Cortex CDR—Stronger Runtime Protection, Enhanced Threat Detection and Robust Automation Backed by the World’s Most Deployed SOAR
Cloud attackers no longer need days or even hours. One exposed service or overpermissive identity can open the door, and in minutes, data is gone—often before the first alert reaches the SOC.
Most cloud security tools can’t keep pace. They focus on configuration hygiene and overlook what matters most during an active attack—real-time detection and response.
Cortex Cloud Detection and Response (CDR) addresses that gap. Recent enhancements add local ML-based runtime malware protection for Linux workloads, expand detection coverage with over 600 new high-fidelity detectors and integrate industry-leading native automation that lets teams contain threats in minutes.
Each improvement targets a critical point of failure in cloud defense, such as the lack of visibility inside workloads, shallow or outdated detections, and slow, manual response workflows. Together, they help security teams see more, act faster and close gaps before attackers exploit them.
In today’s blog post, we break down the key updates.
Prevent Workload Attacks with Best-in-Class Runtime Protection
Agentless solutions surface vulnerabilities and misconfigurations, but without real-time visibility, they can’t detect or stop active threats inside workloads.
Cortex CDR provides two options for runtime protection on Linux—a kernel-space agent for exploit prevention and integrity monitoring and an eBPF-based agent that runs entirely in user space, avoiding kernel dependencies.
The eBPF agent now includes local analysis of Linux executables using a lightweight model that leverages big data, ML and threat analysis across both public and private cloud environments. Performing on-host analysis, it blocks malicious code in real time with minimal performance impact, ensuring your Linux workloads stay protected without disruption.

Expanded Threat Detection That Surfaces Real Attacks
Posture tools can highlight risk but rarely detect active threats. Most generate alerts about what might go wrong without surfacing what’s already happening.
Cortex CDR’s newly added 600+ cloud threat detectors are all mapped to the MITRE ATT&CK framework and continuously updated through Unit 42 research. The platform now includes more than 10,000 detectors, extending Cortex CDR’s comprehensive cloud threat detection to give both CloudSec and SecOps teams broad coverage across multicloud and hybrid environments.
These detectors go beyond misconfigurations and flag real-world attack behavior. They identify privilege abuse in IAM roles, credential theft, suspicious API spikes, data exfiltration from public storage and stealthy execution inside workloads. Each detection includes context on the kill chain stage, helping teams focus on what’s active, not just possible.

Industry-Leading Response Automation Built into Every Detection
Finding an issue means little if teams can’t act on it. Delays in coordinating across tools, teams or workflows turn minor exposures into major incidents.
Cortex CDR now includes native SOAR integration, allowing teams to respond directly to detected security cases—no separate tools, no custom code, no delay. Every alert comes with scoped response actions to, for example, shut down a compromised workload, revoke risky IAM permissions or remediate misconfigurations with one click. Playbooks can trigger automatically based on rules you define or execute manually with full context in view.
Each response links back to the case view, which consolidates alerts, assets and actions in one place, eliminating the need to pivot across systems. With detection and response tightly integrated, remediation time drops from hours to minutes—and without slowing investigation or increasing overhead.

A Faster, More Effective Approach to Cloud Threat Defense
Cortex CDR now delivers stronger workload protection, broader threat detection and faster response—all integrated into a single platform built for cloud-scale operations.
- Runtime protection that blocks malicious Linux executables in real time
- Detection coverage expanded with 600+ new high-fidelity detectors across hybrid and multicloud environments
- Integrated automation that ties response actions directly to alerts, cutting remediation time from hours to minutes
Security teams can now detect active threats earlier, respond without delay and contain incidents before they escalate.
Learn More
Download the Cortex CDR solution brief for an at-a-glance breakdown of its capabilities and what real-time visibility and protection can do for your organization. And if you haven’t seen Cortex CDR in action yet, allow us to give you a personalized demo.