Palo Alto Networks Cortex XSOAR vs Splunk SOAR comparison

You must select at least 2 products to compare!
Microsoft Logo
17,715 views|9,994 comparisons
92% willing to recommend
Palo Alto Networks Logo
11,001 views|6,061 comparisons
91% willing to recommend
Splunk Logo
6,537 views|3,915 comparisons
86% willing to recommend
Comparison Buyer's Guide
Executive Summary
Updated on Oct 11, 2022

We performed a comparison between Palo Alto Networks Cortez XSOAR and Splunk Phantom based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.

  • Ease of Deployment: Most users of both products report their initial deployment to be straightforward.

  • Features: Users of both solutions are happy with their scalability and stability.

    Cortex users say it has good automation and is user friendly and robust. Some users mention that they would like an on-premises version in addition to the cloud option.

    Splunk reviewers like its security automation platform feature and say it performs well and has excellent customization options but needs to improve its case management.

  • Pricing: Cortex receives mixed reviews in the pricing category. Splunk Phantom users say it is an expensive product.

  • ROI: Reviewers of both products report seeing an ROI.

  • Service and Support: Most users of both solutions report being satisfied with the level of support they receive.

Comparison Results: Both solutions come across as reliable and powerful products. Cortex does slightly better in the Pricing category, however.

To learn more, read our detailed Palo Alto Networks Cortex XSOAR vs. Splunk SOAR Report (Updated: May 2024).
771,946 professionals have used our research since 2012.
Q&A Highlights
Question: Which Do You Recommend, Phantom or Demisto?
Answer: I would not recommend Phantom or Demisto, but rather JASK! JASK is modernizing security operations to reduce organizational risk and improve human efficiency through technology consolidation, enhanced AI and machine learning. We are empowering the SOC analyst to focus on investigative and response work, rather than the onerous data ingestion, normalization, parsing, and alert discrimination that is required to simply determine what is important. Purpose-built by the JASK team, proven in solving real-world SOC issues, the JASK Autonomous Security Operations Center (ASOC) Platform enhances threat detection and orchestration to improve contextual visibility, expose blind spots and initiate faster response times with advanced insights.
Featured Review
Quotes From Members
We asked business professionals to review the solutions they use.
Here are some excerpts of what they said:
"The scalability is great. You can put unlimited logs in, as long as you can pay for it. There are commitment tiers, up to six terabytes per day, which is nowhere close to what any one of our customers is running.""I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals, when it comes to incident response.""Its inbuilt Kusto Query Language is a valuable feature. It provides the flexibility needed to leverage advanced data analytics rules and policies and enables us to easily navigate all our security events in a single view. It helps any user easily understand the data or any security lags in their data and applications.""Microsoft Sentinel comes preloaded with templates for teaching and analytics rules.""We can use Sentinel's playbook to block threats. It covers all of the environment, giving us great visibility.""Sentinel improved how we investigate incidents. We can create watchlists and update them to align with the latest threat intelligence. The information Microsoft provides enables us to understand thoroughly and improve as we go along. It allows us to provide monthly reports to our clients on their security posture.""It is always correlating to IOCs for normal attacks, using Azure-related resources. For example, if any illegitimate IP starts unusual activity on our Azure firewall, then it automatically generates an alarm for us.""The best functionality that you can get from Azure Sentinel is the SOAR capability. So, you can estimate any type of activity, such as when an alert was triggered or an incident was found."

More Microsoft Sentinel Pros →

"It was useful as a ticketing tool.""The automation part and the playbook creation part are awesome. The way it is responding to the customers and incidents is also very good. In the SOC environment, I guess it will carry out around 50% of the work.""The most valuable feature is its capability to automate responses and collect information for any security event before you even delve into the details. It's a vast product with an active roadmap, so I'm satisfied with it for now. It's very efficient at data collection and correlation.""It has an extensive list of integrations that are available out of the box which makes it easy to start.""We use the solution to automate our SIEM tools and incidents.""I have no complaints about Cortex's stability.""The most valuable features of Palo Alto Networks Cortex XSOAR are the remote controller from the workstation that can execute commands and isolate the systems outside of the network. Only the system with an internet connection can execute the task because the main console is in the cloud.""I am satisfied with the product overall."

