February 27, 2025

Cato XDR: Finally, A Tool Built by People Who Actually Read the Logs! 

Shani Kurtzberg, Sharon Uziel (Fisher)


Ever feel like some tools are designed by people who’ve never had to use them? Like those public restroom hand dryers that leave your hands wetter than before, or CAPTCHAs that make you question if you even know what a bicycle looks like—it’s like a bad joke at our expense. 

The 2022 Devo SOC Performance Report asked security operations center (SOC) leaders about their biggest challenges. 31% of SOC leaders identified information overload as the top pain point, and 26% pointed to too many alerts to chase as another key pain point. 

Here at Cato, we decided to flip the script. Instead of settling for an XDR tool developed by someone who thinks flashy dashboards matter more than helping you do your job, we built one that actually helps. That tool is Cato XDR.  

In this blog post, we'll take you on Cato's journey of building an XDR tool with purpose, breaking down how we crafted each feature to work in the real world by taking the known pain points of analysts into account. 

Key Challenges  

The SOC Analyst Turnover Treadmill 

A key challenge for SOC teams is the short tenure of SOC analysts, who typically stay just 1 to 2 years. Data from Arcanna.ai shows that many junior SOC analysts begin planning to leave after three months and last only about 18 months before they quit. This turnover also affects seasoned SOC analysts, with 48% admitting that they need to move on.  

This constant churn forces SOC managers to spend time training new hires, while experienced staff juggle their own duties with mentoring. According to the 2022 Devo SOC Performance Report, 30% of SOC staff cite an inability to recruit and retain expert personnel, compounding stress on existing teams. These issues underscore the need for an intuitive XDR tool that minimizes training time for both newcomers and veterans. 

Solving the Data Puzzle 

Another key challenge for SOCs is managing multiple internal environments while trying to bring all the data into a single, cohesive view. Making meaningful correlations that highlight cross-platform phenomena often requires an additional point solution just for that purpose. According to the 2022 Devo SOC Performance Report, 31% of SOC staff reported an inability to prioritize threats, which directly affects the allocation of resources to the most critical incidents. In cybersecurity, time is of the essence. For instance, an attacker can escalate privileges and move laterally within a network in under an hour, putting sensitive data at risk.  


Cato’s Approach 

Our approach in developing Cato XDR was to build a tool that is both efficient and easy for SOC analysts to understand. A major focus was on designing the story page, the core of any investigation. We define a story as a contextual compilation of related security events constructed within Cato XDR. Each story provides a narrative of a security incident, helping analysts understand the sequence and scope of events, investigate thoroughly, and select an effective response. The page's design follows a funnel concept, guiding the user from broad, high-level details down to the most granular information. 

Story Structure 

  • Begins with high-level details, such as the indicator of attack (IOA) and the source/destination, helping analysts quickly grasp the scope of the story. 
  • Includes a Communicating IOCs (Indicators of Compromise) table, allowing analysts to drill down into each IOC for deeper analysis with a premade list that includes an enrichment of third-party data sources. 
  • Concludes with access to raw logs, providing the lowest level of granularity for comprehensive investigation. 

Figure 1. Example of a detection and response story in Cato XDR

Analyst Drawer (Story Management) 

Designed with the understanding that story classification is a process, the drawer walks the analyst from the broadest judgment down to the most specific one: 

  • Verdict: Determining if the story is malicious or benign. 
  • Attack Vector Type: Identifying the type of attack. 
  • Behavior Classification: Classifying the specific behavior observed. 

Attributes are pre-filled with relevant details and recommended actions, allowing SOC analysts to quickly resolve issues without wasting time searching for information or proper phrasing. 

Figure 2. Example of a story action in Cato XDR

This design approach ensures that every part of Cato XDR deepens the investigation process, making it more accessible and streamlined for analysts at all levels. 

Moreover, Cato XDR is designed to provide security value in a way that is both straightforward and informative for its end users. 

Cross-Account Dashboard 

  • Creates a clear queue of accounts that need immediate attention. 
  • Utilizes a custom ranking formula that prioritizes accounts based on criticality, volume, and percentage of stories. 
  • Helps analysts focus on the most urgent cases, efficiently distributing their attention to where it’s needed most. 

By providing a structured view for cross-account story management, we are enabling analysts to make quick, informed decisions on which threats to address first, saving valuable time to detect and mitigate attacks before they escalate.
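To make the idea of a ranked account queue concrete, here is an added example (not Cato's code, and not Cato's actual ranking formula, which is not published in this post). It assumes a hypothetical scoring rule that combines the three inputs named above: the highest criticality among an account's open stories, the account's open-story volume, and that account's share of all open stories. The story data, the criticality scale and the weights are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical numeric scale for story criticality (not Cato's).
CRITICALITY = {"low": 1, "medium": 3, "high": 6, "critical": 10}


@dataclass(frozen=True)
class Story:
    account: str
    criticality: str  # one of the CRITICALITY keys
    status: str       # "open" or "closed"


# Constructed sample: stories spread over three tenant accounts.
SAMPLE_STORIES = [
    Story("acme", "critical", "open"),
    Story("acme", "low", "open"),
    Story("globex", "high", "open"),
    Story("globex", "high", "open"),
    Story("globex", "medium", "closed"),
    Story("initech", "low", "open"),
    Story("initech", "low", "closed"),
    Story("initech", "low", "closed"),
]


def rank_accounts(stories, w_crit=1.0, w_vol=0.5, w_share=4.0):
    """Return [(account, score), ...] sorted from most to least urgent.

    Hypothetical formula (weights are assumptions, not Cato's):
        score = w_crit  * max criticality among the account's open stories
              + w_vol   * number of open stories in the account
              + w_share * (account's open stories / all open stories)
    Accounts with no open stories are left out of the queue.
    """
    open_by_account = defaultdict(list)
    for story in stories:
        if story.status == "open":
            open_by_account[story.account].append(story)

    total_open = sum(len(v) for v in open_by_account.values())
    scores = {}
    for account, open_stories in open_by_account.items():
        max_crit = max(CRITICALITY[s.criticality] for s in open_stories)
        volume = len(open_stories)
        share = volume / total_open if total_open else 0.0
        scores[account] = round(
            w_crit * max_crit + w_vol * volume + w_share * share, 3
        )

    # Highest score first; account name breaks ties deterministically.
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for account, score in rank_accounts(SAMPLE_STORIES):
        print(f"{account:10s} {score:6.2f}")
```

With the sample data the queue comes out acme, globex, initech: acme is ranked first because of its single critical story even though globex has the same open volume. Tuning the weights changes that ordering, which is exactly the kind of decision a SOC lead has to make explicitly rather than leave to a dashboard default.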


Figure 3. Example of a stories overview in Cato XDR 

Cross-Account Workbench 

  • Displays all stories from multiple native and third-party data sources on a single console, enhancing visibility across environments. 
  • Filters stories by status and sorts them by criticality in either single account or multi-account mode.  
  • Delivers broad insights across various story types and accounts at a glance. 

Figure 4. Example of a stories workbench in Cato XDR 

Built by Analysts, for Analysts 

To wrap things up, every example above (and there are more) was carefully tailored to align with the strategies and workflows of analysts, designed with real-world methods in mind. By building Cato XDR on actual analyst experience, we have not only improved the customer experience but also reduced the need for constant feature requests and updates.  

It’s a win-win: analysts get an XDR tool that works for them right out of the box.

Shani Kurtzberg

Shani Kurtzberg is an XDR Team Lead at Cato Networks and member of Cato CTRL. She leads the Threat Intelligence and XDR Detection Engineering initiatives. Prior to Cato, Shani served in the Israeli Air Force (IAF) as a Security Analyst, leading SOC operations to protect critical systems. Shani holds a Master of Business Administration (M.B.A.) from Peres Academic Center, specializing in Marketing and Product Management.

Sharon Uziel (Fisher)

Sharon Uziel (Fisher) is a Staff XDR Enablement Engineer at Cato Networks and member of Cato CTRL. Sharon focuses on supporting partners and internal MDR and field teams through training and hands-on guidance on XDR technology. Previously at Cato, Sharon spent three years as a Cyber Threat Hunter, conducting advanced threat investigations and enhancing security detection capabilities. Prior to Cato, Sharon was a Cyber Security Analyst at Konfidas, which gave her a deep understanding of real-world security operations, incident response, and threat monitoring. Sharon also served in the Israel Defense Forces (IDF) as a Cyber Security Instructor.