An open integration approach for extended detection and response (XDR) empowers organizations to harness the full potential of their security ecosystems. This open approach provides security analysts with the agility to leverage the best tools and access the best information to protect their particular environments. This not only increases team efficiency but also the speed at which they can react to potential threats and reduces dwell time. Cisco XDR stands out in this arena by offering unmatched integration capabilities with not only Cisco solutions but a broad array of third-party tools. This is not a one-and-done endeavor — it requires constant planning and execution from committed product management and development teams, adding new and enhancing existing integrations.

To date, we have seen strong demand for this approach and more than 900 organizations worldwide now leverage Cisco XDR to protect the integrity of their IT infrastructure. Part of the reason for this broad appeal is that we meet security practitioners where they are, allowing them to get maximum value from the people and the tools that they already have. That capability is, of course, predicated on our ability to work with those tools, regardless of vendor.

In the last six months, Cisco XDR has added or significantly enhanced 21 integrations with products from Cisco and ten different third-party technical partners, sharing telemetry and security detections while increasing interoperability to deliver powerful outcomes in minutes instead of days.

The new integrations align primarily with five product areas – Endpoint Detection and Response (EDR), Email Threat Defense, Network Detection and Response (NDR), Next-Generation Firewall (NGFW), and Security Information and Event Management (SIEM) – that are critical for Security Operations Center (SOC) operators. They also include other key security and collaboration tools to deepen the understanding of security operators and incident responders while increasing team efficiency and reducing dwell time. The capabilities these integrations deliver to Cisco XDR include:

  • Incident Detection — If the tool captures system or network telemetry, or detects security-relevant activities or events, Cisco XDR can ingest that information into the pool of data for analysis, or put those detections into the customer’s combined incident queue, so the threat can be neutralized using the full breadth of Cisco XDR’s incident response tools.
  • Security Controls and Response — If the tool manages access to systems, networks, data, or other organizational assets, Cisco XDR enables responders and operators to leverage those capabilities to protect those assets from known and unknown threats, both reactively and proactively (e.g. clicking a button in Cisco XDR that blocks an IP by setting a new rule on a firewall).
  • Threat Investigation — If the tool has information about threat artifacts, whether it is gleaned from within the customer environment (e.g. DNS logs showing communication with a known C&C) or from threat intelligence tools like a malware sandbox or botnet tracker (e.g. finding out the details of the malware that likely initiated the connection), Cisco XDR can ingest that information. This can be critical to an organization’s need to be informed about current and potential future threats in meaningful ways that drive optimal defenses.
  • Collaboration — If the team is already using any of the top chat or collaboration tools, Cisco XDR can join or even create channels to post information about new or updated incidents and can even take commands and present the results via those channels.
  • Automation — All the above security outcomes, and more, can be leveraged by Cisco XDR in both automated and semi-automated ways to drive faster response times to a variety of threats and conditions.

All these critical functions are performed by every SOC. Cisco XDR helps these teams make better use of the tools that drive those functions by providing a common framework from which to leverage each product’s specific contributions. The more tools our customers can leverage in that context, the smoother and faster their performance will be.

Open > Native

For that reason, since inception, Cisco XDR has followed an Open XDR philosophy, or to be more precise, Hybrid XDR. With Cisco’s broad portfolio of top-tier security tools, we could have gone the Native XDR route and required customers to buy the Cisco stack to get any reasonable amount of XDR outcomes. However, that would not be in the best interests of customers who pursue a best-of-breed approach, value vendor diversity, or are in the process of migrating to Cisco security suites but want to get the benefits of XDR right now.

Cisco XDR has open and documented protocols based on industry standards. We have open and documented RESTful APIs with API prototyping tools built into the product. It is our goal to not only offer a wide array of out-of-the-box integrations, but to allow our partners and customers to easily add their own integrations, making their products and even bespoke in-house tools XDR-capable.

Accelerate Velocity with High Confidence

For that reason, last year we introduced a program for Cisco Verified integrations. These integrations are written by trusted Cisco partners to bring their products into the Cisco XDR ecosystem and are vetted by Cisco XDR Engineering and Quality Assurance teams prior to release. You can see the authorship details of all integrations on the Administration/Integrations page.

Based in part on the efficiency driven by these capabilities, the latest list of new or upgraded Cisco XDR integrations includes some integrations that were written by Cisco, and some by our partners. The deliveries in the first half of the Cisco fiscal year (August 2024 to January 2025) include:

  • Application, Identity and Device Management: Cisco Secure Access, Jamf Pro, Microsoft Intune
  • Cloud Detection and Response: Cisco Secure DDoS Protection, Cisco Secure WAF
  • EDR: SentinelOne Singularity
  • Email Security: Microsoft Defender for Office 365
  • Enterprise Backup: Rubrik
  • IT Service Management (ITSM): ServiceNow
  • NDR: Cisco Secure Network Analytics, NETSCOUT Omnis Cyber Intelligence (OCI)
  • NGFW: Cisco Meraki MX, Palo Alto Networks
  • SIEM: Cisco Splunk Cloud
  • Vulnerability Management: Cisco Vulnerability Management (CVM) — formerly Kenna
  • Other: Endace, our first integration with a packet capture product

Stay tuned for future announcements about more integrations, including from Safe Security and many more!

For more information on the current list of supported integrations, visit the Cisco XDR Integrations page.

If your cybersecurity company would like to build an integration with Cisco XDR, please contact the alliance team at partnering-csta@cisco.com.