More Palo Alto Networks Cortex XSOAR Pros →

"The best feature is the integration and the custom Python code that we can write. Splunk SOAR provides us with both of these capabilities, allowing us to integrate different security solutions with Splunk SOAR and take remediation actions directly on those security tools.""The ability to automate Splunk SOAR and customize the playbook use cases is the most valuable feature and is very exciting for me.""The most valuable feature is the API connector, depending on how it's formatted and who made the actual app offering for it. The REST API is my favorite component. It's very easy to use. The filters are also really valuable. Those are the two primary features but I enjoy using the rest of it.""The solution’s dashboard is really good and customizable. It also has a good UI.""The most valuable features of Splunk SOAR are the easy integration with other solutions, including other Splunk solutions. The most important playbooks we need on the market come already on the Frontend. However, nowadays, Splunk changed its name, it's not Frontend anymore, it's Splunk Store. This is a very strong point.""The playbooks are valuable. They are the core component. Being able to implement and build a code process to work through and scale out what we want to do is valuable.""It has definitely saved a decent amount of time for our analysts so they can focus on other tasks.""Before its use, analyzing each email would take at least 15 to 20 minutes, with some complex cases taking up to 30 minutes...With the automation provided by Splunk Phantom, we could significantly reduce the amount of time and human effort required to complete this task."

More Splunk SOAR Pros →

"Given that I am in the small business space, I wish they would make it easier to operate Sentinel without being a Sentinel expert. Examples of things that could be easier are creating alerts and automations from scratch and designing workbooks.""It could have a better API to be able to automate many things more extensively and get more extensive data and more expensive deployment possibilities. It can gain some points on the automation part and the integration part. The API is very limited, and I would like to see it extended a bit more.""The solution could improve the playbooks.""Sometimes, we are observing large ingestion delays. We expect logs within 5 minutes, but it takes about 10 to 15 minutes.""Currently, the watchlist feature is being utilized, and although there have been improvements, it is still not fully optimized.""Sentinel could improve its ticketing and management. A few customers I have worked with liked to take the data created in Sentinel. You can make some basic efforts around that, but the customers wanted to push it to a third-party system so they could set up a proper ticketing management system, like ServiceNow, Jira, etc.""They're giving us the queries so we can plug them right into Sentinel. They need to have a streamlined process for updating them in the tool and knowing when things are updated and knowing when there are new detections available from Microsoft.""The only thing is sometimes you can have a false positive."

More Microsoft Sentinel Cons →

"Palo Alto Networks Cortex XSOAR could improve the look, feel, and management of the cloud console. Additionally, the user could be more easily integrated.""The platform’s setup procedures could be streamlined compared to one of its competitors.""The user interface could be a bit better.""The solution is complicated to learn.""The solution should be made a bit cheaper.""The tool’s multi-tenancy feature must be improved.""We need a little hands-on experience to install the solution.""The price of the solution could be improved."

More Palo Alto Networks Cortex XSOAR Cons →

"The application does not work properly and does not pass the log-based configuration. I feel that some kind of review should happen in the application. This review should validate things so that we can get the right information. Splunk does not tell us where the IP address is associated with.""We want to see improvements made to the APIs such that we can connect to many different systems and data sources.""The Splunk SOAR platform was not designed specifically for case management which is why this area needs improvement.""In my opinion, the focus should be on improving its simplicity, specifically the interface, and configuration.""The algorithm and machine learning have room for improvement and can be more user-friendly.""It would be ideal if we could automate processes even more.""And most of the challenges that I have faced with the solution can be found in the documentation itself.""Splunk's support for integration is subpar and has room for improvement."

