If you’re in the market for an extended detection and response (XDR) solution, there’s a good chance you’ll find yourself wondering whether Sophos or Palo Alto offers the right tool for you.
These are some of the most popular options on the market, so it’s only natural to consider whether they have the right functionality to help you build an effective response.
But while both products are well-liked among their user bases, neither can truly be considered a one-stop shop for cybersecurity.
It’s important, therefore, to understand the features and tools available and the requirements of your business, so you can be sure you’re making a properly informed decision.
So where do you start? That’s the question we’re looking to answer in this blog.
About Palo Alto Networks: Cortex XDR
Palo Alto is an established cybersecurity vendor with global reach. Founded in 2005, it has since grown to become a stalwart of the cybersecurity scene, with a wide range of products and services on offer.
In the last decade, Palo Alto has pursued a strategy of fast growth through acquisitions, with almost 20 since 2014. This strategy has defined its approach in the years since.
Originally, the company was known for providing firewalls, but it now offers a much broader set of tools and functionality across several cybersecurity categories. The scale of the company also creates another key benefit: it has a wealth of data with which to analyze new and emerging threats.
But it’s not all plain sailing. The acquisition-based approach has created a messy web of overlapping tools and products, which can create real confusion for prospective customers and website visitors.
Nowhere is this more true than with its XDR solution, Cortex XDR. The product is an evolution of Palo Alto’s older Traps tool, which has a much more limited feature set, largely focused on reactive antivirus.
However, both products remain supported and promoted, which can lead to some real confusion about which is the better choice.
This EDR solution stands out as highly effective in the market, excelling at managing and deploying a large number of endpoints.
Though Traps still exists, its features have largely been rolled into Cortex XDR, a much more modern and comprehensive tool for endpoint and threat detection.
This sits alongside other flagship Palo Alto tools for cloud security (Prisma Cloud), network security (Strata), hybrid workforce management (Prisma SASE), and managed detection and response (Unit 42).
Here are the main features on offer through Cortex XDR:
- Threat detection;
- Root cause analysis;
- Extended threat hunting;
- Incident management;
- Deep forensics.
Cortex XDR: Pros
The features of Cortex XDR are largely focused on detecting and responding to real-time threats. Indeed, the strong functionality in this area is often cited as a huge draw among its customer base. Here are some of the main benefits of the product:
- Advanced telemetry – Palo Alto’s scale means it has access to a huge dataset of real and emerging threats. This information is reinvested into the extended threat detection features to create a more accurate and advanced defense.
- Multilingual support – Palo Alto’s customer base largely consists of large enterprises around the world. As such, its multilingual support and documentation are extensive.
- Wider Palo Alto suite – Cortex XDR integrates well with other products in the Palo Alto suite, principally Prisma Cloud, Strata, and Prisma SASE. However, with functionality split over several products, this segmented approach can quickly create multiple overlapping licenses and costs.
- Customization – The product is also highly customizable, which is a key reason why it’s more popular among enterprise customers. The flip side of this is it generally requires a highly-developed specialist security team to understand how to effectively use these tools.
- Managed support – Managed detection and response is available through Palo Alto’s Unit 42 service, which covers Cortex XDR. The complexity of the product often means MDR is necessary to use the platform if you don’t already have a specialist security team. Palo Alto’s MDR service requires an additional license and subscription.
Cortex XDR: Cons
Cortex XDR is well-known as an effective cybersecurity tool, particularly for large enterprise customers. But the platform also comes with a few well-documented challenges that mean it’s far from the best solution for all organizations:
- Complexity – Users often mention that the complex functionality makes the platform quite difficult to use, with a steep learning curve. This often means it’s best suited to companies with highly developed internal security teams. Alternatively, many customers choose to add Palo Alto’s MDR service, which creates extra costs.
- Costs – Though Palo Alto doesn’t publish pricing information, it is often reported to be one of the most expensive products on the market. Functionality is also split across multiple products, which means customers generally need to purchase multiple overlapping subscriptions to get the full security functionality and support.
- On-premises support – Cortex XDR doesn’t fully support on-premises endpoints, despite supporting hybrid environments via Broker VM. This can create uncomfortable gaps in coverage for some organizations, or require them to supplement the solution with additional third-party products.
- Performance issues – Some reviewers have noted issues with the stability and reliability of the platform, particularly on less up-to-date operating systems. Others have noted issues when running software installations and updates.
Overall, while there are several benefits to this product, it isn’t for everybody.
Users should be particularly aware of the high price point, steep learning curve, and the number of separate subscriptions that are required to get full protection and support.
