Cortex XDR — Pro per Endpoint Tier

Cortex XDR Pro
Per Endpoint — Advanced EDR + Investigation

Everything in Prevent plus full EDR analytics, tailored endpoint data collection, third-party log ingestion, and enhanced investigation with causality chain visualization. The complete endpoint detection and investigation platform.

  • ~$81 per endpoint/yr
  • 30-day data retention
  • XTH threat hunting add-on

Overview

What is XDR Pro per Endpoint?

Cortex XDR Pro per Endpoint is the full EDR tier of the Cortex XDR license stack, adding detection, investigation, and response capabilities on top of the Prevent EPP foundation. It activates the Cortex Data Lake for endpoint telemetry and enables correlated multi-source detections — all from the same agent already running on endpoints at the Prevent tier.

Pro per Endpoint is the sweet spot for organizations that need full investigation and threat hunting visibility without yet committing to a full SIEM/SOC platform replacement. It enables security teams to trace attack causality across the full process tree, query historical telemetry, ingest third-party log sources, and automate response — all within a single console already managing prevention.

Key licensing note: XDR Pro per Endpoint is priced per managed endpoint. It is the prerequisite for Unit 42 MDR (Cortex Pro). XTH (eXtended Threat Hunting Data) is an optional add-on that unlocks granular 30+ day telemetry for deeper hunting workflows.

Tier Delta

What Pro Adds Over Prevent

Same agent, same console — these capabilities unlock with a Pro license. No re-deployment required.

  • Tailored Endpoint Data Collection (Data Collection): Activates the Cortex Data Lake for endpoint telemetry. Captures process, network connection, file, and registry events at configurable granularity — giving analysts the raw data needed for investigation and hunting without performance impact.
  • Third-Party Log Collection (Ingestion): Ingest logs from PANW NGFWs, Prisma Cloud, identity providers, and third-party sources into the Cortex Data Lake. Enables correlated multi-source detections that surface threats invisible in endpoint-only telemetry.
  • Enhanced Detection & Investigation Visibility (Investigation): Full causality chain visualization — trace every attack from initial execution through lateral movement, privilege escalation, and persistence. Reduces MTTR from hours to minutes by eliminating manual log correlation.
  • Live Terminal & Forensic Collection (Forensics): Live remote shell access for forensic investigation without dispatching a technician. Collect memory dumps, disk artifacts, and file samples directly from the XDR console during an active incident.
  • UEBA — User and Entity Behavior Analytics (Analytics): Behavioral baselines for users and entities across endpoint and identity data. Detects anomalous login patterns, unusual data access, and credential abuse that evade signature-based detection at the Prevent tier.
  • Automated Remediation (Response): Script-based automated response — isolate endpoints, kill malicious processes, delete files, quarantine artifacts — directly from the console or triggered automatically via XSOAR playbooks integrated with the Cortex platform.

Optional Add-On

XTH — eXtended Threat Hunting Data

XTH (eXtended Threat Hunting Data) is an add-on to XDR Pro per Endpoint that unlocks the highest-granularity telemetry tier for threat hunting teams. It captures additional event types and extends retention, enabling hunters to find dwell-time threats that standard 30-day retention misses.

Granular Event Capture

High-fidelity DNS, registry, process injection, and network telemetry beyond standard Pro collection — critical for nation-state and APT-level hunting scenarios.

Extended Retention

Query historical telemetry beyond the standard 30-day window — essential for detecting dwell-time intrusions where attackers maintain persistence for months before acting.

XQL Hunt Queries

Use Palo Alto's XQL (eXtended Query Language) against the full XTH dataset — purpose-built for security investigation, not adapted from a general-purpose query language.

Position with XTH When…

Customer has a dedicated threat hunting function, handles regulated data (FINRA, HIPAA, CMMC), faces APT-level threats, or requires evidentiary-quality forensic data for legal/regulatory response.

