Skip to main content
Skip table of contents

XDR Services Overview

What is XDR?

Network and system protections only tell part of the story. Modern cybersecurity threats involve compromising more than just a single endpoint – lateral movement, cloud service exploits, and advanced persistent threats are the new norm. XDR or Extended Detection and Response extends endpoint and network detection and response (EDR and NDR respectively) and correlates log event and telemetry data from across your environment to deliver comprehensive security insights to detect even the most advanced threats.

Armor XDR Solution

Armor’s XDR solution is a managed, cloud-native, and DevOps-centric solution that provides detection and correlation capabilities across all aspects of your operation. As detailed below, this includes:

  • Deployment and configuration of a cloud-native Security Information and Event Management (SIEM) solution
  • Deployment and management of detection and correlation models and rules
  • Integration of threat intelligence and other enrichment data sources
  • Deployment and configuration of analytics tools for threat hunting and rule tuning
  • Deployment and management of automation playbooks

Standalone and Full-Service Options

Our XDR solution is typically combined with our SOC solution (collectively XDR+SOC) to ensure that incidents generated by the XDR solution are properly investigated and remediated.

Read more about our managed SOC solution


Integrations can include ingesting the logs and telemetry data from a system as well as integrating with a system’s API to perform automated tasks. Below is a list of example system archetypes that can be integrated into the Armor XDR solution. We can integrate with your existing tools or recommend new solutions to fill detection and protection gaps.

Endpoint Protection and Detection

  • Anti-Virus and Anti-Malware
  • File Integrity Monitoring (FIM)
  • Endpoint Log Management
  • Vulnerability Scanning
  • Host Intrusion Detection (HIDS/IDPS)
  • Asset Inventory and CMDB Systems

Network Protection and Detection

  • Firewalls
    • Cloud-Native Network Security Groups and Network ACLs
    • On-Premise Network Firewalls
  • Network Intrusion Detection (NIDS/IDPS)
  • Zero-Trust and Service Mesh Transports
  • On-Premise Routing and Switching

Application Protection and Detection

  • Web Application Firewalls (WAF)
  • Container and Serverless Orchestration/Runtimes
  • Application Telemetry
  • Vulnerability Scanning
  • API Security Scanning

Identity and Access Management Systems

  • Cloud-Native IAM and Identity-as-a-Service Providers
  • On-Premise Identity Management (such as Active Directory, LDAP, etc.)

Log Source Integrations

Armor works with you to ingest the logs and event data from sources throughout your environments so that those events can be analyzed and correlated in the chosen SIEM platform. This event data is first ingested, then parsed and normalized before being passed through the platform’s various analytics capabilities.

Read more about log source integrations

Detection & Correlation Rules

As part of the XDR subscription, Armor provides a library of advanced detection and correlation rules that are designed to run on your chosen SIEM platform. These rules can detect everything from basic indicators to behavioral anomalies and Advanced Persistent Threats (APTs). Additionally, XDR Professional and Enterprise subscribers have access to our team of experts who can craft custom rules for their specific requirements.

Read more about our detection and correlation rules

Cyber Threat Intelligence (CTI)

Armor provides our XDR subscribers with curated feeds of threat intelligence data that integrate into the chosen SIEM platform to ensure that it has the latest intelligence upon which our detection and correlation assertions are based. These feeds use the standard STIX/TAXII protocol and can be integrated into other aspects of your security stack as well.

Read more about our threat intelligence feeds


In addition to CTI, Armor utilizes several types of enrichment data depending on the types of events that a log source produces. These data sources include both static databases that are periodically updated based on each dataset’s expiry and dynamic, on-demand datasets that are polled as-needed by a specific enrichment routine. Some examples of types of enrichment data include:

  • Customer-provided asset classification
  • Customer-provided user profile information
  • Customer-provided network topology information
  • IP reputation
  • IP metadata (ASN and GeoIP)
  • Reverse DNS
  • Passive DNS
  • Binary hash lookup tables
  • Binary static analysis
  • Executable dynamic analysis
  • Dynamically generated UEBA behavioral profiles


Security Orchestration and Automated Response (SOAR) is an important part of how security operations can achieve scale. As patterns emerge in the investigation and response procedures for each type of alert, these tasks can be automated to ensure your teams are focused on the work that matters. Armor includes standard automations and integrations including notifications and ChatOps, and can work with you to build custom automations that will address security workflow bottlenecks.

Read more about our orchestration and automated response capabilities

Dashboards & Reporting

Understanding your cybersecurity and risk posture is critical. Armor’s included library of dashboards and reports, and our consultative review process makes this easy. In addition to our out-of-the-box library, Armor can work with you to understand your specific requirements and develop custom dashboards and reports that meet those needs.

Read more about dashboards and reporting

Deployment Model

Armor’s XDR+SOC solution is deployed with an Infrastructure-as-Code (IaC) model using Terraform (and Terragrunt). This modular approach ensures that deployments are predictable, repeatable, thoroughly-tested, and have security best practices built-in.

Read more about Armor’s IaC deployment model

Upon signing up as a customer, you will receive access to our IaC libraries and can use the included tools to integrate the continuous deployment of the stack with your existing CI/CD pipeline, or we’re happy to manage the deployment for you. Customers can change this preference at any time – for example, taking over pipelines as their DevOps capabilities mature, or out-sourcing in order to dedicate resources to a specific project.

Armor-Managed Deployments

Customers may choose to have Armor manage the initial deployment and application of updates to their XDR solution. This can be deployed using CI/CD tools you already use or Armor can host a pipeline for you and delegate access to it – maintaining end-to-end transparency.

Customer-Managed Deployments

Customers may also choose to manage the deployment and updates themselves. You may reference the step-by-step deployment guides for your chosen cloud:

Additionally, there are several guides available with step-by-step instructions for setting up CI/CD pipelines in various platforms such as GitHub Actions, Azure DevOps, GitLab, CircleCI, and more.

Shared Responsibility Model

Armor works with our customers (and their partners and providers) to ensure their environments are secure and compliant using a shared responsibility model. This model allows our customers to focus on the aspects of the stack that they are uniquely qualified or positioned to maintain, and rely on Armor to provide the reference architecture and guidance stemming from our expertise.

Read more about our Shared Responsibility Model

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.