Unit 42 Managed XSIAM — The AI SOC, Managed
Unit 42 Managed XSIAM 2.0 (MSIAM) vs the leading MDR providers. 24/7 SOC operations powered by Palo Alto Networks' Unit 42 team on the full Cortex XSIAM AI SOC platform — 3,000+ AI models, machine-speed response, and a built-in Breach Response Guarantee.
Palo-Operated Service — What Partners Must Know
Unit 42 Managed XSIAM 2.0 (MSIAM) is a Palo Alto Networks-operated managed service — 100% run by the Unit 42 team. This is NOT a partner-delivered service. Unit 42's analysts, threat hunters, responders, and SOC engineers handle all detection, investigation, and response operations 24/7 on the full Cortex XSIAM AI SOC platform. Partners can recommend, position, and facilitate the sale — but do not operate the SOC and are not the service delivery entity. Set expectations with customers clearly and early. This is also a distinct offering from Cortex MDR (XDR-based) — Managed XSIAM is the XSIAM-native managed service, the next evolution. The value exchange is: partner identifies the need and facilitates the sale; Unit 42 delivers the XSIAM-powered AI SOC; partner augments with deployment, integration, tuning, and advisory services alongside.
Feature Comparison
MDR Competitive Matrix
Unit 42 Managed XSIAM 2.0 vs leading managed detection and response providers across six dimensions.
| Capability | MSIAM (Unit 42) | CS Falcon Complete | Arctic Wolf MDR | Secureworks Taegis | Expel MDR | Microsoft Sentinel+ | Deepwatch |
|---|---|---|---|---|---|---|---|
| SOC Coverage | 24/7 Unit 42 | 24/7 CrowdStrike | 24/7 Concierge | 24/7 | 24/7 | MSSP-Delivered | 24/7 |
| Underlying Platform | XSIAM Full AI SOC | Falcon EDR-Centric | Tech-Agnostic | Taegis XDR | No Proprietary Platform | Azure / Sentinel | SIEM-Agnostic |
| Detection Engineering | Continuous / AI-Driven | Charlotte AI Assisted | Human-Led | CTU Intel-Backed | Automation-First | MSSP-Dependent | Platform-Neutral |
| Machine-Speed Auto-Response | Pre-Auth Workflows | Limited | Analyst-Required | AI-Assisted | Automation-First | Manual / MSSP | Playbook-Based |
| IR Coverage Included | 250 hrs Guarantee | Breach Warranty | Add-On / None | Separate SOW | Not Included | Not Included | Not Included |
| Path to AI SOC | Native — Today | No Equivalent | No Roadmap | Roadmap Uncertain | No Platform | No AI SOC | Platform-Neutral |
Battle Cards
Competitor Deep Dives
CrowdStrike Falcon Complete (MDR)
Falcon Complete is CrowdStrike's flagship managed detection and response offering — 24/7 monitoring, detection, and response built entirely on Falcon technology. It's endpoint-centric by design: detection scope is anchored to Falcon EDR telemetry. Charlotte AI provides AI assistance to Falcon Complete analysts. CrowdStrike positions Falcon Complete with a breach prevention warranty. The most direct MDR competitor in accounts already running CrowdStrike — but CrowdStrike has no XSIAM equivalent and no native AI SOC platform.
Where PAN Wins
- Full AI SOC vs. endpoint-centric MDR: MSIAM is built on Cortex XSIAM — a purpose-built AI SOC platform with 3,000+ AI models for detection, investigation, and response across endpoint, network, identity, and cloud. Falcon Complete is engineered around Falcon EDR telemetry; expanding to network or cloud requires additional modules, additional cost, and doesn't produce a unified AI SOC.
- Machine-speed pre-authorized response: MSIAM's pre-authorized automated workflows execute containment actions across endpoints, firewalls, identity systems, and cloud without waiting for analyst approval. Real-world proof: Oneida Nation achieved MTTR of 43 seconds. Falcon Complete's response automation via Charlotte AI is more analyst-gated and endpoint-constrained.
