Palo Alto Networks Unit 42
World-class threat intelligence and MDR backed by the Cortex XDR/XSIAM platform
- Service
- MDR
- Response
- Contain threats
Best for
Large enterprise organizations
Usually replaces
Internal incident response team
Check first
Premium pricing positions the service beyond the reach of most SMBs
Coverage
Covers
- Unit 42 threat intelligence from 200+ elite researchers and analysts
- Cortex XSIAM AI-driven SOC platform combining SIEM, SOAR, ASM, and XDR
- Proactive threat hunting powered by frontline incident response insights
Pros and limits
Works well
- Unrivaled threat intelligence from one of the most prolific security research teams in the industry
- Tight native integration between MDR service and Cortex XDR/XSIAM platform eliminates tool sprawl
- FedRAMP High authorized platform — one of only a few AI-driven SOC platforms with this certification
Watch out for
- Strongest value when fully committed to the Palo Alto Networks ecosystem
- Standard MDR remediation is limited to agent-level actions; deeper response may require paid IR hours
- Ad-hoc request flexibility has been noted as limited by some customers
Pricing
- Starting price: ~$80/endpoint/year (Cortex XDR Pro)
- Billing model: Per-endpoint, Tiered, Custom
- Minimum contract: 12 months
- Proof of concept: Available
- Onboarding: 14-30 days
Requires Cortex XDR or XSIAM platform license; Unit 42 MDR is an add-on service with custom pricing based on environment scope
Connects with
- SIEM: Cortex XSIAM (proprietary)
- EDR / Endpoint: Cortex XDR Pro (native)
- Cloud: AWS, Azure, GCP
- Other: Prisma Cloud, Palo Alto NGFW, Cortex XSOAR, ServiceNow, Splunk
Questions
What is the difference between Unit 42 MDR and Cortex XDR?
Cortex XDR is Palo Alto Networks' detection and response platform — the technology layer that collects and correlates telemetry from endpoints, network, cloud, and identity sources. Unit 42 MDR is the managed service layer on top of Cortex XDR, where Palo Alto's elite analysts monitor, hunt, investigate, and respond to threats 24/7 on behalf of the customer.
Does Unit 42 offer incident response beyond MDR?
Yes. Unit 42 provides standalone incident response retainer services separate from MDR. Their IR team handles over 750 major cyber incidents per year and is an approved provider for more than 70 cyber insurance carriers. IR retainer clients get priority access to Unit 42 responders during a breach.
What is Cortex XSIAM and how does it relate to Unit 42 MDR?
Cortex XSIAM (Extended Security Intelligence and Automation Management) is Palo Alto Networks' AI-driven SOC platform that unifies SIEM, SOAR, ASM, and XDR into a single solution. Unit 42 Managed XSIAM is the fully managed version of this platform, where Unit 42 analysts operate XSIAM on the customer's behalf, providing an end-to-end managed SOC experience.