How to transform your SOC through XDR and MDR

In a recent CRA webcast, host Paul Asadoorian and Palo Alto Networks' Alice Nguyen and Salina Wuttke explained that MDR and XDR are increasingly paired because neither humans nor point tools can reliably keep up with today's multi-environment, automation-accelerated threat chains.

Wuttke opened with highlights from the latest incident-response report from Unit 42, Palo Alto Networks' threat-intelligence team. Based on more than 750 investigations, the report emphasizes the compression of attacker timelines and the growing difficulty of investigations that span endpoints, identity, cloud, network, and SaaS.

"Threat actors are going from initial access to data exfiltration in less than an hour," said Wuttke.

In this environment, she explained, the old incident-response model, in which alerts arrive slowly and analysts manually correlate signals step-by-step, breaks down.

Wuttke thinks the core problem isn't skill or effort, but human limits: Defenders can't "manually correlate those signals fast enough across that entire attack surface" as attackers exploit gaps created by fragmented tooling and visibility.

This is where XDR matters, Nguyen said. She described Palo Alto Networks' Cortex XDR as a response to the "data-silo problem," unifying telemetry so analysts don't have to pivot among endpoint tools, firewall logs, cloud consoles, identity systems, and email security.

XDR aims to reduce the noise of isolated events, she said, by correlating activity into fewer, higher-confidence incidents.

"Instead of waking up at 500 isolated alerts, now you're going to see five high-confidence incidents," Nguyen said.

She added that the Cortex XDR platform maps a "causality chain" from initial entry to lateral movement, shifting teams away from reconstructing what happened toward validating and remediating quickly.
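To make the correlation idea concrete, here is a small added example of the technique described above: grouping alerts from separate telemetry sources (email, endpoint, identity, network, cloud) into a handful of incidents by shared user or host, then ordering each incident into a timeline from initial entry to final action. This is illustrative code written for this article, not Cortex XDR's logic; the alert records, entity names, time window and the "at least two sources" confidence rule are all constructed assumptions.

```python
"""Toy cross-source alert correlation (constructed example, not Cortex XDR code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str            # which telemetry silo raised it (email, endpoint, ...)
    kind: str              # short detection name
    entities: frozenset    # users/hosts the event touches, e.g. {"user:jdoe", "host:ws-17"}


@dataclass
class Incident:
    alerts: list = field(default_factory=list)
    entities: set = field(default_factory=set)

    @property
    def last_ts(self):
        return self.alerts[-1].ts

    def add(self, alert):
        self.alerts.append(alert)
        self.entities |= alert.entities   # entities join transitively

    def sources(self):
        return {a.source for a in self.alerts}

    def chain(self):
        """Causality-style timeline: (time, source, kind) from first entry to last action."""
        return [(a.ts.strftime("%H:%M"), a.source, a.kind) for a in self.alerts]


def correlate(alerts, window=timedelta(hours=1)):
    """Group alerts that share a user or host and arrive within `window` of the
    incident's most recent alert. Because entities join transitively, a network
    alert naming a second host pulls that host into the same incident."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        for inc in incidents:
            if alert.entities & inc.entities and alert.ts - inc.last_ts <= window:
                inc.add(alert)
                break
        else:                              # no match: open a new incident
            inc = Incident()
            inc.add(alert)
            incidents.append(inc)
    return incidents


def high_confidence(incidents, min_sources=2):
    """Keep incidents corroborated by more than one telemetry source (assumed rule)."""
    return [i for i in incidents if len(i.sources()) >= min_sources]


def t(hhmm):
    """Constructed timestamp helper: all sample alerts fall on one day."""
    return datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample alerts. Six describe one chain (phish -> macro -> MFA change
# -> lateral movement -> cloud download); two are unrelated single events.
SAMPLE_ALERTS = [
    Alert(t("09:00"), "email",    "phish_link_click",          frozenset({"user:jdoe"})),
    Alert(t("09:00"), "endpoint", "remote_admin_tool_launch",  frozenset({"host:ws-42", "user:admin"})),
    Alert(t("09:04"), "endpoint", "office_macro_spawns_shell", frozenset({"user:jdoe", "host:ws-17"})),
    Alert(t("09:10"), "identity", "new_mfa_device_registered", frozenset({"user:jdoe"})),
    Alert(t("09:12"), "endpoint", "unsigned_binary_execution", frozenset({"host:ws-17"})),
    Alert(t("09:25"), "network",  "smb_lateral_movement",      frozenset({"host:ws-17", "host:srv-files"})),
    Alert(t("09:40"), "cloud",    "bulk_object_download",      frozenset({"user:jdoe"})),
    Alert(t("14:00"), "identity", "repeated_failed_logins",    frozenset({"user:svc-backup"})),
]


if __name__ == "__main__":
    incidents = correlate(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} alerts -> {len(incidents)} incidents")
    for inc in high_confidence(incidents):
        print("high-confidence incident, sources:", sorted(inc.sources()))
        for step in inc.chain():
            print("   ", *step)
```

Running it turns eight alerts into three incidents, of which only one is backed by several sources; its chain reads from the phishing click through lateral movement to the cloud download, which is the "validate and remediate" view rather than the "reconstruct from scratch" view the panelists contrasted. The time window and the multi-source threshold are the knobs a real platform tunes far more carefully than this sketch does.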

MDR, in turn, is the expert layer that makes XDR operational at all hours and in ambiguous cases. Wuttke said Unit 42 MDR analysts and threat hunters go beyond reviewing alerts and escalating tickets and actually work "natively inside" the XDR platform.

She said the emphasis is proactive threat hunting, rapid containment, and clear reporting, especially when attacks blend into normal operations, and added that well-funded groups increasingly "hide inside the systems that companies are already using and trusting," abusing valid credentials and legitimate workflows where "everything just looks normal."

MDR teams, she argued, are built to find the "doesn't quite add up" signals that pure alerting misses, and to act immediately in response.

"The solution is a single operational system where AI is handling that scale," Wuttke said, "and then Unit 42 experts are applying human judgment, and then they're investigating, and then they're taking action during times when automation just isn't enough."

Faster containment and less SOC-team fatigue are the goals, the panelists agreed. Asadoorian described alert fatigue as emotionally and operationally corrosive. He recalled his days as an analyst, spending hours chasing dead ends and feeling defeated at the end of the day even after having done "good work."

By combining XDR correlation with MDR expertise, Wuttke said, the goal is to focus scarce human attention on incidents that truly matter. She brought up the example of the Green Bay Packers NFL team, which she said improved investigation throughput and reduced response time dramatically after adopting the platform-plus-expert model.

A common MDR frustration is that organizations still must do detection tuning, playbook maintenance and SOC operations themselves. Wuttke brought up a new Palo Alto Networks offering called Managed XSIAM, which she said can deliver an automated, "fully managed SOC" approach, including onboarding, data mapping, detection engineering, automation and ongoing optimization alongside response and investigation.

"It's a big, giant, beautiful platform that has SIEM, SOAR, XDR, everything built in," she said.

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