- Breach Response Guarantee vs. Breach Warranty: MSIAM includes up to 250 hours of Unit 42 IR — no new SOW, no negotiation, no delay. The 250-hour guarantee activates immediately when a breach occurs. CrowdStrike's breach warranty is a financial warranty instrument with coverage conditions — not pre-deployed IR capacity.
- Third-party EDR telemetry: MSIAM accepts native and third-party EDR telemetry including CrowdStrike Falcon, SentinelOne, and others. CrowdStrike Falcon Complete exclusively monitors Falcon telemetry — it cannot monitor a mixed-EDR or competitive environment.
- Continuous detection engineering: MSIAM's Unit 42 team continuously improves detection rules based on real incidents in the managed fleet — detections get smarter over time. Falcon Complete's detection engineering improvements are tied to Falcon product releases rather than managed-fleet learning loops.
- Unit 42 threat intelligence with real IR experience: Unit 42 analysts who staff MSIAM are the same team responding to nation-state breaches globally. Their threat intelligence feeds directly into detection rule tuning. Charlotte AI is a product capability — not the same as having active breach responders tuning detections.
Where They're Strong
- Breach prevention warranty narrative: The financial warranty is a compelling risk-transfer story for buyers focused on cyber insurance and CFO-level risk conversations — even if the mechanics differ from MSIAM's IR hours guarantee.
- Deep Falcon EDR fidelity: In pure Falcon environments, Falcon Complete analysts operate on the deepest possible Falcon telemetry. Detection quality in homogeneous CrowdStrike environments is genuine.
- Brand strength and market momentum: CrowdStrike's MDR brand is exceptionally strong — especially in security teams where Falcon is already entrenched. Incumbent advantage is real.
- Charlotte AI assistant experience: For security teams that want AI-assisted investigation workflows alongside analyst work, Charlotte AI provides a transparent, interactive experience within the Falcon console.
Landmines to Set
- "When Falcon Complete investigates a threat — what network and identity telemetry do their analysts have access to? If you run PAN NGFWs, who is investigating that telemetry?"
- "If a threat actor moves laterally from endpoint to cloud workload to identity, does Falcon Complete scope cover the full attack chain — or does coverage stop at the endpoint boundary?"
- "How does the breach warranty activate in practice? What documentation, conditions, and timelines apply? How does that compare to MSIAM's 250-hour IR guarantee that activates without a new SOW?"
- "Does Falcon Complete have a roadmap for a full AI SOC — not just Charlotte AI assistance, but autonomous AI agents executing detection and response? What does that look like vs. XSIAM's 3,000+ models operating today?"
- "If you ever move off CrowdStrike — can Falcon Complete continue to monitor your environment? MSIAM accepts third-party EDR telemetry including CrowdStrike, so you're never locked into a single endpoint vendor."
Key Objections
We're already in CrowdStrike. Falcon Complete is the natural extension.
Response: That's exactly the conversation to have. MSIAM accepts CrowdStrike Falcon telemetry as a supported third-party EDR source — so you don't have to replace your endpoint agent to get MSIAM coverage. The question is: do you want your SOC platform to be endpoint-centric (Falcon Complete), or do you want a full AI SOC that correlates endpoint, network, identity, and cloud telemetry with 3,000+ AI models and pre-authorized machine-speed response? If endpoint is all that matters, Falcon Complete is fine. If you need full-surface coverage and an actual AI SOC — that's MSIAM.
CrowdStrike has a breach warranty — what does Palo offer for financial protection?
Response: The CrowdStrike breach warranty is a financial instrument with coverage conditions — it pays out when specific conditions are met. MSIAM's Breach Response Guarantee is pre-deployed IR capacity: 250 hours of Unit 42 IR included, no new SOW, activates immediately when a breach occurs. You want your MDR provider to stop the breach, not just compensate you after it happens. Oneida reduced MTTR to 43 seconds with MSIAM — that's prevention, not warranty payout.