About Sophos: Intercept X
Sophos is another established name in the cybersecurity scene. The company offers a wide-ranging and sophisticated set of cybersecurity tools, which are available across multiple products and packages within the wider Sophos suite.
Unlike Palo Alto’s products, Sophos products are generally popular among small and medium-sized organizations.
Sophos’ flagship XDR tool is known as Intercept X. It combines the standard XDR feature set (comparable to that of Cortex XDR) with endpoint detection and response (EDR) tools.
This helps consolidate features that might otherwise be split across several products.
Generally, Intercept X has a wider scope than most tools on the market, with features to cover endpoint, workspace, networking, XDR, and more.
It also integrates well with other products from the wider Sophos suite. Users may find this more appealing than Palo Alto’s approach, which splits cloud security, hybrid cloud deployments, network security, and XDR tools across multiple separate products.
Some features are also available in parallel products like Sophos XG Firewall, which can create some confusion about which is the right choice.
However, a word of caution: wider scope doesn’t necessarily mean complete. Intercept X might be a comprehensive XDR tool, but it’s not necessarily a comprehensive cybersecurity platform.
The EDR functionality is less extensive than in some competing products. The platform also doesn’t include wider security functionality like privileged access management and vulnerability management. Users may find themselves having to string together multiple overlapping subscriptions to get the full suite of defenses.
Here are some of the main features on offer:
- Endpoint management;
- Policy configuration;
- Threat investigation;
- Anti-ransomware and anti-exploitation;
- Critical attack warnings;
- Device encryption;
- Account health check;
- Adaptive attack protection.
Intercept X: Pros
Intercept X is generally well-liked among its customer base and is well-rated by independent analysts. Much of this comes down to the strength of the antivirus and ransomware detection features and the consolidated approach of the platform. Here are the main benefits:
- Strong detection tools – The antivirus and ransomware detection features are generally extensive and well-developed, and customers are satisfied with the product’s ability to detect and respond to real-time threats.
- Product roadmap – Sophos takes a proactive approach to developing new tools and features. Recent feature additions include Active Adversary Protection and the Account Health Check tool.
- Support – As with Cortex XDR, MDR is available as an additional paid service alongside the standard Intercept X subscription. However, reviewers generally rate the quality of the support highly; it includes third-party integrations (now including Microsoft security services) as well as reactive incident response in higher-tier packages.
- Marketplace and integrations – Naturally, Intercept X integrates effectively with other Sophos products, as well as third-party add-ons and integrations via the Sophos Marketplace. This ability to assemble a bespoke solution is popular among some customers. However, it’s important to be aware that this may lead to a confusing web of overlapping tools, which can create silos and increase costs.
Intercept X: Cons
Sophos OOTB policies are very strict and they don’t offer anything less strict without you creating new custom policies. I’m sure this is deliberate because the product starts you out in the safest way possible, but it means that you will have lots of calls to your tech support desk when you first deploy it unless you do somewhat extensive testing beforehand.
Like all tools, Intercept X has its strengths and weaknesses. While reviewers and users are generally quite satisfied, some notable issues are often mentioned:
- Customization – Users have noted that the out-of-the-box policies can be quite stringent and that the product is less easy to customize than rivals like Cortex XDR. The product also lacks the ability to customize granular detection rules or change the level of detection severity. This can create extra strain on your IT team and make it more difficult for organizations with particularly specialized requirements.
- Functionality gaps – While the antivirus and malicious traffic detection tools are generally popular, this isn’t consistently true of all features. The endpoint detection and response (EDR) tools, for instance, are less developed than in some competing products.
- Price – Intercept X is also generally considered to be one of the more expensive products on the market.
- Siloed approach – The product has advanced features, but Intercept X isn’t a complete, synchronized security suite. With notable gaps like privileged access management and vulnerability management, many organizations have to supplement the product with additional Sophos or third-party tools (often via the Sophos Marketplace). This can increase costs, confusion, and the number of licenses to manage.
Sophos vs. Palo Alto: Reviews
Intercept X and Cortex XDR generally rate well across all major review sites. Here’s a snapshot of the headline figures:
Gartner:
- Cortex XDR: 4.6/5 stars (369 reviews total, Source: Gartner)
- Intercept X: 4.8/5 stars (1637 reviews total, Source: Gartner)
G2:
- Cortex XDR: 4.7/5 stars (44 reviews total, Source: G2)
- Intercept X: 4.6/5 stars (442 reviews total, Source: G2)
TrustRadius:
- Cortex XDR: 8.7/10 stars (52 reviews total, Source: TrustRadius)
- Intercept X: 8.9/10 stars (202 reviews total, Source: TrustRadius)
A direct comparison of these review scores isn’t going to reveal a huge amount of detail, since both rate fairly consistently well.
