Cortex XDR by Palo Alto Networks Reviews

The primary use case is endpoint security. The product is my main endpoint, IP, and threat management.

In organizations where they don't implement a NAC, this product helps stop threats at the endpoint level. Everything goes through the endpoint. By the time you get something to a server, you are compromised at your perimeter, and you might be compromised at your ID or main control. With a third-party, you need a NAC, so you can put on something like McAfee or you need authorization so the organization can scan your computer, then you can connect to the network.

We can't do that for a daily operation. We can't just have personnel waiting for someone to connect, and say, "We need to scan your computer before you go into our network." We don't have time for that." So, you need to implement a NAC. However, if you don't implement a NAC from day one of your business, it is very complicated to do it after many years because the NAC is not like a security software. You have to go server by server and do an assessment. Meanwhile, you need to protect your organization. So, you can use tools like Traps to manage your security, even stopping the threat at the last contact. 

For organizations which do not have a NAC implemented, there has to be some type of endpoint security, and it needs to be tough, like Traps. With Traps, you can search events, manage them quickly, and locate any half exceptions. Trap's traffic is encrypted. 

We like the features where you can quickly locate exceptions and can configure process exceptions. You are building your own defense. Therefore, you are not only relying on Palo Alto, but you are applying day-to-day operations of configured language that a tool can understand.

If the user leaves our premises or network, Palo Alto Traps will still be on that endpoint and will still apply our policies. For example, if you take that endpoint out of our network, go to a Starbucks with a company laptop, then connect to our our virtualized gateway. That local endpoint will still have our network policies.

I'm so used to IPS IDS endpoint security that I don't see anything else that catches my attention other than it's working fine. It's a very good tool. It's the best one that we have.

It has Android support.

There are some limitations on the Traps agents. Traps for Windows has limitations and Traps for Linux too. Traps doesn't work with McAfee. You need to remove McAfee to install Traps. This is very common, and its nothing that should be an issue. Some antivirus engines recognize Traps as an threat component, so maybe they need to shake hands somewhere.

With Windows 7 and Windows 8 64-bit, when you want to install Traps, because its Windows, it will crash. They need a little more flexibility with antivirus engines.

It is very stable.

You can grow as much as you want.

We have four users: a cybersecurity analyst, two infrastructure security personnel, and a security administrator.

The technical support is very good.

We were previously using Malwarebytes and McAfee. We are still using them along with Traps.

The initial setup was straightforward, after we had to remove McAfee first.

The deployment took a couple of weeks. We centralized all our perimeter firewalls first, then we started deploying the agent.

We needed two personnel for deployment and maintenance: an infrastructure security person and a security administrator.

Our third-party installer was very efficient.

Traps pays for itself within the first 16 months of a three-year subscription. This is attributed to OPEX savings, as security teams spent less time trying to identify and isolate malware for analysis as a result of a reduction in malware incidents, false positives, and breach avoidance. Security teams will spend less time and effort managing and mitigating breaches. They will be able to avoid having to activate their organization’s incident response team.

It is "expensive" and flexible.

We evaluated the following other large endpoint security companies: Kaspersky Endpoint Security, CrowdStrike Falcon Endpoint Protection, Symantec Endpoint Protection, and McAfee Endpoint Security.

If you have Malwarebytes and you want to control a malware that you have on your computer, Malwarebytes will quarantine that malware. However, it depends how infected you got.

Test normal behavior of the Traps agents (injection and policy) and confirm that there has been no change in the user experience.

We use it for primary endpoint protection.

Its multi-layer approach helps my organization with anti-malware, exploit protection, and restrictions. A good analogy would be like peeling back an onion, getting through those layers. It gives you the confidence that it will stop exploits, ransomware, worms, or viruses from compromising endpoints, essentially providing peace of mind.

The multi-layered approach to the product is its best feature. Each layer has a different method of protecting its endpoint. 

With cloud integration, there were several improvements made:

• Previously, the endpoint would leave the environment, not being on our VPN, essentially unable to interact with the server to upload files. It was unable to retrieve new file verdicts. It was using a thing called "local analysis" to determine if something was a malicious file or not. There was no dynamic analysis. With the cloud implementation, we now have connectivity to the server at any moment, as long as we have an internet connection.
• A new user interface, which is a lot easier to use. Making it similar to managing a firewall.
• Additional OS support.