Arctic Wolf — Managed Detection and Response
Arctic Wolf is an MDR pure-play with a "Concierge Security Team" model — dedicated analysts assigned to each customer who learn the environment over time. Arctic Wolf is deliberately technology-agnostic, positioning as a managed security layer on top of customers' existing tools. Strong in mid-market where dedicated analyst relationships and vendor-neutral positioning are valued. Primary structural weakness: technology-agnostic means no proprietary detection platform — detection quality is bounded by the underlying tools the customer already has, and there is no AI SOC platform or path to one.
Where PAN Wins
- Proprietary AI SOC platform vs. tool aggregation: MSIAM is built on Cortex XSIAM — a purpose-built AI SOC platform with 3,000+ AI models, native UEBA, automated playbooks, and continuous detection engineering. Arctic Wolf's Aurora Platform is a data aggregation and correlation layer on top of customer tooling — it cannot produce the AI-driven detection and response depth of XSIAM.
- Machine-speed automated response: MSIAM pre-authorized workflows execute containment across endpoints, firewalls, identity, and cloud at machine speed. The Green Bay Packers deployment saw 54% more alerts investigated, 120+ analyst hours saved monthly, and response times reduced from hours to minutes. Arctic Wolf's model is human-led — every containment action requires analyst involvement, creating response latency that compounds at scale.
- Unit 42 threat intelligence depth: Unit 42 named-group attribution, real-time threat research, and active incident response experience directly inform MSIAM detections. Arctic Wolf's Concierge teams are skilled analysts but operate without equivalent proprietary threat intelligence or global IR experience.
- Breach Response Guarantee: MSIAM includes 250 hours of Unit 42 IR with no new SOW. Arctic Wolf's IR service is a separate purchase — there is no included IR guarantee with their MDR service.
- Continuous detection engineering: MSIAM detection rules improve over time based on real incidents in the managed fleet — a feedback loop that Arctic Wolf's tool-agnostic model structurally cannot replicate at the same scale or depth.
- XSIAM native scope — endpoint, network, identity, cloud: MSIAM monitors the full attack surface natively. Arctic Wolf's network and cloud monitoring requires sensor deployment and connector configuration — coverage quality depends on what's connected.
Where They're Strong
- Concierge relationship model: Dedicated analysts who get to know a specific customer environment over time are genuinely valued in mid-market accounts, where relationship continuity and named-analyst familiarity drive satisfaction scores.
- Technology-agnostic positioning: "We work with what you have" eliminates the endpoint displacement conversation — powerful for customers resistant to agent change or deeply invested in non-Palo endpoint tools.
- Mid-market pricing accessibility: Arctic Wolf is typically priced more aggressively for mid-market accounts — easier budget conversation for buyers below the enterprise threshold.
- No platform lock-in narrative: Arctic Wolf's vendor-neutrality story resonates with procurement teams and security architects who prioritize optionality.
Landmines to Set
- "Arctic Wolf works with your existing tools — which means detection quality is bounded by those tools. If your current endpoint or SIEM misses a technique, Arctic Wolf misses it too. What is your current endpoint MITRE ATT&CK coverage score?"
- "What is Arctic Wolf's automated containment capability? If a threat is detected at 2 AM, how long until a containment action fires — analyst decision or automated? MSIAM pre-authorized workflows execute in seconds, not minutes."
- "Does Arctic Wolf have an AI SOC platform or a roadmap to one? How do 3,000+ AI models compare to analyst-led triage with tool connectors?"
- "If you ever have a serious breach — what does Arctic Wolf's IR capacity look like? Is there an included IR guarantee, or is that a separate engagement at separate cost?"
Key Objections
We like that Arctic Wolf works with our existing tools — we don't want to rip and replace.
Response: That's a fair starting point — and MSIAM also accepts third-party EDR telemetry including your existing endpoint agent. You don't have to rip and replace to get MSIAM coverage. The real question is: do you want your managed security service to be limited by what your existing tools can see — or do you want a full AI SOC platform with 3,000+ models running continuously on top of your environment? Arctic Wolf aggregates what your tools find. XSIAM finds what your tools miss.
