Improve Your SOC Efficiency by 450x with Better Detection and Response of True Threats

Security operations center (SOC) teams face a daily barrage of incomplete and inaccurate alerts that lack vital contextual information, many of them false positives. As a result, analysts miss critical threats and take longer to investigate and respond to them, increasing the risk of a breach.


R4IoT: XDR Automatically Detects and Responds

R4IoT is a proof-of-concept ransomware created by Forescout Vedere Labs that exploits an IoT device to gain access and move laterally in an IT network before impacting the OT network. Siloed security tools cannot fully detect cross-device threats like this. See how Forescout XDR automatically detects and responds to R4IoT.

XDR - Extended Threat Detection and Response

Business Value

Forescout XDR is an eXtended detection and response solution that converts telemetry and logs into high fidelity, SOC-actionable probable threats.

It automates the detection, investigation, hunt for and response to advanced threats across all connected assets – IT, OT/ICS, IoT and IoMT – from campus to cloud to data center to edge. Forescout XDR combines essential SOC technologies and functions into a unified, cloud-native platform, viewable and actionable from a single console.

Reduce business risk

Reduce the risk and magnitude of a successful attack, business disruption or data breach by eliminating alert noise so you can quickly and accurately detect, investigate and respond to the broadest range of advanced threats.

Lower costs

Consolidate point solutions (data lake, security analytics, SOAR, UEBA, threat intel platform) and reduce costs related to data onboarding, rules management and analyst turnover with a solution that simplifies and supports their workflow.

Optimize security operations

Streamline the analyst function and speed complex investigation and threat-hunting processes with enriched, normalized and contextualized data correlated to produce a small number of detections that warrant investigation – all in a unified console that integrates with case management systems and other security tools.

Leverage multi-vendor security investments

Derive more value from existing solutions and make better use of asset data and threat intel via automation across case management and incident response systems, sensors (network, endpoint, cloud) and enforcement points.

Support compliance

Combine long-term log storage with automated threat detection and threat intelligence to close the potential gap between when a breach or disruption is noticed and when a response action is taken.

XDR Customer Confidence

“Forescout XDR, delivered as a managed service, is a strategic part of our layered defense strategy. It combines essential storage of raw telemetry, in support of compliance mandates, with advanced threat detection and response capabilities to further reduce risk and help us meet cyber insurance requirements. Its ability to automatically and reliably identify true threats from a broad range of data sources across our highly distributed and global IT environment, and to present these with detailed contextual information that streamlines the investigation and response process, is both impressive, and essential in today’s threat environment.”

— Andrew Arthurs, CIO, Aimbridge Hospitality

Preview the Solution

Watch CTO Justin Foster run through key features in Forescout XDR.

The Forescout Advantage

Vendor and EDR Agnostic Data Ingestion

  • Supports the products and vendors you’ve already invested in
  • Can ingest data from any managed and unmanaged device (IT, OT/ICS, IoT, IoMT)
  • Ensures more comprehensive, powerful, flexible, and effective threat detection

450x Better Detections

  • Advanced data pipeline enforces a common information model (CIM) to normalize ingested data and auto-enrich it with user info, IP attribution, geolocation and critical asset information
  • 2-stage threat detection engine uses a blend of 5 techniques to reduce noise & improve fidelity

Full Spectrum Response

  • Powerful investigation tools
  • Native integrations with case management solutions
  • Automate responses via Forescout solutions to touch all managed & un-managed devices

Up Front Risk Reduction

  • Integration with other Forescout solutions reduces the attack surface, and the risk of a compromised or non-compliant device connecting to your network in the first place
  • Continuously monitors all connected assets with dynamic access policies

Simple, Predictable, and Accessible Pricing

  • No penalties for sending more logs to Forescout XDR, to support better detection
  • License fee is based on the total number of endpoints (IP/MAC address) in your organization
  • Pricing includes 7+ day log storage, and longer-term storage options are available

Webinar: Improving SOC Efficiency by 450x with Forescout XDR

Threat detection and response has become increasingly important, and increasingly difficult, even for seasoned and large SOC teams. Watch this 30-minute webinar to discover how Forescout XDR uniquely addresses today’s detection and response challenges by not only converting daily alerts into high-fidelity detections of true threats but by also enabling SOC teams to automate response processes across the extended enterprise.