Stability has improved over the years, as there were noticeable bugs in earlier releases, such as 3.x. With the later releases, versions 4.1 through 5, they have polished the product. It has gotten much better.

When major releases come out with new features, it is a fairly simple process to upgrade these releases.

It is 100 percent utilized with every feature turned on. We leverage their product to the fullest extent.

Scalability is great with servers and workstations. At a moment's notice, you can add hundreds of endpoints. With Traps 5 being on the cloud, there is no scalability risk. You're not going to overload it, as it is a cloud portal. It is their problem, not yours. If you have any issues, call support. I'm confident I can push the client out to 1000 machines, and it will still check in.

We have over 2500 people in our organization using Traps (the entire organization).

The technical support has gotten better over the years. When they first started Traps, the support was overseas, and there was a language barrier being from the United States. Over the years, they have distributed that support throughout their company. Now, we will call and get someone in the United States, so there is no language barrier, which is an improvement. 

I feel like the support group has definitely improved over the years. If I call now, I'm positive I'm going to get someone who knows the product very well and is going to help me to resolve whatever issue I'm seeing. We have had weird issues, and they actually have done forensic analysis of what was going on. They have adjustments to future dynamic updates because of these issues. Thus, we have had an impact on the product by bringing them an issue, then having them correct it.

We previously used McAfee vs Palo Alto. McAfee is a traditional antivirus. It provided little to no value. We didn't see it stop anything. It wasn't blocking anything. The management was difficult to use because of the virus definitions, where you had to sync every endpoint each day with these updates.

I set up Traps 5 without even looking at the administrative guide. I set it up using logic. Looking at it, reading it, testing it and pushing it out. I set it up in an afternoon with a colleague of mine.

It is easy to implement. It also has dynamic updates, making it smarter. Therefore, there is not much work to be done once you get it configured and pushed out. You can manage it with a small crew of people. Because of its ease of use, businesses might require a full-time employee to manage it. 

It's just one of the tools in the toolbox, and it save us time.

They made it very easy to set up, because you just log into the portal and activate it. They have an automated process to spin up your environment in the cloud. It all happens behind the scenes. 

From a user perspective, it is a click of a button. You just put in the key that was paid for and click a button, then it runs through the setup. Then, they essentially give you a button on your portal, you click it, and it brings you to your management console. Everything is already set up. They manage the upgrades, which is another bonus when being in the cloud, because when it was on-premise, you have to care and feed the server, patch it, upgrade it, and manage the database.

It takes 10 minutes for everything to initialize, since it is a brand new environment. You get to pick your URL, and Palo Alto manages the certificates. When your endpoints connect to the URL, it's just a trusted signed public certificate authority. As long as your endpoints are patched and up-to-date, they trust that certificate. 

Palo Alto is making it easier to implement and manage. They're making it easier to upgrade. The dynamic updates came within the last year or two. Previously, you have to upgrade the actual endpoint software to get more features. 

With dynamic updates, it's an automatic process. It makes the software logic smarter. 

When I first set up Traps four years ago, it took a lot longer because I had to set up a server with the operating system. That takes time. I had to install the software and configure it. I had to have a database, which took time and involved other people. There was a client to deploy to endpoints. Then, there was a certificate to set up for the portal to have our endpoints to communicate with the portal over our SSL. There were a lot of steps.

We did our implementation in-house. We required three to four people for the initial deployment: database administrator, network engineer, server administrator, and security analyst. Afterwards, it takes two people to maintain the solution, but it could be done with one person. We use two people for quality control.

For implementation strategy, if it was a new push or a build, set up your cloud portal, then do a test group, such as a pilot. Set up your policies how you would want them. From there, with your test group, you want to see if any alerts come in and what your endpoints are doing. Then, depending on your company, do a site-by-site implementation. It is integrated with Active Directory, so you can also do group implementation.

We have peace of mind knowing that ransomware isn't spreading through our environment.

