Total Economic Impact

The Total Economic Impact™ Of Palo Alto Networks Cortex XSIAM

Cost Savings And Business Benefits Enabled By Cortex XSIAM

A FORRESTER TOTAL ECONOMIC IMPACT STUDY COMMISSIONED BY Palo Alto Networks, September 2025


Executive Summary

Given today’s digital-first landscape, organizations face an increasingly complex and high-stakes cybersecurity environment. Security operations centers (SOCs) are under constant pressure to detect, investigate, and respond to incidents faster and more accurately. Cortex XSIAM from Palo Alto Networks overcomes these challenges by unifying SIEM, XDR, SOAR, threat intelligence, and exposure management into a single AI-driven, cloud-native platform — reducing response times, cutting complexity, and lowering costs. Its behavioral analytics and machine learning capabilities enable the proactive detection of threats, simultaneously alleviating the operational burden on SOC teams. By automating routine tasks and stitching together enriched, contextualized incidents, Cortex XSIAM has the potential to transform the SOC.

Across industries, siloed security tools create blind spots, slow response, and leave organizations vulnerable to rising attacks. The volume, velocity, and variety of threats continue to grow, while the attack surface expands across hybrid infrastructures, cloud environments, and globally distributed workforces. Traditional security information and event management (SIEM) solutions rely heavily on rule-based detection, generate high volumes of false positives, and require extensive manual correlation across disparate data sources. SOC analysts spend hours stitching together fragmented alerts to form a coherent incident narrative, delaying response and increasing risk. Meanwhile, the cost and complexity of maintaining legacy platforms — especially those with hardware dependencies or rigid licensing models — can hinder scalability and agility.1

Palo Alto Networks’ Cortex XSIAM ingests and normalizes data across all possible security and IT sources across endpoint, network, cloud, identity, and beyond — both first and third party — into the unified Cortex Extended Data Lake (XDL). The platform then applies AI and analytics to this data to natively deliver all major security and operations (SecOps) capabilities — including SIEM; extended detection and response (XDR); security orchestration, automation, and response (SOAR); threat intelligence; email security; and exposure management — in one unified user experience. The platform’s analytics and machine learning capabilities enable proactive prevention and real-time detection of threats, simultaneously alleviating the operational burden on SOC teams. By simplifying operations, automating routine tasks, and empowering AI for decision-making, Cortex XSIAM can transform security operations, empowering analysts to focus on higher-value activities like threat hunting and SOC optimization.

Palo Alto Networks commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study and examine the potential return on investment (ROI) enterprises may realize by deploying Cortex XSIAM.2 The purpose of this study is to provide readers with a framework to evaluate the potential financial impact of Cortex XSIAM on their organizations.

244% return on investment (ROI)

$5.3M net present value (NPV)

To better understand the benefits, costs, and risks associated with this investment, Forrester interviewed four senior security leaders who use Cortex XSIAM in their organizations. For the purposes of this study, Forrester aggregated the experiences of the interviewees and combined the results into a single composite organization, which is a global technology services firm with 10,000 employees and $5 billion in annual revenue, operating across multiple regions and serving clients in highly regulated industries such as healthcare, finance, and telecommunications.

Prior to deploying Cortex XSIAM, organizations struggled with fragmented security architectures, limited threat visibility, and escalating costs tied to legacy SIEM platforms and tools. Analysts were overwhelmed by high volumes of false-positive alerts and forced to manually correlate alerts across siloed tools, leading to inefficiencies, burnout, and slow incident response. Tool sprawl and selective data logging created compliance risks and left critical threats undetected. These limitations made it difficult for security teams to scale operations, maintain coverage, and respond effectively to the growing complexity of modern cyberthreats.

“I think they [Palo Alto Networks] do have the Holy Grail right now [with Cortex XSIAM]. I didn’t find anything better when we were looking — and it works. That’s the key.”

VP of SecOps, technology services

“We saved a couple million dollars a year on tooling right off the bat, which the CFO loved. Plus, we’ve been able to leverage early-career talent instead of hiring $250K experts — that’s just not sustainable.”

Director of SecOps, specialty retailer

With the deployment of Cortex XSIAM, the composite organization transforms security operations by unifying SIEM, SOAR, XDR and endpoint detection and response (EDR), and threat intelligence platform (TIP) into a single, cloud-native platform that eliminates tool fragmentation and manual workflows. Its AI-powered analytics and automated alert consolidation meaningfully reduce false positives, streamline incident response, and improve visibility across the enterprise. The platform’s flexible, ingestion-based licensing model lets organizations collect and store all the data they need for end-to-end security operations, without hidden costs. Built-in workflow automation accelerates remediation and reduces analyst fatigue. With rapid deployment, scalable architecture, and integrated capabilities, Cortex XSIAM empowers organizations to shift from reactive security to proactive, high-efficiency operations.

Key Findings

Quantified benefits. Three-year, risk-adjusted present value (PV) quantified benefits for the composite organization include:

  • Improved security posture by 60%. The composite organization leverages Cortex XSIAM’s AI-powered analytics, unified data ingestion, and storage enabled with Cortex XDL, as well as native automation to enhance visibility and accelerate threat response. These capabilities enable proactive threat containment and compliance assurance across the organization’s global footprint, thus reducing breach risk by 60% by Year 3. Over three years, the improved security posture is worth more than $2.2 million to the composite organization.

  • Improved efficiency for triage and tier 1 SOC by reducing alert volumes by 85%. The composite organization reduces the volume of alerts requiring tier 1 SOC review by 85% by Year 3. This efficiency is enabled by Cortex XSIAM’s AI-driven automated alert consolidation, fully native SOAR capabilities, and unified data model that meaningfully reduce false positives and manual triage. Analysts are able to shift focus from repetitive tasks to strategic threat hunting and defense. Over three years, improved efficiency for triage and tier 1 SOC is worth $930,000 to the composite organization.

  • Significant improvement in efficiencies of case management. The composite organization reduces the number of cases (more comprehensive incidents, as defined by Palo Alto Networks) requiring SecOps investigation by 70% and cuts mean time to remediation (MTTR) by 85% by Year 3. Cortex XSIAM’s threat context, root cause analysis (causality view), and automated resolution empower analysts to resolve threats faster and more effectively. Over three years, improved case management is worth $1.2 million to the composite organization.

  • Cost savings from eliminating legacy platforms worth $3.1 million. The composite organization retires legacy SIEM, SOAR, EDR/XDR, TIP, identity threat detection and response (ITDR), and network detection and response (NDR) tools, and reduces associated licensing and maintenance costs. Cortex XSIAM’s unified, cloud-native platform brings together a slew of best-of-breed cybersecurity capabilities, supported by a flexible data ingestion model and reduced overhead infrastructure. These efficiencies streamline operations and reduce vendor complexity. Over three years, cost savings from legacy tool elimination are worth $3.1 million to the composite organization.

“The ROI is very visible. The board sees metrics like mean time to detect and remediate, and they understand how much faster and more effective we’ve become.”

VP of global security, business process outsourcing (BPO) enterprise

Unquantified benefits. Benefits that provide value for the composite organization but are not quantified for this study include:

  • Scalable growth enablement. The composite organization seamlessly scales security operations across new locations, endpoints, and workloads. Cortex XSIAM’s cloud-native architecture and modular design support rapid deployment and onboarding with minimal effort. This flexibility allows the organization to grow both organically and inorganically, without security becoming a bottleneck.

  • Enhanced visibility and contextual awareness. Cortex XSIAM’s unified data (built on Cortex XDL) and AI-driven incident enrichment provide analysts with actionable insights and full-context incident views. This improved situational awareness strengthens threat detection and response for the composite organization.

  • Improved analyst experience and retention. The composite organization reduces analyst burnout and increases job satisfaction and retention by automating labor-intensive, repetitive tasks. Cortex XSIAM’s incident enrichment and alert consolidation can allow analysts to focus on high-value work like threat hunting and strategic analysis. This shift can improve morale and help retain skilled cybersecurity talent.

  • Strong vendor support and engineering collaboration. The composite organization benefits from responsive support and direct collaboration with Palo Alto Networks’ engineering teams. Cortex XSIAM’s deployment and customization are accelerated through expert guidance and rapid iteration. This partnership ensures that the platform evolves with the organization’s needs.

Costs. Three-year, risk-adjusted PV costs for the composite organization include:

  • Cortex XSIAM configuration costs. The composite organization incurs annual licensing and data ingestion costs based on 10,000 endpoints and 1.7 TB of data. These costs are driven by Cortex XSIAM’s core modules, including SIEM, SOAR, XDR, and TIP. The platform’s flexible pricing model supports broad telemetry ingestion without EPS-based penalties. Over three years, configuration costs total $1.8 million.

  • Initial deployment costs. The composite organization deploys Cortex XSIAM in two months using three internal FTEs and professional services from Palo Alto Networks. The cloud-native architecture and prebuilt integrations streamline implementation and reduce complexity. This upfront investment enables rapid time to value and platform readiness. The total initial deployment cost is $219,000.

  • Ongoing platform maintenance. The composite organization allocates 0.5 FTEs annually to maintain and optimize Cortex XSIAM. Maintenance activities include tuning automations, creating custom detection rules, and enhancing playbooks. The SaaS delivery model minimizes infrastructure upkeep and shifts focus to proactive optimization. Over three years, ongoing maintenance costs total $193,000.

The financial analysis that is based on the interviews found that a composite organization experiences benefits of $7.5 million over three years versus costs of $2.2 million, adding up to a net present value (NPV) of $5.3 million and an ROI of 244%.

70% and 85%, respectively

Reduction in volume of incidents and reduction in MTTR for cases needing SOC attention by Year 3

“My CFO reminds me how much we spend — and I remind him how much we’re saving by investing in Cortex. It works, the support is solid, and the labor savings alone make it more than worth it.”

VP of SecOps, technology services

Key Statistics

244% return on investment (ROI)

$7.5M benefits PV

$5.3M net present value (NPV)

<6 months payback

Benefits (Three-Year)

[Chart: three-year benefits by category. Categories shown: Improved security posture; Improved efficiency for triage and tier 1 SOC; Improved efficiency of case management; Cost savings from eliminating legacy resources.]

The Palo Alto Networks Cortex XSIAM Customer Journey

Drivers leading to the Cortex XSIAM investment

Interviews

| Role | Industry | Region | Revenue | Employees | Cortex XSIAM Configuration |
| --- | --- | --- | --- | --- | --- |
| Director of SecOps | Specialty retailer | HQ: North America; >2,000 stores globally | ~$150 billion | >400,000 | SIEM, SOAR, XDR; >150,000 agents; >64,000 GB of data |
| VP of security platform | IT services | HQ: North America; >80 global locations | ~$15 billion | >75,000 | SIEM, SOAR, XDR; >400,000 agents; >48,000 GB of data |
| VP of global security | BPO enterprise | HQ: North America; >100 global locations | ~$10 billion | >400,000 | SIEM, SOAR, XDR; >300,000 agents; >24,000 GB of data |
| VP of SecOps | Technology services | HQ: North America; operations in more than five countries | ~$1 billion | <10,000 | SIEM, SOAR, XDR; >3,000 agents; >1,200 GB of data |

Key Challenges

Forrester interviewed senior decision-makers at four organizations who oversee cybersecurity operations for their organizations. Besides having senior management roles, these individuals were acutely aware of the security challenges prior to the deployment of Cortex XSIAM and well versed in the results that their organizations were experiencing. In general, these organizations were large enterprises with global footprints.

Before adopting Palo Alto Networks’ Cortex XSIAM, organizations faced a convergence of challenges that strained their security operations and limited their ability to scale effectively. Legacy SIEM platforms often struggled with data volume growth, leading to prohibitive costs and reduced visibility due to selective logging. Operational inefficiencies were widespread, with analysts spending excessive time manually correlating and investigating alerts, navigating fragmented toolsets, and responding to high volumes of false positives. The prior environments lacked automation, which created bottlenecks in incident detection and remediation, contributing to SecOps analyst burnout and leading to talent retention issues. Additionally, fragmented data sources and tool sprawl undermined compliance efforts and increased the risk of downtime or breaches. Collectively, these issues posed challenges for secure operations and scalable growth for these organizations.

“Analysts have alert fatigue because they have to deal with monotonous, repetitive actions that just wear them down.”

Director of SecOps, specialty retailer

Interviewees noted how their organizations struggled with common challenges, including:

  • Lack of scalability and cost constraints. A consistent and pressing challenge across the interviewed organizations was the inability of their legacy security platforms to scale efficiently in response to rapidly growing data volumes without incurring unsustainable costs. These prior solutions, including well-known SIEMs, often relied on rigid pricing models based on events per second (EPS) or data ingestion thresholds, which forced teams to limit log collection and compromise visibility. As data volumes surged — some organizations projected daily ingest growth from 18 to 50 TBs — the cost of maintaining adequate coverage became prohibitive. The VP of security platform for an IT services provider said, “We were looking at probably at least another $9 million a year just for the SIEM based on our projections, and the staffing wasn’t going to change.” This combination of escalating costs, limited scalability, and stagnant operational efficiency made it clear that existing solutions were no longer viable for modern, data-intensive security environments.

  • Operational complexity and inefficiencies. A significant challenge cited by most interviewees was the lack of automation in their prior security environments, which led to inefficient workflows, excessive manual effort, and analyst burnout. Legacy SIEM platforms often required analysts to manually correlate alerts, gather logs, and stitch together context across disparate tools — resulting in long mean time to detect (MTTD) and MTTR, and a high volume of false positives. One interviewee described the process as “very linear,” where analysts would pick alerts from a queue and work on them in isolation, often unaware of related activity being investigated by others. The absence of integrated automation and contextual enrichment meant that relatively straightforward tasks like phishing response or endpoint isolation demanded significant human intervention.

  • Security and visibility gaps. Interviewees reported significant security and visibility gaps in their prior environments, largely stemming from fragmented toolsets, limited telemetry, and pricing models that discouraged comprehensive data ingestion. Due to selective data logging, critical events were missed or lacked sufficient context, forcing analysts to manually piece together disparate signals across tools. Interviewees described how analysts worked in silos without the ability to correlate related activity, increasing the risk of undetected threats. The VP of global security for the BPO enterprise said: “The legacy solution was working on events per second. While this meant we were logging less, it also meant we were seeing less.” These visibility gaps not only hindered threat detection but also left organizations more vulnerable to advanced attacks and compliance failures.

  • Inefficiencies from fragmented tools. In their prior environments, the interviewees consistently struggled with inefficiencies stemming from fragmented security toolsets that lacked a unified database or interface. These siloed systems required analysts to manually correlate data across disparate platforms, slowing down investigations and increasing the risk of missed or delayed threat detection. The absence of integration meant that even basic tasks — such as triaging alerts — were labor-intensive and error-prone. Interviewees noted how analysts operated in isolation, often unaware of related activity being investigated by others. The VP of global security for the BPO enterprise noted that “managing multiple data sources was very, very difficult to do, with updates frequently breaking integrations and compounding operational complexity.” These fragmented environments not only reduced efficiency but also limited visibility, making it harder to respond to threats in a timely and informed manner.

  • High analyst workload and burnout. A recurring challenge across the interviewed organizations was the high workload placed on security analysts in their prior environments, which often led to burnout and talent retention issues. Analysts were overwhelmed by the volume of alerts — many of them false positives — and had to manually correlate data across fragmented tools, leaving little time for higher-value activities like threat hunting or strategic analysis. This repetitive, reactive work environment not only reduced operational efficiency but also made it difficult to keep skilled professionals engaged. The director of SecOps for the specialty retailer explained: “We were constantly fighting alert fatigue. Our analysts were stuck doing monotonous, repetitive tasks that wore them down. Now, with automation and correlation built in, they’re finally able to focus on the hard problems that keep them motivated.” This shift was seen as critical not just for productivity but also for retaining top talent in a highly competitive field.

Terminology

Alerts And Incidents Reframed

In the cybersecurity world there are general definitions for events, alerts, and incidents:3

Event: A cybersecurity event is any observable occurrence in a system or network. This includes both normal and abnormal behavior.

Alert: An alert is a notification that a security event or series of events may be suspicious or indicative of a potential security issue.

Incident: An incident is a confirmed or suspected breach of security policies or standard security practices that threatens the security, integrity, or availability of information or systems.

Interviewed customers mostly discussed the capabilities and benefits of Cortex XSIAM in this traditional verbiage. However, there was an acknowledgement that the unique aspects of Cortex XSIAM were potentially changing the context of those traditional terms. Based on how these capabilities impact the investigation of events, and in compliance with the SEC mandate on incident disclosure, Palo Alto Networks uses an updated terminology:

Issue: Replaces alert, as a notification of a security event or series of events.

Case: A combination of enriched incidents that require remediation by an SOC analyst.

Solution Requirements

The interviewees searched for a solution that could:

  • Provide an integrated, cloud-native architecture platform. Interviewees’ organizations sought to eliminate the complexity of managing disparate point tools in the cybersecurity stack. They wanted a cloud-native platform with a unified data lake and interface — one that scaled easily, improved overall visibility, and reduced infrastructure overhead.

  • Deliver AI-powered analytics and threat detection. Interviewees emphasized the importance of moving beyond rule-based detection to AI-driven analysis. They cited Cortex XSIAM’s ability to stitch together data and alerts into meaningful incidents as a key capability for eliminating manual triage.

  • Embed automation and playbook-driven responses for enhanced productivity. A key requirement cited by interviewees was having built-in automation and customizable playbooks that enabled rapid, consistent responses to common threats like phishing and malware. Interviewees attributed this to reduced manual effort and improved response times.

  • Enable tools consolidation and drive cost efficiencies. Interviewees emphasized the need to retire multiple legacy tools (e.g., SIEM, SOAR, EDR), thus reducing licensing and maintenance expenses.

  • Enhance analyst experience by shifting focus to value-added tasks. Interviewees aspired to reduce alert fatigue and enable analysts to focus on higher-value tasks with Cortex XSIAM. After the deployment, they stated that the platform helped their organizations alleviate burnout and improve retention.

  • Drive scalable growth for the organization. Interviewees looked for a platform that would enable their organization to grow at scale. They stated that Cortex XSIAM’s cloud-native, integrated platform simplified deployment across global environments and supported rapid onboarding of newly acquired entities with minimal effort.

“[Cortex XSIAM] is pretty complete [as a cybersecurity platform]. You don’t need another product for threat management, incident response, or hunting.”

VP of SecOps, technology services

Composite Organization

Based on the interviews, Forrester constructed a TEI framework, a composite company, and an ROI analysis that illustrates the areas financially affected. The composite organization is representative of the interviewees’ organizations, and it is used to present the aggregate financial analysis in the next section. The composite organization has the following characteristics:

  • Description of composite. The composite is a global technology services firm with 10,000 employees and $5 billion in annual revenue, operating across multiple regions and serving clients in highly regulated industries such as healthcare, finance, and telecommunications. It maintains a 24/7 SOC staffed by a team of cybersecurity professionals. The firm is subject to strict compliance requirements, including PCI DSS, HIPAA, and ISO 27001, and must maintain high levels of visibility, uptime, and threat response across its distributed infrastructure.

  • Prior state. Prior to deploying Cortex XSIAM, the composite relied on a fragmented mix of legacy SIEM, endpoint protection, and SOAR tools — some of which were on-premises and required meaningful manual correlation, regional maintenance, and complex integrations. These limitations led to high analyst workload, alert fatigue, compliance risks due to log loss, and difficulty scaling operations during acquisitions or business growth. The composite also faced rising costs from managing over 20 disparate tools and struggled to maintain consistent security coverage across its global footprint.

  • Deployment characteristics. To address these challenges, the composite deploys Cortex XSIAM (in Year 0, the initial period) as a cloud-native, integrated platform that unifies its SIEM, XDR, SOAR, TIP, and other capabilities, supporting 10,000 endpoints and capable of ingesting 1,700 GB of data. The deployment is completed in two months using only three dedicated FTEs.

  • Key modeling assumptions. To quantify the economic and productivity benefits that the composite organization derives from deploying Cortex XSIAM, Forrester uses the following assumptions in the financial model:

    • The composite organization has 10,000 full-time employees, with 13 SecOps FTEs before fully deploying Cortex XSIAM.
    • The composite deploys the full Cortex XSIAM platform in Year 0, with 10,000 endpoint licenses and 1,700 GB of data ingestion.
    • For the effective value gained from Cortex XSIAM, the composite derives 70% of the effective value in Year 1, 85% in Year 2, and 100% in Year 3 and onward. Forrester assumes this is due to ongoing learnings from using a newer technological solution.
    • Fully burdened annual salaries for key personnel are included in the detailed composite characteristics and metrics table below (rows R7 to R9).

KEY ASSUMPTIONS

  • 10,000 employees

  • $5 billion in annual revenue

  • 10,000 agents licensed

  • 1.7 TB of data ingestion licensed

  • 13 SecOps FTEs before deploying Cortex XSIAM

Detailed Composite Characteristics And Metrics

| Ref. | Metric | Source | Year 1 | Year 2 | Year 3 |
| --- | --- | --- | --- | --- | --- |
| R1 | Number of employees (baseline) | Composite | 10,000 | 10,000 | 10,000 |
| R2 | Annual revenue (baseline) | Composite | $5,000,000,000 | $5,000,000,000 | $5,000,000,000 |
| R3 | Operating margin | Composite | 12.0% | 12.0% | 12.0% |
| R4 | Number of agents licensed | R1*100% | 10,000 | 10,000 | 10,000 |
| R5 | Gigabytes of data ingestion | Composite | 1,700 | 1,700 | 1,700 |
| R6 | SecOps FTEs before Cortex XSIAM | Composite | 13.0 | 14.0 | 15.0 |
| R7 | Fully burdened annual salary for a tier 1 SecOps professional | Research data | $147,500 | $147,500 | $147,500 |
| R8 | Fully burdened annual salary for a senior SecOps professional | Research data | $215,000 | $215,000 | $215,000 |
| R9 | Fully burdened annual salary for an IT ops professional | Research data | $122,500 | $122,500 | $122,500 |
| R10 | Effectiveness of Cortex XSIAM | Composite | 70% | 85% | 100% |

Analysis Of Benefits

Quantified benefit data as applied to the composite

Total Benefits

| Ref. | Benefit | Year 1 | Year 2 | Year 3 | Total | Present Value |
| --- | --- | --- | --- | --- | --- | --- |
| Atr | Improved security posture | $737,279 | $895,268 | $1,053,256 | $2,685,803 | $2,201,471 |
| Btr | Improved efficiency for triage and tier 1 SOC | $313,820 | $376,584 | $444,598 | $1,135,002 | $930,551 |
| Ctr | Improved efficiency of case management | $473,908 | $485,640 | $508,753 | $1,468,301 | $1,214,415 |
| Dtr | Cost savings from eliminating legacy resources | $1,249,500 | $1,249,500 | $1,249,500 | $3,748,500 | $3,107,322 |
|  | Total benefits (risk-adjusted) | $2,774,507 | $3,006,991 | $3,256,108 | $9,037,606 | $7,453,759 |

Improved Security Posture

Evidence and data. Interviewees consistently noted that one compelling benefit from deploying Cortex XSIAM was the marked improvement in their organization’s overall security posture. In the prior state, limited automation and fragmented tooling hindered visibility and response, weakening their overall security posture and increasing vulnerability to threats. The security gains with Cortex XSIAM stemmed from key capabilities such as AI-powered analytics, which detected and correlated threats that rule-based systems often missed. The platform’s ability to ingest and analyze vast volumes of telemetry data — without the constraints of legacy EPS-based pricing — gave teams deeper visibility across their environments. Combined with automation playbooks, integrated threat intelligence, and unified EDR, Cortex XSIAM helped customers proactively identify, contain, and remediate threats faster and more reliably.

  • The VP of global security for the BPO enterprise explained: “The propensity of a threat materializing in our legacy environment was much higher. With Cortex XSIAM’s AI-based detection and cloud architecture, we’ve significantly reduced our vulnerability to zero-day attacks and compliance risks. It’s hard to quantify exactly, but the difference in posture is very real.”

  • Asked to quantify the impact of Cortex XSIAM on their organization’s security posture, the VP of security platform for the IT services provider elaborated: “In our internal testing, [an alternative tool] failed 106 out of 15,500 ransomware simulations, while Cortex XDR failed only zero to three. That’s a massive improvement in our security posture.” The back-of-the-envelope math on that datapoint implies a 16x improvement in security visibility or coverage.

  • The VP of SecOps for the technology services provider observed, “We replaced multiple tools and now have a single pane of glass with better coverage and faster response — our security posture is significantly stronger than before.”

Modeling and assumptions. This benefit focuses on the improvement in security outcomes for the composite organization with Cortex XSIAM replacing a slew of legacy point solutions. To objectively measure the improved security posture — or reduced risk of a breach — with a cybersecurity solution, Forrester relies on regression data analysis of specific findings from Forrester’s Security Survey, 2024. Based on the interviews, Forrester assumes the following about the composite organization:

  • Row A1: Regression analysis of the reported total cumulative costs of all breaches experienced by security decision-makers’ organizations in the past 12 months. The composite organization’s revenue is used as the input to the regression formula.4

  • Row A2: Regression analysis of the likelihood of experiencing one or more breaches, using the frequency that organizations experienced breaches in the past 12 months, as reported by security decision-makers. The composite organization’s revenue is used as the input to the regression formula.5

  • Row A3: Percent of breaches by primary attack vector for breaches, as reported by security decision-makers whose organizations experienced at least one breach in the last 12 months.6

  • 80% of the breaches and security vulnerabilities identified above are addressable with the deployment of Cortex XSIAM, given the breadth and depth of the platform.

  • The gross reduction of breach risk is 60% with Cortex XSIAM deployed. The net reduction (row A6) is based on the effectiveness ramp of the Cortex XSIAM platform: 42% reduction in Year 1, 51% in Year 2, and 60% by Year 3.

Risks. Forrester recognizes that these results may not be representative of all experiences and that the improved security posture will vary among organizations depending on the following factors:

  • Organizations in highly regulated industries are likely to be more closely monitored, and an improved security posture would be more beneficial.

  • The size of an organization — as determined by revenue and/or number of employees — is likely to impact the size of regulatory fines imposed or the financial impact of a significant security incident.

  • The prior state of an organization’s overall cybersecurity stack will determine the degree of improvement by deploying Cortex XSIAM.

Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $2,201,471.

60%

Reduction of significant incident risk with Cortex XSIAM by Year 3

“We haven’t had a single outage related to a cyber event since deploying XSIAM. The platform gives us better visibility and context across our environment, and that’s helped us stay ahead of threats. Our posture is stronger, and we’re finally able to be proactive instead of reactive.”

Director of SecOps, specialty retailer

Improved Security Posture
Ref. | Metric | Source | Year 1 | Year 2 | Year 3
A1 | Cumulative cost of breaches for the composite | Forrester Research | $3,853,000 | $3,853,000 | $3,853,000
A2 | Likelihood of experiencing one or more breaches | Forrester Research | 67% | 67% | 67%
A3 | Percent of breaches originating from external attacks, internal incidents, or external ecosystem attacks or incidents | Forrester Research | 100% | 100% | 100%
A4 | Percent of those attacks addressable with Cortex XSIAM | Composite | 80% | 80% | 80%
A5 | Annual risk exposure addressable with Cortex XSIAM | A1*A2*A3*A4 | $2,065,208 | $2,065,208 | $2,065,208
A6 | Net reduction of breach risk with Cortex XSIAM | Interviews | 42.0% | 51.0% | 60.0%
At | Improved security posture | A5*A6 | $867,387 | $1,053,256 | $1,239,125
 | Risk adjustment | 15% | | |
Atr | Improved security posture (risk-adjusted) | | $737,279 | $895,268 | $1,053,256
Three-year total: $2,685,803 | Three-year present value: $2,201,471

Improved Efficiency For Triage And Tier 1 SOC

Evidence and data. All interviewees stated that adopting Cortex XSIAM resulted in dramatic efficiency improvements for triage and tier 1 SOC. In their prior environments, interviewees’ organizations were overwhelmed by high volumes of alerts — many of which were false positives — requiring manual triage and consuming valuable analyst time. Cortex XSIAM addressed this challenge through its AI-powered analytics, which accurately detected attacks and automatically grouped alerts into enriched incidents (cases), significantly reducing noise and enabling faster, more informed decision-making. Additional synergies were attained through native SOAR capabilities and a unified data lake (Cortex XDL). Interviewees reported reductions of up to 80% in alert volumes requiring human intervention, allowing their SOC teams to shift focus from repetitive triage to higher-value tasks like threat hunting and proactive defense. This transformation in alert handling was cited as being central to improving both operational efficiency and analyst morale.

  • The VP of security platform for the IT services provider summarized their organization’s experience as follows: “We were seeing about 4,000 alerts a day before, and now we’re down to 400 to 600. Our false positive rate dropped from 60% to 80% to around 20%. That’s a massive shift — our analysts now get to meaningful work in 20 minutes instead of spending hours gathering logs and correlating data.”

  • The VP of global security for the BPO enterprise observed: “The platform supports automation — phishing alerts, for example, trigger playbooks that pull emails, reset passwords, and notify managers. All of that happens automatically.”

Modeling and assumptions. This benefit quantifies the productivity improvement for the tier 1 SOC analysts by eliminating a high volume of false-positive alerts, enabling auto-resolution of alerts, and automatically grouping relevant alerts into enriched incidents that require further investigation (which will be addressed in Benefit C). Based on the interviews, Forrester assumes the following about the composite organization:

  • The composite organization’s SOC team handles 1,000 alerts per week in its prior state, translating to 52,000 alerts per year.

  • The net reduction in the overall volume of alerts through automation is 60% in Year 1, 72% in Year 2, and 85% in Year 3, based on the effectiveness ramp of the Cortex XSIAM solution.

  • The average time needed to triage and investigate an alert in the prior state is 10 minutes.

  • The time savings captured in this benefit (row B5) include only the time tier 1 SecOps analysts no longer spend on alert management. Additional time would be saved through the automated grouping of relevant alerts.

  • The fully burdened hourly rate for a tier 1 SecOps professional is $71 (rounded).

  • The time savings computed for this benefit implies that 2.5, 3.0, and 3.5 tier 1 SecOps analysts would be freed up in Year 1, Year 2, and Year 3, respectively.

Risks. Forrester recognizes that these results may not be representative of all experiences and that SOC team productivity gains will vary among organizations depending on the following factors:

  • The alert volume for a given organization will vary based on the size, the regulatory environment of the industry, and the sophistication of the cybersecurity technology stack.

  • Productivity benefits may vary based on the sophistication of the composite’s SOC team.

  • The average time for triage and investigation, in the prior state, may vary based on the legacy tools.

Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $930,551.

85%

Reduction in volume of alerts needing tier 1 SOC attention by Year 3

“We went from 25,000 alerts per quarter that had to be manually reviewed to around 4,500 — an 80% improvement. That’s not fewer events, just better correlation and stitching.”

Director of SecOps, specialty retailer

Improved Efficiency For Triage And Tier 1 SOC
Ref. | Metric | Source | Year 1 | Year 2 | Year 3
B1 | Security alerts before Cortex XSIAM | Composite | 52,000 | 52,000 | 52,000
B2 | Net reduction in alert volume after Cortex XSIAM | Interviews | 60% | 72% | 85%
B3 | Security alerts no longer required to be investigated by tier 1 SecOps | B1*B2 | 31,200 | 37,440 | 44,200
B4 | Time to investigate and triage average security alert previously (minutes) | Composite | 10 | 10 | 10
B5 | Time saved due to fewer security alerts requiring tier 1 SecOps investigation (hours) | (B3*B4)/60 | 5,200 | 6,240 | 7,367
B6 | Fully burdened hourly salary for a tier 1 SecOps professional (rounded) | R7/2080 | $71 | $71 | $71
Bt | Improved efficiency for triage and tier 1 SOC | B5*B6 | $369,200 | $443,040 | $523,057
 | Risk adjustment | 15% | | |
Btr | Improved efficiency for triage and tier 1 SOC (risk-adjusted) | | $313,820 | $376,584 | $444,598
Three-year total: $1,135,002 | Three-year present value: $930,551

Improved Efficiency Of Case Management

Evidence and data. Interviewees agreed that a major benefit realized by deploying the Cortex XSIAM platform was the significantly improved efficiency of case management. Unlike with their legacy tools, where analysts were inundated with isolated alerts requiring manual correlation, Cortex XSIAM’s AI-driven analytics and automation stitched related alerts into enriched, context-rich incidents (cases). This shift enabled their SOC teams to bypass manual and repetitive triage and engage directly with actionable incidents, accelerating resolution times and reducing the human effort required. Interviewees noted that with Cortex XSIAM the total number of incidents increased, but a majority got auto-resolved; and the time to remediation was significantly improved for incidents that required further investigation. Interviewed customers reported up to 80% reductions in time to detect and remediate incidents — dramatically reducing manual work and slashing response time.

  • The VP of SecOps for the technology services provider shared these data points: “Over the last 60 days, we processed 213 billion events, 21,000 alerts, and 9,800 incidents. Every incident was either auto-closed, auto-remediated, or enriched with context before reaching an analyst.”

  • The VP of global security for the BPO enterprise said: “In our legacy system, every device generated an incident. With XSIAM, alerts are stitched together into meaningful incidents, cutting down our incident volume by more than 50%. Analysts now receive enriched information upfront, enabling faster and more informed decisions.”

  • The director of SecOps for the specialty retailer stated: “The platform lets analysts work on harder problems. Instead of spending hours gathering logs, they get a full story in one incident ticket.”

  • The VP of security platform for the IT services provider said: “We used to have 120 incidents a day. Now we have 30 [a day] that require human effort, and another 170 are handled automatically.” They explained further: “Yes, incidents went up, but the number of incidents handled automatically also went up. XDR caught it, blocked it, quarantined it, deleted it — and all a human had to do was verify. So yes, more incidents, but fewer that require human effort.”

Modeling and assumptions. This benefit quantifies the productivity improvement for the core SOC analysts working on case management and resolution. Through better triage and tier 1 SOC efficiency (Benefit B) the composite organization only has to deal with “curated” incidents, or cases. Based on the interviews, Forrester assumes the following about the composite organization:

  • The composite organization’s SOC team handles 50 noncurated incidents per week in the prior state, translating to 2,600 incidents per year.

  • The gross reduction in incident volume — through automation and AI — is 70%. The net reduction in incident volume is 49% in Year 1, 60% in Year 2, and 70% in Year 3, based on the effectiveness ramp of the Cortex XSIAM solution.

  • The average time needed to investigate and remediate an incident in the prior state is 180 minutes (three hours). Row C5 captures the hours saved for the composite organization due to fewer security incidents needing investigation.

  • The net reduction in the time to investigate and remediate (MTTR) curated incidents, or cases, with Cortex XSIAM is 60% in Year 1, 72% in Year 2, and 85% in Year 3, based on the effectiveness ramp of the Cortex XSIAM solution. The similarity between this metric and the net reduction in alert volume in Benefit B is coincidental; the two are not related.

  • Row C9 measures the time savings for the SOC team due to faster resolution of relevant security incidents.

  • The fully burdened hourly rate for a SecOps professional working on incident response is $103 (rounded).

  • The time savings computed for this benefit implies that 2.6, 2.7, and 2.8 SecOps analysts would be freed up in Year 1, Year 2, and Year 3 respectively, for higher value-added threat hunting and proactive defense.

Risks. Forrester recognizes that these results may not be representative of all experiences and that SOC team productivity gains will vary among organizations depending on the following factors:

  • The incident volume for a given organization will vary based on the size, the regulatory environment of the industry, and the sophistication of the cybersecurity technology stack.

  • Productivity benefits may vary based on the sophistication of the composite’s SOC team.

  • The average time for investigation and remediation, in the prior state, may vary based on the legacy tools.

Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1,214,415.

70%

Reduction in volume of incidents needing SOC attention by Year 3

85%

Net reduction in MTTR for cases needing SOC team resolution by Year 3

“We’ve reduced the number of incidents requiring human investigation by 50% and improved time to resolution by 80%. That’s massive.”

VP of SecOps, technology services

“Mean time to detect and remediate dropped by over 80%. What used to take 4 hours to detect and 2 hours to remediate now takes 40 to 50 minutes total.”

VP of global security, BPO enterprise

“XSIAM reduced our ‘mean time to meaningful work’ from hours to 20 minutes — analysts get all the correlated data upfront, without digging.”

VP of security platform, IT services

Improved Efficiency Of Case Management
Ref. | Metric | Source | Year 1 | Year 2 | Year 3
C1 | Security incidents before Cortex XSIAM | Composite | 2,600 | 2,600 | 2,600
C2 | Net reduction in incident volume after Cortex XSIAM | Interviews | 49% | 60% | 70%
C3 | Security incidents no longer requiring SOC investigation after Cortex XSIAM | C1*C2 | 1,274 | 1,560 | 1,820
C4 | Time to investigate and remediate average security incident previously (minutes) | Composite | 180 | 180 | 180
C5 | Subtotal: time saved due to fewer security incidents requiring SOC investigation (hours) | (C3*C4)/60 | 3,822 | 4,680 | 5,460
C6 | Security incidents requiring SOC investigation after Cortex XSIAM | C1-C3 | 1,326 | 1,040 | 780
C7 | Net reduction in mean time to investigate and remediate (MTTR) after Cortex XSIAM | Interviews | 60% | 72% | 85%
C8 | Time to investigate and remediate average security incident after Cortex XSIAM (minutes) | C4*(1-C7) | 72 | 50 | 27
C9 | Subtotal: time saved due to faster resolution of current security incidents (hours) | (C6*C8)/60 | 1,591 | 867 | 351
C10 | Total time savings for incident management by SecOps team (hours) | C5+C9 | 5,413 | 5,547 | 5,811
C11 | Fully burdened hourly salary for a SecOps professional (rounded) | R8/2080 | $103 | $103 | $103
Ct | Improved efficiency of case management | C10*C11 | $557,539 | $571,341 | $598,533
 | Risk adjustment | 15% | | |
Ctr | Improved efficiency of case management (risk-adjusted) | | $473,908 | $485,640 | $508,753
Three-year total: $1,468,301 | Three-year present value: $1,214,415

Feature Spotlight

How Cortex XSIAM Is Transforming The SOC

Interviewees noted that Cortex XSIAM was fundamentally reshaping how their organizations operate SOCs, addressing long-standing inefficiencies and enabling a more strategic approach to threat management. They described how the platform’s AI-powered alert correlation and analytics dramatically reduced the volume of false positives, allowing analysts to bypass manual triage and focus on meaningful threats. Unlike basic SIEM alert correlation, stitching evaluates multiple elements of each event for higher accuracy, enabling better cross-data analytics, improved detection, and faster investigations. This process automatically stitches together data, creating “causality chains” that automatically link related events, processes, files, and network connections across different security layers. Stitching allows analysts to investigate the root cause and timeline of an alert with a single click, eliminating the need for manual data correlation. In a crucial next step, SmartGrouping leverages this stitched data to extract even more artifacts and to accurately group individual alerts into meaningful, actionable cases. As a result, SOC teams are provided with a complete picture of attacks and can investigate and respond faster.

“Palo Alto [Networks] has cracked the nut on platformization — bringing together endpoint detection, automation, SIEM, and network visibility in a way that actually works.”

Director of SecOps, specialty retailer

Interviewees emphasized that Cortex XSIAM’s native automation and unified architecture streamline both triage and incident response. The platform reduces the number of uncurated incidents requiring manual investigation and shortens MTTR, with many incidents resolved or enriched before reaching an analyst. This transformation enables SOCs to operate with greater speed, precision, and resilience. Interviewees consistently described how their teams now work smarter — not harder — thanks to the platform’s ability to eliminate repetitive tasks and surface actionable intelligence.

Interestingly, the two benefits above — improved efficiency for triage and tier 1 SOC (Benefit B) and improved efficiency of case management (Benefit C) — together quantify the benefit of the transformed SOC. Taken together, the composite organization can redeploy 5.1 SOC analysts in Year 1, 5.7 in Year 2, and 6.3 in Year 3. These figures are not cumulative; they reflect a redeployment cost savings of 39% to 42%.

“With automation and AI, we can do the same work with 65 people instead of 100 — about a 30% to 35% efficiency gain in human effort.”

VP of global security, BPO enterprise

“We redeployed our entire tier 1 SOC — 25 people — because the platform does the triage and enrichment automatically.”

VP of security platform, IT services

Collectively, these improvements represent an ongoing transformation of the SOC, driven by Cortex XSIAM’s integrated capabilities and cloud-native design. XSIAM helps the SOC transition to a more proactive, intelligence-driven command center powered by AI-driven automation. Interviewees viewed this shift not as a one-time upgrade but as a continuous evolution toward a more agile, scalable, and effective security posture.

Cost Savings From Eliminating Legacy Resources

Evidence and data. Interviewees emphasized that a key driver of cost savings for their organizations in adopting the Cortex XSIAM platform was the ability to eliminate legacy and overlapping security tools. By consolidating capabilities such as SIEM, SOAR, XDR, TIP, and exposure management into a unified, cloud-native platform, Cortex XSIAM reduced the need for multiple point solutions and their associated licensing, infrastructure, and maintenance costs. Several interviewees highlighted that Cortex XSIAM’s pricing model — particularly the inclusion of ingestion from Palo Alto Networks products for minimal incremental costs — enabled them to double their data capacity while spending less than they did on legacy platforms. This consolidation not only streamlined operations but also unlocked millions in annual savings, while simplifying vendor management and improving overall security posture.

  • The VP of security platform for the IT services provider elaborated: “We replaced 200,000 [second XDR provider] licenses with roughly 430,000 Cortex XDR for a lower total cost. Our security posture greatly improved because we now have a really good next-gen XDR on everything. I’ve consolidated to a single pane of glass.”

  • The director of SecOps for the specialty retailer explained how Cortex XSIAM replaced many legacy tools: “We used to have a separate SOAR product, XOR, but now it’s just part of the platform — no need for a separate team to operate it. We’re in the process of getting rid of [alternative EDR provider], which cost us $6 to $8 million annually, because it’s now included in the Cortex platform. We didn’t have to buy a separate attack surface management product — it’s part of the platform.”

  • The VP of SecOps for the technology services provider noted the extent to which their organization was able to collapse its cybersecurity tool stack: “We consolidated 21 tools into the Cortex platform, replacing legacy vendors like [legacy XDR, AV, SOAR] and others.” They went on to say: “We identified 45 control types, and Palo Alto Networks was able to provide 21 of those. So I was able to consolidate, whereas our parent organization had 80 different tools.”

Modeling and assumptions. This benefit quantifies the two types of cost savings the composite organization realizes by deploying the Cortex XSIAM platform: 1) eliminating the licensing costs of legacy SIEM, SOAR, EDR/XDR, and ITDR/NDR tools, and 2) the IT team’s effort to maintain the integration and interoperability of the legacy tools. Based on the interviews, Forrester assumes the following about the composite organization:

  • Based on the composite size and comparable data ingestion (for the same level of visibility as Cortex XSIAM), a competitive SIEM product would cost $600,000 per year (discounted at 40% to 50%).

  • Based on the composite size, a competitive SOAR product would cost $150,000 per year (discounted at 40% to 50%).

  • Based on the pricing of $60 per endpoint, a comparable XDR/EDR product for 10,000 endpoints would cost $300,000 per year (discounted at 50%).

  • Based on competitive pricing, a combination of ITDR and NDR tooling would cost $175,000 per year (discounted at 50%).

  • For the scope of the tools outlined and for an organization with the composite’s footprint, two IT ops FTEs would need to be dedicated to supporting these tools.

  • The fully burdened annual salary for an IT ops professional working on cybersecurity tools support is $122,500.

Risks. Forrester recognizes that these financial model results may not reflect the unique experiences of organizations transitioning to Cortex XSIAM, and the following factors may impact this cost savings benefit:

  • The cost savings from the point tools listed above will depend on the size of the organization and the organization’s ability to secure favorable pricing terms.

  • Some IT ops professionals may not be suited to both supporting and providing integration services for a complex cybersecurity infrastructure.

Results. To account for these risks, Forrester adjusted this benefit downward by 15%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $3,107,322.

“Just from licensing, we’re saving about $100,000 a year — and over $1 million annually in labor costs by not needing double the staff to support the legacy tools.”

VP of SecOps, technology services

“For the same price, actually less, I’m getting 438,000 XDRs. Before, I could only afford 50,000 [alternative XDR provider] licenses and 200,000 [second XDR provider licenses].”

VP of security platform, IT services

Cost Savings From Eliminating Legacy Resources
Ref. | Metric | Source | Year 1 | Year 2 | Year 3
D1 | Cost savings from eliminating legacy SIEM tool | Composite | $600,000 | $600,000 | $600,000
D2 | Cost savings from eliminating legacy SOAR tool | Composite | $150,000 | $150,000 | $150,000
D3 | Cost savings from eliminating legacy EDR/XDR tools | Composite | $300,000 | $300,000 | $300,000
D4 | Cost savings from eliminating legacy ITDR and NDR tools | Composite | $175,000 | $175,000 | $175,000
D5 | FTE for maintaining and updating legacy tools | Interviews | 2.0 | 2.0 | 2.0
D6 | Fully burdened annual salary for an IT ops professional | R9 | $122,500 | $122,500 | $122,500
Dt | Cost savings from eliminating legacy resources | (D1+D2+D3+D4)+(D5*D6) | $1,470,000 | $1,470,000 | $1,470,000
 | Risk adjustment | 15% | | |
Dtr | Cost savings from eliminating legacy resources (risk-adjusted) | | $1,249,500 | $1,249,500 | $1,249,500
Three-year total: $3,748,500 | Three-year present value: $3,107,322

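The four benefit tables (A through D) all follow the same arithmetic: multiply the input rows, apply the 15% downward risk adjustment, sum the three years, and discount at 10% to a present value. The script below reproduces that arithmetic from the row values printed in the tables so a reader can check the figures or substitute their own alert, incident, and salary inputs. It is an added worked example, not Forrester's model or Palo Alto Networks' code; the function names, the `adjusted` dictionary key, and the intermediate rounding (hours and minutes rounded to whole numbers, as the tables show) are assumptions made here.

```python
"""Reproduce the benefit arithmetic of the TEI tables (Benefits A to D).

Added worked example: the row values are the page's own; the helper
functions and their names are assumptions, not Forrester's model code.
Each benefit is computed from its input rows, risk-adjusted downward by
15%, summed over three years, and discounted at 10% to a present value.
"""

DISCOUNT_RATE = 0.10        # Forrester's stated discount rate
RISK_ADJUSTMENT = 0.15      # every benefit in this section is adjusted down 15%
HOURS_PER_FTE_YEAR = 2080   # the tables divide annual salary by 2080 hours
YEARS = (1, 2, 3)


def risk_adjust(values, adjustment=RISK_ADJUSTMENT):
    """Apply the downward risk adjustment, rounding to whole dollars per year."""
    return [round(v * (1 - adjustment)) for v in values]


def present_value(values, rate=DISCOUNT_RATE):
    """Three-year PV of end-of-year amounts: sum of v_y / (1 + rate) ** y."""
    return round(sum(v / (1 + rate) ** y for y, v in zip(YEARS, values)))


def benefit_a():
    """Improved security posture: rows A1 to A6."""
    a1 = 3_853_000                 # cumulative breach cost (regression on revenue)
    a2 = 0.67                      # likelihood of one or more breaches
    a3 = 1.00                      # share of breaches from the listed attack vectors
    a4 = 0.80                      # share addressable with Cortex XSIAM
    a5 = a1 * a2 * a3 * a4         # annual addressable risk exposure
    a6 = [0.42, 0.51, 0.60]        # net reduction ramp toward the 60% gross figure
    at = [round(a5 * r) for r in a6]
    return {"A5": round(a5), "At": at, "adjusted": risk_adjust(at)}


def benefit_b(hourly_rate=71):
    """Improved efficiency for triage and tier 1 SOC: rows B1 to B6."""
    b1 = 52_000                            # alerts per year before (1,000 per week)
    b2 = [0.60, 0.72, 0.85]                # net reduction in alert volume
    b3 = [round(b1 * r) for r in b2]       # alerts tier 1 no longer investigates
    b4 = 10                                # minutes per alert in the prior state
    b5 = [round(n * b4 / 60) for n in b3]  # hours saved, rounded as the table does
    bt = [h * hourly_rate for h in b5]
    fte = [round(h / HOURS_PER_FTE_YEAR, 1) for h in b5]
    return {"B3": b3, "B5": b5, "Bt": bt, "adjusted": risk_adjust(bt), "FTE": fte}


def benefit_c(hourly_rate=103):
    """Improved efficiency of case management: rows C1 to C11."""
    c1 = 2_600                                   # incidents per year before (50 per week)
    c2 = [0.49, 0.60, 0.70]                      # net reduction in incident volume
    c3 = [round(c1 * r) for r in c2]             # incidents no longer investigated
    c4 = 180                                     # minutes per incident before
    c5 = [round(n * c4 / 60) for n in c3]        # hours saved from fewer incidents
    c6 = [c1 - n for n in c3]                    # incidents still investigated
    c7 = [0.60, 0.72, 0.85]                      # net MTTR reduction on those
    c8 = [round(c4 * (1 - r)) for r in c7]       # minutes per remaining incident
    c9 = [round(n * m / 60) for n, m in zip(c6, c8)]  # hours saved from faster MTTR
    c10 = [x + y for x, y in zip(c5, c9)]
    ct = [h * hourly_rate for h in c10]
    fte = [round(h / HOURS_PER_FTE_YEAR, 1) for h in c10]
    return {"C5": c5, "C8": c8, "C9": c9, "C10": c10, "Ct": ct,
            "adjusted": risk_adjust(ct), "FTE": fte}


def benefit_d():
    """Cost savings from eliminating legacy resources: rows D1 to D6."""
    licences = 600_000 + 150_000 + 300_000 + 175_000   # SIEM, SOAR, EDR/XDR, ITDR+NDR
    labour = 2.0 * 122_500                              # two IT ops FTEs
    dt = [round(licences + labour)] * 3
    return {"Dt": dt, "adjusted": risk_adjust(dt)}


def three_year_summary():
    """Three-year total and PV of each risk-adjusted benefit, as the tables report."""
    summary = {}
    for name, fn in (("A", benefit_a), ("B", benefit_b), ("C", benefit_c), ("D", benefit_d)):
        adjusted = fn()["adjusted"]
        summary[name] = {"total": sum(adjusted), "pv": present_value(adjusted)}
    return summary


if __name__ == "__main__":
    for name, row in three_year_summary().items():
        print(f"Benefit {name}: total ${row['total']:,}  PV ${row['pv']:,}")
```

Because the tables round hours (B5, C5, C9) and minutes (C8) before multiplying, the script rounds at the same points; the present values it produces land within a dollar or two of the printed figures, which is the rounding noise one would expect from a spreadsheet model.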
Unquantified Benefits

Interviewees mentioned the following additional benefits that their organizations experienced but were not able to quantify:

  • Scaling for growth. Interviewees noted Cortex XSIAM’s ability to scale with their business — more locations, more endpoints, more workloads, etc. They saw the cloud-native design of Cortex XSIAM enabling seamless scaling across global operations without the logistical challenges of hardware deployment, and that the platform would not become a bottleneck as their organizations grew, organically and inorganically. The VP of global security for the BPO enterprise said: “We doubled our company size and deployed XSIAM in 45 days with just three to four FTEs. That’s the power of cloud.”

  • Improved visibility and contextual awareness. Benefit A quantifies the improved security posture for the composite organization based on probabilities and regression analysis of the financial impact of breaches. Interviewees consistently described how Cortex XSIAM improved their organization’s visibility without being able to quantify it or having a convenient metric to communicate the impact. They stated that the platform provided deeper visibility into the environment, enabling better detection and understanding of threats based on the unified data built on Cortex XDL and AI-driven incident enrichment. Interviewees noted improved telemetry and contextual data that enhanced decision-making. The director of SecOps for the specialty retailer said: “We see more traffic, more context, and more actionable insights. It’s the next layer of visibility we needed.”

  • Improved job satisfaction for the cybersecurity team. Interviewees noted how Cortex XSIAM significantly reduced the time and effort required for analysts to investigate and respond to incidents. The automated grouping of alerts into curated cases and enriched context allowed analysts to focus on meaningful work rather than repetitive tasks, leading to reduced burnout, improved job satisfaction, and better retention. The VP of security platform for the IT services provider said: “Before, an analyst would spend hours gathering logs and correlating data. Now XSIAM does all that before they even open the ticket. We call it ‘mean time to meaningful work.’”

  • Solid customer support and engineering collaboration. Interviewees whose organizations were early adopters highlighted the responsiveness and technical depth of Palo Alto Networks’ engineering teams, especially during deployment and for customization endeavors. For these customers, direct access to R&D teams and rapid iteration were key differentiators. The VP of global security for the BPO enterprise said: “We had direct access to their [geographic] engineering team. They listened, adapted, and got us to parity in five months.” In a similar vein, the VP of SecOps for the technology services provider stated, “The platform works, support is solid, and we’ve removed overlapping vendors with their own pricing and subscription models.”

“We eliminated tier 1 roles and redeployed analysts to threat hunting and intelligence. It’s more engaging and sustainable.”

Director of SecOps, specialty retailer

Flexibility

The value of flexibility is unique to each customer. There are multiple scenarios in which a customer might implement Cortex XSIAM and later realize additional uses and business opportunities, including:

  • Adaptable workforce enablement. Interviewees noted that Cortex XSIAM transformed the SOC, as noted in the Feature Spotlight, above. In that same vein, they observed that the platform’s intuitive interface and automation capabilities allow earlier-career analysts to be productive quickly, reducing reliance on hard-to-find power users. This flexibility in workforce deployment supports long-term scalability and resilience. The director of SecOps for the specialty retailer said: “We needed a platform that everybody could use — not just the 10% power users. With XSIAM, we’ve been able to leverage early-career folks and redeploy senior analysts to more strategic work.”

  • Rapid integration and deployment across diverse environments. Several interviewees mentioned that Cortex XSIAM’s modular architecture and prebuilt integrations enabled faster deployment across varied IT environments. Organizations were able to integrate newly acquired companies or migrate from legacy systems with minimal disruption and effort.

  • Flexible data ingestion model. Interviewees noted that unlike legacy SIEMs that charge based on events per second (EPS), Cortex XSIAM uses a gigabytes-per-day model. This allows organizations to ingest more data without worrying about cost spikes, enabling broader visibility and richer telemetry for threat detection and analysis. The VP of global security for the BPO enterprise said: “You don’t even think about it. You just pump the data — terabytes or petabytes per day — and start seeing more visibility, more enrichment, more telemetry.”

Flexibility would also be quantified when evaluated as part of a specific project (described in more detail in Total Economic Impact Approach).

“We had a six-month POC with full production load. When we signed the deal, we just flipped it into production. It was seamless.”

VP of security platform, IT services

Analysis Of Costs

Quantified cost data as applied to the composite

Total Costs
Ref. | Cost | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value
Etr | Cortex XSIAM configuration costs | $0 | $705,600 | $705,600 | $705,600 | $2,116,800 | $1,754,723
Ftr | Initial costs: platform deployment | $218,625 | $0 | $0 | $0 | $218,625 | $218,625
Gtr | Ongoing costs: platform maintenance | $0 | $77,438 | $77,438 | $77,438 | $232,313 | $192,576
 | Total costs (risk-adjusted) | $218,625 | $783,038 | $783,038 | $783,038 | $2,567,738 | $2,165,924

Cortex XSIAM Configuration Costs

Evidence and data. Interviewees noted that their organization’s Cortex XSIAM subscription costs were primarily based on the volume of data ingestion and the number of endpoints covered (by the XDR capability).

  • Data ingestion capacity clearly defines the level of security coverage. The “interviews” table in the Customer Journey section provides approximations of what data capacity was licensed by the four interviewed organizations.

  • Endpoints are not simply laptops but can also include servers, virtual machines, and other devices.

  • Pricing is also affected by the amount of hot data (under 12 months), and cold data (more than 12 months).

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

  • The composite organization licenses the core Cortex XSIAM suite: SIEM, SOAR, EDR/XDR, ASM, ITDR, and NDR.

  • The composite licenses 10,000 endpoints for Cortex XDR, which happens to coincide with the number of employees.

  • The composite purchases 1.7 TB of data ingestion. A combination of hot and cold storage is factored into the pricing.

  • The pricing in row E1 reflects a meaningful discount, which is considered nominal for an organization of the composite’s size.

  • Pricing will vary. Contact Palo Alto Networks for additional details.

Risks. The risks that can potentially impact configuration costs include potential add-ons, larger configurations, more data ingestion, the mix of hot and cold data, and professional services that could increase the solution cost.

Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $1,754,723.

“We were looking at 40 terabytes a day. With Cortex XSIAM, we doubled our ingest capacity and still paid less than we were with [our legacy SIEM vendor].”

VP of security platform, IT services

Cortex XSIAM Configuration Costs
Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3
E1 | Licensing and data ingestion costs | Composite | | $672,000 | $672,000 | $672,000
Et | Cortex XSIAM configuration costs | E1 | $0 | $672,000 | $672,000 | $672,000
 | Risk adjustment | 5% | | | |
Etr | Cortex XSIAM configuration costs (risk-adjusted) | | $0 | $705,600 | $705,600 | $705,600
Three-year total: $2,116,800 | Three-year present value: $1,754,723

Initial Costs: Platform Deployment

Evidence and data. Interviewees noted that deploying Cortex XSIAM represented an investment of time and resources. However, they consistently described the process as smoother than expected — thanks to the platform’s cloud-native architecture, modular design, and support from Palo Alto Networks’ professional services. Whether transitioning from legacy SIEMs or integrating newly acquired entities, interviewees found that Cortex XSIAM’s prebuilt integrations, scalable infrastructure, and automation capabilities reduced complexity and accelerated time to value. Most deployments ran in coexistence with legacy tooling until acceptance criteria were met. Teams used phased cutover by data source or use case, maintained rollback plans, and leveraged automated health checks. Interviewees reported that this approach reduced change-management risk and limited unplanned downtime during the transition.

Many interviewees leveraged Palo Alto Networks’ engineering and professional services teams to assist with correlation rule creation and configuration, enabling them to meet aggressive deployment timelines with relatively small internal teams.7 This combination of technical flexibility and expert support helped mitigate the upfront effort typically associated with complex cybersecurity platform deployments.

  • The VP of global security for the BPO enterprise stated: “When we acquired a company with 150,000 people, we deployed Cortex XSIAM in just 45 days using only three to four FTEs. That was possible because it’s cloud-based — just deploy a connector and start pumping logs.”

  • In terms of the deployment effort, the director of SecOps for the specialty retailer explained: “We had about four engineers on the SIEM and four on the SOAR side, but it wasn’t their only job. The full migration took around two months, and the biggest challenge was change management — getting people to think in terms of outcomes rather than steps.”

  • The VP of SecOps for the technology services provider stated: “It took two full-time people about four months to roll out Cortex. We ran it side by side with our legacy tools to ensure no gaps, and the actual deployment was technically easy — most of the effort was in coordination and communication.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

  • Three IT admin FTEs spend 100% of their time for two months on deployment.

  • The fully burdened annual salary for a tier 1 SecOps professional needed to deploy Cortex XSIAM is $147,500.

  • The composite incurs a one-time implementation cost of $125,000, which comprises professional services fees paid to Palo Alto Networks for end-to-end deployment, including assistance with correlation rules and related configuration.

Risks. The following risks can potentially impact the cost of deploying Cortex XSIAM:

  • The size of the organization and its specific configuration of the Cortex XSIAM platform, including add-on options.

  • The relative expertise of the organization’s cybersecurity team.

Results. To account for these risks, Forrester adjusted this cost upward by 10%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $218,625.

“We had it fully deployed in four months with six full-time equivalents, plus one more for network engineering. We also paid for professional services to build 110 correlation rules. Palo Alto [Networks] did about 75% of those.”

VP of security platform, IT services

Initial Costs: Platform Deployment

| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| F1 | Internal FTE effort for initial deployment of Cortex XSIAM | Interviews | 0.5 | | | |
| F2 | Fully burdened annual salary for a tier 1 SecOps professional | R7 | $147,500 | | | |
| F3 | Professional services for implementation from Palo Alto Networks | Interviews | $125,000 | | | |
| Ft | Initial costs: platform deployment | (F1*F2)+F3 | $198,750 | $0 | $0 | $0 |
| | Risk adjustment | ↑10% | | | | |
| Ftr | Initial costs: platform deployment (risk-adjusted) | | $218,625 | $0 | $0 | $0 |

Three-year total: $218,625
Three-year present value: $218,625

Ongoing Costs: Platform Maintenance

Evidence and data. While ongoing maintenance is a necessary cost for any cybersecurity platform, interviewees found Cortex XSIAM to be relatively low-effort to sustain, thanks to its cloud-native delivery model, automated updates, and integrated architecture. Unlike legacy systems that required constant hardware monitoring or manual patching, Cortex XSIAM’s SaaS-based infrastructure eliminated the need for upkeep of physical components and reduced the burden of system administration. Interviewees noted that most of their organizations’ maintenance effort centered on tuning automations, refining correlation rules, and enhancing playbooks — activities that directly contribute to improved security outcomes. This shift from reactive maintenance to proactive optimization has enabled teams to reallocate skilled resources toward more challenging and meaningful tasks.

  • Asked to estimate the average regulatory fine avoided by being security compliant, the director of SecOps for the specialty retailer stated: “I would say definitely $5 million at least. That’s a fair assessment based on the revenue and the kinds of fines I’ve seen in the past. Regulators extrapolate the impact over time and fine accordingly.”

  • The VP of SecOps for the technology services provider noted: “Ongoing maintenance is about 10% to 15% of effort across the suite. We’re leaning forward — less time spent keeping things running, more time spent optimizing.”

  • The VP of security platform for the IT services provider observed: “We keep six full-time people for platform maintenance, but that includes XOR too. Most of the effort is tuning automations and correlations — the platform itself is very stable.”

  • The VP of global security for the BPO enterprise stated: “We don’t worry about uptime — it’s a SaaS solution. The same 4 to 5 people who used to manage hardware are now focused on automation and faster remediation.”

Modeling and assumptions. Based on the interviews, Forrester assumes the following about the composite organization:

  • Two tier 1 SecOps professionals spend 25% of their time for ongoing maintenance.

  • The fully burdened annual salary for a tier 1 SecOps professional is $147,500.

Risks. The risk that can potentially impact incremental training and ongoing maintenance costs is the level of support needed by end users, including additional correlation rules and playbooks.

Results. To account for these risks, Forrester adjusted this cost upward by 5%, yielding a three-year, risk-adjusted total PV (discounted at 10%) of $192,576.

Ongoing Costs: Platform Maintenance

| Ref. | Metric | Source | Initial | Year 1 | Year 2 | Year 3 |
|---|---|---|---|---|---|---|
| G1 | Internal FTE effort for ongoing maintenance only | Interviews | - | 0.5 | 0.5 | 0.5 |
| G2 | Fully burdened annual salary for a tier 1 SecOps professional | R7 | - | $147,500 | $147,500 | $147,500 |
| Gt | Ongoing costs: platform maintenance | G1*G2 | $0 | $73,750 | $73,750 | $73,750 |
| | Risk adjustment | ↑5% | | | | |
| Gtr | Ongoing costs: platform maintenance (risk-adjusted) | | $0 | $77,438 | $77,438 | $77,438 |

Three-year total: $232,313
Three-year present value: $192,576

Financial Summary

Consolidated Three-Year, Risk-Adjusted Metrics

Cash Flow Chart (Risk-Adjusted)

[Chart: total costs, total benefits, and cumulative net benefits by period (Initial, Year 1, Year 2, Year 3); values are those in the table below.]

Cash Flow Analysis (Risk-Adjusted)

| | Initial | Year 1 | Year 2 | Year 3 | Total | Present Value |
|---|---|---|---|---|---|---|
| Total costs | ($218,625) | ($783,038) | ($783,038) | ($783,038) | ($2,567,738) | ($2,165,924) |
| Total benefits | $0 | $2,774,507 | $3,006,991 | $3,256,108 | $9,037,606 | $7,453,759 |
| Net benefits | ($218,625) | $1,991,470 | $2,223,954 | $2,473,070 | $6,469,869 | $5,287,835 |
| ROI | | | | | | 244% |
| Payback | | | | | | <6 months |

Please Note

The financial results calculated in the Benefits and Costs sections can be used to determine the ROI, NPV, and payback period for the composite organization’s investment. Forrester assumes a yearly discount rate of 10% for this analysis.

These risk-adjusted ROI, NPV, and payback period values are determined by applying risk-adjustment factors to the unadjusted results in each Benefit and Cost section.

The initial investment column contains costs incurred at “time 0” or at the beginning of Year 1 that are not discounted. All other cash flows are discounted using the discount rate at the end of the year. PV calculations are calculated for each total cost and benefit estimate. NPV calculations in the summary tables are the sum of the initial investment and the discounted cash flows in each year. Sums and present value calculations of the Total Benefits, Total Costs, and Cash Flow tables may not exactly add up, as some rounding may occur.
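The following Python script is an added worked example, not part of the Forrester study, that reproduces the figures in the Cash Flow Analysis table from the conventions this note states: a 10% yearly discount rate, an undiscounted Initial column, end-of-year discounting for Years 1 to 3, and a multiplicative risk-adjustment factor applied before discounting. The cash-flow values are copied from the risk-adjusted tables above. The study reports payback only as "<6 months"; expressing it in months by assuming net benefit accrues evenly within a year is an assumption of this example.

```python
"""Reproduce the study's risk-adjusted cash-flow metrics (added example)."""

DISCOUNT_RATE = 0.10  # yearly discount rate stated in the study

# Risk-adjusted cash flows copied from the Cash Flow Analysis table:
# index 0 is the Initial (time 0) column, indices 1..3 are Years 1..3.
TOTAL_COSTS = [218_625, 783_038, 783_038, 783_038]
TOTAL_BENEFITS = [0, 2_774_507, 3_006_991, 3_256_108]


def risk_adjust(value, pct):
    """Apply a risk-adjustment factor, e.g. +5% -> value * 1.05."""
    return value * (1 + pct)


def present_value(cash_flows, rate=DISCOUNT_RATE):
    """Sum of discounted cash flows. The Initial column (n = 0) is not
    discounted; Year n is discounted at the end of the year by (1+rate)^n."""
    return sum(cf / (1 + rate) ** n for n, cf in enumerate(cash_flows))


def net_present_value(costs, benefits, rate=DISCOUNT_RATE):
    """NPV = PV of benefits minus PV of costs (Initial column included)."""
    return present_value(benefits, rate) - present_value(costs, rate)


def roi(costs, benefits, rate=DISCOUNT_RATE):
    """ROI = (PV of benefits - PV of costs) / PV of costs."""
    cost_pv = present_value(costs, rate)
    return (present_value(benefits, rate) - cost_pv) / cost_pv


def payback_months(costs, benefits):
    """Months until cumulative (undiscounted) net benefit first reaches zero.
    Assumption (not from the study): net benefit accrues evenly within a year,
    so breakeven inside a year is found by linear interpolation.
    Returns None if the investment never pays back within the horizon."""
    cumulative = benefits[0] - costs[0]
    if cumulative >= 0:
        return 0.0
    for year in range(1, len(costs)):
        net = benefits[year] - costs[year]
        if net > 0 and cumulative + net >= 0:
            return (year - 1) * 12 + 12 * (-cumulative / net)
        cumulative += net
    return None


def cost_table_pv(unadjusted_yearly, risk_pct, years=3):
    """PV of an ongoing cost line that starts in Year 1, e.g. the $672,000
    licensing cost risk-adjusted upward by 5% (table row Etr)."""
    adjusted = risk_adjust(unadjusted_yearly, risk_pct)
    return present_value([0] + [adjusted] * years)


if __name__ == "__main__":
    print(f"Licensing PV (Etr): ${cost_table_pv(672_000, 0.05):,.0f}")
    print(f"Maintenance PV (Gtr): ${cost_table_pv(73_750, 0.05):,.0f}")
    print(f"Total costs PV: ${present_value(TOTAL_COSTS):,.0f}")
    print(f"Total benefits PV: ${present_value(TOTAL_BENEFITS):,.0f}")
    print(f"NPV: ${net_present_value(TOTAL_COSTS, TOTAL_BENEFITS):,.0f}")
    print(f"ROI: {roi(TOTAL_COSTS, TOTAL_BENEFITS):.0%}")
    print(f"Payback: {payback_months(TOTAL_COSTS, TOTAL_BENEFITS):.1f} months")
```

Running the script recovers the table's present values to within a few dollars of rounding, which is the "may not exactly add up" effect the note describes; the only material deviation a reader would see is if the rounded Year 1 to Year 3 values were discounted with a different convention (for example, mid-year discounting), which the study does not use.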

From the information provided in the interviews, Forrester constructed a Total Economic Impact™ framework for those organizations considering an investment in Cortex XSIAM.

The objective of the framework is to identify the cost, benefit, flexibility, and risk factors that affect the investment decision. Forrester took a multistep approach to evaluate the impact that Cortex XSIAM can have on an organization.

Due Diligence

Interviewed Palo Alto Networks stakeholders and Forrester analysts to gather data relative to Cortex XSIAM.

Interviews

Interviewed four decision-makers at organizations using Cortex XSIAM to obtain data about costs, benefits, and risks.

Composite Organization

Designed a composite organization based on characteristics of the interviewees’ organizations.

Financial Model Framework

Constructed a financial model representative of the interviews using the TEI methodology and risk-adjusted the financial model based on issues and concerns of the interviewees.

Case Study

Employed four fundamental elements of TEI in modeling the investment impact: benefits, costs, flexibility, and risks. Given the increasing sophistication of ROI analyses related to IT investments, Forrester’s TEI methodology provides a complete picture of the total economic impact of purchase decisions. Please see Appendix A for additional information on the TEI methodology.

Total Economic Impact Approach
Benefits

Benefits represent the value the solution delivers to the business. The TEI methodology places equal weight on the measure of benefits and costs, allowing for a full examination of the solution’s effect on the entire organization.

Costs

Costs comprise all expenses necessary to deliver the proposed value, or benefits, of the solution. The methodology captures implementation and ongoing costs associated with the solution.

Flexibility

Flexibility represents the strategic value that can be obtained for some future additional investment building on top of the initial investment already made. The ability to capture that benefit has a PV that can be estimated.

Risks

Risks measure the uncertainty of benefit and cost estimates given: 1) the likelihood that estimates will meet original projections and 2) the likelihood that estimates will be tracked over time. TEI risk factors are based on “triangular distribution.”

Financial Terminology
Present value (PV)

The present or current value of (discounted) cost and benefit estimates given at an interest rate (the discount rate). The PV of costs and benefits feeds into the total NPV of cash flows.

Net present value (NPV)

The present or current value of (discounted) future net cash flows given an interest rate (the discount rate). A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.

Return on investment (ROI)

A project’s expected return in percentage terms. ROI is calculated by dividing net benefits (benefits less costs) by costs.

Discount rate

The interest rate used in cash flow analysis to take into account the time value of money. Organizations typically use discount rates between 8% and 16%.

Payback

The breakeven point for an investment. This is the point in time at which net benefits (benefits minus costs) equal initial investment or cost.

Appendix A

Total Economic Impact

Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.

Appendix B

Endnotes

1 Source: The Security Analytics Platforms Landscape, Q4 2024, Forrester Research, Inc., December 12, 2024; The Operational Technology Security Solutions Landscape, Q1 2024, Forrester Research, Inc., February 6, 2024; The Extended Detection And Response Platforms Landscape, Q4 2023, Forrester Research, Inc., November 22, 2023; The State Of Threat Intelligence, Forrester Research, Inc., April 13, 2023.

2 Total Economic Impact is a methodology developed by Forrester Research that enhances a company’s technology decision-making processes and assists solution providers in communicating their value proposition to clients. The TEI methodology helps companies demonstrate, justify, and realize the tangible value of business and technology initiatives to both senior management and other key stakeholders.

3 Source: NIST Computer Security Resource Center; Glossary, NIST.

4 Source: Forrester’s Security Survey, 2024. Respondents were asked, “Using your best estimate, what was the total cumulative cost of all breaches experienced by your organization in the past 12 months?” Base: 1,660 global security decision-makers who have experienced a breach in the past 12 months.

5 Source: Forrester’s Security Survey, 2024. Respondents were asked, “How many times do you estimate that your organization’s sensitive data was potentially compromised or breached in the past 12 months?” Base: 2,769 global security decision-makers.

6 Source: Forrester’s Security Survey, 2024. Respondents were asked, “Of the times that your organization’s sensitive data was potentially compromised or breached in the past 12 months, please indicate how many of each fall into the categories below.” Base: 1,542 global security decision-makers who have experienced a breach in the past 12 months.

7 Cortex XSIAM provides over 10,000 detections and 2,600 ML models, replacing up to 70% of the composite organization’s previous correlation rules. AI-assisted migration helps convert existing rules to Cortex XSIAM correlation rules, and over 1,000 out-of-the-box playbooks speed up configuration of workflows.

Disclosures

Readers should be aware of the following:

This study is commissioned by Palo Alto Networks and delivered by Forrester Consulting. It is not meant to be used as a competitive analysis.

Forrester makes no assumptions as to the potential ROI that other organizations will receive. Forrester strongly advises that readers use their own estimates within the framework provided in the study to determine the appropriateness of an investment in Cortex XSIAM. For any interactive functionality, the intent is for the questions to solicit inputs specific to a prospect’s business. Forrester believes that this analysis is representative of what companies may achieve with Cortex XSIAM based on the inputs provided and any assumptions made. Forrester does not endorse Palo Alto Networks or its offerings. Although great care has been taken to ensure the accuracy and completeness of this model, Palo Alto Networks and Forrester Research are unable to accept any legal responsibility for any actions taken on the basis of the information contained herein. The interactive tool is provided ‘AS IS,’ and Forrester and Palo Alto Networks make no warranties of any kind.

Palo Alto Networks reviewed and provided feedback to Forrester, but Forrester maintains editorial control over the study and its findings and does not accept changes to the study that contradict Forrester’s findings or obscure the meaning of the study.

Palo Alto Networks provided the customer names for the interviews but did not participate in the interviews.

Consulting Team:

Erach Desai

Published

September 2025