Secureworks — Taegis ManagedXDR
Secureworks' Taegis ManagedXDR is built on their proprietary Taegis XDR platform with a managed service layer. Secureworks has deep MSSP heritage and the Counter Threat Unit (CTU) provides genuine threat intelligence. However, the 2024 Sophos acquisition of Secureworks creates significant uncertainty: will future investment go to Taegis or Sophos MDR? Enterprise accounts with legacy Secureworks relationships are facing a strategic renewal decision. This uncertainty is an exploitable competitive vulnerability.
Where PAN Wins
- Platform clarity and investment certainty: Cortex XSIAM has committed, public, accelerating investment from Palo Alto Networks — the roadmap is clear. Secureworks-under-Sophos creates real uncertainty: is Taegis the strategic product or Sophos MDR? Customers renewing Taegis ManagedXDR are making a multi-year commitment to an unclear roadmap.
- Full AI SOC vs. AI-assisted XDR: MSIAM operates on XSIAM's 3,000+ AI models with autonomous detection and response workflows. Taegis ManagedXDR is an AI-assisted XDR platform — a meaningful difference in capability and scalability.
- Machine-speed pre-authorized response: MSIAM's pre-authorized workflows execute containment at machine speed. Taegis ManagedXDR's response layer is more analyst-dependent, with AI assisting analyst decision-making rather than executing autonomously.
- Breach Response Guarantee: MSIAM includes 250 hours of Unit 42 IR with no new SOW. Secureworks IR is a separate professional services engagement — not included in the managed service.
- Unit 42 IR brand vs. CTU: Unit 42 is globally recognized for elite incident response at nation-state breach events. CTU is credible threat intelligence — but Unit 42's active breach response reputation is a stronger trust signal for enterprise buyers.
- Third-party EDR flexibility: MSIAM supports CrowdStrike, SentinelOne, and other EDR telemetry sources. Taegis ManagedXDR's telemetry breadth depends on connector coverage and integration completeness.
Where They're Strong
- Legacy enterprise relationships: Long-term Secureworks customers with established CTU and SOC relationships are sticky. The relationship itself is a genuine retention asset that MSIAM must overcome.
- Counter Threat Unit intelligence: CTU is a genuine threat research organization with a long track record of adversary tracking and named threat group attribution.
- Taegis vulnerability management integration: Taegis VDR integration with the managed service creates a broader managed security posture narrative that MSIAM doesn't natively match.
Landmines to Set
- "With Secureworks now under Sophos ownership, what happens to the Taegis platform roadmap in two to three years? Is Taegis the strategic product going forward, or does Sophos MDR absorb it?"
- "When is your Taegis renewal? The platform uncertainty is a real strategic risk — a renewal is a good time to benchmark against MSIAM before committing to another multi-year term."
- "Does Taegis ManagedXDR have a path to an autonomous AI SOC — not AI-assisted response, but AI agents executing autonomously? XSIAM's 3,000+ models are operating that way today."
- "What is your MTTR SLA on Taegis ManagedXDR for containment actions? Is that analyst-dependent, or automated?"
Key Objections
We have a long relationship with Secureworks — switching feels risky.
Response: Relationship continuity is real value — but the Sophos acquisition means your long relationship is with an organization that may look very different in 18 months. The more important question is: does Taegis ManagedXDR give you a credible path to an AI SOC, or is it a well-run managed service on a platform with an uncertain future? MSIAM is Palo Alto Networks' strategic platform investment — the roadmap, the IR team, and the AI capability are not going anywhere.
Expel — Managed Detection and Response
Expel is an automation-first MDR provider with a transparent, metrics-driven approach to managed security. Expel Workbench provides security teams real-time visibility into every analyst action — a genuine transparency differentiator. Expel integrates with customers' existing security tools rather than replacing them. Strong with tech-savvy organizations that want operational transparency and fast response SLAs. Structural weakness: no proprietary threat intelligence platform, detection quality bounded by integrated tooling, and no path to an AI SOC.
