon Complete · Falcon Enterprise (included) · CrowdStrike SOC Analysts · Breach Prevention Warranty

Where PAN Wins

  • Broader data platform: Cortex MDR is built on XDR Pro per GB — ingesting endpoint, network, and cloud telemetry. Falcon Complete primarily monitors Falcon EDR data; network and cloud coverage requires additional modules and cost.
  • Unit 42 named-group threat intelligence: Unit 42's threat research team tracks named adversary groups with attribution-level intelligence. This directly improves detection rule fidelity and speeds investigation when specific threat actors are active in the customer's industry.
  • Agentix AI automated response: Cortex MDR's automated response layer via Agentix AI handles routine containment and response actions without analyst involvement — reducing MTTR and allowing Unit 42 analysts to focus on complex cases. Falcon Complete's automation is Charlotte AI-assisted but more analyst-dependent.
  • NGFW telemetry inclusion: PAN NGFW customers get native network telemetry in the MDR scope — attacks moving from perimeter to endpoint are investigated as one case. CrowdStrike has no equivalent network security telemetry in Falcon Complete.

Where They're Strong

  • Breach prevention warranty: CrowdStrike offers a financial warranty against breaches on Falcon Complete — a powerful risk-transfer argument for buyers focused on cyber insurance cost reduction.
  • Deep Falcon EDR telemetry: Falcon Complete analysts operate on the deepest Falcon telemetry — if the environment is Falcon-heavy, detection quality is genuine.
  • Brand momentum: CrowdStrike's MDR brand is strong — especially following their IR response wins at major breach events.

Landmines to Set

  • "When Falcon Complete investigates a threat — what network telemetry do their analysts have access to? If you have PAN NGFWs, who's investigating that data?"
  • "If a threat actor moves laterally from endpoint to cloud workload, does Falcon Complete scope cover both — or does it stop at endpoint?"
  • "What is CrowdStrike's MTTR SLA in Falcon Complete? How does that compare to Cortex MDR's automated response via Agentix for containment actions?"

Key Objections

CrowdStrike offers a breach warranty — Palo doesn't have that.

Response: The breach warranty is a compelling narrative — but read the fine print. The warranty typically covers specific incidents detected by Falcon that weren't remediated — not all-cause breach costs. The more valuable question is: which MDR provider detects more threats faster and contains them before they become a breach? Cortex MDR's broader data platform (endpoint + network + cloud) and Agentix automated response mean fewer breaches to claim a warranty on.

Arctic Wolf — Managed Detection and Response

Arctic Wolf is an MDR pure-play with a "Concierge Security Team" model — dedicated analysts assigned to each customer. Arctic Wolf is technology-agnostic (it works with existing customer tooling) and positions itself as a managed service layer on top of customers' current investments. Strong in the mid-market, where dedicated analyst relationships are valued. Primary weakness: being technology-agnostic means no proprietary detection platform advantage.

Related: Arctic Wolf MDR · Arctic Wolf MWOC (Cloud) · Concierge Security Team · Arctic Wolf Aurora Platform

Where PAN Wins

  • Proprietary XDR data platform: Cortex MDR is built on XDR Pro per GB — a purpose-built security data lake with native ML detections, UEBA, and 2,600+ AI models. Arctic Wolf's detection is built on top of customer-provided tooling — detection quality is bounded by what the underlying tools provide.
  • Unit 42 threat intelligence depth: Unit 42 named-group attribution, real-time threat research, and active incident response experience directly informs Cortex MDR detections. Arctic Wolf's Concierge teams are skilled analysts but operate without equivalent proprietary threat intelligence.
  • Agentix AI automation: Cortex MDR's automated response via Agentix AI handles containment actions without waiting for analyst triage. Arctic Wolf's model is human-led — analyst involvement is the primary response mechanism, creating response latency.
  • NGFW native correlation: PAN NGFW customers get automatic network telemetry in the MDR scope — Arctic Wolf requires a connector to access NGFW data, and detection quality depends on log format mapping.

