Palo Alto Cortex Xpanse Alternative: Comparison With Attaxion

Together with CrowdStrike’s Falcon Surface, Cycognito Platform, and Mandiant’s Advantage Attack Surface Management, Palo Alto Cortex Xpanse is one of the most well-known external attack surface management solutions on the market.

That is well deserved – Cortex Xpanse is extremely feature-rich and offers plenty of flexibility and customization for cybersecurity teams. However, not every cybersecurity team is ready to invest the time and effort required to configure Cortex Xpanse to match their needs. 

That’s why organizations, often with smaller cybersec teams, look for Cortex Xpanse alternatives, and Attaxion often comes up in their searches as one of the most robust yet easy-to-configure EASM solutions. In this guide, we put the two EASM competitors side by side, comparing their pricing and asset discovery capabilities, as well as what they can offer when it comes to vulnerability detection, prioritization, remediation, and continuous monitoring.

Pricing

When it comes to pricing, Attaxion and Palo Alto are very different.

Palo Alto Cortex Xpanse vs Attaxion: Pricing

| | Attaxion | Palo Alto Cortex Xpanse |
|---|---|---|
| Monthly pricing | From USD $129/month | Not publicly available |
| Yearly pricing | From USD $1,290 | Not publicly available |
| Free trial | ✅ (30 days) | |
| Assets covered | 40 | Not publicly available |

Palo Alto Cortex Xpanse Pricing

Palo Alto doesn’t disclose Cortex Xpanse pricing – you can only reach out to sales to get a quote. However, searching the internet can give some insight into what to expect, at least in terms of magnitude. A digital marketplace on a UK government website lists 76,000 pounds (roughly $100,000) as a price per “unit” per year for Cortex Xpanse.

For an additional $443,000 per year, you can get a “resident engineer” to support it. Palo Alto also sells “deployment services”, which is basically paid onboarding and some initial configuration.

Of course, if you’re buying multiple Palo Alto Networks products at the same time, such as Prisma Cloud and Cortex Xpanse, you’re likely to get a better deal. But overall, Palo Alto Cortex Xpanse is on the expensive side of the EASM spectrum.

Attaxion Pricing

Attaxion is on the opposite side of that spectrum. Its transparent public pricing depends on the number of assets it discovers and scans in the organization’s external attack surface. It starts as low as $1,290 per year for up to 40 assets and scales as the organization’s asset count increases.

The highest tier available in the public pricing is “Business” with 360 assets for $9,490/year, and for everything above that you’ll need to contact sales.

In the Business and Enterprise tiers, you get free personal onboarding, with Attaxion representatives helping you to set up, integrate, and use the platform.

How They Compare

With an almost 80-fold difference in starting price, Attaxion is obviously a more budget-friendly option. The steep price Palo Alto Networks is asking for Cortex Xpanse prevents small and medium-sized companies from using it, making it accessible only for large enterprises. 

Attaxion caters to all company sizes, from smallest to largest, making it an accessible Cortex Xpanse alternative for businesses with smaller cybersecurity budgets.

Asset Discovery

Asset Discovery with Palo Alto Cortex Xpanse

Palo Alto Cortex Xpanse uses a variety of reconnaissance methods coupled with open-source intelligence and payload-based asset discovery. It requires you to provide a few assets as input and then relies on reconnaissance to discover more using payloads to do a full protocol handshake. The initial asset setup is a part of the “deployment services” package, so Palo Alto Networks employees do that together with you. 

It can also discover the organization’s cloud attack surface using connectors to cloud providers like Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

Cortex Xpanse uses machine learning to establish relationships between assets, relying on it both to find more assets and to verify that they actually belong to you, thus lowering false positives. For each asset, it provides evidence that shows why it decided that this asset is a part of your external attack surface.

Asset attribution with Cortex Xpanse. Source: paloaltonetworks.com

Palo Alto Networks states that Cortex Xpanse provides you with “the most complete, current, and accurate inventory of your global internet attack surface” as well as “broader and more accurate asset discovery than any other solution on the market.” However, in Gartner Peer Reviews you can find complaints about asset false positives.

Asset Discovery with Attaxion

Attaxion works in a similar way, requiring you to provide a single or few root assets and then relying on a variety of cyber reconnaissance techniques to discover more assets belonging to your organization. Unlike Palo Alto, Attaxion relies on both open-source and proprietary intelligence sources.

Attaxion doesn’t use payloads in asset discovery, which makes it less intrusive than Cortex Xpanse; instead, it relies on multiple discovery methods to offer high certainty. It even allows you to choose between minimally intrusive (active) and totally non-intrusive (passive) scanning modes.

