Truth in IT
    • Sign In
    • Register
        • Videos
        • Channels
        • Pages
        • Galleries
        • News
        • Events
        • All
Truth in IT Truth in IT
  • Data Management ▼
    • Converged Infrastructure
    • DevOps
    • Networking
    • Storage
    • Virtualization
  • Cybersecurity ▼
    • Application Security
    • Backup & Recovery
    • Data Security
    • Identity & Access Management (IAM)
    • Zero Trust
    • Compliance & GRC
    • Endpoint Security
  • Cloud ▼
    • Hybrid Cloud
    • Private Cloud
    • Public Cloud
  • Webinar Library
  • TiPs
  • DRAW

Palo Alto Networks: How North Dakota Built a State-Wide SOC with Cortex XDR

Palo Alto Networks
07/14/2026
0 (0%)
Share
  • Comments
  • Download
  • Transcript
Report Like Favorite
  • Share/Embed
  • Email
Link
Embed

Transcript


entities that are on your network, but you're now also protecting every citizen in the state because you're dealing with their data. So I lead, manage, and maintain the security operation for all seven branches of government. When I started in this role, I very clearly set out a mission. I had about 20,000 endpoints, and then what I had to try to do was grow that coverage to 250,000 endpoints. I needed to align all the cities, counties, schools, all use the same product and all use the same dashboards. We had a SIM over here, firewalls over here, data a little bit of everywhere, and trying to pull all that information together and make it make sense and find the issues inside of it and be able to automate was massive for us. The Cortex portfolio has really helped our SOC mature. With so many threads coming in, having that tool set has really been a big benefit for us. We've been along the journey 10 to 15 on the firewall level the last five years with XDR from the infancy. I remember when we first flipped on Cortex XDR, we had 16,000 incidents, and with the help of Palo Alto and the hard work of cyber analysis and response team, we were able to tune that down to less than 100 incidents open at all times. Our threat intelligence team has been starting to use Xpanse more and more as they find new APT groups that are targeting certain types of systems or they find new vulnerabilities that are out there. You know, just trying to double check and validate that the information that we have inside of our CMDBs and other systems matches up. Before we had Unit 42 managed threat hunting, we'd spend hours looking through incidents, no way to prioritize, but with managed threat hunting, you know, an incident would come in and help us prioritize on where to focus, even what types of attacks to look for. And now because of that, we've modeled our entire team off of how to look for a threat. We've done cyber ranges where they don't have Palo Alto tools and we're like, man, this is a lot harder. But then when you come back with Cortex XDR and with XSOAR, you're like, this is easy. We have about 60% of all of our total incidents in XSOAR are automatically closed via automation. It would be about anywhere between 8 to 10 analysts that we don't have to go and hire because XSOAR is able to do that for us. It's not only cut our cost, but it's allowed us to build a more efficient operation. But we operated about maybe half the cost of a similar size Fortune 30 company. And that's from that consolidation that we've been able to do and buying on scale and working together all as one whole estate. Going into the next year, the big thing that we're really looking at doing is the implementation of XIM. AI has lowered the bar as far as making it much easier for threat actors to gain access. So for us to really keep up with that and to meet that onslaught of attacks that we see, we need to move to what's next. And our mission was to build, manage, and maintain the best state cyber operation center in the United States. Working with Palo Alto, we've been able to help build that vision and bring that forth.

TL;DR

  • North Dakota scaled security coverage from 20,000 to 250,000 endpoints by standardizing all cities, counties, and schools on the same Cortex platform and dashboards.
  • The team reduced open incidents from 16,000 to under 100 through tuning and achieved 60% automated closure via XSOAR, saving the equivalent of 8-10 analyst positions.
  • Unit 42 managed threat hunting transformed how the team prioritizes incidents and models threat detection, with staff noting how much harder operations are without Palo Alto tools.

Summary

This customer story showcases how the State of North Dakota transformed its security operations center to protect all seven branches of government and extend coverage from 20,000 to 250,000 endpoints across cities, counties, and schools. The state's cybersecurity leader describes the journey of consolidating disparate security tools—SIEMs, firewalls, and scattered data sources—into a unified Cortex platform. Key results include reducing open incidents from 16,000 to under 100 through tuning, achieving 60% automated incident closure via XSOAR, and eliminating the need for 8-10 additional analysts. The team leverages Xpanse for attack surface management and Unit 42 managed threat hunting for prioritization. Operating at roughly half the cost of a comparable Fortune 30 company, North Dakota now plans to implement XSIAM to counter AI-enabled threats while pursuing their mission to build the best state cyber operation center in the United States.

Chapters

0:00 - Mission and Scope
0:37 - Consolidation Challenge
1:02 - XDR Implementation Results
1:39 - Managed Threat Hunting Impact
2:09 - Automation and Cost Savings
2:40 - Future Plans with XSIAM

Key Quotes

0:00 "As a state government, you're not protecting necessarily just the agencies or just the entities that are on your network, but you're now also protecting every citizen in the state because you're dealing with their data."
1:07 "I remember when we first flipped on Cortex XDR, we had 16,000 incidents, and with the help of Palo Alto and the hard work of cyber analysis and response team, we were able to tune that down to less than 100 incidents open at all times."
2:09 "We have about 60% of all of our total incidents in XSOAR are automatically closed via automation. It would be about anywhere between 8 to 10 analysts that we don't have to go and hire because XSOAR is able to do that for us."

