★ Showcase — SecOps

Cortex XSIAM 3.4
The AI-Driven SOC

Replacing legacy SIEM at machine speed. XSIAM unifies SIEM + SOAR + XDR + ASM + TIM into one AI-native platform — the fastest-growing product in cybersecurity.

  • $0.5B+ ARR
  • 600+ Customers
  • <10m MTTR
  • 1B+ Training Responses

Overview

What is XSIAM?

Cortex XSIAM (Extended Security Intelligence and Automation Management) is Palo Alto Networks' AI-driven SOC platform that unifies SIEM, SOAR, XDR, ASM, and TIM into a single, natively integrated solution.

Built from the ground up with machine learning at its core, XSIAM was designed to replace legacy SIEM by operating at machine speed — ingesting data from any source, correlating alerts with AI, and automating response through AgentiX-powered agentic workflows. It eliminates alert fatigue by stitching together related signals into unified cases, dramatically reducing Mean Time to Resolve.

"One of the fastest-growing products in cybersecurity."
— Nikesh Arora, CEO, Palo Alto Networks

Latest Release

XSIAM 3.4 — February 2026

The most significant update yet, with immersive AI-powered analyst experiences and a refreshed platform design.

v3.4 Release Highlights

1. Immersive AI Analyst Experience
   Redesigned UX with AI summarization, visualized issue relationships, and a new Resolution Center. Contextual agentic assistance side-by-side in a unified case workspace.
2. Natural Language Querying
   Generate and run XQL queries using AI prompts. Accelerates threat hunting without specialized query expertise. Available in EU/US regions for creation; all regions can run queries.
3. Cost-Effective Cortex Data Lake Tier
   Flexible ingestion/storage subscription for compliance, long-term investigations, and forensics with real-time search and correlation.
4. Advanced Email Security Enhancements
   Interactive Email Security Command Center for real-time threat and response visibility. Requires Advanced Email Security add-on.
5. Exposure Management Enhancements
   Validate active defenses and calculate true residual risk with Security and Compensating Controls integration.
6. New Platform Design Experience
   Refreshed modern interface with a unified design language across the entire XSIAM platform.

Detailed Feature Enhancements


  • New forwarding integrations for cases/issues (Splunk, Amazon SQS, S3, Webhook)
  • Asset Card Compliance Tab, CSV report with remediation guidance, tags, cloud account IDs
  • Autodetect Palo Alto Networks VM-Series Firewalls (AWS GWLB)
  • SLAs for issue resolution
  • Asset-level rule configuration (Exclusion, Starring, Scoring, Playbook rules)

Compliance Standards Added:

  • CIS AWS Storage Services Benchmark 1.0.0
  • CIS Microsoft Azure Storage Services Benchmark 1.0.0
  • CIS Microsoft Windows 11 Enterprise Benchmark 4.0.0
  • CIS Microsoft Windows Server 2016 Benchmark 3.0.0
  • CIS EKS Benchmark 1.7.0, GKE 1.8.0, AKS 1.8.0
  • EU AI Act
  • ISO/IEC 42001:2023
  • CIS Amazon Linux 2 STIG Benchmark 2.0.0
  • Cloud Security Assurance Program (CSAP) — SaaS Standard, Simplified, Low

  • Process Anomaly Analytics (Windows)
  • Enhanced RDP Analytics
  • EDR Linux & macOS Abnormal Communication
  • EDR macOS Generic Persistence
  • Webshell Analytics (managed + unmanaged servers)
  • Linux Credential Grabbing detection
  • Improved asset attribution evidence
  • Website vulnerability identification (new vulnerabilities tab)
  • Native agent interoperability via MCP
  • Increased transparency into agent execution
  • Prompt Library for managing AI prompts
  • Automation Engineer Agent — create automation scripts using natural language
  • New supported regions: US, EU, Canada, UK, South Korea, Singapore, Australia, Japan, India, Germany, France
  • Secure personalized queries with multi-user isolation
  • Clearer query accountability (person / system / API key)
  • Federated Search across AWS, GCP, and Azure without data movement
  • XQL-based Cloud Security rules
  • New Cortex DLP module — covers data in use, in motion, and at rest across web and local channels, even offline
  • Broader Linux protection without kernel access
  • Cross-platform threat blocking on Linux (on-write)
  • USB device control for macOS
  • iOS device isolation from console
  • Amazon ECS EC2 agent installer
  • Simplified endpoint tag management via APIs
  • Rescan vulnerable assets via UI and API
  • Improved Network Scanner reports with CSV export
  • Rapid7 integration
  • Unified "Data Sources & Integrations" page
  • Improved Authentication Story logic
  • Conflict-free editing with lock system
  • Improved access control (None permission level)
  • Object-based dashboard permissions (Viewer / Editor)
  • Enhanced Asset SBAC audit logs
  • SBAC for cases/issues without inventory assets
  • Secure issue exclusion access
  • Broker VM Pathfinder applet deprecated
  • Marketplace relocated to Settings > Configurations
  • Data Sources & Integrations replaces Automation & Feed Integrations
  • Broker VM new image on Debian 13 (improved security, long-term support)

Evolution

Release Timeline

The rapid evolution of XSIAM from automation-first SIEM to the complete AI-driven SOC.

