
From Exposure to Agentic Investigation: Mastering the Next-Generation of XDR

By Business Infopro

Summary

Key takeaways

  • **Agentics Accelerates Triage to Minutes**: In a traditional SOC, investigating a Medusa ransomware report takes 4 hours of manually scraping IoCs and writing queries, but with Agentic Assistant, you paste the blog link and it summarizes, checks impact, finds matches, and isolates hosts via 1,000+ integrations in minutes. [10:53], [13:50]
  • **Immersive AI Guides Analysts Autonomously**: The in-context AI agentic assistant acts as a digital partner that guides analysts, suggesting next steps, providing instant breakdowns of complex incidents, and handling triage, enrichment, and containment so humans focus on strategy. [03:25], [04:42]
  • **Endpoint DLP Works Offline, Privacy-First**: The endpoint DLP module classifies and prevents exfiltration at the source using a single agent with 100% on-device classification, protecting data even when offline and bridging security with privacy via user-empowered real-time education. [06:12], [07:13]
  • **Exposure Management Cuts Noise 99%**: Unified exposure management integrates agent assessments and network visibility with AI-driven prioritization to reduce thousands of low-priority CVEs by up to 99%, pinpointing only exploitable risks across managed and unmanaged assets. [09:11], [09:22]
  • **CVRS Evolves Unlike Static CVSS**: Cortex Vulnerability Risk Score (CVRS) dynamically evolves based on exploits, threat intel, EPSS, and your compensating controls, unlike static CVSS, advising actions like deploying the XDR agent for immediate protection. [15:21], [15:49]

Topics Covered

  • AI Agents Replace Manual SOC Triage
  • Endpoint DLP Works Offline
  • Unified Exposure Cuts Noise 99%
  • Agentics Resolves Ransomware Minutes

Full Transcript

Welcome everyone. Thank you for joining our session. My name is Yang Le Young and I am the director of product marketing for Cortex XDR. I'm thrilled to be joined by Yohai Katan, director of XDR product management, and Imran Mazund, senior technical marketing manager. And together, we're exploring a new milestone for Cortex XDR that sets a new standard for investigation efficiency, data protection, and cross-platform defense. Our session focuses on mastering the next generation of XDR.

We didn't just join the XDR category, we pioneered it. Cortex XDR delivers a prevention-first approach to modern endpoint defense. While our six-year track record of continuous innovation is unmatched, we remain focused on the future, which is building the foundation for tomorrow's AI-driven SOC. Our development is threat-led, moving from real-world intelligence to active coverage in hours, not days. We're not just keeping pace, we're defining the future. This is the next chapter of Cortex XDR.

Speaking of the next chapter of Cortex XDR, you just heard from our chief product and technology officer, Lee Klarich, and the co-founder and CEO of Koi, Amit Assaraf, who talked about how Cortex XDR and Koi are reinventing endpoint security. We're excited about this partnership to help our customers improve the security posture of their endpoints and more.

Introducing endpoint security that's evolved to a new standard. Cortex XDR 5.0 provides a re-imagined user experience, natively embedded Cortex Agentics alongside advanced endpoint DLP and exposure management for Cortex XDR customers. This helps customers accelerate time to resolution with an AI-enhanced analyst experience, streamline risk prioritization with unified exposure management, and safeguard web and endpoint activity from data leakage.

Now, I'm going to turn it over to my colleague Yohai to dive deeper into these innovations.

>> Thanks, Yang, for this great overview and for getting us started. Now, let's dive into the actual new and exciting capabilities that we have introduced as part of Cortex XDR 5.0. We have been hard at work building features that don't just add incremental value, but fundamentally change the way security teams operate, from how they investigate threats to how they manage their overall risk.