Where PAN Wins
- Proprietary AI SOC platform vs. integration aggregation: MSIAM's XSIAM platform produces detections independently of — and superior to — whatever tools the customer runs. Expel's detection fidelity is bounded by the tools they integrate with. If those tools miss a technique, Expel misses it.
- Unit 42 threat intelligence depth: Unit 42 operates at a level of threat intel depth and attribution fidelity that a pure-play MDR provider like Expel does not maintain independently. Expel uses community threat feeds and customer-connected tool telemetry — not named-group attribution from active global IR operations.
- Machine-speed pre-authorized response: MSIAM's autonomous workflows execute containment across endpoints, firewalls, identity, and cloud without analyst involvement for pre-authorized scenarios. A real example: phishing investigation MTTR dropped 90% — from 40 minutes to 3 minutes. Expel's automation is strong but operates within the constraints of its tool integrations.
- Breach Response Guarantee — IR hours included: 250 hours of Unit 42 IR is included in MSIAM at no additional cost, no new SOW. Expel has no included IR guarantee — major incidents require a separate engagement.
- Continuous detection engineering at platform scale: MSIAM's detection improvements compound over the full managed fleet — not just a single customer's environment. Expel's detection engineering is account-level and integration-dependent.
Where They're Strong
- Workbench transparency model: Expel Workbench provides real-time visibility into every analyst action and decision — a genuine differentiator for security leaders who must justify MDR investment to their board and want operational accountability.
- Documented, aggressive SLAs: Expel's time-to-respond SLAs are clearly documented and frequently cited by customers as a key satisfaction driver. Their track record on SLA adherence is strong.
- Automation-first philosophy: Expel's principle of automating every automatable action before analyst involvement resonates with lean security teams. Their automation layer within tool constraints is genuinely efficient.
- Tech-agnostic sell: Expel's "we work with your existing stack" avoids the displacement conversation and reduces friction with procurement teams resistant to new platform investments.
Landmines to Set
- "Expel integrates with your existing tools — detection quality is bounded by those tools' telemetry and detection rules. What is your current MITRE ATT&CK coverage on your endpoint? If it misses a technique, Expel misses it too."
- "Who is the threat intelligence source behind Expel's detection rules? How does community feed attribution compare to Unit 42's named-group attribution from active global IR operations?"
- "Does Expel have an AI SOC platform or a roadmap to one? Not automation-within-tools — a full AI SOC with 3,000+ models running autonomous detection and response workflows?"
- "If you have a major breach — what does Expel's IR response look like? Is there included IR capacity, or is that a separate cost at breach time when you're least able to negotiate?"
Key Objections
Expel's Workbench gives us full transparency — we can see everything they do. Palo's service feels like a black box.
Response: Transparency is a legitimate requirement — and MSIAM provides investigation reporting, threat impact reports, and operational visibility through the XSIAM console. The deeper question is: do you want transparency into what your MDR provider sees with your current tools, or do you want a service that finds what your tools can't? Expel's transparency is real — but it's transparency into a detection surface limited by your existing stack. MSIAM's reporting reflects coverage from 3,000+ AI models across your full environment.
Microsoft Sentinel + Defender Managed (via MSSP)
Microsoft does not operate its own managed SOC for Sentinel and Defender — instead, Microsoft routes managed coverage through MSSP partners via the Microsoft Sentinel MSSP program and Defender Experts (a limited, Microsoft-operated offering focused on proactive hunting rather than full managed SOC). In practice, most Microsoft-based "managed" security is MSSP-delivered on top of Sentinel/Defender — quality varies enormously by partner. Microsoft's strength is E5 licensing economics and the Copilot for Security narrative, not a purpose-built AI SOC operated by Microsoft.
