# Forrester TEI: Unlock 257% ROI with Cortex XSIAM

By [Greg Smith](https://www.paloaltonetworks.com/blog/author/greg-smith/?ts=markdown "Posts by Greg Smith"), Oct 16, 2025, 4 minutes

What would your CFO say to a **257% return** on investment over three years and a **payback period of less than six months**? According to a 2025 Forrester Consulting Total Economic Impact™ (TEI) study commissioned by Palo Alto Networks, that's what a composite organization based on interviewed customers achieved with Cortex® XSIAM™.

### **A Different Kind of Security Platform**

Modern security operations are drowning in data but starving for insight. Legacy SIEMs force analysts to dig through silos, chase alerts, and fight fires instead of preventing them. [Cortex XSIAM](https://www.paloaltonetworks.com/resources/techbriefs/cortex-extended-data-lake) turns that model on its head, bringing all your data, AI, automation, and key SecOps capabilities together on one unified SOC platform.

Built on the cloud-native [Cortex Extended Data Lake (XDL)](https://www.paloaltonetworks.com/resources/techbriefs/cortex-extended-data-lake), XSIAM ingests and normalizes security telemetry from every corner of the enterprise---endpoint, network, cloud, and identity---providing complete visibility and faster, data-driven decisions.

### **The Financial Impact**

Based on interviews with global customers, Forrester's analysis, which models a composite organization with $5 billion in annual revenue and 13 SecOps FTEs, determined that Cortex XSIAM delivered:

* **257% ROI over three years**
* **$5.6 million** net present value (NPV)
* **\< Six months** payback period

It's not just about better security, it's about better business outcomes.

## **Where the ROI Really Comes From**

### **Improved Security Posture**

By year three, organizations enhanced their security posture by 60%, avoiding over $2.2 million in potential breach costs. For CISOs, this means more resilient defenses. For CFOs, it means fewer financial surprises.

> *We haven't had a single outage related to a cyber event since deploying XSIAM. The platform gives us better visibility and context across our environment, and that's helped us stay ahead of threats. Our posture is stronger, and we're finally able to be proactive instead of reactive. -- Director of SecOps, Specialty Retailer*

### **Efficient Threat Detection and Response**

Mean Time to Remediation (MTTR) decreased by 85%, valued at over $1.2 million. One VP noted that detection and remediation times dropped from over six hours to just 40--50 minutes. Alert volume needing Tier 1 SOC attention dropped by 85% by year 3, saving over $930,000 for the composite organization, while investigations requiring SecOps involvement reduced by 70%. This resulted in quicker threat neutralization and significant operational cost savings.

> *We went from 25,000 alerts per quarter that had to be manually reviewed to around 4,500 --- an 80% improvement. That's not fewer events, just better correlation and stitching.* --*Director of SecOps, Specialty Retailer*

### **Empowering Analysts and Addressing Talent Gaps**

AI-driven automation alleviates alert fatigue, allowing analysts to focus on strategic tasks like threat hunting, improving job satisfaction and retention.
By automating manual processes, Cortex XSIAM addresses talent shortages and escalating operating costs, while also improving security outcomes.

> *XSIAM reduced our 'mean time to meaningful work' from hours to 20 minutes. Analysts get all the correlated data upfront, without digging. --- VP of Security Platform, IT Services*

### **Cost Savings from Tool Consolidation**

Tool sprawl isn't just an IT headache---it's also expensive. The Forrester study found that the composite organization based on interviewed customers saved over **$3.1 million** in three years by consolidating legacy systems.

> *We saved a couple million dollars a year on tooling right off the bat, which the CFO loved. Plus, the new cloud-native licensing model offers greater data capacity at lower costs.* *--- Director of SecOps, Specialty Retailer*

## **Reducing Risk with Speed, Scale, and Observability**

In cybersecurity, every second counts. Forrester's findings show how XSIAM gives teams the edge---analyzing massive data volumes in real time, surfacing relevant signals instantly, and reducing risk at scale.

By unifying SIEM, XDR, SOAR, and threat intelligence into a single AI-driven platform, XSIAM helps analysts see what others miss, respond in minutes, and move from reactive to proactive defense.

> *My CFO reminds me how much we spend---and I remind him how much we're saving by investing in Cortex. It works, the support is solid, and the labor savings alone make it more than worth it. --- VP of SecOps, Technology Services Firm*

## **SOC Transformation and Beyond**

To us, the Forrester TEI study reflects our commitment to delivering a modern security operations platform that provides measurable impact and a real competitive edge.

The numbers tell part of the story---faster detection, fewer alerts, better visibility, and millions in savings---but the greater value lies in how Cortex XSIAM transforms the way teams work.
By unifying data, AI, automation, and SecOps on a single platform, Cortex XSIAM delivered a 257% ROI---while enabling teams to focus on what truly matters: protecting your organization's future.

### **Read the full study** to discover the comprehensive benefits of modernizing security operations with Palo Alto Networks Cortex XSIAM: [Forrester Total Economic Impact™ Study](https://www.paloaltonetworks.com/resources/research/forrester-total-economic-impact-xsiam)