More Splunk SOAR Cons →

Pricing and Cost Advice
  • "It comes with a Microsoft subscription which the customer has, so they don't have to invest somewhere else."
  • "It is a consumption-based license model. bands at 100, 200, 400 GB per day etc. Azure Sentinel Pricing | Microsoft Azure"
  • "Good monthly operational cost model for the detection and response outcomes delivered, M365 logs don't count toward the limits which is a good benefit."
  • "I have had mixed feedback. At one point, I heard a client say that it sometimes seems more expensive. Most of the clients are on Office 365 or M365, and they are forced to take Azure SIEM because of the integration."
  • "It is kind of like a sliding scale. There are different tiers of pricing that go from $100 per day up to $3,500 per day. So, it just kind of depends on how much data is being stored. There can be additional costs to the standard license other than the additional data. It just kind of depends on what other services you're spinning up in Azure, or if you're using something like Azure log analytics."
  • "I am just paying for the log space with Azure Sentinel. It costs us about $2,000 a month. Most of the logs are free. We are only paying money for Azure Firewall logs because email logs or Azure AD logs are free to use for us."
  • "Sentinel is a bit expensive. If you can figure a way of configuring it to meet your needs, then you can find a way around the cost."
  • "Azure Sentinel is very costly, or at least it appears to be very costly. The costs vary based on your ingestion and your retention charges."
  • More Microsoft Sentinel Pricing and Cost Advice →

  • "There is a perception that it is priced very high compared to other solutions."
  • "From the cost perspective, I have heard that its price is a bit high as compared to other similar products."
  • "There is a yearly license required for this solution and it is expensive."
  • "It is approx $10,000 or $20,000 per year for two user licenses."
  • "When I first looked at Demisto, it had a price tag of $250,000 but when we finally purchased it, it was $345,000."
  • "The price of Palo Alto Networks Cortex XSOAR is expensive."
  • "The price of Palo Alto Networks Cortex XSOAR is comparable to other solutions in the market."
  • "The solution is based on an annual licensing model that is expensive."
  • More Palo Alto Networks Cortex XSOAR Pricing and Cost Advice →

  • "I don't know the exact price, but for my region, it is very expensive."
  • "In my opinion, the price is high, but if you want good products, you have to be willing to pay for them."
  • "It's very overpriced because it is based on the number of users. There is no bulk licensing."
  • "Splunk SOAR is more expensive compared to other options for SOAR."
  • "The licensing cost is reasonable."
  • "When we first purchased our Splunk SOAR license, it was based on an event-count model. It was based on the number of events. I had strong opinions at the time that automation should not be stifled by the amount of automation you can accomplish, so the previous structure was not as beneficial for us. Later that year, we got told or saw at a conference that they announced user-based pricing. We are now in a renewal period, so we migrated to a user-based license model, which is more appropriate for us so that we no longer have to worry about stifling our automation based on the quantity."
  • "Splunk SOAR is an expensive solution for an organization of our size."
  • "The cost is high and the licensing is on an annual basis."
  • More Splunk SOAR Pricing and Cost Advice →

    Use our free recommendation engine to learn which Security Orchestration Automation and Response (SOAR) solutions are best for your needs.
    771,946 professionals have used our research since 2012.
    Answers from the Community
    Anonymous User
    it_user889167 - PeerSpot reviewerit_user889167 (Director Of Business Development at a tech vendor with 51-200 employees)
    Real User

    I would recommend CyberSponse. There is a reason why CyberSponse have been awarded Government and Military contracts over all the competition! Commerical customers need the same power and capability, why settle for anything less!

