Illustrative ranges only. Pricing ranges and examples on this page are illustrative market ranges aggregated from public industry research. They are not quotes, not vendor-specific, and should not be used as a basis for procurement decisions. Always request a direct quote from the vendors you shortlist.
Palo Alto Networks does not publish a per-endpoint price card for Cortex XDR. Every figure on this page is triangulated from reseller-disclosed pricing, public procurement references, and buyer survey data gathered through June 2026. Cortex XDR is sold per endpoint per year in two tiers, Prevent and Pro, with data ingestion, managed threat hunting (Cortex XDR Managed Threat Hunting), and an incident response retainer sold as separate line items.
The two subscription tiers
| Tier | Per endpoint / month | What it is |
|---|---|---|
| Prevent | $6 - $10 | Endpoint protection: NGAV, host firewall, device control, exploit and behaviour prevention. EDR-equivalent. |
| Pro | $10 - $18 | Adds cross-layer XDR analytics over network, cloud, and identity telemetry, root-cause analysis, managed investigation. The true XDR tier. |
Bands reflect commonly-reported reseller pricing as of June 2026. The widely-cited median Cortex XDR contract sits near $41,000 per year. Negotiated multi-year and volume deals routinely run 20 to 35% below the bands above. See /sources.
Four worked cost scenarios
Annual Cortex XDR Pro licensing at a mid-band $13 per endpoint per month, before ingestion add-ons, onboarding, or multi-year discount. Use these as a starting bracket, not a quote.
| Environment | Endpoints | Pro licence / year | Likely negotiated |
|---|---|---|---|
| Small business | 250 | $39,000 | $30,000 - $35,000 |
| Mid-market | 1,500 | $234,000 | $165,000 - $195,000 |
| Lower enterprise | 5,000 | $780,000 | $520,000 - $640,000 |
| Enterprise | 25,000 | $3,900,000 | $2,300,000 - $2,900,000 |
Five optimisations that genuinely cut the Cortex bill
- Bring a live competing Falcon bid. Cortex discounts most aggressively against a real CrowdStrike Falcon Insight XDR quote on the table. Buyers routinely report 25 to 35% movement when the competitive process is genuine, near zero when it is not.
- Cap ingestion before you sign. Negotiate the per-GB overage rate and a bundled daily allowance sized 30% above current telemetry. Uncapped ingestion overage is the single most common Cortex budget surprise in year two.
- Buy Prevent where Pro is wasted. Endpoints that never feed cross-layer detection (air-gapped, kiosk, single-purpose) can sit on Prevent. Mixed-tier licensing is allowed and cuts the blended rate.
- Commit multi-year only against a roadmap. Three-year terms unlock the deepest discount but lock the rate; only commit if your endpoint count is stable or growing. A shrinking estate erases the discount.
- Bundle with existing Palo Alto spend. If you already run PA NGFWs or Prisma, fold Cortex into the enterprise agreement. Platform bundling typically beats standalone Cortex pricing by 10 to 20%.
Right pick when
- You already run Palo Alto NGFWs or Prisma Cloud and want native telemetry correlation.
- You are consolidating four or more point tools onto one analytics platform.
- You need strong cloud and identity detection breadth, not endpoint-only coverage.
- You have a SOC mature enough to use behavioural analytics and root-cause analysis.
Wrong pick when
- Your environment is endpoint-only with minimal cloud or identity telemetry.
- You want bundled MDR in the licence; Cortex managed hunting is a separate add-on.
- You are deeply Microsoft-stack and Defender XDR is already mostly paid for via E5.
- Your estate is shrinking, which erases the multi-year discount that makes Cortex competitive.
Frequently asked questions
01. How much does Cortex XDR cost per endpoint in 2026?
Palo Alto Cortex XDR is priced per endpoint per year and is not published as a public list price. Aggregated reseller and procurement data in 2026 puts Cortex XDR Prevent in the $6 to $10 per endpoint per month band and Cortex XDR Pro in the $10 to $18 per endpoint per month band. The widely-reported median contract is around $41,000 per year. Multi-year and volume commitments routinely cut 20 to 35% off these bands. These are aggregated public-research figures, not a quote.
02. What is the difference between Cortex XDR Prevent and Cortex XDR Pro?
Cortex XDR Prevent is the endpoint-protection tier: next-generation antivirus, host firewall, device control, and exploit and behavioural prevention on the endpoint. Cortex XDR Pro adds the cross-layer XDR analytics that define the category: behavioural analytics over network, cloud, and identity telemetry, root-cause analysis, and managed investigation. Pro is the tier most buyers mean when they say Cortex XDR; Prevent on its own is closer to an EDR than an XDR.
03. Is Cortex XDR more expensive than CrowdStrike Falcon?
At equivalent functional tier the two land within roughly 10 to 20% of each other, and which is cheaper depends entirely on negotiation leverage and bundle context. CrowdStrike Falcon Enterprise, which includes Falcon Insight XDR, lists around $184.99 per device per year; Cortex XDR Pro lands in a similar $120 to $216 per endpoint per year band before discount. Cortex tends to discount harder when there is a live Falcon competing bid, and vice versa. Run both as a competitive process.
04. Does Cortex XDR charge separately for data ingestion?
Yes. Cortex XDR bundles a baseline daily ingestion allowance per endpoint, and third-party and high-volume log sources above that allowance are billed separately, typically as Cortex XDR ingestion add-on units. Environments with verbose cloud audit logging or heavy third-party telemetry should expect ingestion to add 20 to 40% on top of the per-endpoint licence. Ask for the per-GB overage rate in writing before signing.
05. What does a real Cortex XDR deployment cost for 1,000 endpoints?
A 1,000-endpoint Cortex XDR Pro deployment lands at roughly $120,000 to $180,000 per year in licensing at list-equivalent bands, before ingestion add-ons and onboarding. Negotiated multi-year pricing commonly brings the licence line to $90,000 to $140,000. Add onboarding and professional services of $10,000 to $40,000 in year one, plus ingestion overage if telemetry runs high. Always model year-one and steady-state separately.
06. Is Cortex XDR worth it over standalone EDR?
Cortex XDR is worth the premium over standalone EDR when you are consolidating four or more point tools, when cross-layer detection across cloud and identity materially cuts your mean time to detect, or when you already run Palo Alto NGFWs and Prisma and want native telemetry correlation. For an endpoint-only environment with minimal cloud and no tool-consolidation goal, Cortex XDR Prevent or a cheaper EDR is usually the better economic call.