Installation overview - Learn how to install Cortex XSOAR On-prem, including system requirements and adding a license. - Administrator Guide - 8.13 - Cortex XSOAR - Cortex

Installation overview - Learn how to install Cortex XSOAR On-prem, including system requirements and adding a license. - Administrator Guide - 8.13 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product

Cortex XSOAR

Version

8.13

Creation date

2026-02-12

Last date published

2026-05-27

Note

As the data store is an integral part of Cortex XSOAR, you don't need to connect to an external Elasticsearch cluster. You do not need to procure, license, or manage a separate Elasticsearch instance. The necessary components are included within your Cortex XSOAR license.

Before installing Cortex XSOAR, ensure your environment meets all requirements, avoiding installation issues and enabling a smooth setup. Depending on your needs, decide whether to deploy a standalone node or a cluster of three nodes for optimal performance.

Deployment mode	Overview
Standalone	Standalone uses a single node, which is more suitable for small-scale data scenarios. A node is a virtual machine (VM) with a distinct host IP address that runs the Cortex XSOAR application. Deployment on a standalone environment involves setting up one VM. After deploying the relevant image file, a textual UI guides you through the installation process, which includes installing the cluster from one node and setting the node's IP address. Note Currently, if you deploy a single node (standalone), you can't switch to a cluster of three nodes.
Cluster	A cluster is a group of three nodes that are managed together and participate in workload management. It is suitable for large-scale data production environments and offers High Availability and load balancing. For more information about High Availability, see High Availability for Cortex XSOAR. For more information about load balancing, see Load balancing for Cortex XSOAR. Deployment on a cluster involves: Setting up multiple VMs Configuring the nodes After deploying the relevant image file, configure the nodes by opening the textual UI: In the Connect Nodes menu, connect the VMs (establish trust between all nodes in the cluster). In the Cluster Installation menu, select one node from which to install the cluster, including setting the IP addresses of each node. To implement High Availability for VMs deployed on Hyper-V or VSphere, set the FQDN IP address to either a virtual IP or a reverse proxy/ingress controller as a single entry point to distribute traffic across the nodes in the cluster.

Deployment mode

Overview

Standalone

Standalone uses a single node, which is more suitable for small-scale data scenarios. A node is a virtual machine (VM) with a distinct host IP address that runs the Cortex XSOAR application.

Deployment on a standalone environment involves setting up one VM. After deploying the relevant image file, a textual UI guides you through the installation process, which includes installing the cluster from one node and setting the node's IP address.

Note

Currently, if you deploy a single node (standalone), you can't switch to a cluster of three nodes.

Cluster

A cluster is a group of three nodes that are managed together and participate in workload management. It is suitable for large-scale data production environments and offers High Availability and load balancing.

For more information about High Availability, see High Availability for Cortex XSOAR. For more information about load balancing, see Load balancing for Cortex XSOAR.

Deployment on a cluster involves:

Setting up multiple VMs
Configuring the nodes
After deploying the relevant image file, configure the nodes by opening the textual UI:
- In the Connect Nodes menu, connect the VMs (establish trust between all nodes in the cluster).
- In the Cluster Installation menu, select one node from which to install the cluster, including setting the IP addresses of each node. To implement High Availability for VMs deployed on Hyper-V or VSphere, set the FQDN IP address to either a virtual IP or a reverse proxy/ingress controller as a single entry point to distribute traffic across the nodes in the cluster.

Note

Each node must meet the minimum specifications, depending on whether you require extra small, small, medium, or large scale. For more information, see System Requirements.

Supported deployment platforms

Cortex XSOAR supports the following image files, which are downloaded from Cortex Gateway:

Image file	Platform
OVA	Deploy on the following platforms: AWS: For more information, see Install Cortex XSOAR on a VM deployed on AWS. OCI: For more information, see Install Cortex XSOAR on a VM deployed on OCI. VMWare: For more information, see Install Cortex XSOAR on a VM deployed on VSphere.
VHD	Deploy on Microsoft Hyper-V. For more information, see Install Cortex XSOAR on a VM deployed on Hyper-V.

Post-installation

After installation, add your license to Cortex XSOAR and set up a secure HTTP connection, if required.

You can optimize system performance, such as adding or removing nodes in a cluster. For more information, see Post-installation and Optimize performance and robustness from the textual UI.