it_user1237689 - PeerSpot reviewer
Network Designer at a computer software company with 1,001-5,000 employees
Real User
Easy to set up with excellent trend analytics and isolation feature
Pros and Cons
  • "The initial setup is pretty easy."
  • "In reporting they should have a customizable dashboard due to the fact that C-level people don't like reporting to the IT department. They prefer to have a real-time dashboard. That kind of dashboard needs to have various customizations."

What is our primary use case?

We primarily use the product as endpoint security which we have deployed on all servers and locations. This is not limited to the endpoint, however, as it has further integration with the firewalls and email solutions. Therefore, it can give us quick visibility in case there is any malicious or suspicious activity happening.

What is most valuable?

The solution offers very high performance.

The solution has analytics that watch patterns and trends. If there is a change in user behavior or communication, it has the ability to track that. 

The solution has a very helpful isolation feature. If any system gets compromised, with one click I can access the system and isolate it from other networks, and then go into further forensic investigation of the current threat without compromising anything else.

There are a lot of lead solutions in this space, however, Palo Alto is number one.

The initial setup is pretty easy.

What needs improvement?

The solution should enhance the ADR and reporting. As of right now, they are giving reports, which are okay, however, there are other ways to get better reporting. That is an area I have already requested that Palo Alto work on.

In reporting they should have a customizable dashboard due to the fact that C-level people don't like reporting to the IT department. They prefer to have a real-time dashboard. That kind of dashboard needs to have various customizations. 

They should extend the solution for URL filtering, as other endpoint security products are doing that already. Nowadays, users are working from home and therefore we have plenty of traffic back through the data center just for URL filtering security. If that functionality could be there in the endpoint, then we would be happy. It would ensure users working from home couldn't access malicious websites. 

For how long have I used the solution?

We've been using the solution for one year. Before that, we were using Palo Alto Traps.

Buyer's Guide
Cortex XDR by Palo Alto Networks
June 2025
Learn what your peers think about Cortex XDR by Palo Alto Networks. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
856,873 professionals have used our research since 2012.

What do I think about the stability of the solution?

The solution is very stable. I pretty much depend on product stability. Over the last six months, we have been able to see that Palo Alto is more stable than most. There is no such issue in that regard.

This is a very stable product, whether it is running on a database or email system or on any platform. It works perfectly fine.

What do I think about the scalability of the solution?

The solution is very scalable. This is due to the fact that it is being managed through the cloud making it easy to deploy to a thousand endpoints. There is no issue at all. As long as there's enough space for the solution to expand, it can grow out to any size you need.

How are customer service and support?

Technical support from Palo Alto is perfect. However, we have first-level support from a third-party. They sometimes take time to respond, which is not ideal. That said, when we get aligned with the tech support from Palo Alto, that really works well. Their level one support is with other vendors, and level two and level three support is with Palo Alto. That's how they are set up. They deal with bigger issues.

Overall, we've been pretty satisfied with technical support.

Which solution did I use previously and why did I switch?

We're service providers. We offer a variety of solutions to our clients, including Palo Alto, Cisco, Microsoft, and McAfee, depending on their needs. We don't just use or recommend one particular endpoint protection product.

About a year back I implemented Cisco and Palo Alto for our customer. Cisco AMP is also a good solution while it is running with the grid, however, I have not been involved with using it for three years.

In routing and switching, Cisco is good. However, Cisco AMP, which is an endpoint security, requires you to work with many other AMP solutions from Cisco. 

My first preference would be Palo Alto and my second preference would be Cisco AMP.

How was the initial setup?

The initial setup is not complex at all. It is very straightforward and very easy to implement. I implemented it for 1000 or so users, and it took only about one month to execute. Even when we were in a pandemic situation where users were at home, we did it that quickly. It is very easy to deploy.

What's my experience with pricing, setup cost, and licensing?

The pricing is actually very reasonable. Palo Alto is very invested in some commercial endeavors and they have simplified their license. A team license can be used on-cloud, or on-prem. We have not faced segregation on any technologies, so a simple license gets any user anywhere without limitations. It is easy to increase the license as it's a cloud service. You just speak to your account manager and they can increase the licenses for you.

What other advice do I have?

While we deal with the cloud deployment model, we've also often used the on-premises deployment.

I'd advise other companies to use the solution. It really is the best one out there.

