Cortex XDR — Pro per GB Tier

Cortex XDR Pro per GB
Network Visibility + Data Source Ingestion

Complete network traffic and user behavior visibility through multi-source log ingestion. Combined with Pro per Endpoint, delivers near-XSIAM coverage — the strategic bridge to full SOC platform replacement.

Per GB: Ingest Pricing Model
Multi-Source: Network + Cloud + Identity
XSIAM: Natural Next Step

Overview

What is XDR Pro per GB?

Cortex XDR Pro per GB is the data-ingestion tier of the Cortex XDR license stack, priced per gigabyte of data ingested into the Cortex Data Lake. It enables ingestion of network traffic logs, firewall data, cloud workload events, identity provider logs, and third-party security tool telemetry — providing the visibility layer that endpoint-only deployments lack.

Pro per GB is typically deployed alongside Pro per Endpoint, not as a standalone product. The combination delivers correlated endpoint + network + user behavior analytics within a single investigation workflow — dramatically reducing the time analysts spend pivoting between a SIEM, EDR console, and network monitoring tool. For many customers, this combination functionally replaces the need for a standalone SIEM while serving as the natural on-ramp to XSIAM.

Positioning insight: Customers running a legacy SIEM (Splunk, IBM QRadar, ArcSight) primarily for log aggregation and correlation are natural Pro per GB candidates. XDR Pro per GB replaces the aggregation layer while adding ML-driven correlation that legacy SIEMs cannot match — at a significantly lower total cost for most log volumes.

Combined Architecture

The Power Combo: Pro per Endpoint + Pro per GB

Together, these two XDR Pro tiers deliver near-XSIAM visibility — full investigation coverage across endpoint, network, cloud, and identity — without requiring a full SOC platform migration.

XDR Pro per Endpoint + XDR Pro per GB = Near-XSIAM Visibility

Streamlined Investigation

Endpoint causality chains automatically correlated with network flows and identity events — analysts see the full attack story in one console without pivoting between tools.

Extensive Remediation

Remediation scope extends beyond the endpoint — block IPs at the firewall, revoke identity tokens, quarantine cloud workloads — all from the unified XDR console during active response.

User Behavior Analytics

Correlate endpoint telemetry with user identity and access logs to detect insider threats, credential abuse, and compromised accounts — not possible with endpoint-only EDR.

SIEM Displacement Path

This combination positions customers to eliminate a legacy SIEM at renewal — with XSIAM as the full replacement. Every GB already being ingested is direct preparation for the XSIAM conversation.

Ingestion Scope

Data Sources and Ingestion

Pro per GB ingests logs from across the security stack into the Cortex Data Lake for unified correlation and detection.

Palo Alto NGFWs: Firewall traffic logs, URL filtering, threat logs, and DNS natively ingested — no connector required. Full session-level visibility correlated with endpoint investigation.
Network Traffic (NDR): Ingest NetFlow, syslog, and PCAP summaries from network sensors, switches, and third-party NDR tools. Enables lateral movement detection across the network.
Identity Providers: Okta, Azure AD, Active Directory — authentication events, privilege changes, MFA bypass attempts, and impossible travel detection feeding UEBA analytics.
Cloud Platforms: AWS CloudTrail, Azure Activity Logs, GCP Audit Logs — cloud API activity correlated with endpoint and network telemetry for full multi-cloud investigation scope.
Email Security: Ingest alerts and events from Proofpoint, Mimecast, or Microsoft Exchange — correlate phishing campaigns with endpoint compromise events for full kill chain mapping.
Third-Party Security Tools: CEF/syslog ingestion from virtually any security tool — vulnerability scanners, web proxies, DLP platforms — unified in the Cortex Data Lake alongside native sources.
Prisma Cloud: PANW's cloud security platform feeds cloud workload alerts directly into XDR — enabling cloud investigation without pivoting to a separate CNAPP console.
SIEM Migration (Syslog Forward): Forward existing SIEM logs into Cortex Data Lake during transition — enables parallel operations and smooth SIEM displacement without data gaps during migration.

Sales Conversations

Discovery Questions

Surface SIEM pain, data source gaps, and network visibility needs that qualify Pro per GB.

