Unbiased Testing. Unbeatable Results.

ONLY Cortex Delivers 100% Protection and Detection in MITRE Engenuity

Symphony logo

AI and automation:
The future of SecOps.

Come see where security operations are headed next.

The Future of Digital Forensics

Investigate, respond and recover right away with rich forensics data at your fingertips.


To swiftly investigate incidents, you need instant access to all forensic artifacts, events and threat intelligence in one location.

  • Manual data collection and analysis slow down response

    Today’s open-source tools force your team to gather evidence from a motley assortment of agents and scripts. You need a solution that deploys in minutes.

  • Blind spots complicate investigations

    Your incident responders need to examine everything – including logs from air-gapped endpoints and the cloud – to gather deep forensics data and historical artifacts.

  • Disjointed AV, EDR & forensics agents burden endpoints

    Single-purpose agents for forensics, endpoint protection, and detection and response can bog down performance and add complexity.

Man looking at phone

Cortex XDR stopped the SolarWinds attack.

See our approach


Uncover the truth with detailed forensics evidence

Cortex XDR Forensics makes triage and forensic analysis easy by collecting all the artifacts you need and displaying them in an intuitive workbench. Designed by incident responders, it simplifies investigations so you can trace every move adversaries make without pivoting between tools.
  • Post-incident data collection
  • Artifact analysis from air-gapped endpoints
  • One cloud-delivered agent for NGAV, EDR and forensics
  • Forensics
  • Long-term data retention
    Long-term data retention
  • Triage
  • Investigation
  • Response and recovery
    Response and recovery

Why Cortex XDR Forensics

Streamline Data Collection and Analysis

To resolve an incident, you need to find the entry point and track down remnants even if adversaries tried to cover their tracks. The Cortex XDR Forensic module, integrated into the Cortex XDR agent, gathers comprehensive data and displays investigative details in an intuitive forensics workbench.

  • Rich forensics evidence:

    Instantly access a wealth of artifacts, including event logs, registry keys, browser history, process execution, drives, command history and more.

  • Offline data collection:

    Download a complete forensics snapshot of an air-gapped endpoint, upload it to Cortex XDR, and analyze it together with other forensics data.

Streamline Data Collection and Analysis

Unify forensic analysis, hunting and response

Avoid swivel-chair syndrome by gathering all data for triage and investigation in one solution. You can view forensics evidence, endpoint, network, cloud and user events from a single pane of glass. Once your team has verified a threat, they can contain it quickly.

  • Powerful hunting:

    Using XQL Search, query across all forensics data, including endpoint, network, cloud and identity data.

  • Integrated response:

    Stop the spread of malware, restrict network activity, sweep across all endpoints in real time with Search and Destroy, or recover from an attack with Host Restore.

Unify forensic analysis, hunting and response

Deploy swiftly and collect data effortlessly

The cloud native Cortex XDR solution lets you get started in minutes and avoid the need to deploy on-premises log collectors. You can install Cortex XDR Forensics without needing to reboot your endpoints and store forensics data in a scalable cloud-based data lake.

  • Cloud deployment:

    Easily gather forensics artifacts without needing to set up log servers or run complex endpoint scripts.

  • A single agent:

    Simplify desktop administration with one agent for endpoint protection, detection, response and forensics. Dive deeper in the IR & Data Breach Report

Deploy swiftly and collect data effortlessly

Respond and recover quickly

Use the solution trusted by Unit 42 Consulting

Use the solution trusted by Unit 42® Consulting

  • Gather deep forensics evidence during or after an incident occurs

  • Store data for months or years in a cloud data lake

  • Continuously monitor events to detect ongoing attacks

  • Recover from incidents with one agent for NGAV, detection, response and forensics