Overall, I'd rate the solution nine out of ten. The reporting is a bit weak, and it's my understanding they are working on that. However, performance-wise and security-wise, this is the best product.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Assistant Superintendent with 51-200 employees
Real User
Straightforward to set up and the support is highly-rated
Pros and Cons
  • "The interface is easy to use and it is more up to date than our previous solution."
  • "Although I would say this product is highly-rated, it could probably do more because nothing does everything that you want."

What is our primary use case?

This product is part of a package that makes up our security solution.

What is most valuable?

The interface is easy to use and it is more up to date than our previous solution.

What needs improvement?

Although I would say this product is highly-rated, it could probably do more because nothing does everything that you want.

For how long have I used the solution?

We have been using this product for about four months.

What do I think about the scalability of the solution?

We think that this product will help us grow. We think that it meets our needs currently, and we can grow with it over time. There are 12 people in the IT department who currently manage it.

How are customer service and technical support?

The support is excellent. We had a couple of issues that we had to call for and I would say that they are highly rated.

Which solution did I use previously and why did I switch?

Our older solution was from Fortinet. It was out of date and more difficult to use. The IT staff say that the Palo Alto product is better.

How was the initial setup?

The initial setup was straightforward.

What about the implementation team?

We worked with a reseller. They came in, we told them what we wanted to do and they set it up to our spec. The person who came in and helped support us was highly skilled and it worked seamlessly.

What's my experience with pricing, setup cost, and licensing?

We pay about $50,000 USD per year for a bundle that includes Cortex XDR.

Which other solutions did I evaluate?

We evaluated Palo Alto and Trend Micro, and we opted for the Palo Alto Cortex XDR.

What other advice do I have?

I don't use this product on a daily basis but we like what we have so far and I would definitely recommend it to other users.

My advice is to make sure that you have a good implementor and that the reseller you're purchasing from gives you a highly-qualified engineer.

Overall, we are happy with this product but that said, nothing does everything that you want.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1388277 - PeerSpot reviewer
Senior Information Security Architect at a tech services company with 201-500 employees
Real User
Great machine learning capabilities, a strong cloud platform and good overall features
Pros and Cons
  • "It collects and caches the knowledge of machine learning from different customers to take to the cloud. It makes it better to use for everybody. It allows for quick learning and updates and can, therefore, offer zero-day malware security. This sharing of metadata helps make the solution very safe."
  • "The solution can never really be an on-premises solution based simply on the way it is set up. It needs metadata to run and improve. Having an on-premises solution would cut it off from making improvements."

What is our primary use case?

I primarily use this solution for my clients. I don't use the solution myself.

What is most valuable?

I can call the tweak responses or other items that the customer doesn't like very easily due to the fact that this solution is on the cloud.

It collects and caches the knowledge of machine learning from different customers to take to the cloud. It makes it better to use for everybody. It allows for quick learning and updates and can, therefore, offer zero-day malware security. This sharing of metadata helps make the solution very safe.

Even the firewalls have their signatures. It takes from different resources and takes note of everything. 

The exploits and malware technology are really good. 

What needs improvement?

It's my understanding that this solution is at end-of-life.

It's hard to use as a product. It's not easy or straightforward. Especially when I deal with a government sector or other sensitive industries. They do not accept that it's so easy to share metadata outside their organization. They prefer on-prem even if it is not as powerful due to the fact that they perceive it as being more secure.

The solution can never really be an on-premises solution based simply on the way it is set up. It needs metadata to run and improve. Having an on-premises solution would cut it off from making improvements.

The deployment is pretty hard. Competitors like Trend Micro or Symantec have features on their console that make them easier to use. This solution does not offer items that would increase its usability.

Before I moved to technical sales, I handled implementation, and I remember it being very difficult. They need to improve this aspect.

The solution provides a lot of false positives. The average amount of false positives you get is 5%. It would be great if this could be lowered.

For how long have I used the solution?

I've been using the solution for a year and a half.

What do I think about the stability of the solution?

Security people usually think it's a very powerful solution. However, government teams always worry about the security of the cloud and always need to send approvals. Since this solution is not a normal endpoint, it can be a bit tricky for compliance purposes.

At the same time, it does its job. It's very good at vulnerability management.

That said, it is really not flexible to make deployments on certain platforms. It's really complicated. Sometimes the solution falls off.

How are customer service and technical support?