    Questions from the Community
    Top Answer:Yes, Azure Sentinel is a SIEM on the Cloud. Multiple data sources can be uploaded and analyzed with Azure Sentinel and… more »
    Top Answer:It would really depend on (1) which logs you need to ingest and (2) what are your use cases Splunk is easy for… more »
    Top Answer:We like that Azure Sentinel does not require as much maintenance as legacy SIEMs that are on-premises. Azure Sentinel is… more »
    Top Answer:Whether the product is cheap or expensive depends on the company and how much they are willing to spend on security… more »
    Top Answer:The solution is complicated to learn. Customers find it difficult to learn how the solution works. We need professionals… more »
    Top Answer:Splunk SOAR's quick response to incidents is the most valuable part.
    Top Answer:The cost is high and the licensing is on an annual basis.
    Top Answer:The cost of Splunk SOAR has room for improvement.
    Also Known As
    Azure Sentinel
    Demisto Enterprise, Cortex XSOAR, Demisto
    Learn More

    Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution that lets you see and stop threats before they cause harm. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs. With Microsoft Sentinel, you can:

    - Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds

    - Detect previously uncovered threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft

    - Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft

    - Respond to incidents rapidly with built-in orchestration and automation of common tasks

    To learn more about our solution, ask questions, and share feedback, join our Microsoft Security, Compliance and Identity Community.

    Palo Alto Networks delivers a complete solution that helps Tier-1 through Tier-3 analysts and SOC managers to optimize the entire incident life cycle while auto documenting and journaling all the evidence. More than 100+ integrations enable security orchestration workflows for incident management and other critical security operation tasks.

    Palo Alto Networks Cortex XSOAR is a piece of Security Orchestration, Automation, and Response software that redefines what it means for a program to orchestrate security in an automated manner. It is a next-generation solution that offers all of the features of dozens of siloed security operations center tools in one place. Cortex XSOAR combines case management, automation, real-time collaboration, and threat intelligence management to create a platform that can handle all aspects of system security. Teams that make use of Cortex XSOAR can expect to cut the number of issues that they will have to deal with by 75%. At the same time, the speed at which they resolve those issues that slip through will rise by 90%.

    Cortex XSOAR ensures that all of the IT and security tools that you employ function as a unified system. It does this by employing hundreds of integrations that allow you to run a wide variety of programs at once without ever worrying about them interfering with each other. These integrations are limited only by your imagination. They can be used immediately as they are, if that is what you need. However, they can also be customized according to the requirements of your system. This approach provides you with the maximum levels of both flexibility and utility.

    The model that this platform uses is based on a machine learning algorithm. The level of automation allows you to provide more than an unchanging and inflexible blanket of coverage. Cortex XSOAR takes all of the data that it gathers and uses it to expand its protective capabilities. This creates recommendations that you can use to create a threat playbook that can be deployed uniformly throughout your organization.

    Benefits of Palo Alto Networks Cortex XSOAR

    Some of Palo Alto Networks Cortex XSOAR’s benefits include:

    • The ability to have all of your data collected in a single location. Valuable time can be saved now that everything that security analysts need to know in order to diagnose and react to threats has been centralized.
    • Security operations center tasks can be automated. This allows you to assign management and analyst staff to the most essential tasks. The effectiveness of your organization will be increased, which will result in a rise in your company’s overall security and productivity.
    • Many kinds of data can be stitched together by this platform. Network, endpoint, cloud, and identity data can be combined to offer a more complete picture of the threats that are discovered.
    • Integrated threat intelligence management can notify you about threats in real time. Now you can diagnose and address issues as they arise. You can also assign values to the threats so that your resources are being used in the most effective manner possible.

    Reviews from Real Users

    Palo Alto Networks Cortex XSOAR’s centralized monitoring interface and automation are two features that help it stand out. This might help explain why one quarter of the Fortune 500 companies choose Palo Alto Networks Cortex XSOAR over the competition.

    Peerspot users note the effectiveness of these features. One user wrote, “We were looking for a single pane of glass type of solution that would allow us to physically be in one appliance - be able to work in concert with other servers that we have within our environment. We wanted orchestration and automation. The single pane of glass was the most important part.” Another noted, "The automation part and the playbook creation part are awesome. The way it is responding to the customers and incidents is also very good. In the SOC environment, I guess it will carry out around 50% of the work."

