XDR ROI Calculator

As a cybersecurity tool that integrates data across multiple security layers (email, endpoints, servers, cloud workloads, and network systems), XDR lets us provide more effective threat detection and response. This calculator assists organizations in justifying their investment in XDR technology by demonstrating its value in monetary terms, both in cost savings and risk mitigation. The XDR ROI Calculator has key built-in deliverables to present cost savings analysis, efficiency gains, incident reduction, and improved productivity, demonstrating the benefits of automating with Cisco XDR. XDR provides benefits in all areas of Threat Detection, Investigation, and Response (TDIR).


Labor Saving TD

Normally, when an incident arises in a SOC, the incident is presented in the order it is received, without priority. A level one analyst dedicates a certain amount of their time to triage the incident and set the appropriate priority. This can take a significant amount of time if the incident involves multiple products and consoles.
How many staff members are currently involved in the triage process?
With Cisco XDR in place, the customer security team can process more incidents in a day or is seeing more incidents due to the additional visibility and new security controls.
Prior to XDR, the customer spent X hours a day triaging incidents. This percentage reflects the amount of time the customer saves by XDR automatically assigning priority to events.
This percentage reflects the number of additional incidents the customer is seeing due to Cisco XDR. If there is no change, the number is 100. If they see 25% more incidents due to having NDR, or XDR detecting things they missed, you would set this to 125%. Changing this number updates row 6.

Note: Savings based off Level 1 Analyst

Hours Saved with XDR

    

FTE Saved with XDR

    

Total Saved with XDR

    

Accelerate Investigate and Remediate

How many incidents/events does the SOC normally handle each week, prior to XDR?
How many additional incidents a week does XDR allow them to process?
How much time does a level 2 analyst spend investigating and remediating an event on average?
How many staff members help investigate incidents or events?
How much time does a level 2 analyst spend investigating an event on average? We normally see 2 hrs investigating an issue across multiple products.
How much time does a level 2 analyst spend remediating an event on average?

Note: Savings Based off of Level 2 Analyst

Hours Saved with XDR

    

FTE Saved with XDR

    

Total Saved with XDR

    

Avoid Cost of Data Breach

Base numbers provided by the Ponemon Institute. Percentage may be different per customer. Or, they may have information from a previous breach event.
Base numbers provided by the Ponemon Institute. Percentage may be different per customer. This number can be adjusted if the customer has previously experienced a breach. For instance, 1 breach in the last 10 years is a 10% risk of breach per year.
Default 10% reduction with XDR
Default 20% reduction with XDR + Automated Ransomware
If XDR is enabling the customer SOC to see more incidents than it was able to see before, add that percentage here. Business as usual is 100%. However, if the SOC previously saw 10 a week, and now they see 11, the number should be 110%. Cisco XDR is providing visibility into previously unseen malicious behaviours and potentially stopping a breach from occurring.

Total Saved with XDR

    

Avoid Business Interruption

Average cost, or customer supplied number. A 2014 Gartner survey estimated the average cost of downtime at $5,600 per minute, which translates to around $336,000 per hour.
Reduction in downtime-causing events due to finding, responding to, and resolving critical incidents at a faster pace.
Can be found in the company's financial statements.

Total Margin Saved with XDR

    

Automate with XDR

The number of repeatable tasks a SOC analyst does per month. For instance, we do the same 5 steps every time we respond to a phishing incident.
How many security analysts perform this function?
Using XDR Workflows to automate X number of repeatable tasks saves FTE hours. If you automate 1 out of 5 tasks, that is a 20% reduction.

Note: Savings based off Level 3 Analyst

Hours Saved with XDR

    

FTE Saved with XDR

    

Total Saved by Automating with XDR

    

Savings Detail

Labor Costs - fully loaded FTE cost

Annual Pay

Annual Hours

Level 1 (Service Desk/NOC)


Level 2 (Subject Matter Expert)


Level 3 (Architect / Engineer)

[Chart: savings shown in dollars or hours, broken down into Security and Time Savings, Downtime Savings, and Risk Mitigation]

Security and Fraud (Security Analysts and SOC) | Total Hours Saved | Total Value
1 - Level 1 labor saving from faster detection and research of security alerts | - | -
2 - Accelerate investigation and remediation of security events | - | -
3 - Avoid costs associated with data breaches | - | -
4 - Avoid financial impact from fewer security outages | - | -
5 - Automate routine manual tasks with security | - | -

Item Description

What time savings has XDR provided by bringing information from multiple sources into the incident and providing needed context? How much time did it save them by clicking a button to open a war room, or remediate an issue? Normally, results go from 2 hrs to 15 mins on average, resulting in an 87.5% time savings. It's best to gather results from a POV.

  1. How many incidents/events does the SOC normally handle each week, prior to XDR?

  2. How many additional incidents a week does XDR allow them to process?

  3. How much time does a level 2 analyst spend investigating and remediating an event on average?

  4. How many staff members help investigate incidents or events?

  5. How much time does a level 2 analyst spend investigating an event on average? We normally see 2 hrs investigating an issue across multiple products.

  6. How much time does a level 2 analyst spend remediating an event and creating an after-action incident report? The reporting is done automatically through Cisco AI Assistant, saving the analyst time.

Item Description

  1. Base numbers provided by the Ponemon Institute. Percentage may be different per customer. Or, they may have information from a previous breach event.

  2. https://gdpr-info.eu/issues/fines-penalties/
  3. Base numbers provided by the Ponemon Institute. Percentage may be different per customer. Or, they may have information from a previous breach event.

  4. Base numbers provided by the Ponemon Institute. Percentage may be different per customer. Or, they may have information from a previous breach event.

  5. Base numbers provided by the Ponemon Institute. Percentage may be different per customer. This number can be adjusted if the customer has previously experienced a breach. For instance 1 breach in the last 10 years is a 10% risk of breach per year.

  6. XDR + Automated Ransomware
    With ransomware becoming a daily occurrence, Cisco has partnered with backup and recovery vendors, ensuring XDR can integrate and provide value. With automated ransomware recovery enabled, organizations can quickly detect, contain, and restore systems affected by ransomware without requiring manual intervention. In a data breach scenario, we see a 20% - 50% cost reduction when XDR is paired with automated ransomware recovery.
    How Automated Ransomware Recovery Works:

    • Detection & Isolation
    • Backup & Data Protection
    • Automated Restoration
    • Threat Analysis & Prevention
    Ransomware Partners

  7. If XDR is enabling the customer SOC to see more incidents than it was able to see before, add that percentage here. Business as usual is 100%. However, if the SOC previously saw 10 a week, and now they see 11, the number should be 110%. Cisco XDR is providing visibility into previously unseen malicious behaviours and potentially stopping a breach from occurring.
