Case Study

Sitecore achieves 90% SOC automation with Cortex XSOAR

Sitecore are ambitious to innovate everything they do – including their cybersecurity. Using Cortex XSOAR, the leading digital experience software company have achieved 90% automation of security events in their security operations centre (SOC) – with an average time to fix of only nine minutes. Though up to 45,000 events are recorded per week, just two analysts can manage all of Sitecore’s incidents.

In brief



Organization Size

2,200 staff; 27 locations worldwide



Featured Products and Services

End-to-end digital experience software


Automate repetitive, low-skill activities; free up time to focus on critical threats; and proactively refine defences against future attacks.

    • Reduce alert noise and highlight critical incidents.
    • Eliminate repetitive, manual tasks.
    • Facilitate analyst investigation and collaboration.
    • Map external threats to SOC incidents.

Palo Alto Networks Cortex XSOAR

Download PDF Share

Incident management untouched by transformation

Adam Button, senior product manager at Sitecore, takes pride in the company’s visionary approach to all things cybersecurity. One area, however, was untouched by transformation: minor tasks in the security operations centre (SOC). For Adam and his team, it was crucial to automate these repetitive, low-skill activities, liberating time to concentrate on critical threats and reimagine how incidents are processed. Adam had seen how successful this concept could be in a previous role and was keen to implement this design at Sitecore.


Modern, dynamic security platforms

Sitecore are a global leader in end-to-end digital experience software. Unifying data, content, commerce, and experiences, the company’s SaaS-enabled digital experience platform (DXP) empowers brands like L’Oréal, Microsoft, United Airlines – and 5,000 others – to deliver unforgettable interactions. Sitecore have 2,200 employees across 27 locations worldwide.

Sitecore’s DXP is at the cutting-edge of innovation, combining customer data, artificial intelligence (AI), and marketing automation to deliver the experiences customers crave. It’s a similar story with the company’s cybersecurity strategy. Sitecore are a security innovator, using modern, dynamic security platforms to safeguard the data, applications, and people underpinning the DXP.

“We are a true pioneer in security: from embedding security into our development lifecycle as part of a shiftleft strategy to optimising the way we manage security operations, we are continually breaking boundaries. I genuinely believe customers are drawn to Sitecore owing to our commitment to, and investment in, cybersecurity,” says Adam.

The challenge for Sitecore was to reimagine incident response in their SOC, which monitors security across six customer products spanning approximately 4,500 clients. However, it was no longer sustainable to put people at the frontline of incident response.


The first reason for introducing a SOAR platform into the SOC was to continue that ambition for innovation. The second was cost. Finding available staff is very hard; there is a shortage of very good security operatives. Not many companies have the bottomless budget to provide 40 or 50 SOC engineers to monitor systems.

–Adam Button, Senior Product Manager, Sitecore


Automation-first incident response mindset

The SOC team needed to shift to an automation-first incident response approach. The requirements were to:

  • Reduce alert noise and surface critical incidents.
  • Eliminate repetitive manual tasks.
  • Facilitate analyst investigation and collaboration.
  • Map external threats to SOC incidents by leveraging threat intelligence.


Two analysts manage 45,000 events per week

Sitecore have deployed Cortex XSOAR to transform security orchestration, automation, and response. It unifies SOC automation, case management, collaboration, and threat intelligence management. The SOC sees up to 45,000 events per week, which are managed by just two Sitecore analysts.

Intelligent automation means the SOC can effectively manage alerts across all sources, standardise processes with playbooks, act on threat intelligence, and automate response options for almost any use case.

“Cortex XSOAR takes care of repetitive, time-consuming tasks so we can focus on improving our security posture. Every time we see a Zero Day attack, we write a playbook for it. We are constantly innovating and updating – to the point we can almost see things coming now,’ explains Adam.

The platform ingests aggregated alerts and indicators of compromise (IoCs) from multiple sources before executing automated playbooks to enrich cybersecurity data and respond to incidents. For example, insights from the Palo Alto Networks Prisma Cloud CNAPP are fed into XSOAR, with tickets from the cloud-native application protection platform automatically created to solve QA and test deficiencies. Likewise, external threat analytics from Recorded Future allow the team to look at CVE scores and write playbooks ahead of problems occurring. Inputs also include Veracode code scanning and a ServiceNow CMDB.


This is 360-degree security in action. I don’t only want to react to events coming in; I wanted to see what lies ahead. With Cortex XSOAR we can manage alerts across all sources.

–Adam Button, Senior Product Manager, Sitecore


Achieved 90% automation of security events

Sitecore are experiencing dramatic improvements in SOC operational management using Cortex XSOAR. These include:

  • Accelerated incident investigations: Cortex XSOAR delivered 90% automation of security events with an average time to fix of only nine minutes. “This is unheard of in the industry,” says Adam. “We believe Sitecore to be among the first companies to achieve this degree of automation, and it elevates us to be a premier provider of security for our products.”
  • Orchestrated, highly accurate incident response: Sitecore’s SOC is recording an exceptionally low error rate of only 10%.
  • Maximised operational efficiency: The SOC is seeing up to 45,000 events per week. The SOC team – comprising just two engineers – handles less than 10% of these incidents manually.
  • Improved investigation quality: Collaborative investigation enables Sitecore analysts to assist one another, learn from each incident, and take decisive action more quickly.
  • Documented all actions: Adam explains, “We produce biweekly reports from the SOC for distribution to the business. We can evidence all the claims that we make regarding 90% automation.”
  • Delivered holistic threat intelligence management: Cortex XSOAR monitors and acts upon multiple sources. In Sitecore’s case, this includes Palo Alto Networks Prisma Cloud CNAPP, external threat analytics from Recorded Future, Veracode code scanning, and other sources.


We are covering all angles with Cortex XSOAR. We internally monitor our DXP products before an issue can occur; we look at issues out in the wild; and we look at issues notified by our SIEM and SOAR. We take security extremely seriously at Sitecore.

–Adam Button, Senior Product Manager, Sitecore

Learn more about Cortex XSOAR on the website, where you can also read many more customer stories.