What’s New in Cortex (May ‘26)

May 19, 2026

Autonomous Security Operations Brings Major Enhancements Including New Identity and Privilege-based SOC Response Capabilities Across the Cortex Platform

The latest Cortex portfolio release introduces a suite of new features and enhancements designed to streamline workflows, bolster security, and provide deeper insights than ever before. From revolutionary AI-driven analysis to seamless cross-platform integrations, the Cortex Portfolio May 2026 release is all about making your operations smarter and more efficient.

Cortex XSIAM 3.5: Stopping AI Threats with an Agentic SOC

Cortex XSIAM 3.5 takes security operations another step toward autonomy. This release moves detection and response closer to prevention with proactive AI agents, stronger governance controls, and new Idira integration for privilege-aware response.

Streamlining SOC Analyst Workflows

What if your SOC could stop known threats without waiting for analysts? New Autonomous Playbooks automatically analyze and remediate Cortex Analytics’ alerts with the precision of a seasoned SOC analyst. These fully managed workflows allow teams to respond in real time while eliminating the burden of building, tuning, and maintaining custom playbooks.

Deploy instant-on expert automation without custom engineering with the new Autonomous Playbooks capability

Modern SOCs need AI that acts, not just waits for instructions. With Agentic Response, you can automatically trigger AI agents to investigate and respond to threats using automation rules. Your AI agents can build multi-step investigation plans, analyze novel threats, and take response actions in real time. Built-in human-in-the-loop approvals for sensitive actions ensure your team always stays in control.

Enhanced XQL helps you uncover patterns and anomalies faster while reducing the repetitive work that slows investigations down. More than 30 new mathematical functions enable deeper real-time analysis, helping analysts baseline behavior and identify outliers. Autosave and personalized views preserve analyst workflows, settings, and in-progress investigations so your team can pick up exactly where they left off without constantly rebuilding queries.

To improve visibility during investigations, a new Case Timeline View automatically captures attack activity, analyst actions, evidence, attachments, and XQL results in a centralized workspace. This helps teams maintain context throughout the investigation lifecycle while reducing manual documentation and simplifying collaboration.

New Case Timeline View provides a high-velocity, automated workspace

Natural Language Visualization lets your analysts turn simple prompts into charts and build custom widgets in seconds. By eliminating manual queries and coding, security teams can quickly make sense of massive volumes of data, helping analysts spot patterns faster and accelerate decision making across the SOC.

New Natural Language Visualization reveals trends and insights instantly.

Strengthening Identity and Access Control Across the SOC

Security teams often need to contain threats without broadly disrupting users or business operations. Cortex XSIAM now introduces more precise, identity-aware response capabilities designed to help SOC teams isolate threats while minimizing operational impact. New integration with Idira Endpoint Privilege Manager through the Cortex Marketplace allows organizations to validate identities and dynamically restrict privileges in real time during an incident, helping teams disrupt attacks earlier in the kill chain.

Cortex XSIAM also introduces Granular Per-Object Access controls, allowing administrators to define specific permissions for user groups across assets such as playbooks, scripts, saved queries, and report templates. These controls help organizations enforce least-privilege access across the SOC while improving governance and reducing unnecessary exposure to sensitive workflows and data.

Enhanced Application Log (EAL) ingestion is now available at no additional charge, reducing the cost of ingesting Palo Alto Networks NGFW and Prisma SASE data into Cortex XSIAM by an estimated 10–15%. EAL delivers deep application-layer telemetry, including DNS queries, HTTP user agent details, and DHCP information. It enables detections that are impossible with traditional traffic logs alone, such as insider threats, brute force attacks, command-and-control activity, and exfiltration.

With the exception of Autonomous Playbooks, the capabilities highlighted in Cortex XSIAM 3.5 are also available across Cortex XDR, Cortex Cloud, and Cortex AgentiX. EAL ingestion is only applicable to Cortex XSIAM and Cortex XDR.

Cortex XDR 5.1: Strengthen Defenses Against Advanced Attacks

The newest release of XDR brings major enhancements to our file integrity offerings, the Advanced Email Security module, as well as improvements to the overall user experience.

File Integrity Monitoring for XDR

Traditional File Integrity Monitoring (FIM) burdens security teams with agent bloat and false positives from routine patching. Cortex XDR solves this by building FIM directly into the platform, allowing you to ditch heavy, legacy agents while still checking critical compliance boxes like PCI-DSS. Unlike standalone tools that offer blind alerts, Cortex XDR now provides total context: when a file changes, you instantly see the "who, what, and how" through a complete XDR timeline, effectively turning compliance logs into actionable threat intelligence. An additional license is required for this capability.