1 Detection per Hour, from 50 Million Logs

Forescout XDR combines vendor- and EDR-agnostic support for more than 180 data sources in our cloud-based data lake, with cost-effective log retention and management, automated data normalization and enrichment, and a two-stage threat detection engine to weed out false positives and identify true threats, along with more than 1,500 verified detection rules and models that are regularly updated.

Forescout XDR combines essential SOC technologies and functions into a single, unified, cloud-native console.

Data ingestion

Natively supports Forescout eyeSight, eyeInspect and Medical Device Security data – and over 180 vendor- and EDR-agnostic sources including security, infrastructure, enrichment, applications and cloud/SaaS:

  • Security: Firewall, network IDS/IPS, EDR, EPP, server/workload/container security, web proxy and email security
  • Infrastructure: Windows security, AD authentication, IAM, DHCP, DNS, cloud audit trail and network metadata
  • Enrichment: Identity (LDAP), asset inventory and classification, configuration management, vulnerability scan results, IOCs
  • Applications: Database, ERP, CRM and APIs
  • Cloud/SaaS: AWS, Microsoft Azure, Google Cloud, Microsoft 365, Google Workspace and any other SaaS application

Data onboarding

Helps ensure that you extract maximum detection value to support your most important use cases. Forescout data engineers work alongside your team to plan and prioritize the data sources to be onboarded, then help configure the data pipeline and ensure your data is being properly parsed, cleansed, normalized and enriched.

Advanced data pipeline

Applies a rigorous data science-centric approach to manage data flowing from enterprise-wide sources into the threat detection engine.

  • Enforces a common information model (CIM) to normalize ingested data.
  • Enriches data with IP address, geolocation, ADObject properties, configuration and other contextual data to maximize detection and enable faster correlations across data sources.
  • Uses an ETL (extract-transform-load) process for faster, more stable, more efficient data analysis than the more common ELT (extract-load-transform) processes.

MITRE ATT&CK framework integration

Allows you to instantly see how different data sources map to the tactics, techniques and procedures (TTPs) of the MITRE ATT&CK framework. This makes it easy to prioritize the initial data sources that should be ingested for broad or specific TTP coverage, to identify potential blind spots that adversaries can exploit and to determine which additional data sources would further elevate your coverage.

Cloud-based data lake

Massively scalable, purpose-built, indexed data lake with tiered data storage (hot, warm, cold) and rapid, full-text search. This provides cost-effective short-term and optional longer-term (7 days to 1 year+) log retention and management of either raw telemetry or enriched data, in support of security and compliance requirements.

Threat detection engine

Two-stage threat detection engine applies five detection techniques to automatically generate high-fidelity, high-confidence true threats that warrant investigation, while weeding out false positives.

  • Cyber intel: More than 70 sources to look for backdoors, command-and-control traffic or phishing.
  • Signatures: Match object attributes to a known bad object to identify threats inside raw telemetry, uncleanable malware, ransomware, etc.
  • UEBA: Looks for abnormal behaviors that match a digital pattern, footprint, human activity or network behavior with known bad behavior.
  • Statistics and outliers: Uses clustering, grouping, stack counting, baseline and variation, outlier detection, logistic regression and other methods to detect anomalous activity.
  • Algorithms: Uses context-aware AI and ML techniques such as supervised/unsupervised learning or deep learning to detect malicious or anomalous activity and predict attacks.

Detection rules

Includes more than 1,500 verified, out-of-the-box detection rules and models for your data sources. These rules have been tested on production data to ensure they operate effectively and deliver value on Day One. Custom detection rules give you the power and flexibility to quickly create indicator, detection and health rules that address your unique requirements, with a guided user experience.