Where They're Strong

  • Concierge relationship model: Dedicated analysts who get to know the customer's environment over time are genuinely valued in mid-market accounts where relationship continuity matters.
  • Technology-agnostic positioning: "We work with what you have" is a powerful argument for customers who don't want to change their endpoint security vendor.
  • Mid-market pricing: Arctic Wolf is typically priced aggressively for mid-market accounts — easier budget conversation for SMB/mid-market buyers than Cortex MDR.

Landmines to Set

  • "Arctic Wolf works with your existing tools — which means detection quality is limited by those tools. If your endpoint vendor misses a technique, Arctic Wolf misses it too. How confident are you in your current endpoint detection performance?"
  • "What is Arctic Wolf's automated containment capability? If a threat is detected at 2 AM, how long until a containment action fires — analyst decision or automated?"
  • "What threat intelligence platform do Arctic Wolf analysts use for named-group attribution? How does that compare to Unit 42's active IR and research capability?"

Secureworks — Taegis ManagedXDR

Secureworks' Taegis ManagedXDR is built on their proprietary Taegis XDR platform with a managed service layer. Secureworks (now part of Sophos) has deep MSSP heritage with the Counter Threat Unit (CTU) providing threat intelligence. Strong in enterprise accounts with legacy Secureworks relationships. The Sophos acquisition creates uncertainty about the long-term Taegis roadmap vs. Sophos MDR.

Related: Taegis ManagedXDR · Taegis XDR Platform · Counter Threat Unit (CTU) · Taegis VDR

Where PAN Wins

  • Platform clarity post-acquisition: Palo Alto Networks' Cortex platform has clear, committed investment and roadmap. Secureworks-under-Sophos creates uncertainty about whether Taegis or Sophos MDR becomes the strategic product — customers have noticed.
  • Agentix AI automation maturity: Cortex MDR's Agentix AI automated response is more mature than Taegis's AI-assisted response layer.
  • NGFW native integration: PAN NGFW customers get immediate, native telemetry correlation. Secureworks' network visibility requires additional configuration and connector setup.
  • Unit 42 IR brand: Unit 42 is more widely recognized for elite incident response than the CTU team — important for customers who value the IR credentials behind their MDR service.

Where They're Strong

  • Legacy enterprise relationships: Long-term Secureworks customers with established CTU relationships are sticky — the relationship itself is an asset.
  • Counter Threat Unit intelligence: CTU is a genuine threat research organization with a long track record of adversary tracking.
  • Taegis vulnerability management: Taegis VDR integration with the MDR service creates a broader managed security posture argument.

Landmines to Set

  • "With Secureworks now part of Sophos, what happens to the Taegis platform roadmap? Are future investments going to Taegis or Sophos MDR?"
  • "What is your Taegis renewal timeline? The platform uncertainty is a real risk to evaluate alongside the cost comparison."

Expel — Managed Detection and Response

Expel is an automation-first MDR provider with a transparent, metrics-driven approach. Expel Workbench provides customers real-time visibility into what their SOC analysts are doing — a differentiating transparency model. Expel integrates with customers' existing security tools rather than replacing them. Strong in tech-savvy organizations that want operational transparency and fast response SLAs.

Related: Expel MDR · Expel Workbench · Expel for Cloud · Expel for Phishing

Where PAN Wins

  • Proprietary detection platform: Cortex MDR's detection is built on XDR Pro per GB's AI models and Unit 42 threat intel — not dependent on customer-provided tooling quality. Expel's detection quality is bounded by the tools they integrate with.
  • Unit 42 threat intelligence depth: Unit 42 operates at a level of threat intel depth that a pure-play MDR provider like Expel does not maintain independently.
  • Scale of response automation: Agentix AI automated response at Cortex MDR scale handles more automated containment than Expel's automation layer, reducing analyst dependency for routine cases.
  • Network + endpoint + cloud scope: Cortex MDR's XDR Pro per GB data platform provides broader data source coverage than Expel's integration model for most enterprise environments.

