Palo Alto Networks vs Thales (S21sec)
Palo Alto Networks is a Platform vendor that requires its own security platform. Thales (S21sec) is a Services firm that works with your existing tools. Palo Alto Networks targets Mid-market and Enterprise organizations; Thales (S21sec) serves Enterprise. Palo Alto Networks includes 5 attack surfaces in base pricing (Endpoint, Cloud, SaaS, Identity, Network), compared to 2 for Thales (S21sec) (Network, OT/ICS).
Buyer brief
Palo Alto Networks is a Platform vendor that requires its own security platform. Thales (S21sec) is a Services firm that works with your existing tools. Palo Alto Networks targets Mid-market and Enterprise organizations; Thales (S21sec) serves Enterprise. Palo Alto Networks includes 5 attack surfaces in base pricing (Endpoint, Cloud, SaaS, Identity, Network), compared to 2 for Thales (S21sec) (Network, OT/ICS).
Palo Alto Networks is the choice if you want a single-vendor stack with deep integration. Thales (S21sec) is better if you have existing tools and want flexibility.
At a glance
| FIELD |  |  |
|---|---|---|
| Best fit | Enterprise organizations already invested in the Palo Alto ecosystem (NGFW, Prisma, WildFire) wanting native MDR | Critical infrastructure and public-sector buyers that need Thales/S21sec regional cyber detection and response |
| Price | Cortex XDR Pro platform: ~$81/endpoint/yr; MDR extra | Custom quote |
| Response authority | 6/6 actions · Configurable | 2/6 actions · Configurable |
| Stack | Requires own platform | Works with existing stack |
| Data access | Full query access | Reports only |
| Warranty | Available | None listed |
- Best fit
- Enterprise organizations already invested in the Palo Alto ecosystem (NGFW, Prisma, WildFire) wanting native MDR
- Price
- Cortex XDR Pro platform: ~$81/endpoint/yr; MDR extra
- Response authority
- 6/6 actions · Configurable
- Stack
- Requires own platform
- Data access
- Full query access
- Warranty
- Available
- Best fit
- Critical infrastructure and public-sector buyers that need Thales/S21sec regional cyber detection and response
- Price
- Custom quote
- Response authority
- 2/6 actions · Configurable
- Stack
- Works with existing stack
- Data access
- Reports only
- Warranty
- None listed
Detailed comparison
| FIELD | Palo Alto NetworksPLATFORM | Thales (S21sec)TECH-AGNOSTIC |
|---|---|---|
| Fit | ||
| Target size | Mid-market, Enterprise | Enterprise |
| Sentiment | Positive | Mixed |
| Your stack | ||
| Approach | Requires their platform | Works with your tools |
| EDR integrations | Cortex XDR (native, required for full endpoint D&R)Third-party EDR telemetry (MSIAM 2.0, Feb 2026) | Customer endpoint security tools |
| SIEM integrations | Cortex XSIAM (native) | Customer SIEM platformsThales SOC tooling |
| Coverage | EPEndpoint: CoveredCloudCloud: CoveredIDIdentity: CoveredSaaSSaaS: CoveredNetNetwork: CoveredOTOT/IoT: Optional add-on | EPEndpoint: LimitedCloudCloud: LimitedIDIdentity: LimitedSaaSSaaS: LimitedNetNetwork: CoveredOTOT/IoT: Covered |
| Response | ||
| Response type | Active Remediation | Active Remediation |
| Approval policy | Configurable | Configurable |
| Response actions | IsolateKill processContainDisable accountsQuarantineCustom playbooks | ContainCustom playbooks |
| IR included | Separate | ✓ Included |
| Cost | ||
| Price range | Cortex XDR Pro: ~$81/endpoint/year reported (platform only, pricing sources vary). Unit 42 MDR service is additional custom pricing. Total cost depends on endpoints, tier, coverage scope, and contract terms. | Not published |
| Minimum seats | None | None |
| Breach warranty | ✓ | – |
| More details | ||
| Requires own agent | Yes | No |
| Endpoints | ✓ Included | ~ Limited |
| Cloud workloads | ✓ Included | ~ Limited |
| Identity | ✓ Included | ~ Limited |
| SaaS apps | ✓ Included | ~ Limited |
| Network | ✓ Included | ✓ Included |
| OT/ICS | + Optional | ✓ Included |
| Threat hunting | ✓ Included | ✓ Included |
| Response SLA | Not disclosed | Not disclosed |
| 24/7 coverage | ✓ | ✓ |
| Pricing model | Subscription-based, custom pricing. Cortex XDR/XSIAM platform license required as prerequisite, with Unit 42 MDR service as additional subscription. | Custom quote for Thales Cyber Detection and Response, Managed Security Services, SOC and MDR. Public prices are not published. |
| Hidden cost warnings | Cortex XDR/XSIAM platform license is a significant prerequisite cost on top of MDR service fee. Cortex Data Lake storage costs are separate and scale with data volume. Renewal price increases reported by community (up to 225% per some Gartner reviews). Best experience requires native Cortex XDR agent, third-party EDR support available via MSIAM 2.0 but with reduced fidelity. Enterprise pricing only, not accessible for SMBs | The current S21sec domain routes to Thales-branded services, so buyers wanting legacy S21sec-specific delivery should confirm contracting entity, SOC location and delivery team.. Public pages do not publish prices, minimum terms, service credits, MTTD/MTTR or formal MDR SLAs.. Thales offers a broad cybersecurity services portfolio; buyers should separate base MDR scope from CTI, DRPS, DFIR, CERT, ICS monitoring and advisory services.. Named endpoint, identity and cloud containment actions are not public and should be confirmed tool by tool.. Data retention, raw log access, offboarding and detection-content export rights are not described publicly. |
