Coveo powers AI innovation with AI-driven cybersecurity

SUMMARY

Coveo, a global leader in AI SaaS headquartered in Canada, provides an enterprise platform that delivers personalized digital experiences through AI-powered search, recommendations, and generative answering. Serving millions of people across billions of interactions every day, Coveo helps businesses surface the most relevant information in real time.

With some of the world’s most innovative brands among its customers, Coveo required a security posture as fast-moving as the developers driving its own AI innovation. By partnering with Palo Alto Networks, it transformed its SOC, going from siloed security tools that forced constant context switching to a unified platform that strengthened Coveo’s posture while reducing the manual workload.

RESULTS

  • 30 hours saved per analyst per week
  • 4x faster staff onboarding
  • 6-second median time to resolution
  • 99%+ case closure rate

CHALLENGES

Too many alerts. Too many tools. Too little time.

Given its scale of 5,000 cloud instances and 1,000 workstations, Coveo’s infrastructure presented a complexity that outpaced the manual capabilities of a small SOC team. Challenges included:

  • Siloed solutions and constant context switching, requiring analysts to jump between disconnected systems for network, cloud, and endpoint monitoring.
  • Alert overload with no unified view, overwhelming the team with noise and requiring it to manually piece together signals from across the stack.
  • A struggle to keep pace with a high-velocity R&D team, whose developers move fast with cutting-edge tools that can introduce new attack surfaces.
  • Onboarding at a glacial pace, with new analysts spending up to a year learning the intricacies of each separate tool before becoming productive.

“The consolidation of all of our products into a single platform has really been beneficial. The alerts we get are far more detailed, and we get the full picture much faster, which in turn makes our team much faster. And from that, we get better metrics of all kinds, MTTRs, MTTDs. And on top of that, we reduce the burden on the team of having to context switch all the time.”

Cédric Brisson

SOC Lead, Coveo

SOLUTION

Building on a trusted foundation to transform the SOC.

Coveo’s relationship with Palo Alto Networks began with next-generation hardware and software firewalls, a foundation that has proven its value in both security posture and operational continuity. Analysts have benefited from the firewalls’ single-trace visibility, which enables them to follow a complete execution chain from workstation to cloud without stitching together logs from separate systems. The consistency of the NGFWs, combined with the reliability of the support team, encouraged Coveo to look further across the Palo Alto Networks portfolio as it sought to replace its previous SIEM. After evaluating multiple vendors, Coveo selected Cortex XSIAM for its data stitching, analysis, and response actions, allowing analysts to concentrate on the most significant cases. Working with the Professional Services team, Coveo went from a standing start to fully deployed in three to four months.

In adopting XSIAM, Coveo moved away from a fragmented multivendor environment to a unified platform strategy. This approach was critical for a company that’s one of the largest AWS spenders in Canada, managing a massive attack surface with a small team. SOC Lead Cédric Brisson explains, “We prefer buying tooling that is efficient and gives us great insight into our assets rather than hiring a ton of people with inferior tools and having them work overtime.” By embracing platformization, Coveo ensured that its security could scale alongside its cloud growth.



Cortex XSIAM now ingests 34 times more data per day than the previous SIEM while reducing noise and lowering data ingestion costs. Automated investigation playbooks handle 65 cases per day without analyst intervention, and the median time to resolution has dropped to six seconds. The team has gone from closing 60% of its cases to over 99%, meaning virtually no alert goes uninvestigated.

The operational impact has been equally profound. Analysts who previously worked until midnight to keep up with the workload now operate during standard business hours. The 30 hours saved per person per week have been reinvested into proactive security, research, and innovation. Staff onboarding has seen a dramatic improvement too. Instead of spanning nearly a year to teach analysts the nuances of each siloed tool, it now takes just three months. New team members can focus on becoming experts in a single platform rather than generalists across 10, and the institutional knowledge that previously existed only in analysts’ heads is now embedded in the platform itself.

“Cortex XSIAM has allowed a team of three to cover what most organizations would dedicate an entire department to. And we do it better. We went from chasing alerts until midnight to having the bandwidth to do real security work – while actually having fun. That’s the difference a platform makes.”

Cédric Brisson

SOC Lead, Coveo

  • Extending unified visibility in the cloud

    A development culture built around speed has made maintaining consistent security across 5,000 cloud instances a challenge. Brisson believes Cortex Cloud is the next step in unifying security from code to cloud to SOC. Since Cortex Cloud and XSIAM are two components of a unified platform, the team will gain complete visibility into cloud and endpoint to ensure cases are reported with low latency.

    Security events from the cloud environment and workstations are tracked together, enabling Coveo’s analysts to follow a complete execution chain regardless of where an attack originates and where it moves. Additionally, the unified command center allows security and development teams to speak the same language and provide consistent metrics on SOC performance that are easy to understand and present to leadership.

  • Boosting analyst efficiency with an agentic SOC

    As an AI-first company, Coveo has a particular appreciation for what agentic AI can do inside a security operations center. With AgentiX natively embedded in XSIAM, Brisson views it as a natural evolution of XSIAM’s automation, providing analysts with autonomous agents capable of independent reasoning and planning. The most immediate ROI Coveo anticipates is in the quality of alert analysis. Instead of having to learn the intricacies of each system, analysts will be able to interact with a context-aware agent in natural language, and agents will execute the ask, surfacing context that a traditional playbook would never capture. Persona-based agents fine-tuned for security analysts, threat hunters, and other roles will allow each team member to automate manual tasks and receive the precise type of intelligence their work requires.

“I think our SOC analysts are going to benefit individually from the agents, especially the pre-configured ones fine-tuned for the platform. They can interact in natural language, ask questions, emit a hypothesis, and the agent will challenge or validate it. It's going to offer us a lot of time savings, which then translate into innovation opportunities.”

Cédric Brisson

SOC Lead, Coveo

A partnership for the future.

Coveo’s expansion across the Palo Alto Networks platform reflects a partnership built on trust, efficiency, and a shared commitment to innovation. The Professional Services team’s deployment efficiency, the responsiveness of the French-speaking account team, and the quality of direct access to subject matter experts have all made Palo Alto Networks a partner in the deepest sense of the word. Beyond the significant internal impact on Coveo's security operations, both companies have also been able to transform their joint customer organizations as go-to-market partners. Looking ahead, Coveo is exploring Prisma SASE as its next frontier, along with continued expansion of its XSIAM capabilities.

“When people get into security, it's not for the fun of triaging alerts. It's to work in cyber, to do cool stuff. Being able to have efficiency and peace of mind from Palo Alto Networks allows us to do that.”

Cédric Brisson

SOC Lead, Coveo
