Cortex XDR — Cloud per Host Tier

Cortex XDR Cloud
Per Host — Cloud Workload Protection + Detection

Cloud-native endpoint protection and detection for virtual machines, containers, and Kubernetes workloads. Full cloud workload visibility with tailored endpoint telemetry and third-party log integration.

Per Host: VM / Container Pricing · K8s: Kubernetes Native · XTH: Threat Hunting Add-On

Overview

What is XDR Cloud per Host?

Cortex XDR Cloud per Host is the cloud workload-focused tier of the Cortex XDR license stack, priced per cloud host (VM or container node). It delivers the same multi-layer endpoint protection and detection capabilities as XDR Pro per Endpoint — but tailored for cloud-native environments including virtual machines, containers, and Kubernetes clusters.

Cloud per Host includes tailored endpoint data collection optimized for cloud workload behavior, third-party log ingestion from cloud provider audit trails and container orchestration events, and full detection and investigation visibility in the Cortex console. The XTH (eXtended Threat Hunting Data) add-on is available for organizations running cloud-focused threat hunting programs. It is designed for organizations with significant IaaS/PaaS footprints running workloads in AWS, Azure, GCP, or private cloud environments.

Kubernetes Support

Cortex XDR Cloud per Host includes native Kubernetes visibility — monitoring container workloads, pod-to-pod network activity, and runtime behavior within K8s clusters. Detect container escapes, malicious process execution within pods, and unauthorized API server access without requiring a separate K8s security tool.

Positioning note: XDR Cloud per Host focuses on detection and response for cloud workloads already running. For customers who need cloud security posture management (CSPM), vulnerability management, and IaC scanning across their cloud estate, pair it with Cortex Cloud (the CNAPP platform) — see the upsell section below.

What's Included

Cloud-Native Capabilities

Protection, detection, and investigation capabilities purpose-built for cloud workload environments.

Cloud Workload Protection (CWPP)
Multi-layer prevention for cloud VMs and instances — malware, ransomware, exploit, and behavioral protection. Same XDR agent technology adapted for cloud workload deployment patterns and ephemeral infrastructure.
Container Runtime Security
Monitor container behavior at runtime — detect malicious process execution within containers, unauthorized outbound connections, and privilege escalation attempts. Covers Docker and containerd environments.
Kubernetes Visibility
Native K8s monitoring — pod-level process visibility, namespace isolation enforcement, and API server audit event correlation. Detects container escapes, lateral movement between pods, and unauthorized cluster access.
Tailored Cloud Data Collection
Endpoint telemetry collection optimized for cloud workload behavior — process trees, network connections, and file system events captured at configurable granularity for cloud-native investigation workflows.
Third-Party Log Ingestion
Ingest AWS CloudTrail, Azure Activity Logs, GCP Audit Logs, and Kubernetes audit events into the Cortex Data Lake — enabling correlated cloud investigation across workload behavior and cloud API activity in a single console.
WildFire Cloud Sandbox
Unknown files and suspicious processes from cloud workloads are submitted to WildFire for detonation analysis. Cloud-native malware, cryptomining payloads, and supply chain attack artifacts are detected and the resulting verdicts shared globally.
Enhanced Detection and Investigation
Full causality chain investigation for cloud workloads — trace lateral movement from compromised container to host to cloud control plane. Correlate cloud API events with workload runtime behavior for complete attack reconstruction.
XTH Add-On Available
eXtended Threat Hunting Data add-on unlocks granular telemetry and extended retention for cloud workloads — enabling hunting for APT and supply chain attack patterns in cloud environments with extended dwell times.
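The "Third-Party Log Ingestion" and "Enhanced Detection and Investigation" entries above describe the same idea: joining a cloud provider's API audit trail to workload runtime telemetry so an analyst can follow a chain from container to host to control plane. The following added example (illustrative code, not Cortex XDR's own schema, query language or detection logic) shows the shape of that correlation on constructed data. It assumes two hypothetical inputs, a list of workload process/network events and a list of CloudTrail-style records, and relies on one real CloudTrail property: for an EC2 instance-profile role, the assumed-role session name in `userIdentity.arn` is the instance ID. The list of known egress IPs is a constructed inventory.

```python
from datetime import datetime, timedelta, timezone

# Constructed workload telemetry (hypothetical field names; not the Cortex agent's format).
WORKLOAD_EVENTS = [
    {"ts": "2024-05-01T10:00:05Z", "host": "i-0abc123def456", "container": "web-7f9c",
     "process": "curl", "dest_ip": "169.254.169.254"},   # instance metadata service
    {"ts": "2024-05-01T10:00:09Z", "host": "i-0abc123def456", "container": "web-7f9c",
     "process": "python3", "dest_ip": "203.0.113.10"},
    {"ts": "2024-05-01T09:30:00Z", "host": "i-0ffffff000000", "container": "api-1a2b",
     "process": "nginx", "dest_ip": "10.0.1.20"},
]

# Constructed CloudTrail-style records (a subset of real CloudTrail fields).
CLOUD_API_EVENTS = [
    {"eventTime": "2024-05-01T10:01:30Z", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123def456"},
     "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2024-05-01T09:31:00Z", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ApiRole/i-0ffffff000000"},
     "sourceIPAddress": "192.0.2.5"},
]

# Constructed inventory: the public egress addresses our VPCs are expected to use.
KNOWN_EGRESS_IPS = {"192.0.2.5"}

IMDS_IP = "169.254.169.254"


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps both feeds use into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def instance_from_arn(arn):
    """Return the EC2 instance ID encoded in an assumed-role ARN, else None.

    For instance-profile roles CloudTrail records the session name as the
    instance ID, which is what lets an API call be tied back to a host.
    """
    if ":assumed-role/" not in arn:
        return None
    session = arn.rsplit("/", 1)[-1]
    return session if session.startswith("i-") else None


def correlate(workload_events, api_events, known_egress, window=timedelta(minutes=10)):
    """Link cloud API calls to prior workload activity on the same host.

    A finding is produced when an instance's role credentials are used from an
    address outside the known egress set, and a container on that instance
    contacted the metadata service shortly before: the classic
    container -> host credentials -> control plane chain.
    """
    findings = []
    for api in api_events:
        instance = instance_from_arn(api["userIdentity"]["arn"])
        if instance is None or api["sourceIPAddress"] in known_egress:
            continue
        t_api = parse_ts(api["eventTime"])
        imds_touches = [
            w for w in workload_events
            if w["host"] == instance
            and w["dest_ip"] == IMDS_IP
            and t_api - window <= parse_ts(w["ts"]) <= t_api
        ]
        for w in imds_touches:
            findings.append({
                "instance": instance,
                "container": w["container"],
                "process": w["process"],
                "imds_access_ts": w["ts"],
                "api_call": api["eventName"],
                "api_ts": api["eventTime"],
                "source_ip": api["sourceIPAddress"],
            })
    return findings


if __name__ == "__main__":
    for f in correlate(WORKLOAD_EVENTS, CLOUD_API_EVENTS, KNOWN_EGRESS_IPS):
        print(f"{f['container']} ({f['process']}) on {f['instance']} read IMDS at "
              f"{f['imds_access_ts']}; role then called {f['api_call']} from "
              f"{f['source_ip']} at {f['api_ts']}")
```

The join key is the instance ID, the time window bounds how far back the analyst looks, and the egress allow-list is what turns a benign role use into a flag. In a real deployment the allow-list and window come from inventory and tuning, and the same structure extends to Kubernetes audit events by keying on the node name or service account instead of the instance ID.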

Sales Conversations

Discovery Questions

Qualify cloud security posture, container adoption, and K8s visibility requirements.

01 How large is your cloud workload footprint today — how many VMs, container instances, or K8s nodes are you running across AWS, Azure, GCP, or private cloud?
02 Are you running Kubernetes in production? If so, do you have runtime security monitoring at the pod level — or are you only monitoring at the cluster or node level?
03 What visibility do you have into malicious process execution or network activity within running containers? If a container was compromised today, how would you detect it and trace the attack chain?
04 Are your cloud workloads covered by your current endpoint security tooling — or are they a blind spot because your EDR agent wasn't designed for ephemeral cloud infrastructure?
05 Do you have a way to correlate cloud API audit events (CloudTrail, Azure Activity Log) with workload runtime behavior during a security investigation — or are you piecing that together from separate tools?

Competitive Positioning

Why Palo Wins in Cloud Workload Security

How Cortex XDR Cloud per Host competes against cloud workload protection vendors.

CrowdStrike Falcon Cloud Security
Cloud workload protection + CSPM
  • Cortex XDR Cloud per Host provides full detection and investigation capability with native PANW ecosystem integration — CrowdStrike Cloud Security bundles CSPM features that overlap with what customers may already have from Wiz or Prisma Cloud.
  • Native correlation with PANW NGFW and Prisma Cloud telemetry within a single XDR console — CrowdStrike requires additional modules and separate SIEM/SOAR tooling for equivalent cross-platform investigation.
  • XTH add-on provides cloud-specific extended threat hunting at an incremental cost — CrowdStrike's equivalent hunting capability requires Falcon Adversary Intelligence at premium pricing.
  • Combine with Cortex Cloud (CNAPP) for a complete cloud security story from a single vendor — vs. CrowdStrike's fragmented acquisition-based cloud security portfolio.
Wiz
Agentless CNAPP / cloud security
  • Wiz is agentless and excels at cloud posture and vulnerability discovery — but has no runtime detection or investigation capability. XDR Cloud per Host adds the runtime security layer Wiz cannot provide.
  • Cortex XDR detects active attacks within running workloads in real time — Wiz's agentless approach misses behavioral runtime threats that require in-process visibility.
  • Pair XDR Cloud per Host with Cortex Cloud to match Wiz's CNAPP scope and add runtime security that Wiz lacks — giving customers a single vendor for the full cloud security stack.
  • XDR investigation capability for cloud incidents vastly exceeds Wiz's forensic scope — Wiz shows configuration risks, XDR shows active attack chains and enables hands-on response.
Lacework / Fortinet
Cloud security analytics
  • PANW ecosystem integration breadth — XDR Cloud per Host works natively with PANW firewalls, Prisma Cloud, and XSIAM, providing a consolidation story Lacework cannot match.
  • WildFire collective intelligence from 70,000+ global customers provides a richer threat detection layer than Lacework's primarily behavioral analytics approach.
  • Lacework's acquisition by Fortinet has created product portfolio uncertainty — Cortex XDR Cloud per Host has a clear roadmap as a core PANW Cortex platform tier with active investment.
  • XSIAM upgrade path from XDR Cloud per Host stays within the PANW ecosystem — Lacework customers have no comparable SOC platform destination within the Fortinet portfolio.

Platform Expansion

Next Step: Combine with Cortex Cloud (CNAPP)

XDR Cloud per Host + Cortex Cloud = Full Cloud Security

XDR Cloud per Host secures workloads at runtime — detecting active attacks and enabling investigation. Cortex Cloud (PANW's CNAPP platform) adds the proactive posture layer — cloud security posture management (CSPM), infrastructure as code (IaC) scanning, data security posture management, and software supply chain protection. Together they provide complete cloud security coverage from a single PANW platform.

CSPM — Posture Management

Continuous misconfiguration discovery and remediation across AWS, Azure, and GCP. Agentless scanning that complements XDR Cloud's runtime protection.

IaC Security

Scan Terraform, CloudFormation, and Kubernetes manifests for misconfigurations before deployment — shift-left security that prevents the vulnerabilities XDR would have to detect at runtime.

Unified Risk View

Cortex Cloud correlates posture findings with XDR runtime detections — prioritizing misconfiguration remediation based on active exploit activity, not just theoretical risk scores.

Replace Point Tools

XDR Cloud per Host + Cortex Cloud can displace Wiz, Lacework, Aqua Security, and Sysdig — replacing a multi-vendor cloud security tool stack with a unified PANW platform.