Executive Summary
Cost Savings And Business Benefits Enabled By Cortex XSIAM
A FORRESTER TOTAL ECONOMIC IMPACT STUDY COMMISSIONED BY palo alto networks, september 2025
In today’s digital-first landscape, organizations face an increasingly complex and high-stakes cybersecurity environment. Security operations centers (SOCs) are under constant pressure to detect, investigate, and respond to incidents faster and more accurately. Cortex XSIAM from Palo Alto Networks overcomes these challenges by unifying SIEM, XDR, SOAR, threat intelligence, and exposure management into a single AI-driven, cloud-native platform — reducing response times, cutting complexity, and lowering costs. Its behavioral analytics and machine learning capabilities enable the proactive detection of threats, simultaneously alleviating the operational burden on SOC teams. By automating routine tasks and stitching together enriched, contextualized incidents, Cortex XSIAM has the potential to transform the SOC.
Across industries, siloed security tools create blind spots, slow response, and leave organizations vulnerable to rising attacks. The volume, velocity, and variety of threats continue to grow, while the attack surface expands across hybrid infrastructures, cloud environments, and globally distributed workforces. Traditional security information and event management (SIEM) solutions rely heavily on rule-based detection, generate high volumes of false positives, and require extensive manual correlation across disparate data sources. SOC analysts spend hours stitching together fragmented alerts to form a coherent incident narrative, delaying response and increasing risk. Meanwhile, the cost and complexity of maintaining legacy platforms — especially those with hardware dependencies or rigid licensing models — can hinder scalability and agility.1
Palo Alto Networks’ Cortex XSIAM ingests and normalizes data across all possible security and IT sources across endpoint, network, cloud, identity, and beyond — both first and third party — into the unified Cortex Extended Data Lake (XDL). The platform then applies AI and analytics to this data to natively deliver all major security and operations (SecOps) capabilities — including SIEM; extended detection and response (XDR); security orchestration, automation, and response (SOAR); threat intelligence; email security; and exposure management — in one unified user experience. The platform’s analytics and machine learning capabilities enable proactive prevention and real-time detection of threats, simultaneously alleviating the operational burden on SOC teams. By simplifying operations, automating routine tasks, and empowering AI for decision-making, Cortex XSIAM can transform security operations, empowering analysts to focus on higher-value activities like threat hunting and SOC optimization.
Palo Alto Networks commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying Cortex XSIAM.2 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of Cortex XSIAM on their organizations.
To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed four senior security leaders who use Cortex XSIAM in their organizations. For the purposes of this study, Forrester aggregated the experiences of the interviewees and combined the results into a single composite organization, which is a global technology services firm with 10,000 employees and $5 billion in annual revenue, operating across multiple regions and serving clients in highly regulated industries such as healthcare, finance, and telecommunications. It maintains a 24/7 SOC staffed by a team of cybersecurity professionals. Prior to deploying Cortex XSIAM, the composite relied on a fragmented mix of legacy SIEM, endpoint protection, and SOAR tools. The composite deploys Cortex XSIAM (in Year 0, the initial period) as a cloud-native, integrated platform that unifies its SIEM, XDR, SOAR, threat intelligence platform (TIP), and other capabilities, supporting 10,000 endpoints and capable of ingesting 1,700 GB of data.
For more information, read the full study: “The Total Economic Impact™ Of Palo Alto Networks Cortex XSIAM,” a commissioned study conducted by Forrester Consulting on behalf of Palo Alto Networks, September 2025.
Key financial metrics (figure): return on investment (ROI), benefits PV, net present value (NPV), and payback period; the ROI, benefits PV, and NPV values are stated in the financial analysis below.
Interviewees said that prior to using Cortex XSIAM, their organizations struggled with fragmented security architectures, limited threat visibility, and escalating costs tied to legacy SIEM platforms and tools. Analysts were overwhelmed by high volumes of false-positive alerts and forced to manually correlate alerts across siloed tools, leading to inefficiencies, burnout, and slow incident response. Tool sprawl and selective data logging created compliance risks and left critical threats undetected. These limitations made it difficult for security teams to scale operations, maintain coverage, and respond effectively to the growing complexity of modern cyberthreats.