Where PAN Wins
- Purpose-built AI SOC vs. SIEM + partner: MSIAM is a single, integrated AI SOC managed by one accountable team. Microsoft's managed coverage is MSSP-delivered — quality, consistency, and accountability vary by partner. There is no Microsoft-operated AI SOC equivalent to MSIAM.
- Unified accountability: With MSIAM, Palo Alto Networks and Unit 42 are fully accountable for detection and response outcomes. With Microsoft Sentinel + MSSP, accountability is split between Microsoft (platform), the MSSP (operations), and Defender product teams — when something goes wrong, the finger-pointing begins.
- Machine-speed pre-authorized response: MSIAM's autonomous workflows execute containment across the full attack surface. Microsoft's Copilot for Security is an AI assistant for analysts — not an autonomous response platform. MSSPs on Sentinel must build their own automation layer.
- Breach Response Guarantee — 250 hours Unit 42 IR: No Microsoft managed offering includes an IR guarantee from a top-tier IR team. Defender Experts for Hunting is proactive hunting only — not managed SOC and not breach response.
- Non-Azure environment coverage: MSIAM covers multi-cloud and hybrid environments natively including AWS and GCP. Sentinel's best coverage is Azure — non-Azure environments require additional connectors with varying fidelity.
- No MSSP quality variance: MSIAM's quality is the Unit 42 team, period. Microsoft-based managed security quality is the MSSP the customer selected — which could be excellent or average.
Where They're Strong
- E5 licensing bundle economics: Organizations already paying for Microsoft E5 get Sentinel and Defender XDR effectively bundled — the marginal cost for the platform appears low, making the managed service layer seem like an add-on rather than a platform commitment.
- Azure-native environments: For heavily Azure-committed organizations, Sentinel's native integration with Azure AD, Azure workloads, and M365 telemetry is genuinely strong and low-friction.
- Copilot for Security narrative: Microsoft's AI narrative is well-funded and pervasive — Copilot for Security is a strong boardroom conversation even if the product is AI-assisted rather than AI-autonomous.
- M365 telemetry depth: For M365-heavy organizations, Defender for O365 and Defender for Identity telemetry in a Sentinel SIEM is genuinely comprehensive for email and identity threat coverage.
Landmines to Set
- "Who actually runs your SOC in the Microsoft model — Microsoft, or your MSSP? If it's the MSSP, what is your accountability path when there's a breach?"
- "Copilot for Security assists your analysts — who are your analysts? If you're relying on an MSSP, how does their analyst quality compare to Unit 42's breach responders staffing MSIAM?"
- "What does breach response look like in the Microsoft model? Is there an included IR guarantee, or is that a separate engagement at breach time?"
- "What's your AWS and GCP coverage quality in Sentinel today? How does that compare to MSIAM's native multi-cloud telemetry?"
Key Objections
We're already paying for E5 — Sentinel and Defender are effectively free. Why pay for MSIAM?
Response: E5 includes the platform — not the 24/7 managed service. You still need to staff or buy managed coverage on top of Sentinel. When you add a quality MSSP to operate it, the true cost of Microsoft-based managed security is often comparable to or higher than MSIAM. And you get an MSSP's team, not Unit 42's. The question is: would you rather have an MSSP operating a SIEM, or Unit 42 operating an AI SOC with 3,000+ models, pre-authorized machine-speed response, and a 250-hour IR guarantee?
Microsoft has Copilot for Security — they're leading on AI.
Response: Copilot for Security is an AI assistant for analysts — it helps analysts work faster. XSIAM's 3,000+ AI models and autonomous response workflows operate without analyst involvement for pre-authorized scenarios. MSIAM runs those AI models continuously across your environment. One is AI-assisted human work; the other is an actual AI SOC. That's not a marketing distinction — it's a structural difference in what fires at 2 AM when your team is offline.