The product checks a lot of boxes for compliance efforts. The value is there, because these days no one can afford to experience a breach or have a compromised endpoint. Since these would have to be reported, depending on your industry, it would look bad for the company.

We didn't have to pay any additional fee for the cloud instance. It just came with the renewal, which was nice.

If ransomware were to spread throughout your company, you would not want your file shares to be encrypted nor your servers to be affected. My advice would be get Traps on your servers and on your workstations. Go with version 5 and the cloud instance, then turn on all the features that you can. Some of them come by default disabled out-of-the-box, but you want to turn on all of the features, such as local analysis, file quarantine, WildFire, malicious and grayware blocking and quarantine, restrictions (don't allow executables to run from USB drives, unless it's whitelisted). Turn on all the exploit protections with dynamic updates, and just let it just update. Since we all know the next version of Flash Player is going to have a vulnerability which no one knows about until it's discovered. Then, at that point, it could have already been out there for a while.

With Traps, it could potentially determine the exploit before it's even a known vulnerability. Turn on every single feature you can without taking an impact to performance. Once it's fine-tuned and doing its thing, I have never witnessed Traps not working properly.

They have put in improvements over the years. We have been using the product for over four years now (since I've been with the company). They have added support for additional operating systems, such as Android, macOS, and Linux. They used to be Windows only. They put improvements where they no longer require you to have an on-premise server, so you can host it on the cloud. Thus, when endpoints leave the environment, they can connect to a cloud host and have full connectivity to your policies.

When Traps does sandbox tests, it checks the verdict against their sandbox: WildFire. Having it in the cloud is great, because then the machine doesn't have to be on a VPN or within the company walls with connectivity to an on-premise server. Therefore, having the cloud implementation was definitely an improvement.

When Palo Alto acquires a technology, they implement it into Traps and make the product better. They have done this in the past, and there are cool things coming in the future from these acquisitions.

Our primary use case is anti-malware and anti-exploit.

Traditional anti-virus is signature-based, whereas Traps is behavior-based. Therefore, it doesn't necessarily whitelist things, it looks for anything with bad behavior. Thus, we've had a significant increase in blocking with a decrease in false positives, because it's looking at how the files work, not just a list of files that it's been told to look for.

The anti-exploit is impenetrable. We chose Traps because it is the only product that we were not able to get anything past.

Going from version 4 to version 5, they had a major change in their user interface. Version 5 is now all cloud managed, while it has a very intuitive, useful interface, it doesn't have all the features that were in the version 4 interface. For example, we lost being able to automatically trigger upgrades, like creating manual groups to upgrade with. It doesn't currently have the ability to use the Active Directory to create groups. 

It's fairly stable. They do have bugs which come up every once in a while, but they're usually good about getting them taken care of within a release.

It is definitely scalable.

Primarily, it is just being used by myself. The help desk also uses it. There are probably a total of around ten users.

We've deployed it to about 1500 endpoints so far. There is a possibility that we may expand our usage, but not in the foreseeable future. We are at pretty much at 100 percent deployment at this point.

I would describe Palo Alto's technical support as audio waterboarding. They have the worst support, as a company, that I have ever worked with, as they are difficult to get a hold of and keep on the phone. They don't know what they are talking about when you get them on the phone. They don't like to respond to messages when you send them to them. They like to "research problems" for weeks on end, then pass you off to somebody else.

We were previously using Sophos for antivirus, and are still using Sophos for antivirus, but we're using Traps to augment it.

The initial setup was pretty straightforward on version 4, but on version 5, it is almost idiot-proof.

The initial deployment of getting the servers and everything up took about a week, but getting everything deployed was somewhere closer to six weeks.

We implemented it in-house. We incrementally did some systems to make sure that it wouldn't block anything that it shouldn't. After that, we used Active Directory to push it to everything else.

Very little staff is required for deployment and maintenance, as Traps is self-maintaining.

I feel that we have seen ROI. There have been a number of blocked, bad files that could have gotten through, but were stopped by Traps.

The pricing seems fair, and I do like the licensing model. You use wherever they are, and it is elastic. So, if you have 1100 computers today, you can license that. Therefore, as long as you're below your licensing cap, you're fine.