XSIAM 2.0
2024
  • Automation-first approach with AI at the core
  • Foundational SIEM + SOAR + XDR unification
XSIAM 3.0
April 2025
  • Cloud posture integration
  • Cases/issues workflow & Command Center
  • ASM & unified Asset Inventory
  • SBAC & new automation experience
XSIAM 3.2
July 2025
  • AI-powered Exposure Management
  • Advanced Email Security add-on
  • Ticket Sync (Jira / ServiceNow)
  • Digital Risk Protection & Global Lookup
XSIAM 3.3
November 2025
  • AgentiX — agentic AI SOAR
  • Cortex MCP Server
  • Federated Search in XDL (AWS/GCP/Azure)
  • Forensics for Linux, ML JScript analysis
  • XDR Agent for Windows ARM64
XSIAM 3.4 (Current)
February 2026
  • Immersive AI analyst experience with Resolution Center
  • Natural language XQL querying
  • Cost-effective Cortex Data Lake tier
  • Advanced Email Security Command Center
  • Exposure Management with compensating controls
  • Refreshed platform design language

Licensing

License Tiers

Three tiers designed to match different SOC maturity levels and security requirements.

Capabilities compared across the three tiers (Cortex NG SIEM, XSIAM Enterprise, XSIAM Enterprise Plus):

  • Log Ingestion & Analytics
  • Detection & Hunting
  • Automation / SOAR
  • UEBA
  • XDR Pro per Endpoint
  • Host Insights
  • XTH (Threat Hunting)
  • On-Prem Discovery
  • Cloud Detection (CDR)
  • Kubernetes / OpenShift
  • XDR Cloud per Host

Extensibility

Add-On Modules

Expand XSIAM with purpose-built modules for specialized security needs.

Attack Surface Management

Discover, evaluate, and mitigate external attack surface risks continuously.

Threat Intelligence Mgmt

Aggregate, correlate, and operationalize threat intelligence from multiple feeds.

Forensics

Deep forensic investigation capabilities for incident response and evidence collection.

Identity Threat Detection

ITDR — detect and respond to identity-based threats across the enterprise.

Compute Unit

Additional compute resources for high-volume data processing and analytics workloads.

Notebooks

Interactive investigation notebooks for advanced threat hunting and analysis workflows.

Endpoint Event Forwarding

Forward endpoint events to external systems for additional analysis or compliance.

GB Event Forwarding

Volume-based event forwarding for large-scale data export and integration.

Featured

Advanced Email Security

LLM-powered email security with 3 detection engines, automatic remediation, and SmartScore risk prioritization. Includes the new Email Security Command Center for real-time threat visibility.

Palo's Training — Demo Zone (Learning Center)

Demo & Training

Hands-on demos, learning paths, and certifications to master XSIAM.

Core Certifications

★ Most Important

Certified XSIAM Engineer

Validates the ability to implement, configure, and operate XSIAM in production environments.

Topics Covered

  • Deployment & architecture
  • Data onboarding & ingestion
  • Playbook creation & automation
  • Detection engineering

Required For

  • XSIAM onboarding engagements
  • Health checks
  • Managed SOC delivery

Certified XSIAM Analyst

Validates SOC analyst skills for day-to-day operations using the XSIAM platform.

Topics Covered

  • Incident response workflows
  • Alert handling & triage
  • Threat hunting techniques

Required For

  • SOC teams
  • MSSP analysts
  • Detection validation

Pre-Sales

Scoping Checklist

Key data points to collect before every XSIAM engagement.

Log Volume — Daily ingest in GB/day across all sources (SIEM, firewalls, endpoints, cloud)
Endpoint Count — Total managed endpoints (Windows, macOS, Linux, mobile)
Cloud Accounts — Number of AWS, Azure, GCP accounts / subscriptions
Data Sources — List of current log sources (firewalls, EDR, cloud trails, identity, email)
Compliance Requirements — Regulatory frameworks (PCI, HIPAA, SOX, NIS2, DORA, CMMC)
Current SIEM Vendor — Existing SIEM platform and license/contract end dates

Conversations

Discovery Questions

Open-ended questions to uncover SOC pain points and build the case for XSIAM.

01 How many alerts does your SOC handle per day, and what percentage are actually investigated?
02 What is your current Mean Time to Detect and Mean Time to Respond for a typical incident?
03 How many separate tools does your SOC team use today, and how much time is spent pivoting between them?
04 What is your annual SIEM spend including licensing, storage, and personnel to maintain it?
05 Are you experiencing analyst burnout or difficulty retaining SOC staff due to alert fatigue?
06 How are you currently correlating data across endpoints, network, cloud, and identity sources?
07 What is your current level of automation in the SOC? Do you have playbooks, or is response mostly manual?
08 When is your current SIEM contract up for renewal, and are you evaluating alternatives?
09 Do you have visibility into your external attack surface today? How are you tracking exposed assets?
10 How important is AI/ML-driven detection to your security strategy over the next 12–18 months?
11 Are you consolidating security vendors? What does your ideal end-state platform look like?
12 How do you currently handle threat intelligence operationalization — is it manual or automated?