XSOAR is one of the most expensive SOARs on the market. You need a dedicated team just to keep it running. Palo Alto is pushing everyone to XSIAM. And the platform hasn't shipped anything new in years. You're funding their next acquisition, not your SOC.
"It doesn't have any integrations. It lacks multiple integrations. It has been decommissioned by Palo Alto. There's no more trying to support it. There will be no more additional items added. The initial setup was complex."
"This solution requires a dedicated team to create and modify the playbooks and other underlying configurations (mapper, classifier etc.). The pre-built playbooks are too generic to be used directly and require quite a few changes, instead of which one can work on creating a new one."
"There are several factors that incline me to rate xSOAR below average. The platform's interface is quite complex and not easy to navigate. The search feature is restrictive in terms of the results and reporting is so difficult that we've had to resort to writing our own code off the platform to generate the kind of reports we need."
"Signed contract when it was still called Demisto, after the change the tool and support seemed to go down. It's not a bad tool IF you can dedicate a team of engineers to developing playbooks, as the pre-built ones are too generic to be useful in anything outside a basic environment."
"I want to make note that it seems like Palo Alto Networks is moving to a full à la carte licensing model where just about every feature in the product has a separate key and license to purchase/maintain and monitor. I have had firewalls bricked because it became cost prohibitive to license them."
"The ease of use of the product plus support creates the most powerful security orchestration and automation platform. The team built a product with support to make sure the product is not stagnant but actually providing outcomes which we did not get with Splunk, Palo Alto (Demisto) or Tines which we have owned or tried. Already paying for itself within a couple of months."
G2 Verified Review
"The platform is straightforward to use. It was quite intuitive for my team to get started. The skill level required is much lower than we needed with our SOAR."
G2 Verified Review
"What truly sets Blink Ops apart is their unparalleled speed with the fastest TTA (Time to Automation) in the market, surpassing competitors by as much as a hundredfold."
Tal Morgenstern, Partner at Lightspeed Venture Partners
"Perfect 5-star rating in GigaOm's 2024 SOAR Radar Report for implementation of AI Security Automation. 400% year-over-year revenue growth."
GigaOm Radar Report 2024
The XSOAR Reality Check
Numbers from real XSOAR deployments. Not from marketing slides.
1. One of the Most Expensive SOARs
Per-user pricing that scales against you. Prices jumped post-Demisto acquisition. And PA acquisitions are known for renewal surprises.
2. 6-7yr - Old Tech Under the Hood
Demisto was acquired in 2019. The core architecture hasn't changed. No agents, no reasoning, no agentic workflows. Good luck getting feature requests approved.
3. Team - Needs a Sec Eng Department
Most orgs end up running a dedicated security engineering team just to keep XSOAR operational. That's not a tool. That's a tax.
The Real Problems with Cortex XSOAR
From actual XSOAR users on PeerSpot, Gartner, and G2. Not our opinion.
Low-Code Until It's Not
XSOAR does have a visual editor. For basic stuff it works. But for anything complex (custom parsing, conditional logic, real-world edge cases), prepare to write Python. Most teams end up needing developers to maintain playbooks.
"Having a code-based background is beneficial as the platform is very code-centric for playbooks."
One of the Most Expensive SOARs on the Market
Per-user pricing that punishes growth. Prices went up after the Demisto acquisition. And if you know PA's acquisition history, expect another bump at renewal. Add professional services on top and it gets ugly fast.
"Pricing increased significantly after the Demisto acquisition."
You Need a Sec Eng Department to Run It
This isn't a tool one person manages. Most teams end up running a dedicated security engineering function just to maintain XSOAR. Playbook development, integration maintenance, debugging, upgrades. It's a full-time operation.
"You need someone 100% dedicated to XSOAR to get results."
Dashboards Are Weak
Reporting and dashboards are consistently flagged as a pain point. Limited customization, hard to get the views you need.
"Dashboard customization is limited. Reporting needs major improvement."
Pre-Built Content Needs Rework
Marketplace playbooks look great in the demo. Then you try to use them in your environment. Expect days of rework per playbook.
"Pre-built playbooks needed tons of work to use in a real environment."
6-7 Year Old Tech. No Agents. No Roadmap.
Demisto was acquired in 2019. The core architecture is the same. No AI agents, no reasoning, no agentic workflows. PA's investment is going into XSIAM. XSOAR standalone is coasting. And if you've ever tried to get a feature request approved at Palo Alto... good luck with that.
Cortex XSOAR vs. BlinkOps
One needs a security engineering department to maintain. The other gives your team superpowers out of the box.
| Capability | BlinkOps | Cortex XSOAR |
| --- | --- | --- |
| AI Agent Builder | No-code agent builder. Define role, responsibilities, abilities, constraints. Deploy custom AI agents for triage, enrichment, response. | No agent builder. 6-7 year old architecture. PA is investing agent capabilities into XSIAM, not XSOAR. |
| AI Workflow Builder | Builder Copilot. Describe what you want in plain English. AI generates full multi-step workflows in seconds. | Visual playbook editor for basics. But anything complex requires Python. No AI-assisted generation. |
| AI Workflow Modifier | Modify existing workflows with natural language. AI transforms outputs, generates JQ from plain English. | Manual edits. Modify Python scripts or reconfigure visual steps by hand. |
| Analyst Copilot | AI copilot inside case management. Full incident context, enrichment, response actions via chat. | Basic AI assistant through Cortex ecosystem. Not a dedicated copilot for case investigation. |
| Agentic Workflows | Hybrid: deterministic steps + micro-agent reasoning in the same workflow. Agent handles ambiguity, automation handles speed. | Playbook-only. All logic is pre-defined. No reasoning capability within workflows. |
| Dynamic Workflow Creation | Agents select and execute workflows based on real-time context. No hardcoded decision trees. | Sub-playbooks with conditional branching. Still rule-based, every path manually defined. |
| Integrations | 30,000+ built-in integrations. Custom integrations in minutes. | ~500 marketplace integrations. Best within Cortex ecosystem, weaker outside it. |