Cortex XDR — Pro per GB Tier
Cortex XDR Pro per GB
Network Visibility + Data Source Ingestion
Complete network traffic and user behavior visibility through multi-source log ingestion. Combined with Pro per Endpoint, delivers near-XSIAM coverage — the strategic bridge to full SOC platform replacement.
Overview
What is XDR Pro per GB?
Cortex XDR Pro per GB is the data-ingestion tier of the Cortex XDR license stack, priced per gigabyte of data ingested into the Cortex Data Lake. It enables ingestion of network traffic logs, firewall data, cloud workload events, identity provider logs, and third-party security tool telemetry — providing the visibility layer that endpoint-only deployments lack.
Pro per GB is typically deployed alongside Pro per Endpoint, not as a standalone product. The combination delivers correlated endpoint + network + user behavior analytics within a single investigation workflow — dramatically reducing the time analysts spend pivoting between a SIEM, EDR console, and network monitoring tool. For many customers, this combination functionally replaces the need for a standalone SIEM while serving as the natural on-ramp to XSIAM.
Combined Architecture
The Power Combo: Pro per Endpoint + Pro per GB
Together, these two XDR Pro tiers deliver near-XSIAM visibility — full investigation coverage across endpoint, network, cloud, and identity — without requiring a full SOC platform migration.
Streamlined Investigation
Endpoint causality chains automatically correlated with network flows and identity events — analysts see the full attack story in one console without pivoting between tools.
Extensive Remediation
Remediation scope extends beyond the endpoint — block IPs at the firewall, revoke identity tokens, quarantine cloud workloads — all from the unified XDR console during active response.
User Behavior Analytics
Correlate endpoint telemetry with user identity and access logs to detect insider threats, credential abuse, and compromised accounts — not possible with endpoint-only EDR.
SIEM Displacement Path
This combination positions customers to eliminate a legacy SIEM at renewal — with XSIAM as the full replacement. Every GB already being ingested is direct preparation for the XSIAM conversation.
Ingestion Scope
Data Sources and Ingestion
Pro per GB ingests logs from across the security stack into the Cortex Data Lake for unified correlation and detection.
Sales Conversations
Discovery Questions
Surface SIEM pain, data source gaps, and network visibility needs that qualify Pro per GB.
Competitive Positioning
Why Palo Wins vs. SIEM and Data Platforms
How XDR Pro per GB positions against the dominant SIEM and data-ingestion competitors: Splunk, Microsoft Sentinel, and CrowdStrike LogScale.
vs. Splunk
- XDR Pro per GB pricing is typically 60–70% lower than equivalent Splunk ingest at enterprise scale — Splunk's per-GB model is notoriously expensive as data volumes grow.
- Native ML-driven detection and behavioral analytics purpose-built for security — Splunk requires custom SPL queries and SIEM rules to achieve comparable detection quality.
- Endpoint investigation natively correlated with ingested log data in one console — Splunk ES requires Splunk SOAR (separate license) for comparable automated response workflows.
- XSIAM is the full SOC platform alternative to Splunk — XDR Pro per GB is the bridge that lets customers prove out the data lake model before full SIEM displacement.
vs. Microsoft Sentinel
- Cortex Data Lake provides a purpose-built security data lake with XQL — Sentinel's Kusto query language is powerful but general-purpose, requiring security-specific customization for comparable detection logic.
- No Azure commitment required — XDR Pro per GB is vendor-agnostic and integrates across AWS, GCP, and on-premises environments without being tied to a single cloud provider.
- PANW threat intelligence (WildFire, Unit 42) natively enriches detections — Sentinel relies on Microsoft Defender TI and third-party connectors for equivalent intelligence depth.
- Organizations not running M365 E5 face significant Sentinel add-on costs — XDR Pro per GB offers a predictable standalone pricing model without Microsoft licensing dependency.
vs. CrowdStrike LogScale
- Cortex Data Lake is natively integrated with XDR endpoint telemetry — LogScale was built as a general-purpose log management tool and requires additional work to achieve comparable endpoint investigation depth.
- PANW ecosystem (NGFW, Prisma Cloud, XSOAR) provides native first-party data sources that feed the data lake without connector complexity — CrowdStrike LogScale requires third-party connectors for non-CrowdStrike sources.
- XDR Pro per GB positions directly for XSIAM — the full AI-driven SOC platform. CrowdStrike's equivalent platform (Falcon Next-Gen SIEM) lacks equivalent SOAR depth and automation maturity.
- Unit 42 MDR available as a native next step — CrowdStrike LogScale does not have a comparable expert-managed threat hunting service with the same intelligence pedigree.
Platform Expansion
The Natural Next Step: XSIAM
Customers running XDR Pro per Endpoint + Pro per GB are already building the data foundation for XSIAM. The upgrade to XSIAM adds the AI-driven analytics layer, full SOAR automation, and the full NG-SIEM platform on top of the same Cortex Data Lake — with no re-instrumentation and no data migration required.
AI-Driven Analytics
XSIAM's AI pre-triages alerts, correlates data across all sources, and surfaces only actionable incidents — dramatically reducing analyst workload beyond what XDR Pro correlation achieves.
Full SOAR Automation
XSOAR playbooks built into the platform automate end-to-end response workflows — enrichment, triage, containment, and documentation — without leaving the console.
SIEM Replacement
XSIAM includes NG-SIEM capability — compliance reporting, log retention, and detection engineering — replacing Splunk, Sentinel, or QRadar at renewal without operational disruption.
Attack Surface Management
XSIAM includes Cortex Xpanse ASM — continuous external attack surface discovery and monitoring. Adds proactive exposure visibility that XDR Pro per GB alone does not provide.