We've contacted technical support in the past and they are very good. They are usually quite capable of closing the issue for us. They're also great if we're working out a new configuration or doing a completely new implementation. We're satisfied with their level of service.

How was the initial setup?

The initial setup is not straightforward. It's not that it's complex per se. It's difficult. 

The IVR needs to be reached on the outside. You need to make it to the server and that's connected to the database that communicates with the agent properly. You have to push the agents and put the sensors inside the network. 

What about the implementation team?

We're an integrator; we implement this solution for our clients.

What other advice do I have?

We have a partnership with Palo Alto. I'm a consultant, I'm pre-sales as a technical sales engineer. I try to show the value of any product for the customer. I don't actually use the solution myself.

The solution does not have an on-premises option. It's only available on the cloud.

For XDR, new users just need to make sure they have the right policies in place. The solution does offer pre-configured policies. Organizations will want to make sure it is actually fitting them in the places where they will be working best. It's important as well that they don't make it a default selection. Users need to make sure that it's really configured and whitelisted and everything fits the organization.

I'd rate the solution eight out of ten. I'd rate it higher, however, the deployment process is poor even though the features are decent. Competitors like Carbon Black have much easier deployments.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer1371849 - PeerSpot reviewer
CIO/CTO at a manufacturing company with 501-1,000 employees
Real User
Good GUI, however lacks features overall and tends to eat memory
Pros and Cons
  • "They have a new GUI which is just fantastic."
  • "There's an overall lack of features."

What is our primary use case?

We primarily use the solution for our endpoint server and endpoint protection.

What is most valuable?

There aren't many features we find valuable on the solution.

They have a new GUI which is just fantastic.

What needs improvement?

The solution eats memory of the computer, unlike anything I've ever seen. It eats more memory than Chrome. 

I have a lot of users that are eating my memory each hour every day and it's causing us problems. We have to go and buy more memory for each computer. When you have a lot of computers like we do, it is not a very good situation.

Some of the computers are only using 4 GB of memory, so if you put aside the differences, most only have some Chrome, some internet, and Office and that's it. And yet, the memory is getting eaten.

If someone catches something like malware, or something else, I want to know if the file was spread to other machines and what the target was. I want to be able to get ahead of the spread. This solution doesn't do enough to protect us against these types of vulnerabilities or to give us much information about the spread. The tool really does need some more reverse engineering features.

There's an overall lack of features.

The initial setup could use improvement. Currently, I must go to each machine and deploy everything manually. We are in 2020, not in 1980. It seems like such a dated way of doing large deployments.

For how long have I used the solution?

I've been using the solution for a year and a half.

What do I think about the stability of the solution?

When I was experimenting with stability early on, I did run into issues when testing the solution in the sandbox.

Eventually, it catches one of the executive files and if you go to the management section of the solution and you release this file, it takes seven or eight tries to do it. You need to keep trying, again and again, using the same procedures to release the file for usage. That was in the beginning and we still have this issue, even though they made a new GUI for management. It's still not resolved.

What do I think about the scalability of the solution?

We have several hundred users.

I had some issues initially in the sandbox when I was testing scalability.

How are customer service and technical support?

I have reached out to technical support in the past. I find dealing with them is like talking to a wall. They aren't terrible, however, you don't really get any guidance. They ask over and over to get us to send them dump files and we do over and over. After all of the back and forth, nothing is really resolved to our satisfaction. You're paying for their services, and you don't get the level of service you would expect. It's a pain point.

How was the initial setup?

The initial setup was not complex. It was very straightforward.

The deployment did take a lot of time due to the fact that we had seven hundred computers. 

What other advice do I have?

We simply use the solution as a customer.

I would not recommend the solution. I'd advise other companies to rather go with Palo Alto's firewall as a better option. I've already advised others not to touch it. It's not worth it at all to even consider using it.

I'd rate the solution six out of ten. Their new GUI is very nice, however, as a professional service, it's lacking in a lot of areas.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Mohammad Qaw - PeerSpot reviewer
Senior Security Consultant at helpag
MSP
Top 20
Great security protection modules and is a very stable solution
Pros and Cons
  • "It's very stable. I've never experienced downtime for the ASM console or ASM core."
  • "In the next release, I would like to see more UI improvements. Their UI is a bit basic. When we are speaking about Palo Alto Networks they are the big company, so they can improve the UI a little bit. The UI, the reports, the log system can all be improved."

What is most valuable?

I've found the security protection modules there have been the most valuable.