Sales Conversations

Discovery Questions

Qualify investigation workflow maturity, threat hunting readiness, and data collection requirements.

01 When your team gets an endpoint alert today, how do you investigate it — what tools do you use, how long does it take to trace root cause, and where are the data gaps?
02 Do you have a formal threat hunting program today? If so, what data sources are your hunters querying, and what's the biggest limitation in your current hunting platform?
03 Are you currently correlating endpoint data with firewall logs, cloud events, or identity provider data in your investigation workflow — or are you pivoting between multiple disconnected tools?
04 How much historical telemetry data can you query today? Have you had incidents where the attack had been in your environment longer than your retention window allowed you to investigate?
05 If you could trace every alert back to root cause automatically — including the full process tree, network connections, and file activity — how would that change your team's mean time to respond?

Competitive Positioning

Why Palo Wins at the Pro Endpoint Tier

How Cortex XDR Pro per Endpoint differentiates from advanced EDR competitors.

CrowdStrike Falcon Enterprise / Elite (advanced EDR tiers)
  • Cortex XDR natively correlates endpoint, network, cloud, and identity telemetry in a single console — CrowdStrike Enterprise requires additional modules and separate licensing for equivalent cross-domain visibility.
  • XQL provides flexible hunting query capability native to the Cortex Data Lake — CrowdStrike's Event Search requires Humio/LogScale licensing for equivalent query depth.
  • PANW ecosystem integration (NGFW logs native in XDR) gives network context inside the EDR investigation — CrowdStrike requires connectors and additional setup for firewall correlation.
  • Upgrade to Unit 42 MDR or XSIAM stays within the same agent and console — CrowdStrike Falcon Complete MDR and Charlotte AI require separate contracts and operational handoffs.
Microsoft Defender for Endpoint P2 (M365 E5-bundled EDR)
  • Full investigation and hunting capability for non-Microsoft assets (Linux, macOS, third-party network devices) — Defender P2 is optimized for the Microsoft stack and has limited cross-platform parity.
  • Cortex investigation is vendor-agnostic — no dependency on Entra ID, Azure AD, or Microsoft cloud services for full feature capability.
  • XDR Pro per Endpoint includes UEBA without requiring a separate Microsoft add-on — Defender's UEBA requires additional Microsoft 365 Defender or Azure AD P2 licensing.
  • Clear path to XSIAM as a standalone SIEM/SOC replacement — Defender P2 locks customers deeper into the Microsoft ecosystem with Sentinel as the only logical SIEM upgrade.
SentinelOne Singularity Complete (advanced EDR + XDR)
  • Cortex Data Lake provides a purpose-built security data lake with full XQL query capability — SentinelOne's data lake (Scalyr/DataSet) is a bolted-on acquisition with separate pricing and integration complexity.
  • Native PANW NGFW log correlation in XDR investigation — SentinelOne requires third-party connectors for equivalent network visibility, with latency and coverage gaps.
  • WildFire cloud sandbox intelligence shared across 70,000+ PANW customers globally provides collective defense — SentinelOne's AI-driven detection relies primarily on its own installed base telemetry.
  • Cortex Pro (Unit 42 MDR) available as a native upgrade — SentinelOne's MDR offering (Vigilance) uses SentinelOne analysts without Unit 42's frontline IR intelligence depth.

Platform Expansion

Next Step: Add Pro per GB or Move to XSIAM

Two paths forward from Pro per Endpoint

Add XDR Pro per GB

Extend correlated visibility to network traffic, user behavior, and cloud sources. Pro per Endpoint + Pro per GB together deliver near-XSIAM visibility for organizations not yet ready for a full SOC platform replacement.

Graduate to XSIAM

Organizations ready to replace their SIEM move directly to XSIAM, which includes XDR Pro per Endpoint and adds NG-SIEM, full SOAR automation, ASM, and AI-driven SOC operations. Same agents, no re-deployment.