Threat intelligence

More than 70 global sources, classified, corroborated and scored

Forescout XDR references IOCs from over 70 high-quality sources worldwide, including from Vedere Labs, Forescout’s team of global research experts. These IOCs are classified, corroborated and scored to provide finished intelligence that is automatically leveraged across the threat detection, hunting and investigation process. You have access to detailed threat reports from Forescout researchers that profile key threat actors and threats. Anonymized IOC data can also be shared among opt-in community members, including industry-specific ISACs, via a built-in community threat exchange.

  1. IOC data from a broad range of reliable sources
  2. IOC intel correlated into a searchable database of “known bad” domains, URLs and IPv4 and IPv6 addresses
  3. Each IOC dynamically assigned a confidence score based on source quality
  4. Confidence-scored IOC intel leveraged by threat detection engine and customer SOC teams to accelerate threat detection and investigation


Behavior-based analytics are used to detect significant changes in behavior or anomalous activity for an entity. Standard profiles and behaviors are built for users and hosts across time, and any activity that is anomalous relative to these standard baselines is flagged as suspicious.



Orchestrates the SOC process from detection through investigation and response with built-in case management and notifications.

  • Automates security through enrichment sources such as IP geolocation, user and asset information, and correlation to multiple intelligence
  • Leverages Forescout eyeSight and eyeControl for automated orchestration and response workflows across all managed and unmanaged devices.
  • If desired, continue to leverage your existing SOAR through integration with Palo Alto Cortex XSOAR and other SOARs.

Case management

Provides workflows, tight integration, transparency and seamless communication and collaboration during detection handling and incident management.

  • Based on the NIST Incident Response Life Cycle, Forescout XDR supports integrations with ServiceNow, RSA Archer, Jira Software, ManageEngine ServiceDesk Plus, Palo Alto Cortex XSOAR, TheHive and ConnectWise.

Dashboards & Reports

Preconfigured and customizable persona-based dashboards provide KPIs relevant to a variety of roles, including analysts/IR, engineers, SOC managers, compliance and risk managers, and executives. Proactive dissemination and sharing of reports and/or metrics delivers insight into the hands of those responsible for managing SOC operations as well as executive team members.


Nothing to deploy, with new features, fixes and rules delivered seamlessly and bi-weekly

  • Ease of management
  • Faster release cycle and updates
  • Reliability and security
  • Cost effectiveness
  • Hyper-scale

Logical separations (or tenants) easily created based on country, office location or business unit, for example. You can also generate aggregate views and perform queries and analyses across tenants and business units, right up to the global level. Particularly beneficial for large enterprises, multinationals, MSSPs and organizations with regional SOCs.

Unified global architecture

Data residency and compliance requirements readily met, with cost-effective support for regional security operations. Specify where you want your logs to be stored among 25 regions across the Americas, Europe and Asia-Pacific – while still being able to view and query your data globally.

SIEM Integration

True threats identified by Forescout XDR can be fed to an existing SIEM for centralized orchestration and incident response.

Continuous software and content updates

New features, functionality and fixes, along with new detection rules and models, are seamlessly delivered every few weeks, without requiring any operational support or causing disruption.

Add 24/7 Remote Monitoring with Assist for Forescout XDR

Our team of experts operates as a remote, seamless extension of your SecOps team, to provide around-the-clock monitoring of your threat environment using Forescout XDR. Services include security monitoring and triage, log source monitoring, threat investigation, incident management and threat hunting.

Schedule an XDR Demo

Get a personalized tour of our XDR solution and see how we can help you automate cybersecurity.

111,000 alerts per day = 450 alerts per hour. Source: “The 2020 State of Security Operations,” Forrester Consulting.
The actual number of alerts a SOC receives depends on many factors including the number, type and location of security controls deployed, the tuning of those controls (which is a function of analyst capacity, risk tolerance and level of expertise), the number of employees/devices and industry.

2 Based on aggregate data averaged over a one-year period (Dec 2021-2022), across 30 enterprises, representing a range of company sizes and industries.