We looked at Palo Alto vs Sophos, which has a anti-malware system called Intercept X, but it did quite literally nothing. We thought about Symantec, but we didn't end up testing them against Traps.

The implementation is fairly straightforward and easy. With version 5, everything is now on the cloud. It is easy to work with and use. I would use mobile device management (MDM) or Active Directory (AD) to push the file everywhere when installing it, as it will auto go from there. The management is pretty low. Thus, it will be set it, and for the most part, you can forget it.

The level of security I get for my endpoints and servers is extremely valuable.

No signature updates of the AV needed, so no old signatures. No patching, very little operational effort needed.

Performance at the endpoint is much better than with the old AV.

No signature updates needed.

Stops the attack before it is executed.

Two years.

No.

No.

No.

Perfect.

Real experts.

Yes. We switched because the footprint was heavy, the protection rate decreases and the operational costs (incidence response) were high.

Yes, it took one hour to install the back end and the rollout was done by software deployment. Project lasted four weeks .

In-house.

Ask your local dealer.

Yes.

If you are already a Palo Alto Networks Firewall customer you can have perfect Integration between your clients/servers and your firewalls. Automated response without supporting and APIs.

The solution is like a next-level EDR. It can collect information from other solutions to have a global view of the risks and vulnerabilities.

The product has an intuitive dashboard. The first time a client interacts with the solution, they do not face any problems. It is easy for the client to navigate through the tool.

It is a complex solution to implement.

My organization sells the solution.

I did not have any problem with support.

Positive

I believe the implementation is not very easy, but it is not very complex either.

The price of the product is not very economical. It is suitable for clients that have a lot of money to invest.

Customers often ask for proof of concept. People wanting to use the solution should analyze the different tools that can be integrated with the product. At first, clients only consider it an EDR, but later, they might realize that the tool does not have all the capabilities they need. Overall, I rate the solution an eight out of ten.

The tool's use cases are relevant to security. 

The tool needs to be improved in terms of integration and interface. 

I have been working with the solution for five years. 

The solution is stable. 

I would rate the product's scalability a nine out of ten. 

The product's technical support is good. 

Positive

The tool's setup is easy. The solution's deployment took five days to complete. 

The solution is expensive. It's pricing is on a yearly-basis. 

I would rate the tool a seven out of ten. 

I'm testing the product right now. I use the solution for endpoint security.

Everything is fine. 

It'll not slow down your system when compared to others.

The initial setup is easy.

I'd like the solution to provide URL filtering and web-based prevention. We'd like to block web pages at a high level.

We would also like to have advanced tech protection and email scanning.

I've been using the solution for a year.

The product is very stable and the performance is good. It doesn't slow down the systems it runs on. There are no bugs or glitches. It doesn't crash or freeze. 

The solution can scale well.

More than 100 people are using the solution right now. 

We've never needed the assistance of technical support just yet.

I've also used McAfee MVISION Endpoint. 

I'm testing them both and finding the advantages and disadvantages between them.

The solution is very easy to set up.

You do have to pay for a license in order to use a solution. It's expensive.

We're a reseller.

We are using the latest, most up-to-date version, of the product.

I would recommend using it with another protection layer. Cortex should provide an additional layer of security apart from this. You might have to integrate with other vendors also.

If you are looking to deploy a security solution as a whole, this is a good option.

I'd rate the solution seven out of ten. If we had more advanced security features, I'd rate it higher.

We have deployed Cortex XDR for a couple of clients in manufacturing.

Cortex XDR lets us manage several clients from the same console, and its endpoint defense is more advanced than traditional antivirus.

The dashboard could be more user-friendly.

I've been using Cortex XDR for two years.

Cortex XDR is stable enough.

Cortex's scalability is good. We have about 200 users on it at the moment. 

Palo Alto support is great. 

Cortex XDR is trickier to configure than other Palo Alto products. This is one area where we are not so satisfied. We need two people to deploy and maintain the solution. 

Our clients pay for the license every year. It's just a standard fee with no additional costs. 

I rate Cortex XDR eight out of 10.