What’s New for Cortex and Cortex Cloud (Apr ‘25)

May 05, 2025

Elevating Security Operations with the Latest Updates in Cortex and Cortex Cloud

Discover the cutting-edge advancements in security operations management with the latest releases of Cortex XDR 4.1/3.14, XSIAM 3.1/2.6, XSOAR 8.10, Xpanse 2.9, and Cortex Cloud 1.1. From new threat prevention capabilities and expanded platform coverage to enhanced automation features and attack surface tests, these updates are designed to streamline security operations, improve threat detection, and bolster cloud security posture management. Dive into the details of these innovative solutions and empower your organization with comprehensive security management tools.

XSIAM 3.1/2.6: Enhanced Multi-Tenancy, Visualizations, Reporting, and Integrations

The latest XSIAM® release brings a new set of enhancements to the platform’s multi-tenancy capabilities, a slew of improvements to visualizations and reporting, as well as exciting third-party integrations. Note: XSIAM 2.6 includes all features released as part of Cortex XDR 3.14 listed below.

  • Cross-region tenant pairing enables multi-tenant organizations to pair their parent and child tenants across different geographic regions, providing enhanced visibility and control for distributed security operations. To enable this capability, please contact your Palo Alto Networks account team.
  • Re-architected playbook editor provides all critical functions for building automated workflows in one screen (e.g., downloading pre-built content packs, setting up integrations, defining triggers) to radically simplify building and deploying automation.
  • The full playbook catalog is available to users from the playbook editor screen, so they can discover new automation opportunities for their SOC.
  • The latest batch of enhancements to visualizations and dashboards makes it easier to access and monitor data, simplifying common SIEM use cases such as information analysis and compliance reporting.
  • A new integration offers XSIAM customers an option to use Cribl for data pipeline management, delivering access to alternative data collection, routing, and processing capabilities.
  • The new Cortex Command Center enables teams to identify posture risks and runtime threats across their entire environment, on-premises and in the cloud, with a comprehensive breakdown of assets by class, provider and region.
Introducing the newest dashboarding & reporting capabilities in XSIAM 3.1/2.6

Cortex XDR 4.1/3.14: New Threat Prevention Capabilities, Expanded Platform Coverage, and Cloud Automation Enhancements

Cortex XDR 4.1/3.14 brings new threat prevention capabilities and exception granularity to the XDR agent, while expanding response automation.

  • Embedded automation natively delivers industry-leading automated response capabilities to streamline operations, accelerate triage, and boost productivity. Now with a redesigned workflow, Cortex XDR has a single interface featuring pre-built and custom playbooks, automated quick actions, and case investigation war rooms.
  • Strengthened defense against advanced threats by using an ML-based protection model for the XDR Agent on Windows that can detect and prevent adversary techniques using VBScript files at the execution stage.
  • Advanced high-accuracy detection of malicious Linux executables using a local analysis model that leverages big data, ML, and threat analysis across both on-premises and cloud environments.
  • Enhanced exception capabilities allow you to define precise exceptions for a specific scenario or leverage XDR’s automated recommendations, ensuring smoother operations without compromising on security.
Sample automation workflow in Cortex XDR

XSOAR 8.10: Updated Features for Streamlining Security Operations Automation

The latest release of Cortex XSOAR includes new features and automations to enhance your experience and simplify the journey toward automating security operations.

  • For customers who need to store incidents beyond the default retention period, XSOAR can now automatically export incidents to external storage, enabling indefinite retention and continued access to historical incident data.
  • The expanded API support enables organizations to reset the ROI widget, update existing lists, get a list, upload files, and clone playbooks, so they can better fine-tune automated incident workflows and integrations.
Redesigned Playbook Editor Workflow in XSOAR 8.10

Xpanse 2.9: Expanded Coverage for Attack Surface Tests and Operating System Identification

Xpanse 2.9 introduces expanded coverage for attack surface testing and delivers new detections and usability enhancements.

  • New attack surface tests for externally detectable CISA KEV CVEs allow customers to discover 260 different vulnerabilities known to be actively exploited in the wild, 190 of which have a CVSS score of 9.0 or higher.
  • 40 new attack surface tests detect applications leveraging manufacturer default credentials across operating systems, IT, and networking devices.
  • Operating system identification enables customers to identify and fingerprint the operating systems and version details of their internet-facing applications, helping them make informed decisions about security measures and prioritize patches or updates.
AST Enhancements - Default Credentials & CISA KEV Coverage in Xpanse 2.9

Cortex Cloud 1.1: Empowering Comprehensive Security Management with the Latest Updates in Cloud Security

Cortex Cloud 1.1 brings a host of improvements that will help you elevate your cloud security, such as the introduction of attack surface management (ASM), as well as enhancements to reporting, compliance, dashboarding, notifications, and automation.

Cloud Security Posture Management

  • Internet Exposure Detection support has been added to Cortex Cloud for workloads running in AWS Lambda, AWS RDS, AWS Redshift, Azure SQL, Azure Cosmos DB and Managed Kubernetes Clusters (EKS, AKS and GKE) using Internet scan data.
  • Introducing support for the identification of exposed services in Kubernetes through ingress paths.

Remediation & Automation

  • New built-in automation capabilities featuring executable commands, scripts, quick actions, and playbooks allow customers to accelerate the resolution of their security issues. Customers can use these capabilities directly from Cortex Cloud to mitigate common issues (e.g. publicly exposed S3 buckets) using issue investigation war rooms, or select them to auto-trigger a response to an issue using automation rules.

Compliance

  • 30 new regulations are supported including NIST 800-53, NIST CSF, ISO 27001 and 27002, FedRAMP, and many more. This allows you to effortlessly verify that your workloads, data, AI models, and identities adhere to well-known regulations.
  • Users can now create custom compliance detection rules using Python-based scripts, providing increased flexibility in defining and enforcing security best practices. This enables users to customize compliance requirements to suit their specific needs, ensuring alignment with organizational goals and regulatory standards.

Cloud Workload Protection

  • Secure serverless functions in FaaS infrastructure, from development to runtime. Gain seamless visibility into vulnerabilities and posture with agentless scanning. Monitor and protect functions in real time with agent-based security.
  • The XDR agent now adds advanced detections of malicious Linux executables using a local analysis model that leverages big data, ML, and threat analysis across both public and private cloud environments.

Web Application & API Security

  • Automatically analyze and detect API attacks and misconfigurations to surface security risks.
  • Comprehensive API specification inventory, including a detailed view of API definitions.
  • API testing helps improve both development and security efficiency. Users can seamlessly integrate testing into their workflows to quickly identify and resolve potential security issues through the Cortex CLI.

AI-SPM

  • AI-SPM now detects AI API keys embedded in risky serverless functions, enabling organizations to identify and mitigate excessive AI agency and potential security risks.

Data Security Posture Management

  • Expanded support for Snowflake asset types, along with new detection rules to further secure data across cloud databases as a service (DBaaS), ensuring stronger protection and compliance.

Dashboards & Reporting

  • New dashboards are now available for the Data, Identity and AI Security Posture modules, providing key insights into top security issues related to sensitive data, human and non-human identities, and AI pipelines for better security posture management.

The enhanced features and capabilities included in our April 2025 release are just the tip of the iceberg for both Cortex and Cortex Cloud. To learn more about these and other innovations across the Cortex portfolio, visit /cortex and /cortex/cloud.