Asset list in Attaxion

Root assets need to be verified, just like in the case with Palo Alto, but the process is much faster. For example, verifying the domain that matches the one in the email you signed up with only takes one click and a few seconds.

Attaxion can also discover so-called “root asset candidates” – root assets that may belong to your organization. Whether they actually do is up to you to decide: either verify them so that Attaxion can discover dependent assets, or discard them. Attaxion gives each root asset candidate a probability score – the higher the score, the more likely it is that the asset belongs to your organization.

Like Cortex Xpanse, Attaxion also integrates with unmanaged cloud providers such as AWS, GCP, and Azure so that it can find digital assets belonging to your organization. What makes it different is that it also has an integration with DigitalOcean.

What Attaxion and Palo Alto certainly have in common is not shying away from bold slogans. Attaxion states that it has “#1 attack surface coverage.” So far, in all our tests, it has proven to be true.

How They Compare

Cortex Xpanse employs complex technology and plenty of manual processes to achieve a low false-positive rate and high asset coverage. However, even with all of that, there are still occasional complaints about an incomplete asset inventory and some false positives.

Attaxion is also not entirely false-positive-free when it comes to asset discovery (nobody is), but we’ve never heard or seen complaints about discovering fewer assets than any other solution on the market. And, avoiding some of the manual processes, Attaxion allows you to get started much faster.

Overall, asset discovery is Attaxion’s strongest side, so it’s no surprise that here it can compete with Cortex Xpanse and even offer some benefits over Palo Alto’s solution, like faster time to value and additional integrations.

Vulnerability Scanning

Vulnerability Scanning with Palo Alto Cortex Xpanse

Cortex Xpanse runs daily vulnerability scans against the list of assets it has discovered. You can choose whether to run scans across the entire discovered assets scope or only some targets of your choice.

Palo Alto doesn’t disclose what kind of vulnerability scanner they use, so we assume it’s something proprietary. There aren’t many complaints about false positives when it comes to how Cortex Xpanse handles vulnerability detection. 

For attack surface testing (daily scans that the EASM platform runs against the discovered assets), Cortex Xpanse uses benign payloads to ensure that a vulnerability is actually exploitable. That means that it relies on payload-based vulnerability scanning that has both pros (much higher certainty) and cons (possibility of triggering intrusion detection or intrusion prevention systems).

Vulnerability Scanning with Attaxion

Attaxion also relies on a proprietary scanner, but a non-payload-based one, which allows for vulnerability scanning without significant disturbances in the network.

It runs vulnerability scans continuously across all the assets that it has in the asset list (both discovered and added manually).

Attaxion’s vulnerability scanning dashboard

Attaxion syncs the vulnerability data with MITRE’s CVE and CWE databases to stay up to date with the latest cyber risks. It also creates a list of technologies used in your external attack surface and shows whether a certain technology is vulnerable.

How They Compare

Cortex Xpanse has a strong, payload-based vulnerability scanner and flexible settings that allow you to choose which targets to scan. It’s also more customizable.

Attaxion offers less customization, but manages to find more vulnerabilities with a low false positive rate.

Overall, Cortex Xpanse and Attaxion are roughly equal when it comes to vulnerability detection, with Cortex Xpanse possibly being a little more precise yet more intrusive than Attaxion.

Vulnerability Prioritization and Remediation

Vulnerability Prioritization and Remediation with Palo Alto Cortex Xpanse

Cortex Xpanse offers a variety of metrics that can help you prioritize vulnerabilities. For every vulnerability, in addition to the CVSS score, it provides an EPSS score, exploit maturity data, and information about exploitation in the wild. There’s also a custom scoring option if a user wants to manually assign a different score to an identified risk.

In addition to that, Cortex Xpanse provides data about the level of certainty that a vulnerability actually exists, which ranges from “confirmed” to “inferred.” The certainty estimates come from attack surface testing scans.

Based on all vulnerabilities found in the organization’s attack surface, Cortex Xpanse generates a global risk score.

Incident response dashboard in Cortex Xpanse. Source: paloaltonetworks.com

When it comes to remediation, Cortex Xpanse allows you to assign different types of vulnerabilities to different users – either manually or using playbooks that it lets you create. To simplify the process, it adds the information needed to describe the effort required for vulnerability remediation or mitigation.

Perhaps the most interesting capability of Palo Alto Cortex Xpanse is the ability to automatically patch some vulnerabilities, for example CVE-2023-25136 in OpenSSH. To automate this process, you need to integrate Cortex Xpanse with AWS. Then Cortex Xpanse can scan all vulnerable AWS EC2 instances in your organization and address the issues.