A great place to start is with the evolution of the day-to-day analyst experience. With Cortex XDR 5.0, we're introducing immersive AI to fundamentally accelerate time to resolution. We know analysts are often stretched thin by the sheer complexity of modern data navigation. We've always led the market with our ability to group issues into cases, but in 5.0, we have completely redesigned the case view to make those relationships even more visual and intuitive. The standout feature here is our in-context AI agentic assistant. It doesn't just provide a static summary. It acts as a digital partner that guides the analyst, suggesting next steps and providing instant breakdowns of complex incidents. It ensures that every analyst, regardless of experience level, can shut down attacks faster than ever before.

But providing a better view is only half the battle. To truly scale the SOC, we need to change how the work itself gets done. And that brings us to the Agentics platform. This shift in workflow is embodied in the new Agentics platform, which represents a move from simple automation to a truly autonomous workforce. Think of this as adding a team of specialized AI agents to your SOC. Our goal is to solve the operational efficiency gap by offloading the manual, repetitive tasks that consume your team's day. You can now command these agents to perform complex workflows autonomously, everything from initial triage and deep data enrichment to host containment. This allows your human analysts to focus on high-level strategy and threat hunting, while Agentics handles the heavy lifting of incident response at machine speed.

To understand how these agents can operate across your entire environment so effectively, let's look under the hood of the architecture. To see the brains behind this workforce, we need to look at the underlying architecture. The strength of Agentics lies in its connectivity. It isn't a siloed tool. It's based on a foundation of over a thousand integrations. Using a native multi-model control plane, Agentics can execute actions across your entire stack. Whether that's a deep email investigation or complex cross-platform forensics, these agents follow dynamic plans with built-in guardrails, allowing them to proactively enrich cases with context or respond instantly to an analyst command. It's about moving from searching for answers to having the solution prepared and ready for your review.

While we're automating the response to threats, we're also tightening the net around the most sensitive asset in your organization, your data. Protecting that data is the core focus of our new endpoint DLP module, where data security becomes a native part of your detection and response workflow. We've achieved this by using our existing single-agent architecture, which means you get robust data protection without adding any agent bloat to your endpoints. This module actually classifies and prevents data exfiltration directly at the source. Because the classification engine lives on your device, your sensitive data remains protected even when a laptop is offline or off the corporate network. It bridges the gap between traditional security and data privacy.

You might be wondering why we chose to integrate DLP so deeply in the XDR console. It comes down to visibility and reducing the friction for your team. The reason we took this integrated approach is that traditional DLP typically requires a massive amount of management overhead. Between managing cyber agents and constantly tuning complex policies, it can become a major administrative burden. Our approach is privacy-first and efficiency-focused. By performing 100% of the classification on the endpoint, we keep sensitive data local and ensure maximum privacy. We've also introduced user-empowered controls that educate employees in real time. If a user tries to move a sensitive file, they're prompted with a policy reminder, reducing accidental leaks without actually stopping business productivity. It's one unified platform that eliminates the need for a separate, clunky DLP management stack.

While protecting data is critical, true resilience starts with understanding where you are vulnerable before an attack even begins. By transitioning from active threats to proactive defense, we're fundamentally evolving how we handle risk. We're moving away from legacy, isolated endpoint vulnerability assessments toward a unified exposure management framework. Today's security teams are often buried in vulnerability noise because they're forced to juggle disconnected tools. To solve this, we are integrating exposure management directly into the XDR workflow. This creates a single source of truth that combines deep agent-based assessments from our unified Cortex agent with broad network visibility.

This shift allows us to move beyond an endpoint-only view to provide total visibility across all vectors, surfacing exposures on both managed and unmanaged assets. By leveraging AI-driven prioritization, we can cut through the noise of thousands of low-priority CVEs and reduce that volume by up to 99%, pinpointing only the risks that are actually exploitable.