| Data portability | Limited | Partial |
| Contract terms | Annual, Multi-year | Custom cyber detection and response engagement, Managed Security Services, SOC and MDR, Critical-infrastructure cybersecurity services |
| Channels | PortalEmailPhone | EmailPhonePortal |
| Data access | Full query access | Reports only |
| Dedicated analyst | ✓ | – |
| SOC regions | North AmericaEuropeAsia-Pacific | EuropeMEAAPAC |
| Onboarding | 4-8 weeks typical for enterprise | Not published. Thales describes customer-centric service roadmaps and selecting/deploying detection and response technologies, but no standard MDR onboarding timeline. |
| Industry focus | Government/Public SectorFinancial ServicesHealthcareTechnologyCritical Infrastructure | Critical InfrastructureGovernmentDefenseEnergyManufacturingAviationSpaceFinancial ServicesTelecommunicationsHealthcareTransportationAutomotiveUtilitiesMaritime |
| MTTD | Not formally published. Customers report up to 90% reduction. 2x faster than average MDR participant (Frost & Sullivan 2024). Green Bay Packers case study: 5-minute response time. | Not published |
| MTTR | Not formally published. Green Bay Packers case study: median resolution time 42 minutes with Cortex XSIAM. Customers report up to 90% reduction in MTTR. | Not published |
| Community view | PeerSpot 8.4/10 (Cortex XDR platform, not MDR-specific). Frost & Sullivan Frost Radar Leader Global MDR 2024 and 2025. Strong detection capabilities and threat intelligence praised. Pricing is the most consistent complaint. No G2 MDR listing. No Reddit discussion specific to Unit 42 MDR found. | The current public evidence is strong for Thales-branded global SOC, MDR, CTI, DFIR and critical-infrastructure detection and response, but weak for S21sec as a standalone public MDR brand. Buyers should validate current delivery model, SOC location, response authority, pricing and whether the contract is with Thales/S21sec in the relevant country. |
| Compliance | SOC 2+ (aligned to HIPAA, GDPR, PCI DSS, UK NCSC)ISO 27001FedRAMP ModerateDoD IL5StateRAMP | DORATIBER-EUPCI DSSEASA Part-ISEASAICAOUNECE |
| Certifications | SOC 2+ (with HIPAA Security Rule alignment)ISO 27001FedRAMP Moderate (Cortex XDR, Cortex Data Lake, Prisma Access, Prisma Cloud, WildFire)DoD IL5StateRAMPGovRAMP | 8 threat intelligence and AI-driven SOCs around the worldSOCs in France, Morocco, the Netherlands, Belgium and Luxembourg, Portugal and Spain, and New Zealand and Australia |
| Founded | 2005 | – |
| Data retention | Cortex Data Lake: ~$11,000 per 1TB. Retention configurable by customer. | Not published. Public pages do not describe default log retention, raw log access, storage tiers or export terms for Thales SOC and MDR. |
| API available | ✓ | – |
| Website | Visit → | Visit → |
FAQ
What is the main difference between Palo Alto Networks and Thales (S21sec)?
Palo Alto Networks is a Platform vendor that is platform-native (requires their own security stack). Thales (S21sec) is a Services firm that is technology-agnostic (works with your existing tools). Palo Alto Networks covers 5 attack surfaces in base pricing vs. 2 for Thales (S21sec).
How do Palo Alto Networks and Thales (S21sec) differ in response capabilities?
Palo Alto Networks supports 6 autonomous actions (account disable, custom playbooks, endpoint isolation, file quarantine, network containment, process termination) and approval is configurable. Thales (S21sec) supports 2 autonomous actions (custom playbooks, network containment) and approval is configurable. Incident response is not included with Palo Alto Networks and included with Thales (S21sec).
How does Palo Alto Networks pricing compare to Thales (S21sec)?
Palo Alto Networks pricing: Cortex XDR Pro: ~$81/endpoint/year reported (platform only, pricing sources vary). Unit 42 MDR service is additional custom pricing. Total cost depends on endpoints, tier, coverage scope, and contract terms.. Thales (S21sec) pricing: Not published. Watch for with Palo Alto Networks: Cortex XDR/XSIAM platform license is a significant prerequisite cost on top of MDR service fee; Cortex Data Lake storage costs are separate and scale with data volume. Watch for with Thales (S21sec): The current S21sec domain routes to Thales-branded services, so buyers wanting legacy S21sec-specific delivery should confirm contracting entity, SOC location and delivery team.; Public pages do not publish prices, minimum terms, service credits, MTTD/MTTR or formal MDR SLAs..
Should I choose Palo Alto Networks or Thales (S21sec)?
Choose Palo Alto Networks if: enterprise organizations already invested in the Palo Alto ecosystem (NGFW, Prisma, WildFire) wanting native MDR. Choose Thales (S21sec) if: critical infrastructure and public-sector buyers that need Thales/S21sec regional cyber detection and response. Palo Alto Networks is not ideal for sMBs or budget-constrained organizations (significant platform prerequisites plus MDR service fee). Thales (S21sec) is not ideal for buyers that need a standalone legacy S21sec-branded MDR package.
Daylight Security
AI-native MDR for buyers comparing active remediation across endpoint, cloud, identity, and SaaS. Daylight works with existing EDR/SIEM stacks and uses ChatOps-native collaboration, so it can be a useful third reference point in this comparison.