Built-in Threat Intelligence enriched with CrowdStrike Threat Graph, which uses trillions of telemetry events to correlate known adversaries, malware families, and attack techniques.

Includes adversary attribution: Shows whether an attack is linked to known threat actors (e.g., nation-states, cybercriminal groups).

Falcon OverWatch (optional): Proactive human-led threat hunting that can identify stealthy attackers missed by automation.

WildFire: Cloud-based malware analysis for zero-day threats. 
Advanced Threat Prevention: This is a core security service within Palo Alto NGFWs that provides protection against exploits.
AutoFocus: A threat intelligence service that provides in-depth context and analysis of threats.
Unit 42: Palo Alto Networks' threat intelligence team

Endpoint Security. AI-powered threat hunting with real-time protection.

Identity Protection. Monitors identity-based threats and lateral movement.

Antivirus. NGAV uses machine learning and indicators of attack (IOAs) to detect and prevent malware, ransomware, and zero-day threats without relying solely on signatures.

Endpoint Security. AI-powered prevention, detection, and response across all endpoints.

Identity Protection. Monitors and secures user identity with behavior-based access controls.

Antivirus. Uses machine learning to detect and block known and unknown malware.

Real-Time Response. Instantly terminates malicious processes and isolates compromised endpoints.
Remote Remediation. Allows analysts to investigate, delete files, and execute scripts remotely via Falcon Real Time Response (RTR).
Forensics. Offers forensic-level insights for root cause analysis and fast response.
Integrated Playbooks. Automates responses based on detections for consistent and rapid remediation.

Real-Time Response. Enables immediate threat containment and action across endpoints to minimize impact.
Remote Remediation. Allows centralized threat removal and system recovery without on-site intervention.
Forensics. Provides detailed attack timelines and behavioral analytics for deep threat investigation.

Cloud-native platform, Falcon operates through a Software-as-a-Service (SaaS) model hosted on CrowdStrike's cloud infrastructure.
Local agent (less than 20 MB), no reboots required.

Cloud-native service. The Cortex XDR architecture is delivered as a SaaS model—no on‑prem servers, databases, or licenses required. Automatic scaling, updates, analytics.
Lightweight agent enforce policies and report to the cloud with a centralized cloud console. 

Palo Alto is renowned for their robust security features. However, users often note that they may be cost-prohibitive for small businesses. They suggest that while Palo Alto endpoint security offer excellent protection, the high price point and complexity might not align with the needs and budgets of smaller organizations.

Cortex XDR's ability to identify both known and unknown threats by leveraging machine learning and behavioral analytics producing strong detections and low false positives. Additionally, XDR is difficult to bypass, indicating strong preventative capabilities.

Integration with Palo Alto Firewalls. For organizations already using Palo Alto firewalls, the seamless integration with Cortex XDR and the ability to tie data together via the data lake is a significant advantage.

High Licensing Costs. High cost of Palo Alto's products and significant increases in licensing fees, which are becoming prohibitive for some organizations. The shift from Threat Prevention (TP) to Advanced Threat Prevention (ATP) brough along substantial price jumps.

Management Complexity. Cortex XDR requires significant tuning and expertise to avoid excessive alerts and false positives. The complexity of its features can be overwhelming.