Deepwatch — Managed Security Platform
Deepwatch is a managed security platform that positions as SIEM-agnostic and platform-neutral — working with existing SIEM investments (Splunk, Microsoft Sentinel, and others) as the management and analytics layer on top. Strong in mid-enterprise accounts with significant existing SIEM investments where ripping out the platform is not an option. Deepwatch provides SOC analysts, threat hunting, and detection engineering on top of whatever SIEM the customer runs. Primary weakness: platform neutrality means no proprietary AI SOC advantage — detection and response quality is bounded by the SIEM platform.
Where PAN Wins
- AI SOC platform vs. managed SIEM layer: MSIAM is built on a purpose-built AI SOC — not a managed layer on top of an existing SIEM. Deepwatch's value is analyst and process quality operating on a SIEM that wasn't designed to be an AI SOC. XSIAM was designed from the ground up for autonomous AI-driven detection and response.
- Machine-speed autonomous response: MSIAM's pre-authorized workflows execute containment at machine speed across endpoints, firewalls, identity, and cloud. Deepwatch's response actions are analyst-driven — the SIEM provides the alert, the Deepwatch analyst decides the response. No autonomous execution layer.
- Unit 42 threat intelligence vs. SIEM-fed intelligence: Unit 42's threat intelligence feeds directly into MSIAM detection rules from active global IR operations. Deepwatch's threat intelligence depends on the SIEM's native intel feeds and third-party enrichment — no proprietary attributed threat research at Unit 42 depth.
- Breach Response Guarantee — 250 hours IR included: MSIAM's IR guarantee has no equivalent in the Deepwatch offering. Deepwatch IR is a separate engagement.
- Continuous detection engineering at fleet scale: MSIAM's detection improvements compound across the full managed fleet. Deepwatch's detection engineering is account-level and SIEM-constrained.
- True consolidation path: MSIAM is the AI SOC that can replace the SIEM and the analyst team. Deepwatch adds cost on top of the existing SIEM investment. MSIAM consolidates the SIEM, SOAR, detection engineering, and managed SOC into one platform and service.
Where They're Strong
- SIEM-protective positioning: For accounts with major Splunk or Sentinel investments they cannot exit, Deepwatch's "we work on top of your SIEM" avoids the platform displacement conversation entirely.
- Mid-enterprise pricing: Deepwatch is typically positioned at price points accessible to mid-enterprise buyers who can't justify a full platform replacement alongside managed service costs.
- Splunk-deep expertise: Deepwatch's Splunk partnership and deep Splunk expertise are a genuine advantage in heavily Splunk-committed environments where Splunk is not going anywhere.
Landmines to Set
- "With Deepwatch, you're paying for managed analysts on top of your existing SIEM cost. What is the total cost of Splunk plus Deepwatch vs. MSIAM — which consolidates both into one AI SOC managed service?"
- "What does Deepwatch's automated response look like — specifically, what containment actions execute autonomously vs. requiring analyst approval? How long does analyst-required response take at 3 AM?"
- "Does Deepwatch have a roadmap to an AI SOC? Not AI-assisted SIEM — an autonomous AI SOC platform? What does that timeline look like vs. XSIAM operating that way today?"
- "What is Deepwatch's IR capability if you have a major breach — is there included IR capacity, or is that a separate engagement?"
Key Objections
We've invested heavily in Splunk — we can't replace it. Deepwatch lets us keep Splunk.
Response: That's a valid constraint — but let's run the economics. You're paying Splunk licensing plus Deepwatch managed service fees. MSIAM on XSIAM replaces both — and it's a purpose-built AI SOC, not a managed layer on a SIEM. Depending on your Splunk commitment timeline, a side-by-side TCO comparison often shows MSIAM competitive or better over a 3-year period. More importantly: do you want to be on a SIEM in three years, or on an AI SOC that's continuously improving its own detection engineering?
Platform Advantage
The XSIAM Advantage
What every competitor lacks — and what MSIAM delivers natively from day one.
Unit 42 Managed XSIAM 2.0 — What No Competitor Can Match
3,000+ AI Models — Running Continuously
Every alert is processed by Cortex XSIAM's 3,000+ built-in AI models for detection, correlation, and investigation — not just AI assistance for analysts. No competitor has an equivalent native AI model density in their managed offering.