After the investment in Cortex XSIAM, the composite organization transforms security operations by unifying SIEM, SOAR, XDR and endpoint detection and response (EDR), and TIP into a single cloud-native platform that eliminates tool fragmentation and manual workflows. Its AI-powered analytics and automated alert consolidation meaningfully reduce false positives, streamline incident response, and improve visibility across the enterprise. The platform’s flexible, ingestion-based licensing model lets organizations collect and store all the data they need for end-to-end security operations, without hidden costs. Built-in workflow automation accelerates remediation and reduces analyst fatigue. With rapid deployment, scalable architecture, and integrated capabilities, Cortex XSIAM empowers organizations to shift from reactive security to proactive, high-efficiency operations.
Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:
Improved security posture by 60%. The composite organization leverages Cortex XSIAM’s AI-powered analytics, unified data ingestion, and storage enabled with Cortex XDL, as well as native automation to enhance visibility and accelerate threat response. These capabilities enable proactive threat containment and compliance assurance across the organization’s global footprint, thus reducing breach risk by 60% by Year 3. Over three years, the improved security posture is worth more than $2.2 million to the composite organization.
Improved efficiency for triage and tier 1 SOC by reducing alert volumes by 85%. The composite organization reduces the volume of alerts requiring tier 1 SOC review by 85% by Year 3. This efficiency is enabled by Cortex XSIAM’s AI-driven automated alert consolidation, fully native SOAR capabilities, and unified data model that meaningfully reduce false positives and manual triage. Analysts are able to shift focus from repetitive tasks to strategic threat hunting and defense. Over three years, improved efficiency for triage and tier 1 SOC is worth $930,000 to the composite organization.
Significant improvement in efficiencies of case management. The composite organization reduces the number of cases (more comprehensive incidents, as defined by Palo Alto Networks) requiring SecOps investigation by 70% and cuts mean time to remediation (MTTR) by 85% by Year 3. Cortex XSIAM’s threat context, root cause analysis (causality view), and automated resolution empower analysts to resolve threats faster and more effectively. Over three years, improved case management is worth $1.5 million to the composite organization.
Cost savings from eliminating legacy platforms worth $3.1 million. The composite organization retires legacy SIEM, SOAR, EDR/XDR, TIP, identity threat detection and response (ITDR), and network detection and response (NDR) tools, and it reduces associated licensing and maintenance costs. Cortex XSIAM’s unified, cloud-native platform brings together a slew of best-of-breed cybersecurity capabilities, supported by a flexible data ingestion model and reduced overhead infrastructure. These efficiencies streamline operations and reduce vendor complexity. Over three years, cost savings from legacy tool elimination are worth $3.1 million to the composite organization.
Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:
Scalable growth enablement. The composite organization seamlessly scales security operations across new locations, endpoints, and workloads. Cortex XSIAM’s cloud-native architecture and modular design support rapid deployment and onboarding with minimal effort. This flexibility allows the organization to grow both organically and inorganically, without security becoming a bottleneck.
Enhanced visibility and contextual awareness. Cortex XSIAM’s unified data (built on Cortex XDL) and AI-driven incident enrichment provide analysts with actionable insights and full-context incident views. This improved situational awareness strengthens threat detection and response for the composite organization.
Improved analyst experience and retention. The composite organization reduces analyst burnout and increases job satisfaction and retention by automating labor-intensive, repetitive tasks. Cortex XSIAM’s incident enrichment and alert consolidation can allow analysts to focus on high-value work like threat hunting and strategic analysis. This shift can improve morale and help retain skilled cybersecurity talent.
Strong vendor support and engineering collaboration. The composite organization benefits from responsive support and direct collaboration with Palo Alto Networks’ engineering teams. Cortex XSIAM’s deployment and customization are accelerated through expert guidance and rapid iteration. This partnership ensures that the platform evolves with the organization’s needs.
Costs. Three-year, risk-adjusted PV costs for the composite organization include:
Cortex XSIAM configuration costs. The composite organization incurs annual licensing and data ingestion costs based on 10,000 endpoints and 1.7 TB of data. These costs are driven by Cortex XSIAM’s core modules, including SIEM, SOAR, XDR, and TIP. The platform’s flexible pricing model supports broad telemetry ingestion without events-per-second (EPS)-based penalties. Over three years, configuration costs total $1.8 million.