What needs improvement?

I started using it from 4.1, but it didn't change that much. Some features and some fixes have been added to 4.2, but not that much. They need to improve reporting, the end-point reporting. They could also enhance their notification statuses. In the current version, you will see some threat alerts, or if anything is executable, but you will not see behavioral analysis. You will see what was being blocked, and that's it. If Traps logs something, you will get a notification. Otherwise, you have to generate the dump file and investigate on your own.

In the next release, I would like to see more UI improvements. Their UI is a bit basic. When we are speaking about Palo Alto Networks they are a big company, so they can surely improve the UI a little bit. The UI, the reports, the log system can all be improved. But overall, when we speak about security and protection, they are one of the top providers.

For how long have I used the solution?

I've been using the solution for six months.

What do I think about the stability of the solution?

It's very stable. I've never experienced downtime for the ASM console or ASM core. But we experienced this for the database, and it was not clear in Traps' interface. So, Traps' server stopped working, stopped getting jobs, stopped enforcing policies because the database was full. We did not get any alert for that, so you will not see any alert on the ESM console that says that your database is about to fill up. It was not reachable and there was no warning or indication for this. You have to go to some tools internally and check in the command line, to see. You will see some errors for the DB, and you will realize that it's a DB issue. I've never experienced any issue with the Traps itself, but with the database.

What do I think about the scalability of the solution?

It's very easy to scale if you have file availability. If it's more clear, we can do high availability, but it's a bit tricky. We deployed this for 4,000 endpoints, and it was very easy. Two ASM core servers were enough to deploy it for 4,000 plus endpoints. These are enterprises, not SMBs. They're government institutions.

How are customer service and technical support?

I would not say that technical support is bad, but it's not that good. It could be better.

Basically, they don't provide customer support tools just to investigate the logs. From a reseller or authorized center for Palo Alto, I can't get that much information from the logs because it's a bit complicated. If they have support tools, for example, to analyze the logs as they have for the Palo Alto firewall. They don't have this for Traps. They need to have some tools to analyze the logs. We can generate something called tech support files from Traps, but it's useless. Nothing's there. You will not get that much from the tech support file.

But for the firewall, if we get the tech support file and upload it to somewhere they have some tools, we can get many useful logs and alerts. For Traps, this is not possible.

How was the initial setup?

The initial setup was straightforward. They are using MySQL database, and I think it's a disadvantage because you need to buy a license for MySQL also to deploy it. They don't have this concept of file availability between DS and core servers.

What about the implementation team?

We are a reseller. We are implementing it on customer premises for our clients.

What other advice do I have?

The main advice I can share is to watch out for your database and make sure to give it enough resources. That's it.

I would rate this solution eight out of 10.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
PeerSpot user
Information Technology Manager at a hospitality company with 10,001+ employees
Real User
You can see the value for your money and sleep peacefully at night, not worrying about ransomware attacks
Pros and Cons
  • "After deploying Traps, we saw the performance of the network improve by 65 to 70 percent."
  • "Traps is quite a stable product. Once it was properly deployed and configured, you have nothing to be worried about."
  • "There are some default policies which sometimes affect our applications and cause them to run around. In the hotel industry, we use a different type of data versus Oracle and SQL. By default, there are some policies which stop us from running properly. Because of this, the support level is also not that strong. We have to wait to get results."

What is our primary use case?

I used the product at my previous company until November 2018.

How has it helped my organization?

After deploying Traps, we saw the performance of the network improve by 65 to 70 percent. There was a drop in the latency rate over the application, when accessed via our users. We received feedback from users that usually when they were downloading a bunch of things or browsing the Internet, ad popups would spring up which are a gateway to bring viruses and stick in temp files. This improved a lot because Traps occasionally gives an alert to them to be careful, such as don't go on play on this site and download malicious things. The overall performance of the entire organization was improved because of this.

When I was monitoring Traps, during the period after we deployed it fully on our organization, there were around 125 users on it. We could see in a whole day that there were around 10 to 15 threats which kept popping up. Because I work in the hotel industry, we have a lot of emails which come through worldwide. They are for reservations and booking. Out of those 50 emails, five to six emails are malicious emails which have the extension of .exe files or other encrypted files. They could have had macros enabled in those files as well. Traps would alert us to these malicious files.