File Integrity Monitoring for XDR

Advanced Prevention for macOS and Linux

The latest release of Cortex XDR significantly hardens your cross-platform footprint with two major security enhancements: Kernel Monitoring Defense for macOS and expanded Java Malware Protection for Windows and Linux. By implementing deep, near-real-time behavioral monitoring at the kernel level, Cortex XDR can now detect and stop unauthorized privilege escalation attempts on macOS before attackers gain root access. Additionally, our expanded Java protection provides a unified defense that intercepts and blocks malicious Java-based threats before execution, ensuring consistent, automated protection across your entire server and desktop landscape.

Advanced Email Security: Streamlining Triage with the Email Investigation Agent

To streamline email security, the industry's primary threat vector, the latest Cortex Advanced Email Security module integrates deep visibility with rapid response tools directly within a unified platform. Central to this update is the Malicious Emails Inventory, a purpose-built view designed for rapid analysis and preliminary remediation. By centralizing email data alongside endpoint and network intelligence, analysts can now leverage integrated WildFire reports to understand file behavior and execute single-click actions to delete emails or block senders globally without ever leaving the screen.

To further accelerate defense, the Email Investigation Agent leverages AI to move beyond static playbooks and reason across your environment. It automatically clusters related user-reported phishing attempts into single campaigns, providing deep context on why emails were flagged and recommending precise remediation steps. By cross-referencing these insights with Microsoft 365 mailboxes, the agent distinguishes true campaigns from benign noise, ensuring your team stays focused on high-priority threats. These features are available via the Advanced Email Security add-on; an additional license is required.

New Email Investigation Agent

Cortex Exposure Management: Improve Workflow Control, Scanning Coverage, and ASM Actionability

This release of Cortex Exposure Management improves how organizations discover, track, and remediate security exposures across their environments.

Issue SLAs and Exceptions

As exposure volumes grow, many organizations still rely on spreadsheets, email threads, and disconnected approval processes to track remediation deadlines and document accepted risk. This release of Exposure Management introduces Issue SLAs and Issue Exceptions, enabling teams to operationalize remediation governance through structured, auditable workflows.

Teams can now define authoritative remediation timelines and formalize risk deferrals within a centralized governance framework. By replacing informal tracking processes with time-bound policies and integrated approval workflows, organizations can more effectively measure progress against compliance mandates such as PCI-DSS and HIPAA while ensuring that exposures are either remediated on schedule or intentionally managed through approved risk acceptance processes.

New Issue SLAs allow users to track remediation timelines with confidence

Vulnerability Ingestion API and CIS Benchmark Scanning

Security teams often struggle with siloed visibility across scanners, configuration tools, and infrastructure environments. To eliminate these blind spots, Cortex Exposure Management introduces a new Vulnerability Ingestion API that enables rapid, self-service onboarding of third-party scanner data without custom engineering support. Organizations can quickly unify vulnerability data and build a more complete view of their attack surface.

Our integrated network scanner now extends CIS Benchmark Scanning to Windows hosts, enabling CIS-based hardening assessments of on-premises systems. Teams can identify missing best practices, validate configuration hygiene, and enforce standardized hardening policies across those systems. Together, these enhancements improve visibility and accelerate remediation.

Cortex Xpanse 2.12: Validate Exposures Faster and Streamline Asset Management Workflows

The Cortex Xpanse 2.13 release introduces powerful new capabilities to help you validate exposures faster and streamline asset management workflows, making it easier to move from insight to action.

A key highlight is the introduction of Alerts for Attack Surface Test (AST) results, allowing teams to immediately operationalize confirmed findings. By generating alerts directly from test results, SOC teams can eliminate manual handoffs and move straight into remediation, reducing response times for high-priority vulnerabilities.

In addition to faster validation, this release optimizes administrative workflows and addresses emerging risks in the modern enterprise. Asset Management Enhancements simplify how users upload, review, and organize assets, ensuring a cleaner and more actionable inventory of the digital footprint. We’ve also expanded our AI Infrastructure Coverage with new Attack Surface Rules for platforms like OpenClaw and Hugging Face, providing the visibility needed to secure AI-related exposures before they can be exploited.

These are just the highlights from a feature-packed month. For a detailed breakdown of the latest features and enhancements across the Cortex portfolio, please refer to the full release notes. To learn more about these and other innovations across the Cortex portfolio, visit /cortex.