Where They're Strong

  • Transparency and Workbench visibility: Expel Workbench gives security teams real-time visibility into every analyst action — a genuine differentiator for security leaders who need to justify MDR to their board.
  • Fast SLAs: Expel's time-to-respond SLAs are aggressive and well-documented — often cited by customers as a key selection criterion.
  • Automation-first model: Expel's philosophy of automating everything automatable before analyst involvement resonates with security leaders trying to run lean SOC teams.

Landmines to Set

  • "Expel integrates with your existing tools — so detection quality is limited by those tools' telemetry and detection rules. If your endpoint misses a technique, Expel misses it. What's your current endpoint MITRE ATT&CK coverage?"
  • "Who is the threat intelligence source behind Expel's detections? How does their intel compare to Unit 42's named-group attribution and active IR research?"

Partner Opportunity

Partner Role in Cortex MDR

While Unit 42 operates the SOC, partners play a critical enabling role in the Cortex MDR motion.

How Partners Win with Cortex MDR

Identify the Right Accounts

Target accounts with MTTR > 12 hours, understaffed SOC teams (fewer than 3 FTE analysts), or SOC teams spending > 60% of time on tier-1 alert triage. These are the accounts that need MDR most urgently.

Facilitate the Sale

Partners own the relationship and the deal. Position Cortex MDR as the solution, set correct expectations about the Palo-managed service model, and drive the commercial conversation. Partners receive full deal registration credit.

XDR Deployment & Tuning

Cortex MDR requires XDR Pro per GB as the data platform. Partners deploy and tune the XDR environment, configure data sources, optimize detection rules, and ensure the platform is properly scoped before Unit 42 takes over monitoring.

Policy Tuning Services

Ongoing policy review, false positive reduction, and detection rule optimization are partner services that run alongside the MDR service. Unit 42 monitors — partners keep the platform tuned for the customer's environment.

Incident Readiness Assessments

Pre-MDR gap assessments, tabletop exercises, and post-incident reviews are high-value partner services that complement the ongoing MDR service and deepen the customer relationship beyond the Palo transaction.

Complementary Services

Vulnerability management, security awareness training, compliance reporting, and third-party risk management are services partners can layer on top of the MDR foundation — Cortex MDR is often the anchor that enables a broader managed security service portfolio.

MDR Qualification & Selling Tips

  • MTTR as the opener: Ask every prospect: "What is your average time from alert to containment?" Anything over 4 hours is an MDR conversation. Anything over 12 hours is urgent.
  • Staffing math: A fully-staffed 24/7 SOC requires 6-8 FTE at minimum. Calculate the customer's SOC staffing cost vs. Cortex MDR annual cost — the economics are almost always favorable below 1,000 endpoints.
  • Unit 42 as the differentiator: In every MDR conversation, lead with Unit 42. "Your SOC is staffed by the same team that responds to nation-state breaches" is a powerful statement. Use Unit 42 IR case studies from the customer's industry vertical.
  • Set partner role expectations early: In the first customer conversation, be explicit: "Unit 42 runs the SOC — we're your deployment and advisory partner. Here's exactly what we do and what they do." Prevent the misalignment that happens when customers expect partner-delivered SOC operations.
  • Attach to XDR Pro per GB: Every Cortex MDR deal requires XDR Pro per GB. Position MDR as the natural evolution: "You're already investing in the data platform — adding MDR turns it into a fully managed SOC for X dollars/endpoint/month more."
  • Cyber insurance angle: Many cyber insurers offer premium discounts for accounts with 24/7 MDR coverage. Ask the customer about their cyber insurance renewal — MDR ROI often pays for itself partially through insurance premium reduction.