    Splunk SOAR offers features like automation and orchestration of manual tasks, speeding up work, detection and response to advanced and emerging threats. 

    Go from overwhelmed to in-control

    Automate manual tasks. Address every alert, every day. Establish repeatable procedures that allow security analysts to stop being reactive and focus on mission-critical objectives to protect your business.

    Force multiply your team

    Orchestrate and automate repetitive tasks, investigation and response to increase efficiency and productivity, and do more with the people you already have. Make a team of three feel like a team of 10.

    From 30 minutes to 30 seconds

    Work faster with Splunk SOAR. Respond to threats in seconds. Lower your mean time to respond (MTTR) by automating security tasks and workflows across all of your security tools.

    End-to-end security operations made easy

    Take advantage of Splunk Enterprise Security and Splunk SOAR joining forces to provide a seamless and intuitive SecOps platform to prevent, detect and respond to advanced and emerging threats.

    Sample Customers
    Microsoft Sentinel is trusted by companies of all sizes including ABM, ASOS, Uniper, First West Credit Union, Avanade, and more.
    Cellcom Israel, Blue Cross and Blue Shield of Kansas City, esri, Cylance, Flatiron Health, Veeva, ADT Cybersecurity
    Recorded Future, Blackstone
    Top Industries
    Financial Services Firm22%
    Computer Software Company11%
    Manufacturing Company8%
    Comms Service Provider8%
    Computer Software Company16%
    Financial Services Firm10%
    Manufacturing Company7%
    Financial Services Firm20%
    Educational Organization15%
    Comms Service Provider10%
    Financial Services Firm13%
    Computer Software Company12%
    Manufacturing Company8%
    Financial Services Firm35%
    Computer Software Company18%
    Energy/Utilities Company6%
    Financial Services Firm14%
    Computer Software Company14%
    Manufacturing Company10%
    Company Size
    Small Business33%
    Midsize Enterprise21%
    Large Enterprise47%
    Small Business25%
    Midsize Enterprise16%
    Large Enterprise59%
    Small Business36%
    Midsize Enterprise18%
    Large Enterprise47%
    Small Business21%
    Midsize Enterprise14%
    Large Enterprise65%
    Small Business29%
    Midsize Enterprise18%
    Large Enterprise53%
    Small Business18%
    Midsize Enterprise13%
    Large Enterprise69%
    Buyer's Guide
    Palo Alto Networks Cortex XSOAR vs. Splunk SOAR
    May 2024
    Find out what your peers are saying about Palo Alto Networks Cortex XSOAR vs. Splunk SOAR and other solutions. Updated: May 2024.
    771,946 professionals have used our research since 2012.

    Palo Alto Networks Cortex XSOAR is ranked 2nd in Security Orchestration Automation and Response (SOAR) with 42 reviews while Splunk SOAR is ranked 3rd in Security Orchestration Automation and Response (SOAR) with 31 reviews. Palo Alto Networks Cortex XSOAR is rated 8.4, while Splunk SOAR is rated 8.0. The top reviewer of Palo Alto Networks Cortex XSOAR writes "Enables the investigators to go through the review process a lot quicker". On the other hand, the top reviewer of Splunk SOAR writes "Takes most of the work away, but the time they take to implement new features is a little bit of concern". Palo Alto Networks Cortex XSOAR is most compared with Cortex XSIAM, Fortinet FortiSOAR, ServiceNow Security Operations, Swimlane and IBM Resilient, whereas Splunk SOAR is most compared with Cortex XSIAM, ServiceNow Security Operations, Torq, Tines and Cisco SecureX. See our Palo Alto Networks Cortex XSOAR vs. Splunk SOAR report.

    See our list of best Security Orchestration Automation and Response (SOAR) vendors.

    We monitor all Security Orchestration Automation and Response (SOAR) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.