A Look at the AI-driven Breakthroughs, Milestones, and Customer Success That Reshaped Security Operations in 2025
Agentic AI has rewritten the laws of attack and defense. Adversaries now automate reconnaissance, invent exploits on demand, and execute full campaigns at speeds up to 100× faster than before.
Traditional SOCs weren’t built for this. Siloed tools force analysts to hop between consoles, chase context in spreadsheets, and respond through ticket queues, slowing response to a crawl. The SOC needed a new playbook to outpace AI-fueled threats, and in 2025, Cortex XSIAM® delivered it.
This was the year customers saw the promise of the autonomous SOC turned into reality. Agentic AI and automation delivered a step-change in SecOps efficiency. Customers moved beyond manual processes to a model where investigations unfold automatically, analysts move at machine speed, and AI guides response with human oversight for sensitive actions. The results speak for themselves, demonstrated by superior customer outcomes, analyst validation and defining moments at every turn.

Customers Embrace AI-Driven Security Operations
This was the year customers fundamentally transformed how their SOCs operate. Instead of stitching together tools and managing manual workflows, they unified their security operations around Cortex XSIAM, moving all security data into an AI-ready, extensible data foundation designed for autonomy at scale.
With their data finally unified, customers could drive faster, more efficient detection, investigation, and response with agentic AI and automation, slashing MTTR. Operational overhead dropped as the SOC shifted from repetitive work to streamlined, machine-led operations.
The impact was measurable and immediate. According to a Forrester Total Economic Impact™ study, Cortex XSIAM customers achieve a 257% ROI, a sub–six-month payback, and 73% cost savings compared to traditional approaches. That transformative power is why Cortex XSIAM became the fastest-growing product in Palo Alto Networks history, surpassing $1B in cumulative bookings in 2025.
Customer Perspectives from the Forrester TEI:
“We saved a couple million dollars a year on tooling right off the bat, which the CFO loved. Plus, we’ve been able to leverage early-career talent instead of hiring $250K experts — that’s just not sustainable.” —DIRECTOR OF SECOPS, SPECIALTY RETAILER
“The ROI is very visible. The board sees metrics like mean time to detect and remediate, and they understand how much faster and more effective we’ve become.” —VP OF GLOBAL SECURITY, BPO ENTERPRISE
“I think Palo Alto Networks does have the Holy Grail right now [with Cortex XSIAM]. I didn’t find anything better when we were looking — and it works. That’s the key.” —VP OF SECOPS, TECHNOLOGY SERVICES
Empowering Customers Through Relentless Innovation
To keep pace with AI-fueled threats, customers needed a faster, more efficient way to operate their SOCs. Building the autonomous SOC meant giving teams the ability to move at machine speed while staying firmly in control. This year, customers achieved that capability.
In February, customers gained end-to-end protection from code to cloud to SOC with the introduction of Cortex Cloud, which brought cloud detection and response, cloud posture, and XSIAM together in one platform. Two months later, Cortex XSIAM 3.0 introduced the industry’s first AI-driven SOC platform spanning proactive and reactive security, replacing legacy approaches to vulnerability management and email security with industry-leading AI and automation.

Introduced in October, Cortex AgentiX laid the foundation for the autonomous SOC. AgentiX allows customers to build, deploy, and govern the agentic workforce of the future to solve virtually any security or IT challenge. AgentiX technology is embedded natively in Cortex XSIAM, trained on over 1.2 billion real-world playbook executions and backed by a decade of security automation leadership. Powered by this rich data and expertise, agents can plan, reason, and execute complex solutions like a human expert, but at machine speed.

Before they can transform their security operations, customers first need the platform deployed and operational. New AI-powered deployment tools introduced in 2025, developed and managed by the Palo Alto Networks Professional Services team, let customers do exactly that in record time. These tools help teams migrate faster, replace legacy SIEMs with less disruption, and achieve measurable detection, investigation, and response outcomes in 90 days or less.
Results Customers Can Trust, Backed by Independent Validation
Industry analysts have reinforced what customers already know: Cortex XSIAM is redefining the SOC. Over the past 15 months, firms including GigaOm, CRN, Frost & Sullivan, and Omdia recognized Cortex XSIAM as a leader for the capabilities customers rely on to operate AI-driven security operations with confidence.
That same customer-proven execution earned Cortex XSIAM a strong debut in the Gartner SIEM Magic Quadrant, reflecting its ability to deliver results in real-world environments. Because the platform unifies XDR, SOAR, agentic AI, attack surface management, and more, customers are able to simplify operations, reduce tool sprawl, and move beyond traditional SIEM limitations.
Customers benefit from this consistency across the platform. Core capabilities within Cortex XSIAM—including endpoint protection, extended detection and response, security orchestration, and attack surface management—have been repeatedly recognized by analysts. Gartner has named Cortex XDR® a Leader in the Magic Quadrant for EPP for three years running, with Forrester, KuppingerCole, and GigaOm likewise recognizing Cortex XDR, Cortex XSOAR® and Cortex Attack Surface Management as leaders in their respective categories.

Independent security tests also delivered exceptional results: 100% technique-level detection in MITRE ATT&CK Round 6, an AAA rating and 100% ransomware prevention from SE Labs, and the highest combined prevention and response scores in AV-Comparatives’ EPR tests. Together, these outcomes demonstrate that Cortex XSIAM, with embedded XDR, stops the most advanced threats.
Key Milestones
In 2025, customers operated their SOCs at a new level of scale and efficiency. The milestones below reflect how customers unified all their security data for unbounded visibility, automated routine work, and used AI-driven workflows to orchestrate across their ecosystem, reduce manual effort and accelerate response.
- 15PB/day data ingestion
- 1.2B+ playbook executions
- 10,000+ detectors and 2,600+ ML models
- 1,000+ integrations
- FedRAMP High authorization
Customers are seeing measurable results. Hear from the Green Bay Packers.
Experience Cortex XSIAM for Yourself and Unlock the Autonomous SOC
Customers use Cortex XSIAM to transform their SOC and reduce operational friction as they move toward autonomy. Explore how it works and request a demo.
2025 was an extraordinary year. We can’t wait to see what 2026 brings.