Cortex XDR offers superior endpoint protection and response.
Select one of the following Cortex XDR variants depending on two primary factors: the location of your infrastructure and the nature of the workload, standard versus containerized.
Cortex XDR Pro EP (on-premises) is designed for on-premises hosts, encompassing physical or virtual machines running directly on infrastructure that your organization owns and manages in its own data centers or facilities. Use Cortex XDR Pro EP when the host is a physical server or workstation in your data center or office, or when the host is a non-containerized virtual machine running on on-premises hypervisors such as VMware ESXi or Hyper-V.
Cortex XDR EP Cloud (cloud and containers) is designed for hosts running in a cloud environment and any containerized workload, regardless of where the container runs. Use Cortex XDR EP Cloud when the host is a virtual machine or instance running in a cloud environment, like AWS EC2, Azure VM, or GCP Compute Engine. Use Cortex XDR EP Cloud when the workload is a container, such as a Docker or Kubernetes pod, even if that container is actively running on on-premises infrastructure.
To view the product license and add-ons associated with your tenant, go to → .
Capabilities and add-ons
Cortex offers a modular set of license packages that work together: each package can be added on top of the base product, Enterprise Runtime Security (XDR), and further packages can be layered on in turn.
Key features include:
| Feature | Description |
|---|---|
| Enterprise Runtime Security | Comprehensive endpoint and server protection by combining AI-driven analytics, endpoint controls, next-generation antivirus, and automated investigation to detect and respond to threats across various environments. |
| Core Analytics | Detects anomalies and threats using machine learning and behavioral models across endpoint, network, and identity data. |
Use the following add-ons to expand your capabilities and to enable more granular investigation.
Security add-ons
| Security add-on | Description |
|---|---|
| Data Collection | Collects and normalizes data, creating a unified foundation for analytics, investigation, and detection. |
| Cloud Posture Management | Agentless, comprehensive visibility across your cloud environment. |
| Cloud Runtime Security | Full cloud protection, detection, and response. For more information about Cortex Cloud Posture Management and Cortex Cloud Runtime Security licensing, see Understand license plans. |
| Application Security | Comprehensive protection for your software development lifecycle (SDLC) from code to cloud, offering visibility, detection, contextual analysis, prioritization, prevention, and remediation. |
| Attack Surface Management | Provides visibility into internet-facing assets with ASM enrichment, external services, external IP ranges, attack surface rules and alerts, ASM widgets, and reporting capabilities. |
| Identity Threat Detection & Response | Enables asset role configuration, the advanced analytics alert layout, the Risk Management dashboard, the User/Host Risk view, designated analytics for compromised accounts, and insider threat coverage. This solution helps organizations proactively secure identities, accelerate threat response, and reduce security operations complexity. |
| Forensics | Detects attacker activity by reviewing key artifacts such as event logs, registry keys, and browser history. Forensics simplifies investigations so you can trace every move an adversary made and swiftly contain threats from one place without pivoting between security tools. |
| Host Insights | Combines Vulnerability Management, Host Inventory, and a powerful Search and Destroy feature to help you identify and contain threats. It offers a holistic approach to endpoint visibility and attack containment, helping reduce your exposure to threats so you can avoid future breaches. |
| Extended Threat Hunting | Investigates everyday activity in real time and analyzes patterns to discover new threats, aiming to proactively minimize risk for an organization. |
| Extended Compute Units | Additional compute resources beyond the annual allocation. You can purchase more units or enable dynamic allocation for flexible access. This ensures uninterrupted service, supports scaling during peak workloads, and optimizes resource management to maintain performance during high-demand periods. |
| Exposure Management | Gain comprehensive visibility, actionable prioritization, and automation-first remediation to help security teams proactively assess and respond to organizational exposures. |
| Advanced Email Security | Investigate and respond to threats within modern, distributed email infrastructures. The module is a scalable, API-based solution that passively analyzes cloud-hosted email environments to detect threats. It ingests data from messages, attachments, and user identities to identify early-stage threats and high-risk behaviors without requiring any changes to mail flow. |
| DLP (Data Loss Prevention) | The Cortex Data Loss Prevention (DLP) module provides a unified and flexible solution to prevent sensitive data exfiltration. It continuously enforces policies on endpoints (even offline) across web, local, and USB channels, protecting both on-premises and cloud environments. |
Capacity add-ons
| Capacity add-on | Description |
|---|---|
| Data Retention | Ensures extended access to data, strengthening threat investigation, compliance, and long-term visibility. |
| Extended Compute Units | Additional compute resources beyond the annual allocation. You can purchase more units or enable dynamic allocation for flexible access. This ensures uninterrupted service, supports scaling during peak workloads, and optimizes resource management to maintain performance during high-demand periods. |
| Endpoint Event Forwarding | Enables exporting the raw telemetry collected by XDR Agents, and event data from cloud endpoints where relevant, to external systems. |
| GB Event Forwarding | Enables exporting parsed logs to an external SIEM for storage, so you can keep data in your own storage in addition to the Cortex XSIAM data layer, for compliance requirements and machine learning purposes. |