IBM QRadar Deal Is Exactly What Palo Alto Networks Needs For XSIAM: Analysis

While Palo Alto Networks XSIAM has shown early promise in the SIEM market, the deal with IBM is poised to give the platform the accelerant that Nikesh Arora has been looking for.

Considering that SIEM is a market that’s existed for decades, I think it’s fair to say Palo Alto Networks has gotten off to a rapid start in the category. In just a year-and-a-half since launching its XSIAM offering, Palo Alto Networks has amassed bookings of $400 million for the SIEM alternative tool, as CEO Nikesh Arora said this week.

But for Arora and the rest of the leadership at the industry’s largest pure-play security vendor, things clearly weren’t moving fast enough.

Now, with the announcement that Palo Alto Networks plans to acquire IBM’s QRadar SaaS business, it seems Arora and co. have found the accelerant they’ve been looking for.

The $500 million deal, as Arora said during a call with analysts earlier this week, “hopefully cements our place in the SIEM/SOC category at a pace that nobody would have anticipated.”

It’s of course no secret that SIEM (security information and event management) has long been a market ripe for disruption. Cisco’s $28 billion acquisition of Splunk and other recent consolidation deals in SIEM have been prompted in part by the entrance of new players such as Microsoft, CrowdStrike and, yes, Palo Alto Networks.

In other words, the AI-powered approach taken by Palo Alto Networks with Cortex XSIAM has already been generating strong interest among partners and customers.

But among other things, it hasn’t been enough to land XSIAM (extended security intelligence and automation management) on the influential Gartner Magic Quadrant for SIEM earlier this month. (“Palo Alto Networks did not meet commercial requirements for inclusion in this Magic Quadrant,” Gartner analysts wrote.)

IBM QRadar, on the other hand, found a spot in the highly sought-after “leaders” quadrant on the ranking (a fact that Arora expressed familiarity with during the earnings call).

The size of the QRadar SaaS business is comparatively modest, generating about $100 million in revenue last year. The substantial on-premises QRadar customer base is the “larger prize” (Arora’s words) for Palo Alto Networks, however. And the vendor now has an on-ramp to migrate those customers to XSIAM, with IBM itself at the ready to help make it happen.

The bottom line: With the QRadar deal, Palo Alto Networks would seem to have found a much shorter route to becoming a top player in the SIEM market. As Forrester Principal Analyst Allie Mellen told me this week, Palo Alto Networks is “supercharging their path forward with getting all of these customers from IBM.”

Meanwhile, for IBM, the deal is an exit from a shrinking business. The company reported revenue declines for threat management in 2023 as a whole and for the first quarter of the year, while overall security revenue slipped 2.8 percent and 2.5 percent, respectively.

IBM’s planned $6.4 billion acquisition of HashiCorp signals the direction things are headed in, security-wise, for the tech giant. As IBM CEO Arvind Krishna told the Wall Street Journal, the company is looking to expand its data security business with the HashiCorp acquisition while, at the same time, moving away from the market for security operations tools.

In an interview with my colleague Mark Haranas this week, IBM Channel Chief Kate Woolley acknowledged that all of this will mean changes for some of its QRadar partners. However, IBM and Palo Alto Networks are working together to support IBM partners in the transition, she said.

“So once the acquisition closes, our partners will have the opportunity to join Palo Alto Networks’ partner program, if they’re not already part of that, so they will be able to then sell Palo Alto’s Cortex XSIAM,” said Woolley, general manager of IBM Ecosystem. “[We’ll] work in partnership with Palo Alto [Networks] to look at: where does it make sense to modernize those clients onto the Cortex XSIAM offering or where does it make sense for them to stay where they are?”