FAQ

How did North Dakota reduce its incident volume so dramatically?

Through a combination of tuning Cortex XDR with Palo Alto support and their cyber analysis team, they reduced open incidents from 16,000 to under 100. Additionally, XSOAR automation now closes 60% of total incidents automatically, eliminating the need for manual analyst review on routine alerts.

What cost savings has North Dakota achieved with this approach?

The state operates at roughly half the cost of a comparable Fortune 30 company's security operation. The automation alone saves the equivalent of 8-10 analyst positions, while platform consolidation and buying at scale across the entire government estate further reduces costs.


Categories:
  • » Data Protection » Backup & Recovery
  • » Data Protection
Channels:
News:
Events:
Tags:
  • Security Operations
  • Customer Story
  • Data Protection
  • Threat Intelligence
  • Security Operations Center
  • XDR Implementation
  • SOAR Automation
  • State Government Cybersecurity
  • Managed Threat Hunting
  • Attack Surface Management
  • Platform Consolidation
  • SOC Efficiency
Show more Show less

Browse videos

  • Related
  • Featured
  • By date
  • Most viewed
  • Top rated
  •  

              Video's comments: Palo Alto Networks: How North Dakota Built a State-Wide SOC with Cortex XDR

              XStreaminars (watch here)

              • Jul
                28

                Illumio + Netskope: Zero Trust in the Age of AI Autonomy

                07/28/202601:00 PM ET
                • Jul
                  29

                  Ask Your Cloud Anything: Unlocking Governance Silos in your Environments

                  07/29/202601:00 PM ET
                  More events

                  Industry Events (watch there)

                  • Jul
                    14

                    Crafting a Championship-Caliber Security Team for Lasting Defense

                    07/14/202601:00 PM ET
                    • Jul
                      14

                      Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data

                      07/14/202602:00 PM ET
                      • Jul
                        22

                        Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue

                        07/22/202601:00 PM ET
                        More events

                        Upcoming Webinar Calendar

                        • 07/14/2026
                          01:00 PM
                          07/14/2026
                          Crafting a Championship-Caliber Security Team for Lasting Defense
                          https://www.truthinit.com/index.php/channel/2025/crafting-a-championship-caliber-security-team-for-lasting-defense/
                        • 07/14/2026
                          02:00 PM
                          07/14/2026
                          Understanding the Crucial Role of Context in Safeguarding AI-Accessible Data
                          https://www.truthinit.com/index.php/channel/2037/understanding-the-crucial-role-of-context-in-safeguarding-ai-accessible-data/
                        • 07/21/2026
                          04:00 AM
                          07/21/2026
                          Strategies for Managing AI Governance and Securing App-to-LLM API Traffic
                          https://www.truthinit.com/index.php/channel/1967/strategies-for-managing-ai-governance-and-securing-app-to-llm-api-traffic/
                        • 07/22/2026
                          06:30 AM
                          07/22/2026
                          Insights and Strategies in Data Protection and Privacy Management
                          https://www.truthinit.com/index.php/channel/2000/insights-and-strategies-in-data-protection-and-privacy-management/
                        • 07/22/2026
                          01:00 PM
                          07/22/2026
                          Insights from Attackers During the FIFA World Cup: A HUMAN Dialogue
                          https://www.truthinit.com/index.php/channel/2029/insights-from-attackers-during-the-fifa-world-cup-a-human-dialogue/
                        • 07/28/2026
                          01:00 PM
                          07/28/2026
                          Illumio + Netskope: Zero Trust in the Age of AI Autonomy
                          https://www.truthinit.com/index.php/channel/2031/illumio-netskope-zero-trust-in-the-age-of-ai-autonomy/
                        • 07/29/2026
                          04:00 AM
                          07/29/2026
                          Real-Time Strategies for Safeguarding Against Prompt Injections
                          https://www.truthinit.com/index.php/channel/1968/real-time-strategies-for-safeguarding-against-prompt-injections/
                        • 07/29/2026
                          01:00 PM
                          07/29/2026
                          Ask Your Cloud Anything: Unlocking Governance Silos in your Environments
                          https://www.truthinit.com/index.php/channel/2048/ask-your-cloud-anything-unlocking-governance-silos-in-your-environments/
                        • 08/19/2026
                          12:00 PM
                          08/19/2026
                          Becoming Agent Ready: Insights from Cyera's Expertise
                          https://www.truthinit.com/index.php/channel/2036/becoming-agent-ready-insights-from-cyeras-expertise/
                        • 09/02/2026
                          12:00 PM
                          09/02/2026
                          Unified Data Security in Action: Uncover, Analyze, and Resolve Threats
                          https://www.truthinit.com/index.php/channel/2045/unified-data-security-in-action-uncover-analyze-and-resolve-threats/
                        • 09/30/2026
                          04:00 AM
                          09/30/2026
                          AI Command Center: Optimizing Visibility and Control in Your Operations
                          https://www.truthinit.com/index.php/channel/2024/ai-command-center-optimizing-visibility-and-control-in-your-operations/
                        Truth in IT
                        • Sponsor
                        • About Us
                        • Terms of Service
                        • Privacy Policy
                        • Contact Us
                        • Preference Management
                        Desktop version
                        Standard version