The automatic remediation doesn’t apply to all issues, but rather to a select few. Also, it requires initial setup which takes time and effort. However, for large organizations, security automations like this can save time in the long run and speed up reacting to pressing problems.

Vulnerability Prioritization and Remediation with Attaxion

Attaxion takes a similar approach when it comes to vulnerability prioritization, but a different one when it comes to remediation.

For prioritization, Attaxion offers roughly the same toolkit, providing CVSS and EPSS scores for each CVE as well as information about whether a vulnerability belongs to the CISA KEV catalog (known exploited vulnerabilities).

When it comes to remediation, however, Attaxion focuses not on automating remediation but on simplifying it for the IT & security team. So, it doesn’t require integrations with your infrastructure, instead relying on integrating with Atlassian Jira to allow 1-click support ticket creation. It provides remediation advice and links to vulnerability intelligence sources.

How They Compare

While Cortex Xpanse and Attaxion offer more or less the same functionality when it comes to vulnerability prioritization, remediation is where Cortex Xpanse is a much more feature-rich solution.

Creating playbooks and integrating Cortex Xpanse with other security tools and the rest of infrastructure is a tedious process that takes plenty of time and effort, but once completed, it can reduce the workload for the security team.

Attaxion doesn’t overload the security team with complex setup and requires only a few integrations. On the other hand, it cannot remediate vulnerabilities and close ports on its own, empowering the cybersecurity team rather than doing the work for it.

Continuous Monitoring

Continuous Monitoring with Palo Alto Cortex Xpanse

Cortex Xpanse has scanning cadences, looking for ports in the global IPv4 space twice a week and performing daily scans on customer-attributed assets for the most common ports. Users can opt in to a feature called Known Assets Monitoring (KAM), which adds a weekly scan of about 2,800 ports on customer-attributed assets.

To show the results of the scanning, Cortex Xpanse allows users to build customizable dashboards, generate reports, and send alerts over email or various messengers. 

Source: paloaltonetworks.com

Everything is customizable, which is both a blessing and a curse. On the one hand, Cortex Xpanse is a very flexible solution with a lot of options a user can tweak to suit their needs. On the other hand, it is quite complex and requires a lot of time to set up. There are also user reports mentioning non-ideal support, which could be a problem, given the complexity of the platform.

Continuous Monitoring with Attaxion

Attaxion doesn’t have cadences – instead, it continuously scans the organization’s attack surface for new assets and vulnerabilities.

To make sure you can react in a timely manner to the newly discovered issues, Attaxion can send notifications over email and Slack. It also has dashboards that show updates and statistics about the organization’s external attack surface. Like Cortex Xpanse, it allows you to create reports as well.

Notifications with Attaxion

The benefit of continuous scans is the speed at which you get notifications about new issues.

How They Compare

Both tools make sure you stay on top of new developments in your organization’s external attack surface. Attaxion doesn’t provide the same level of customization as Palo Alto Cortex Xpanse or as many integrations, yet may be easier to use.

Conclusion

Both Palo Alto Cortex Xpanse and Attaxion are external attack surface management platforms, but they take completely opposite approaches to this discipline.

Cortex Xpanse is one of the most sophisticated EASM platforms on the market, and a very expensive one. Its stronger sides are its broad set of deep and functional integrations and the ability to automate more tasks than most EASM tools can. From the functionality perspective, it doesn’t have any particular weak sides besides the inherent complexity of configuring and using features.

But it’s not only about features. Cortex Xpanse is aimed at enterprises who have big enough security budgets to afford such an expensive tool (one of many cybersecurity tools the team needs) and enough people in the security department to set everything up. They also shouldn’t be in a hurry to get to any results – the setup process takes a while.

Once all the integrations are in place and all the playbooks are configured, Cortex Xpanse does a great job of helping the security team manage their external attack surface. It can significantly reduce the efforts needed to manage and remediate vulnerabilities at scale, has a high asset coverage and powerful yet flexible vulnerability scanning and remediation capabilities.

Attaxion is a great Cortex Xpanse alternative for teams with smaller budgets, fewer free engineering hands, or just for those who want to get results faster. It offers similar or even better asset coverage with a low false positive rate and comparable vulnerability scanning and prioritization capabilities.

While Attaxion doesn’t automatically remediate vulnerabilities and has fewer integrations, it’s easier to use, requires significantly less time and effort to set up, and brings value much faster than Cortex Xpanse.

If resources such as time, budget, and cybersecurity staff are not a constraint for you, Palo Alto Cortex Xpanse may be a better choice. If, however, any of these are limited in your organization, Attaxion might be a better, easier, and more budget-friendly alternative.

Ready to try Attaxion EASM? Start a 30-day free trial, or request a personal demo.