While exposure management hardens your environment, we're also continuing to push the boundaries of core detection for every operating system. Finally, we look at our major protection updates for Linux and macOS, designed to neutralize multi-factor threats the moment they touch your systems. New on-write protection automatically scans ELF, PE, and macro files using local analysis and WildFire, blocking malicious binaries before they can even be stored in your environment. We're also making it easier to identify stealthy command and control behavior by spotting unusual network connections. This new detection suite profiles network baselines for Linux and macOS to identify abnormal communication patterns that deviate from the norm. Lastly, we're focused on stopping attackers from harvesting system secrets and user credentials. Using enhanced behavioral analytics, Cortex XDR now highlights and blocks unauthorized attempts to access sensitive files or execute brute-force attacks. These updates ensure that no matter the OS, your environment is guarded by the most advanced analytics in the industry.

To see all that in action, I want to invite Imran to walk you through a demo.

>> Today, I'm going to show you the Cortex Agentics demo on XDR. It's 8:00 a.m. on a Monday. You have barely opened your laptop when a link hits your inbox from the CISO. It's a breaking report on the Medusa ransomware group. The latest campaign is shredding through the industry and the question is already waiting for you: are we hit? In a traditional SOC, your next 4 hours are gone. You would be manually scraping IoCs from blogs, writing complex queries, and jumping between different consoles just to see if a specific file hash exists in your environment. But today, with Agentic Assistant, you can accomplish that task and more in just a few minutes. Let me show you how.

For this demo, we configure the XDR agent in monitor mode. You open the Agentic Assistant and paste the blog link. Ask the agent to summarize the Medusa blog and tell you if you're impacted. Watch the threat intel agent go to work. It doesn't just give you a summary. It builds a dynamic plan. You can see its reasoning process in real time. The agent finishes its scan and the news isn't good. It found a match. One of the Medusa-linked hashes is currently active in an open incident. You pivot into the case details immediately. The AI Smart Score hits you: 98. Smart Score is our AI-driven case prioritization engine that intelligently combines insights from your specific environment with all the global threat data that we see to determine the appropriate risk score. You see that the user Watson has accessed multiple resources via SSO within a short period of time from a country where the user doesn't work. In any other tool, this would be nine different cases. But here, it's one clear battle plan.

Now, you need to know how far Medusa has spread. You switch to the endpoint investigation agent. Because this agent has elevated permissions, it can perform the deep-dive forensics that used to take you hours. You ask, find every unique host this user tried to access today. This is immersive AI. The agent queries the data and reports back. Watson's account attempted to access over 250 hosts in the last 30 minutes. That's not a user. That's Medusa looking for a place to drop their encrypted payload. You need to kill this attack before they start exfiltrating data to the leak site. You don't need to open your identity or EDR consoles. You tell the assistant, "Isolate the host and disable the user." Because Cortex has over 1,000 deep integrations, the agent knows exactly what to do. It reaches out to Okta to revoke Watson's sessions and triggers the XDR agent to isolate the infected machine from the network. What used to be a half-a-day crisis was resolved in just minutes. You have moved from reactive hunting to autonomous resolution with Agentics.

Now I'm going to show you the Cortex exposure management demo on XDR. Security teams today aren't suffering from a lack of data. They're suffering from a lack of focus. You have got cloud logs in one place, scanner reports in another, and a perimeter that's constantly shifting. Cortex exposure management collapses those silos and gives you a unified view of your cloud, on-prem, endpoint, and perimeter risk.

Welcome to the exposure management command center. Think of this as your mission control. At a glance, you can see exactly where your exposure is trending and, more importantly, which specific areas require your immediate attention to reduce the risk with the least amount of effort. Now, when you move into the issues view, you're looking at your team's strategic to-do list. It's a curated queue based on built-in best practices and your own custom internal policies. From here, you can manage vulnerabilities and orchestrate a response. You can assign owners and trigger automated workflows to fix the problem before an attacker even knows it's there.

