What’s New in Cortex

Nov 18, 2025
5 minutes

Transforming Security Operations with Groundbreaking Agentic AI Capabilities Across the Cortex Platform (Nov ’25 Release)

We're thrilled to announce the release of Cortex XSIAM 3.3, which natively embeds Agentic AI throughout our industry-leading security operations platform for unprecedented speed and efficiency gains. This release also dramatically enhances your data management capabilities with the debut of federated search across all major cloud data repositories, along with other major updates across the portfolio.

Cortex XSIAM 3.3: Meet Your AI Agent Workforce

The latest version of Cortex XSIAM introduces Cortex AgentiX - the industry's most secure platform to build, deploy and govern the AI agent workforce of the future. AgentiX delivers dynamic incident response capabilities by leveraging autonomous agents, trained on over 1.2 billion real-world executions and protected by robust guardrails. These autonomous agents can dynamically plan, reason, and take action to resolve security challenges, accelerating your incident response like never before.

In conjunction with AgentiX, the new Cortex MCP Server makes it easy to use Cortex's features directly from your Large Language Model (LLM) apps. It uses the Model Context Protocol (MCP), an open standard for how AI models connect to external applications and tools, so you can interact with your Cortex tenant in natural language.

Federated Search in Cortex Extended Data Lake (XDL)

Federated Search in Cortex XDL lets customers query external datasets stored in AWS, GCP, or Azure directly from XSIAM using XQL, without ingesting the data or paying for additional storage.

Because the data stays in external storage, security teams can keep years of historical audit data accessible at low cost to meet long-term compliance and retention requirements, and analysts can run ad-hoc XQL queries spanning months or years from the Cortex console whenever an investigation needs that longer view.

Federated Search in Cortex XSIAM

Expanded Investigation and Detection Flexibility

Cortex XSIAM and XDR now support Forensics for Linux, so customers using Cortex Forensics can run complete investigations, with deeper artifact collection and analysis, across endpoints running Windows, macOS, and Linux.

Furthermore, the platform offers Flexible Customization for Analytics Rules, enabling security teams to align detection rules precisely with their organization's unique risk profile by easily adjusting the severity of alerts generated by the powerful, built-in analytics engine.

Cortex XDR 4.3: Strengthen Defenses Against Advanced Attacks

We’re excited to announce the release of Cortex XDR 4.3, featuring new defenses against advanced attack techniques, deeper customization for analytics, and extended security coverage for more operating systems and hardware architectures.

Flexible Customization for Analytics Rules

Flexible customization for analytics rules lets customers adjust the severity of alerts generated by the built-in analytics rules. Tuning severity to the organization's risk profile and business context keeps generated alerts relevant and lets security teams prioritize threats according to their own environment rather than a one-size-fits-all default.

Flexible Customization for Analytics Rules

New Defenses, Extended Coverage, and Real-Time Threat Prevention

Cortex XDR 4.3 introduces the XDR Agent for Windows on ARM64, extending industry-leading prevention and detection to Windows devices running on ARM processors. ML-Based JScript File Examination enhances defense against advanced threats; this new machine-learning module analyzes and blocks malicious JScript files before execution. Furthermore, for customers with the ITDR add-on, Malicious LDAP Query Protection enables the XDR agent to provide real-time prevention against reconnaissance activities, such as those performed by tools like BloodHound's SharpHound collector, that target Windows Domain Controllers.
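To make concrete what "reconnaissance activity against a domain controller" looks like on the wire, here is an added Python illustration of a simple heuristic detector for the broad, domain-wide LDAP searches that collectors such as SharpHound issue. It is not Cortex XDR's Malicious LDAP Query Protection logic and does not come from this page or from Palo Alto Networks; the tab-separated log format, the sample records, the marker list and the thresholds are all constructed assumptions for the example. The samAccountType constants are the well-known SAM_NORMAL_USER_ACCOUNT (805306368) and SAM_MACHINE_ACCOUNT (805306369) values.

```python
"""Heuristic detection of LDAP enumeration against a domain controller.

Added example only: not Cortex XDR's protection logic. The log schema
(tab-separated key=value fields: client, account, base, filter, results)
is a constructed simplification, not a Windows or Cortex event format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Filter fragments characteristic of domain-wide enumeration: all user
# accounts, all machine accounts, trust objects, GPO containers and OUs are
# exactly what a collector walks to build an attack graph. Normal client
# traffic (a mail client resolving one user, an app binding one service
# account) rarely touches more than one of these in a session.
RECON_FILTER_MARKERS = (
    "samaccounttype=805306368",        # SAM_NORMAL_USER_ACCOUNT
    "samaccounttype=805306369",        # SAM_MACHINE_ACCOUNT
    "objectclass=trusteddomain",
    "objectclass=grouppolicycontainer",
    "objectclass=organizationalunit",
)

# Assumed thresholds: how many distinct enumeration filters, or how many
# objects returned by such filters, one client/account pair may reach.
MIN_DISTINCT_MARKERS = 3
MAX_RESULTS_BEFORE_ALERT = 1000


@dataclass
class LdapSearch:
    client: str
    account: str
    base_dn: str
    search_filter: str
    results: int


@dataclass
class ClientProfile:
    markers: set = field(default_factory=set)   # distinct markers seen
    recon_results: int = 0                      # objects returned by those searches
    searches: int = 0                           # all searches by this pair


def parse_line(line: str) -> LdapSearch:
    """Parse one constructed record; filters contain '=' so split each
    field on the first '=' only."""
    kv = dict(part.split("=", 1) for part in line.rstrip("\n").split("\t"))
    return LdapSearch(kv["client"], kv["account"], kv["base"],
                      kv["filter"], int(kv["results"]))


def recon_markers(search_filter: str) -> set:
    """Return the enumeration markers present in a filter. LDAP attribute
    names are case-insensitive, so compare in lower case with whitespace
    removed; the OR'd form SharpHound uses matches several at once."""
    normalized = re.sub(r"\s+", "", search_filter).lower()
    return {m for m in RECON_FILTER_MARKERS if m in normalized}


def detect_ldap_recon(lines):
    """Aggregate searches per (client, account) and return a dict of
    flagged pairs -> list of reasons."""
    profiles = defaultdict(ClientProfile)
    for line in lines:
        if not line.strip():
            continue
        s = parse_line(line)
        p = profiles[(s.client, s.account)]
        p.searches += 1
        found = recon_markers(s.search_filter)
        if found:
            p.markers |= found
            p.recon_results += s.results

    alerts = {}
    for key, p in profiles.items():
        reasons = []
        if len(p.markers) >= MIN_DISTINCT_MARKERS:
            reasons.append(f"{len(p.markers)} distinct enumeration filters")
        if p.recon_results >= MAX_RESULTS_BEFORE_ALERT:
            reasons.append(f"{p.recon_results} objects returned by enumeration filters")
        if reasons:
            alerts[key] = reasons
    return alerts


# Constructed sample log: jdoe walks users, computers, trusts and GPOs
# (collector behaviour); svc-hr resolves one user; outlook-user pulls the
# whole user list in a single search.
SAMPLE_LOG = (
    "client=10.0.0.5\taccount=CORP\\jdoe\tbase=DC=corp,DC=local\tfilter=(samAccountType=805306368)\tresults=4200\n"
    "client=10.0.0.5\taccount=CORP\\jdoe\tbase=DC=corp,DC=local\tfilter=(samAccountType=805306369)\tresults=900\n"
    "client=10.0.0.5\taccount=CORP\\jdoe\tbase=CN=System,DC=corp,DC=local\tfilter=(objectClass=trustedDomain)\tresults=2\n"
    "client=10.0.0.5\taccount=CORP\\jdoe\tbase=DC=corp,DC=local\tfilter=(objectClass=groupPolicyContainer)\tresults=35\n"
    "client=10.0.0.22\taccount=CORP\\svc-hr\tbase=OU=HR,DC=corp,DC=local\tfilter=(&(objectClass=user)(sAMAccountName=asmith))\tresults=1\n"
    "client=10.0.0.40\taccount=CORP\\outlook-user\tbase=DC=corp,DC=local\tfilter=(samAccountType=805306368)\tresults=4200\n"
)

if __name__ == "__main__":
    for (client, account), reasons in detect_ldap_recon(SAMPLE_LOG.splitlines()).items():
        print(f"{client} as {account}: " + "; ".join(reasons))
```

Two independent rules are used on purpose: the distinct-filter rule catches a collector that pages through small result sets, while the result-volume rule catches a single sweep of all accounts. The second rule will also fire on legitimate bulk consumers such as directory-sync services, so in practice those bound accounts would be allow-listed rather than the threshold raised.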

Xpanse 2.11: Improve Attack Surface Control with AI Infrastructure Detections

The Cortex Xpanse 2.11 release introduces powerful new capabilities that help you understand and control your digital attack surface. We enhanced visibility with new AI infrastructure detections, added deeper attack surface testing capabilities, and streamlined workflows through improved alert management and bulk actions.

Attack surface control improvements start with new attack surface testing intrusiveness levels that allow users to safely test and adjust the intensity of exposure checks across environments. To keep pace with modern infrastructure, the release also adds AI infrastructure detections for MCP Servers, MCP Inspector, and more.

Attack Surface Testing - Configurable Intrusiveness

Cortex Xpanse 2.11 also streamlines triage: bulk actions let you manage alerts and assets more efficiently, misconfiguration and enumeration alerts now appear in the Threat Response Center for single-view prioritization, and new service version enumeration and filtering let you quickly isolate specific software versions for hygiene work.

Cortex XSOAR 8.12: Optimize and Streamline Workflows

Cortex XSOAR 8.12 focuses on optimizing collaboration and threat intelligence integration. Conflict-free playbook editing prevents concurrent modifications from overwriting each other, keeping team development of automation workflows smooth. Unique task logos improve clarity within playbooks by helping users quickly distinguish action types such as integration commands and custom scripts. Finally, a new Unit 42 Threat Intelligence content pack consolidates and replaces several deprecated packs, providing high-value integrations that leverage Unit 42's research and analysis.

Conflict-Free Playbook Editing in Cortex XSOAR

These are just the highlights from a feature-packed month. For a detailed breakdown of the latest features and enhancements across the Cortex portfolio, please refer to the full release notes. To learn more about these and other innovations across the Cortex portfolio, visit https://www.paloaltonetworks.com/cortex.