But both products have their respective pros and cons, and it’s helpful to dig through some of the most recent reviews for both providers to understand which organizations they most appeal to.
To do this, we’ve aggregated comments and ratings across G2, Reddit, and TrustRadius.
Where Cortex XDR is concerned, reviews and Reddit discussions generally agree that the product offers more extensive and effective functionality:
Cortex XDR is a great product in detections and has fewer false positives and alerts [vs. Intercept X]. Comes out of the box configured and can be hardened based on need. It also includes endpoint device control like USB-blocking and a host-based firewall.
Cortex XDR User Review, via Reddit
But there were also a handful of issues that consistently came up in discussions. Users agree that the non-Windows support could be more extensive (with particular issues on Linux).
There is also plenty of discussion about the performance of the system, with issues noted around its performance on less developed systems, as well as during updates and scans.
There is a noticeable performance impact on lower-end systems where the Cortex XDR agent is installed.
Cortex XDR User Review, via G2
For Intercept X, reviewers paint a similarly mixed picture. Its XDR features are clearly extensive and effective at catching real-time attacks, as many testimonials note:
Catches ransomware in the act by detecting malicious data encryption. Also provides advanced behavior analysis and monitoring.
Intercept X User Review, via G2
When it comes to the drawbacks, a few points were commonly noted. Many reviewers mentioned that the platform was resource-intensive which, like Cortex XDR, can impact performance on older devices.
At the same time, the lack of customization also creates issues. Users generally find a higher rate of false positives when compared with Cortex XDR. This is likely down to the strict default policies the product sets and the difficulty in adjusting the threat severity levels and granular detection rules.
Machine learning models typically have a high false positive rate… not all features and functionalities are covered in extended support.
Intercept X User Review, via G2
Sophos vs Palo Alto: Is There An Alternative?
There are plenty of good reasons to invest in a platform like Cortex XDR or Intercept X. But as we’ve discussed elsewhere in this piece, both products have considerable functionality gaps.
If you’re looking for a platform that can solve all of your cybersecurity problems in one place, then you may want to look elsewhere.
Heimdal®’s goal is to eliminate the complexity created by multiple overlapping tools and subscriptions. Traditional cybersecurity providers like Sophos and Palo Alto develop great products to deal with specific problems, but they’re not creating a single, consolidated security platform.
Heimdal® isn’t interested in creating separate products for network security, cloud security, XDR, vulnerability management, or whatever else you might need. Instead, all our industry-leading security tools are available via one product: Heimdal® XDR. Here’s what you need to know:
Features include:
- Network security;
- Endpoint security;
- Vulnerability management;
- Privileged access management;
- Email and collaboration security;
- Threat hunting;
- Unified endpoint security.
There are plenty of reasons to consider Heimdal® as an alternative to both Sophos and Palo Alto:
- Unified security: Our XDR platform offers consolidated security, unlike traditional solutions, enhancing visibility across your IT infrastructure and drastically reducing the time to detect and respond to security threats.
- Supercharge detection & response: Through a unified view and advanced AI/ML detection, our XDR detects threats faster and more accurately, facilitating quick automated responses and reducing incident remediation time.
- Reduce Complexity & Costs: Integrated into the Heimdal® Unified Security Platform, our XDR streamlines security management, cuts costs, and optimizes IT resources by consolidating multiple security technologies.
Ready to get started? Get in touch to request your demo today.
FAQs
Is Sophos a good firewall?
Sophos is generally well-liked among its user base, who note the high performance of tools like its firewalls, antivirus, and anti-exploitation features. However, the endpoint detection tools are less effective than in other platforms, and there’s no functionality for privileged access management or vulnerability management.
What makes Palo Alto’s firewall different?
Palo Alto is a highly customizable tool, with some of the market’s most effective XDR functionality. However, the breadth of this functionality means the product is among the most expensive on the market, and it generally requires a specialist security team to manage.
Sophos vs Palo Alto: Which is best for threat prevention?
Sophos Intercept X and Palo Alto Cortex XDR are both popular products among their users. Users of Intercept X generally appreciate the strong antivirus and ransomware detection features, as well as the combination of EDR and XDR functionality.
Cortex XDR is generally considered a more feature-rich and customizable platform, though one that comes with a higher price point. The wealth of functionality and customization options can also make it quite difficult to use.