Security teams are losing a race against threat actors who move faster than they can respond. As attackers use AI to automate their techniques, the window between initial access and full compromise has shrunk to minutes. We see the impact of this speed in the data, where preventable gaps, such as limited visibility or excessive trust, cause over 90% of breaches [1]. To stay ahead, we must move beyond manual, reactive defense.
The endpoint sits at the center of this problem. It's where attacks land, where lateral movement begins, and where the clearest signal of compromise lives, making it the most critical source of truth for any modern security strategy. But endpoint visibility alone isn't enough. Sophisticated attacks move across devices, identities, applications, and data simultaneously, hiding in the gaps between tools that were never designed to talk to each other. Stopping them requires correlating telemetry across every one of these layers: a workspace security platform that treats the entire environment as a single, connected surface.
Today, we are proud to unveil Cortex XDR 5.0, setting a new standard for investigation efficiency, data protection, and cross-platform defenses.
Key Highlights of the 5.0 Release
- Agentic AI workforce for XDR: Command AI agents to perform tasks like triage, enrichment, and host containment.
- AI-Enhanced Analyst Experience: Accelerate time-to-resolution with a redesigned user experience.
- Endpoint Data Loss Prevention (DLP) [Add-on]: Safeguard web and endpoint activity from data leakage, even when devices are offline.
- Unified Exposure Management for Cortex XDR [Add-on]: Prioritize risk reduction by analyzing the full attack surface, active threats, and existing security controls.
- Linux & macOS Protection Updates: Automated on-write protection blocking malicious binaries before they are stored.
- Advanced Email Security Enhancements [Add-on]: Stop sophisticated email-based attacks with a new command center and updated remediation engine.
1. Agentic AI workforce for XDR
With the full capabilities of AgentiX now natively embedded in Cortex XDR, security teams can manage a workforce of AI agents that plan, reason, and execute complex workflows autonomously. These agents act as your team’s expert security assistants, available 24/7, handling triage, enrichment, and containment to help speed investigation and response. To ensure comprehensive coverage, this release includes a fleet of specialized system agents for endpoint, email, and network environments. For teams that need to go further, a no-code custom agent builder lets you tailor agents to your specific operational needs and the new Automation Engineer takes this a step further, enabling security teams to generate functional code and scripts from plain language prompts. Every agent action is governed by the same roles and permissions as your human analysts, with human-in-the-loop approval for impactful actions and a complete audit log for full transparency.
Whether it is generating custom scripts or conducting cross-platform forensics, these specialized AI agents help you solve the operational efficiency gap by offloading the manual tasks that consume an analyst’s day. The power of this workforce is driven by a native multi-model control plane, ensuring agents never operate in a silo. This connectivity transforms what used to be a half-day crisis into a resolution that takes minutes.

2. Agentic-first Analyst Experience
Beyond the underlying technology, Cortex XDR 5.0 redesigns the day-to-day analyst experience by transforming the console into an intelligent, collaborative workspace. The rebuilt case management workflow guides analysts through triage, prioritization, and response, reducing the steps between an open alert and a closed case. AI-driven summarization translates complex alerts into plain language, while visualizations map the connections between alerts, assets, and users so analysts always know where to look next.

At the center of this experience is the Agentic Assistant, embedded directly into the investigation workflow to provide expert-level guidance at every step. The Case Investigation agent will proactively suggest next steps and cut through the complexity of multi-stage incidents, so analysts can make faster, more confident decisions. Those decisions feed directly into the Resolution Center, a dedicated hub that consolidates remediation actions into a single, structured response, eliminating the handoff friction between investigation and resolution.
3. Endpoint Data Loss Prevention (DLP)
A massive shift is underway in the DLP landscape, driven by a move away from legacy compliance-based models toward comprehensive data governance. This change is fueled by three key challenges: the proliferation of GenAI, where new tools emerge too quickly for traditional filtering; the rise of dedicated desktop applications, which bypass standard browser-based security; and the growing demand for agent consolidation. As organizations look to eliminate endpoint lag and bridge the gap between offline activity and cloud security, the industry is pivoting toward unified, single-agent platforms.
Now available as a dedicated add-on, Endpoint DLP for Cortex XDR classifies and protects sensitive data directly on the device. Because our classification engine lives entirely on the endpoint, sensitive data is never sent to an external scanner. It's classified and protected on the device itself, even when offline. Organizations get robust data protection without compromising employee privacy or adding another agent to manage, with deep visibility into local applications that distinguishes authorized corporate syncs from personal account uploads. When sensitive data is flagged by a policy, such as a user attempting to upload a financial report to a private cloud drive, the XDR agent doesn't just block and move on. It delivers a real-time prompt explaining why the action was blocked, turning a potential security incident into a coaching moment that cuts false-positive alerts for the SOC.

4. Unified Exposure Management for Cortex XDR
For most security analysts, vulnerability management means toggling between tools and manually correlating data. Legacy endpoint vulnerability assessments miss unmanaged assets. Network scans don't account for endpoint context. External attack surface tools operate in their own silo. By the time a team manually pieces it all together, the window to act has already closed. The result is a SOC overwhelmed by thousands of low-priority CVEs, with no clear way to identify which risks are actually exploitable.
Exposure management is now available as a Cortex XDR add-on, providing a unified experience that eliminates the need for standalone tools or manual data correlation. By combining deep XDR agent assessments with network, external, and third-party scans, it provides the broad visibility needed to surface exposures across every vector. AI-driven prioritization then correlates vulnerabilities with exploitability likelihood, business context, and third-party threat intelligence. Built-in controls verification closes the loop by automatically validating whether your existing security stack is effectively mitigating specific risks, so analysts can stop chasing low-priority noise and focus on exposures that are critical and exploitable. When the platform surfaces a recommendation, security teams can act on it immediately, applying the suggested control or compensating-control detection, enabling a protection feature, or deploying a virtual patch directly from the console, without leaving the workflow.

5. Enhanced Linux & macOS Protection
Security shouldn't be platform-dependent, which is why this release introduces major protection updates for Linux and macOS designed to neutralize multi-vector threats the moment they touch your systems. New on-write protection automatically scans ELF, PE, and Mach-O files using local analysis and WildFire, blocking malicious binaries before they can even be stored in your environment. Beyond file prevention, we are also making it easier to identify stealthy command-and-control behavior by profiling network baselines for these operating systems to spot abnormal communication patterns that deviate from the norm.
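As an added illustration of the on-write gate described above (example code written here, not Cortex XDR's own), the following identifies ELF, PE and Mach-O content by its header before the write completes and holds or blocks it; the hash denylist and the sample bytes are constructed stand-ins for local analysis and WildFire verdicts.

```python
"""Toy on-write scan gate: classify ELF / PE / Mach-O by header bytes."""
import hashlib
import struct
from typing import Optional, Tuple

ELF_MAGIC = b"\x7fELF"
# Mach-O thin images in both byte orders, 32- and 64-bit.
MACHO_THIN = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
              b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; Java .class files share it


def classify_binary(data: bytes) -> Optional[str]:
    """Return 'ELF', 'PE', 'MACHO', or None when not a native executable."""
    if data.startswith(ELF_MAGIC):
        return "ELF"
    if data[:4] in MACHO_THIN:
        return "MACHO"
    if data[:4] == FAT_MAGIC and len(data) >= 8:
        # A fat header stores nfat_arch at offset 4; a Java class stores its
        # version there (>= 45), so a small value is the universal-binary case.
        (nfat_arch,) = struct.unpack_from(">I", data, 4)
        if 0 < nfat_arch < 30:
            return "MACHO"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # PE: e_lfanew at 0x3C gives the offset of the 'PE\0\0' signature.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
    return None


# Constructed sample and denylist standing in for local analysis / cloud verdicts.
SAMPLE_BAD_ELF = ELF_MAGIC + b"\x02\x01\x01" + bytes(13) + b"CONSTRUCTED-BAD"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_ELF).hexdigest()}


def on_write_verdict(data: bytes) -> Tuple[str, str]:
    """Gate a pending file write: ('block' | 'allow' | 'hold', reason)."""
    fmt = classify_binary(data)
    if fmt is None:
        return "allow", "not a native executable"
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return "block", f"{fmt} matches known-bad hash"
    # Unknown executable: hold the write until a (hypothetical) cloud verdict returns.
    return "hold", f"{fmt} pending analysis"
```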
To further harden these environments, Cortex XDR now leverages enhanced behavioral analytics to stop attackers from harvesting system secrets and user credentials. The system highlights and blocks unauthorized attempts to access sensitive files or execute brute-force attacks in real time. These updates ensure that regardless of the operating system, your entire environment is guarded by the most advanced analytics in the industry, closing the security gaps that often exist in non-Windows environments.

6. Advanced Email Security Enhancements
Email remains one of the most active entry points for attackers, yet most security teams are still managing threats reactively. The Advanced Email Security add-on module has been upgraded to provide a more scalable detection layer for cloud environments. A new interactive Email Security Command Center provides a centralized dashboard that allows analysts to assess and manage their security posture in real time, giving immediate visibility into the health of the email environment so teams can monitor email threats and response actions as they unfold. Our new real-time remediation engine enables policy-driven actions that quickly neutralize email threats based on predefined security logic. Automating these responses closes the vulnerability window, ensuring malicious emails are neutralized before users can interact with them.

Cortex XDR 5.0 sets a new benchmark for workspace security, protecting the people, devices, applications, data, and identities that define the modern hybrid worker's environment against modern AI-driven attacks. By unifying agentic autonomy, proactive exposure management, and seamless data protection into a single platform, we eliminate the preventable gaps adversaries exploit. This release redefines the endpoint as the core of a proactive defense, moving beyond traditional detection and response to provide a foundation for future security operations.
Register for Symphony '26 to explore Cortex 5.0 and watch our expert technical session: "Mastering the Next Generation of XDR."
We recently announced our intent to acquire Koi to secure the agentic endpoint. Learn more.