Machine-Speed Pre-Authorized Response
Pre-authorized workflows execute across endpoints, firewalls, identity providers, and cloud workloads without waiting for analyst approval. Oneida Nation: MTTR 43 seconds. Green Bay Packers: response from hours to minutes, 120+ analyst hours saved monthly.
250-Hour Breach Response Guarantee
Up to 250 hours of Unit 42 incident response is included — no new SOW, no negotiation delay. When a breach occurs, IR resources activate immediately. No other MDR competitor offers this level of pre-deployed IR capacity at no additional cost.
Continuous Detection Engineering
Detections improve continuously based on real incidents in the MSIAM managed fleet. Detection rules get smarter as threat actors evolve — not just updated at product release cycles. The more customers in the managed fleet, the better every customer's detections.
Third-Party EDR + Native XSIAM Telemetry
MSIAM ingests native XSIAM telemetry AND third-party EDR data from CrowdStrike, SentinelOne, and others. Customers don't have to displace existing endpoint investments to get AI SOC coverage — and they get correlation across all sources simultaneously.
Two Tiers: Pro and Premium
Pro delivers AI-driven managed SOC with continuous detection, investigation, and response. Premium adds designated SOC engineers, custom detections engineered for the specific customer environment, and custom automation playbooks. Both tiers: 100% Unit 42 operated.
Proactive Threat Hunting
Unit 42 threat hunters proactively hunt for threats in the customer environment and produce threat impact reports when new threats emerge in the wild — before the customer's environment is targeted. Not reactive triage: proactive intelligence.
Real Results — Not Projections
Phishing investigation: MTTR dropped 90% (40 minutes to 3 minutes). Green Bay Packers: 54% more alerts investigated. Oneida Nation: MTTR 43 seconds. These are production outcomes from live MSIAM deployments — not benchmark scenarios.
XSIAM MDR Qualification & Selling Tips
Partner Opportunity
Partner Role in XSIAM MDR
While Unit 42 operates the AI SOC, partners play a critical enabling role in the MSIAM motion — and there is significant billable services opportunity alongside the transaction.
How Partners Win with Unit 42 Managed XSIAM
Identify the Right Accounts
Target accounts with MTTR exceeding 4 hours, SOC teams with fewer than 4 FTE analysts, organizations spending more than 60% of analyst time on tier-1 triage, or accounts actively evaluating MDR alternatives. MSIAM also fits organizations facing SIEM renewal decisions — the TCO consolidation argument is strong.
Facilitate the Sale
Partners own the relationship and the deal. Position MSIAM, set correct expectations about the Unit 42-operated service model, and drive the commercial conversation. Partners receive full deal registration credit. Be explicit about the Palo-operated nature of the service from first conversation.
XSIAM Deployment & Integration
MSIAM requires Cortex XSIAM as the foundation. Partners deploy XSIAM, integrate third-party EDR telemetry (CrowdStrike, SentinelOne, etc.), configure data source connectors, and ensure the platform is properly scoped and tuned before Unit 42 takes over monitoring operations.
Custom Detection & Playbook Development (Premium)
For Premium tier accounts requiring custom detections and automation playbooks, partners with XSIAM SOAR expertise can deliver the scoping and specification work that informs Unit 42's custom engineering. This is a premium advisory services opportunity alongside the managed service transaction.
Incident Readiness & Tabletop Exercises
Pre-MSIAM gap assessments, incident readiness reviews, and tabletop exercises are high-value partner services that deepen the customer relationship before and after the MSIAM transaction. Leverage Unit 42's IR framework to deliver structured readiness assessments as billable engagements.
Complementary Managed Services
MSIAM is the AI SOC anchor. Partners can layer vulnerability management, compliance reporting, security awareness training, third-party risk management, and cloud security posture advisory on top — MSIAM becomes the foundation of a broader managed security portfolio rather than a standalone transaction.