Now, let's look under the hood of a single issue. The vulnerability intelligence feed enriches the issue. We don't just tell you a vulnerability exists. We tell you its context. Notice the Cortex Vulnerability Risk Score, CVRS. Unlike a Common Vulnerability Scoring System (CVSS) score that stays the same for years, CVRS evolves as threat actors develop new exploits or as your internal environment changes. If your team needs to defend their priorities to leadership, the why is right here. We combine CVSS, Exploit Prediction Scoring System (EPSS), exploit maturity, real-world threat intelligence, and, crucially, your own compensating controls. The reality is you can't always patch a server the second a vulnerability is found, but you can protect it. So in this example, the asset is exposed because it has no protection. You are advised to deploy the XDR agent that immediately wraps the asset in a layer of prevention while your team schedules the permanent patch. For managed assets, Cortex XDR prevents attacks in real time. If an agent is installed, but a specific prevention policy isn't toggled on to stop this specific exploit, Cortex will tell you exactly how to flip the switch.

Finally, you might ask, is this vulnerability actually exploitable? To answer that, we have attack surface testing. While other tools guess, it validates. It runs safe, benign tests based on real-world attacker techniques to see if they can actually reach the target and whether perimeter control is behaving as expected. We have evidence of a successful test because we have proven this can be exploited. The CVRS score automatically jumps to the top of the list. We have removed the guesswork, giving your team the absolute certainty they need to act fast. Cortex exposure management is about giving you the clarity to see your environment through the eyes of an attacker and the tools to shut them out before they ever get a foot in the door.

Now I'm going to talk about Cortex endpoint DLP and I will do a demo of that.

The modern workspace has evolved, but legacy DLP hasn't kept up. It is failing the SOC because it's blind to the tools users actually use today, like generative AI apps and P2P encrypted private instant messaging tools like Telegram. Let me show you how Cortex endpoint DLP is uniquely architected to secure this modern workflow.

Let's get right into a DLP issue on Cortex XDR. Instead of hunting through logs, you get the full story immediately. You can see the major assets related to this issue, instantly identifying the specific user involved and the exact file in question. And looking at the user activity, we can see exactly how the prevention played out. The user was presented with a data leak violation dialog. The action was blocked and they accepted that notification, meaning the education loop is working. Below that, you see precisely why it was blocked. You can view the specific data profiles that triggered the detection and the exact indicators found within the file. In this case, it is a sensitive email address. You can even see the masked snippet of the data right here in the console for instant verification. And if you need to go further, you have the option to retrieve the full file for a deeper forensic analysis. You have all the context needed to understand the attempted data leak.

Let's look at another issue. A user attempted to upload sensitive data to a private cloud drive, such as their iCloud Drive, in violation of the organization's data policy. We can clearly see the specific data patterns that triggered the block: a financial report containing bank routing numbers. As before, this action was blocked instantly and the user was notified immediately.

Now that you have seen the issue, let's look at the rule behind it. This is where our solution really stands out. Our robustness in terms of data profiles and our extensive catalog of web applications make policy creation incredibly powerful. Take a look at this rule here. The summary tells you exactly what it does in plain English. It's simple, intuitive, and gives you complete clarity on your security posture without needing to decipher complex logic.

Now, let's see what the end user actually experiences. When they attempt to upload sensitive data, for example, to iCloud Drive, the response is instant. They receive a block message that explicitly explains why the action violates the organization's policy, turning a security block into a teachable moment. But we also know businesses need to move fast. Let's look at a scenario involving ChatGPT. When the user attempts to upload a document, they receive the educational notification. However, we prioritize business continuity. If this is a legitimate task, the user has the option to override the block, provide a justification, and complete the upload, ensuring that security never becomes a bottleneck.

Cortex endpoint DLP secures the modern workflow where legacy tools fail. From blocking risky gen AI apps to unified investigations with XDR and educating users in real time, we give you complete visibility and control without slowing down the business.

To learn more about XDR, reach out to the sales representative for a P.

Thank you for watching.
