Palo Alto Cortex XDR is priced per endpoint per year, with the entry Cortex XDR Pro tier starting around $81/endpoint/year and the overall range running roughly $9 to $36/endpoint/month (about $108 to $432/endpoint/year) across tiers. The Prevent tier is custom-quoted. The figure that surprises buyers is data ingestion: Cortex meters log volume separately (per-TB), so the effective cost can land well above the per-endpoint headline. These are aggregated buyer-reported figures; Palo Alto does not publish a standard list.
Palo Alto Cortex XDR pricing tiers
| Tier | Price | Real EDR? | Notes |
|---|---|---|---|
| Cortex XDR Prevent | Custom quote | No | NGAV + exploit/behaviour prevention. Endpoint-only, no full EDR data. |
| Cortex XDR Pro (per endpoint) | from ~$81/endpoint/yr~$6.75/mo+ | Yes | The EDR tier: telemetry, analytics, investigation, response. |
| Cortex XDR Pro (higher tiers) | up to ~$432/endpoint/yrup to ~$36/mo | Yes | Broader correlation, identity analytics, longer retention. |
| Cortex XDR Pro per TB | Custom (per-TB data) | Yes | Data-ingestion model. Log volume is metered separately. |
The entry tier that delivers genuine EDR (continuous telemetry, behavioural detection, threat hunting, and response actions) is Cortex XDR Pro (from ~$81/endpoint/year). Cheaper tiers in the table are NGAV or prevention-only and do not give you the post-incident investigation trail that defines EDR.
What it costs at your size
Worked annual figures at the entry EDR tier, before negotiation. Use these to size the budget line, then run your own numbers in the budget calculator, which layers deployment, tuning, and internal operating cost on top of the licence.
| Organisation | Endpoints | Tier | Annual licence | Per endpoint / mo |
|---|---|---|---|---|
| Small business | 200 | Cortex XDR Pro | ~$16,000+ | ~$6.75+ |
| Mid-market | 1,000 | Cortex XDR Pro | ~$81,000+ | ~$6.75+ |
| Upper mid-market | 5,000 | Cortex XDR Pro | ~$405,000+ | ~$6.75+ |
| Enterprise | 25,000 | Cortex XDR Pro | ~$2.0M+ | ~$6.75+ |
| Plus data ingestion | any | per-TB add-on | metered on top | varies |
Licence only. Deployment, tuning, IR retainer, and internal operating cost sit on top: see the five TCO categories. At SMB scale the licence is roughly half of true all-in cost.
Four ways to bring the Palo Alto Cortex XDR number down
Model the data charge before you sign
Cortex meters log ingestion per TB on top of the per-endpoint licence. For chatty environments this can match or exceed the endpoint cost. Get a quote that includes a realistic data-volume estimate, not just the per-seat number.
Right-size the tier
The range spans $9 to $36 per endpoint per month. Most endpoint buyers need Pro, not the highest correlation tiers. Do not pay for identity analytics and extended retention you will not operationalise.
Lean on a Palo Alto platform consolidation deal
If you already run Palo Alto firewalls or Prisma, Palo Alto offers platform-consolidation pricing. A combined renewal is your strongest discount lever on Cortex.
Negotiate retention down
Longer telemetry retention drives both tier and data cost. Match retention to your actual compliance requirement (often 90 to 180 days) rather than buying a year by default.
When Palo Alto Cortex XDR is the right pick, and when it is not
- + You already run Palo Alto firewalls or Prisma and want a consolidated Palo Alto security platform.
- + You need deep cross-layer correlation (endpoint, network, cloud, identity) in one analytics engine.
- + You have the SOC maturity to operationalise a heavy, data-rich XDR platform.
- + You can model and absorb the per-TB data-ingestion cost.
- − You are a budget-sensitive SMB: Cortex sits at the premium end and the data charge compounds it.
- − You only need endpoint EDR: a per-device EDR like Falcon Pro or Defender P2 is simpler and cheaper.
- − You cannot predict your log volume: the per-TB meter makes the bill hard to forecast.
- − You are on Microsoft 365 E5: Defender for Endpoint P2 is already paid for and far cheaper.