Initial deployment costs. The composite organization deploys Cortex XSIAM in two months using three internal FTEs and professional services from Palo Alto Networks. The cloud-native architecture and prebuilt integrations streamline implementation and reduce complexity. This upfront investment enables rapid time to value and platform readiness. The total initial deployment cost is $219,000.
Ongoing platform maintenance. The composite organization allocates 0.5 FTEs annually to maintain and optimize Cortex XSIAM. Maintenance activities include tuning automations, creating custom detection rules, and enhancing playbooks. The SaaS delivery model minimizes infrastructure upkeep and shifts focus to proactive optimization. Over three years, ongoing maintenance costs total $193,000.
The financial analysis, which is based on the interviews, found that the composite organization experiences benefits of $7.7 million over three years versus costs of $2.2 million, resulting in a net present value (NPV) of $5.6 million and an ROI of 257%.
Key Year 3 outcomes (figure; values as stated in the quantified benefits above): 60% reduction of significant incident risk with Cortex XSIAM; 85% reduction in volume of alerts needing tier 1 SOC attention; 70% reduction in volume of incidents needing SOC attention; 85% net reduction in MTTR for cases needing SOC team resolution.
How Cortex XSIAM Is Transforming The SOC
Interviewees noted that Cortex XSIAM was fundamentally reshaping how their organizations operate SOCs, addressing long-standing inefficiencies and enabling a more strategic approach to threat management. They described how the platform’s AI-powered alert correlation and analytics dramatically reduced the volume of false positives, allowing analysts to bypass manual triage and focus on meaningful threats. Unlike basic SIEM alert correlation, the platform’s stitching evaluates multiple elements of each event for higher accuracy, enabling better cross-data analytics, improved detection, and faster investigations. Stitching automatically joins related data into “causality chains” that link events, processes, files, and network connections across different security layers. It allows analysts to investigate the root cause and timeline of an alert with a single click, eliminating the need for manual data correlation. In a crucial next step, SmartGrouping leverages this stitched data to extract even more artifacts and to accurately group individual alerts into meaningful, actionable cases. As a result, SOC teams are provided with a complete picture of attacks and can investigate and respond faster.
(Pull quote omitted) VP of global security, BPO enterprise
Interviewees emphasized that Cortex XSIAM’s native automation and unified architecture streamline both triage and incident response. The platform reduced the number of uncurated incidents requiring manual investigation and shortened MTTR, with many incidents resolved or enriched before reaching an analyst. This transformation enables SOCs to operate with greater speed, precision, and resilience. Interviewees consistently described how their teams now work smarter — not harder — thanks to the platform’s ability to eliminate repetitive tasks and surface actionable intelligence.
Interestingly, two of the benefits from the full TEI study — improved efficiency for triage and tier 1 SOC (benefit B) and improved efficiency of case management (benefit C) — together quantify the benefit of the transformed SOC. Taken together, the composite organization can redeploy 5.5 SOC analysts in Year 1, 6.3 in Year 2, and 7.1 in Year 3. These figures are not cumulative; they reflect redeployment cost savings of 42% to 47%.
(Pull quote omitted) VP of security platform, IT services
Collectively, these improvements represent an ongoing transformation of the SOC, driven by Cortex XSIAM’s integrated capabilities and cloud-native design. XSIAM helps the SOC transition to a more proactive, intelligence-driven command center powered by AI-driven automation. Interviewees viewed this shift not as a one-time upgrade but as a continuous evolution toward a more agile, scalable, and effective security posture.
1 Source: The Security Analytics Platforms Landscape, Q4 2024, Forrester Research, Inc., December 12, 2024; The Operational Technology Security Solutions Landscape, Q1 2024, Forrester Research, Inc., February 6, 2024; The Extended Detection And Response Platforms Landscape, Q4 2023, Forrester Research, Inc., November 22, 2023; The State Of Threat Intelligence, Forrester Research, Inc., April 13, 2023.
2 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.
Readers should be aware of the following:
This study is commissioned by Palo Alto Networks and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.
Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in Cortex XSIAM.
Palo Alto Networks reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.
Palo Alto Networks provided the customer names for the interviews but did not participate in the interviews.