01 What SIEM are you running today, and what's your primary use case — compliance log retention, active threat detection, or both? How satisfied are you with the detection quality versus the cost?
02 When you're investigating an endpoint alert, how quickly can you correlate it with network traffic and identity data? How many different tools or consoles does that investigation span?
03 Are you currently feeding your firewall logs, cloud audit trails, and identity events into your SIEM — and if so, what is that costing you per GB or per year in licensing?
04 Have you had incidents where the attack entered through the network or an identity compromise — and your endpoint EDR alone didn't give you enough context to reconstruct the full attack chain?
05 What is your SIEM contract renewal timeline? Are you open to evaluating alternatives, or specifically looking to reduce per-GB ingestion costs while improving detection quality?

Competitive Positioning

Why Palo Wins vs. SIEM and Data Platforms

XDR Pro per GB against the dominant SIEM and data ingestion competitors.

Splunk Enterprise / Cloud
Market-leading SIEM / data platform
  • XDR Pro per GB pricing is typically 60–70% lower than equivalent Splunk ingest at enterprise scale — Splunk's per-GB model is notoriously expensive as data volumes grow.
  • Native ML-driven detection and behavioral analytics purpose-built for security — Splunk requires custom SPL queries and SIEM rules to achieve comparable detection quality.
  • Endpoint investigation natively correlated with ingested log data in one console — Splunk ES requires Splunk SOAR (separate license) for comparable automated response workflows.
  • XSIAM is the full SOC platform alternative to Splunk — XDR Pro per GB is the bridge that lets customers prove out the data lake model before full SIEM displacement.
Microsoft Sentinel
Azure-native cloud SIEM
  • Cortex Data Lake provides purpose-built security data lake with XQL — Sentinel's Kusto query language is powerful but general-purpose, requiring security-specific customization for comparable detection logic.
  • No Azure commitment required — XDR Pro per GB is vendor-agnostic and integrates across AWS, GCP, and on-premises environments without being tied to a single cloud provider.
  • PANW threat intelligence (WildFire, Unit 42) natively enriches detections — Sentinel relies on Microsoft Defender TI and third-party connectors for equivalent intelligence depth.
  • Organizations not running M365 E5 face significant Sentinel add-on costs — XDR Pro per GB offers a predictable standalone pricing model without Microsoft licensing dependency.
CrowdStrike LogScale
Log management / SIEM platform
  • Cortex Data Lake is natively integrated with XDR endpoint telemetry — LogScale was built as a general-purpose log management tool and requires additional work to achieve comparable endpoint investigation depth.
  • PANW ecosystem (NGFW, Prisma Cloud, XSOAR) provides native first-party data sources that feed the data lake without connector complexity — CrowdStrike LogScale requires third-party connectors for non-CrowdStrike sources.
  • XDR Pro per GB positions directly for XSIAM — the full AI-driven SOC platform. CrowdStrike's equivalent platform (Falcon Next-Gen SIEM) lacks equivalent SOAR depth and automation maturity.
  • Unit 42 MDR available as a native next step — CrowdStrike LogScale does not have a comparable expert-managed threat hunting service with the same intelligence pedigree.

Platform Expansion

The Natural Next Step: XSIAM

You're already ingesting the data — XSIAM is the logical destination

Customers running XDR Pro per Endpoint + Pro per GB are already building the data foundation for XSIAM. The upgrade to XSIAM adds the AI-driven analytics layer, full SOAR automation, and the full NG-SIEM platform on top of the same Cortex Data Lake — with no re-instrumentation and no data migration required.

AI-Driven Analytics

XSIAM's AI pre-triages alerts, correlates data across all sources, and surfaces only actionable incidents — dramatically reducing analyst workload beyond what XDR Pro correlation achieves.

Full SOAR Automation

XSOAR playbooks built into the platform automate end-to-end response workflows — enrichment, triage, containment, and documentation — without leaving the console.

SIEM Replacement

XSIAM includes NG-SIEM capability — compliance reporting, log retention, and detection engineering — replacing Splunk, Sentinel, or QRadar at renewal without operational disruption.

Attack Surface Mgmt

XSIAM includes Cortex Xpanse ASM — continuous external attack surface discovery and monitoring. Adds proactive exposure visibility that XDR Pro per GB alone does not provide.