The network was infected when we were using Traps. One of the reservation computers was infected with ransomware. It was detected by the Traps. In Traps, it shows up that they investigated the file which was in a zip format. We uncompressed it to view the file and saw Traps detected this infection. It does analysis of all the files to an in-depth level, which was helpful for us to detect and avoid that infection being spread around.

What is most valuable?

A majority of its features are very good, well-designed, and programmed. Most of the machine learning has features where we took a deep analysis on kernel level scanning. It has shown that if in case of anything happens, like first-level operation fails or it went to the next level that it will protect the machine. You can see the artificial intelligence working on it. 

What needs improvement?

There are some default policies which sometimes affect our applications and cause them to run around. In the hotel industry, we use a different type of data versus Oracle and SQL. By default, there are some policies which stop us from running properly. Because of this, the support level is also not that strong. We have to wait to get results.

Originally, we wanted to uninstall Traps because we could not run our operations because Traps, by default, had blocked applications and files. This is still a thing, as we still have to give flexibility to certain policies which are pre-defined in the Traps application.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Traps is quite a stable product. Once it was properly deployed and configured, you have nothing to be worried about.

When the product was updated, I also worked on the latest version.

What do I think about the scalability of the solution?

It is scalable. 

We had 150 end users. The end users ranged from the manager level to the supervisor level. These users include salespeople who carry their laptops when they travel out of the country on business trips.

How are customer service and technical support?

In this region, I find there are not many good engineers available for Traps. The one guy who specializes in the work functionality, if any issue comes up, might not be available in the country. Therefore, it's challenging to get the specialized person who knows how to troubleshoot and get the fix. Otherwise, we have to wait for at least 24 hours to get support and results. If an issue comes up because of a new version which we deployed and updated has any changes, we need support immediately, not in 24 hours. For example, we don't know what changes were made to which parameters, what we need to disable or activate, and if they blocked any of the applications, then our operation will get stuck.

Which solution did I use previously and why did I switch?

We were the victim of ransomware. Prior to that we were using an antivirus application from Sophos, which was not able to detect that ransomware engine which encrypted our servers and client machine. So, it was a disaster, and we started looking for another solution which could perform better and give us zero-day threat alerts. I researched which would be the better solution and came across Traps. We ran version 3.5 for a period of one month, where we tested it against malware, viruses, etc. The performance of the Traps has proven itself to work very well in detection.

How was the initial setup?

The initial setup is very straightforward. 

The deployment took five minutes to be fully functional and configured. It was just one simple utility which we had to install on the computers. It was not a complex thing once we had it installed. We created a whitelist policy for whatever applications were there. This was a one-time job to streamline the access levels to be allowed. Once the one-time job was done, it gets pushed out to the entire organization. 

During the PoC stage, we discussed with the engineer how we wanted it because we had an Active Directory and all the user accounts were connected to the directory. We deployed the data from Traps onto one of the servers, then data to the Active Directory. From there, we pushed all the agents to all the users, then we took the file and deployed it. Whenever the users login, it gets deployed and installed. The deployment went very well and was properly executed.

What about the implementation team?

The deployment was done by two engineers from Palo Alto and me. They assured me by installing in two to three machines. There were very simple steps to follow, like three to four steps, for the installation. Afterwards, they took care of deploying Traps for all the users.

The admin has been responsible for maintaining it.

What was our ROI?

The return on investment is from the user side because we have seen the performance of it increase the delivery time of the product if we are using too many web-based and on-premise applications. In indirect ways, we saw the return of investment in terms of performance and user satisfaction increase.

What's my experience with pricing, setup cost, and licensing?

It is cost-effective compared to similar solutions. It fits for the small businesses through to the big businesses.

Which other solutions did I evaluate?

I have worked with different product lines: McAfee, ESET Endpoint Security, and Sophos. However, I find the Traps to be much better in comparison to all the other competitors available in the market. 

I did PoCs on products called Cylance and CrowdStrike. Although, I consider these products and they were also good, when it comes to cost and budgetary factors, Traps has been proven to be better than the other two products. It is quite cost-effective and delivers all the entire solution which we require.

What other advice do I have?

Overall, Traps is a very good application when you compare endpoint security solutions available in the market. You can see your value for your money. You can see the results and sleep peacefully. You don't have to worry about a ransomware attack. Traps is very well-designed. It also does good things with deep machine learning. If it finds any malicious activity, it will alert you.

Based on our feedback and recommendations, our sister companies had been looking forward to replacing their current solution with the Traps.

My current company is in the process of evaluating the solution.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
ManagerO5d72 - PeerSpot reviewer
Manager of InfoSec at Jo-Ann Stores
Real User
We have not had any malware successfully execute on an endpoint since deploying Traps.
Pros and Cons
  • "Traps has drastically reduced our endpoint attack surface via advanced detection capabilities, sandboxing of never before seen programs, and by drastically limiting where executables can launch in the first place."
  • "There is a severe gap in functionality between Windows, Linux, and Mac versions. For example all folder restriction settings are Windows only. Traps 5.0+ does not have SAML / LDAP integration."

What is our primary use case?

How has it helped my organization?

Traps has drastically reduced our endpoint attack surface via advanced detection capabilities, sandboxing of never before seen programs, and by drastically limiting where executables can launch in the first place. We have not had any malware successfully execute on an endpoint since deploying Traps.

What is most valuable?

Wildfire, advanced detection capabilities, and whitelist/blacklist features. These features have provided us an easy way to lock down our systems to prevent execution of unknown code and scripts and to prevent launching of code from end user writable directories.

What needs improvement?

The application whitelisting/blacklisting feature is based purely on path and filenames. Changing a filename can bypass it easily. The uninstall admin password for the client is passed in clear text during install. 

There is a severe gap in functionality between Windows, Linux, and Mac versions. For example, all folder restriction settings are Windows only. Traps 5.0+ does not have SAML / LDAP integration. This is ridiculous for an enterprise product.

Traps 5.0 does not integrate with Palo Alto's Panorama product, which was a big selling point of Traps 4.0. Traps 5.0 has no ability to send an email to alert of detections. Instead customers have to jump through hoops to use Palo Alto's log management service to forward logs into a 3rd party SIEM and then build your alerts from there. No EDR functionality, though this is supposedly coming.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Mostly positive. We've had some episodes early on where upgrades caused some issues with the backend database, but that seems to have cleared up. This issue would not impact the Traps 5.0 users as it is SaaS based.

What do I think about the scalability of the solution?

This software exists on every workstation and server in our company with ~10,000 people using the solution. For on-prem, we run 3 nodes and it handles the load just fine. We could always add more nodes if necessary. For the SaaS solution, that is all on Palo Alto's side.

How was the initial setup?

Setup was pretty straightforward. The product is very granular and customers can turn on features as they are ready/comfortable in order to keep the deployment simple. For organizations with a good understanding of their infrastructure, deployment should be pretty simple.

What about the implementation team?

We deployed Traps ourselves. We went big bang and deployed all features at once. We had a strong understanding of our systems and were able to provide whitelisting settings up front that made sense. There was a bit of post-deployment work to resolve things that were missed, but all things considered the deployment strategy went smoothly and was the right call.

What was our ROI?

For an endpoint security service, that is hard to state. We have not seen a malware infection since deployment.

What's my experience with pricing, setup cost, and licensing?

I feel it is fairly priced.

Which other solutions did I evaluate?

We evaluated 

What other advice do I have?

I think Traps has the best mix of features by price in the industry. It is not flawless by any means, but Palo Alto seems committed to it and is improving it. Traps 5.0 is promising, though they have a ways to go before I'd be willing to implement it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer2159517 - PeerSpot reviewer
Mdr of Presales & Customer Success Head at a financial services firm with 1-10 employees
Real User
A stable and scalable solution with good customer support
Pros and Cons
  • "The solution allows us to make investigations. Other XDR solutions also provide similar capabilities but for investigation, Cortex XDR is better."
  • "The product's pricing could be better."

What is our primary use case?

We use the solution for telemetry and for its anti-virus capability.

What is most valuable?

The solution allows us to make investigations. Other XDR solutions also provide similar capabilities but for investigation, Cortex XDR is better.

What needs improvement?

The product's pricing could be better.

For how long have I used the solution?

I have been using the tool for several years.

What do I think about the stability of the solution?

The solution is stable. I would rate its stability a nine out of ten. 

What do I think about the scalability of the solution?

The product is scalable. 

How are customer service and support?

The technical support team is good.

How was the initial setup?

The initial setup was easy.

What was our ROI?

The tool is worth its money. 

What other advice do I have?

I would rate the solution an eight out of ten. 

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free Cortex XDR by Palo Alto Networks Report and get advice and tips from experienced pros sharing their opinions.
Updated: June 2025