
IBM sells QRadar SaaS assets to Palo Alto Networks

The deal with Palo Alto Networks comes one year after IBM announced QRadar Suite, an AI-enhanced security platform that combined existing SIEM and XDR products.

IBM on Wednesday agreed to sell its QRadar SaaS assets to Palo Alto Networks as part of a new partnership between the two companies.

QRadar is a longstanding part of IBM's product line, originally launched as a security information and event management (SIEM) product before it was expanded to offer additional capabilities such as extended detection and response (XDR). The most recent launch involving QRadar came one year ago with the announcement of QRadar Suite, a subscription offering that combines various QRadar products such as SIEM and XDR with AI enhancements.

As part of Wednesday's announcement, the two companies explained that preexisting QRadar SaaS customers will have their subscriptions and deployments transferred to Palo Alto Networks' equivalent platform, Cortex XSIAM. IBM will continue to support on-premises QRadar customers. Furthermore, IBM will receive incremental payments from Palo Alto Networks for QRadar on-prem customers that choose to migrate.

And for both SaaS and on-prem customers that migrate, the two companies promised "no-cost migration services" to those that qualify.

The companies also announced Wednesday that, as part of this expanded partnership, Palo Alto Networks will become IBM's preferred cybersecurity partner for internal security products and services. The two companies said they will establish a joint security operations center that offers managed SOC services to customers.

In addition, Palo Alto Networks will incorporate IBM Watsonx large language models (LLMs) into its Cortex XSIAM platform. Cybersecurity vendors across the industry have embraced generative AI and LLMs over the last 18 months since the public launch of OpenAI's ChatGPT in the fall of 2022.

"The security industry is at an inflection point where AI will transform businesses and deliver outcomes not seen before. It's a moment to accelerate growth and innovation," said Nikesh Arora, chairman and CEO of Palo Alto Networks, in a press statement. "Together with IBM, we will capitalize on this trend, combining our leading security solutions with IBM's pioneering watsonx AI platform and premier services to drive the future of security platformization with complete, AI-powered, secure-by-design offerings."

Financial terms were not disclosed. The deal is expected to close by the end of September.

Update: A spokesperson for IBM told TechTarget Editorial that the news accelerates IBM's ability to focus on its hybrid cloud and AI security business.

"IBM and Palo Alto Networks have been collaborating across cybersecurity to help clients strengthen their security postures. This expansion will enable the two companies to work more closely together on advanced threat management," the spokesperson said. "This news helps accelerate IBM's sharpened focus on data security, identity and access management for hybrid cloud and AI -- which is core to our security business going forward."

A spokesperson for Palo Alto Networks told TechTarget Editorial that the goal is to migrate QRadar SaaS customers to its Cortex XSIAM platform.

"This agreement gives Palo Alto Networks access to 1,000 security consultants that will help IBM customers migrate to our PrecisionAI ready security platform, Cortex XSIAM and SASE 3.0 platforms," the spokesperson said. "The consultants will be able to provide industry-specific customized solutions with our platforms and ensure that customers can combat AI threats in real-time leveraging AI security technology."

Forrester Research principal analyst Allie Mellen told TechTarget Editorial that IBM was surrendering its SIEM business, and that "as soon as contractual obligations run out, existing QRadar SaaS customers need to embrace XSIAM or migrate to a different vendor."

"IBM has faltered in recent years as it attempted to shift QRadar to the cloud. Customers were frustrated with a perceived lack of innovation from IBM Security, leading to its release of QRadar Log Insights and QRadar SIEM SaaS. Its security focus is being shifted away from the focal point of its security product portfolio, which is a massive change for IBM Security," she wrote in an email. "This is the biggest concession of a SIEM vendor to an XDR vendor so far and signals a sea change for the threat detection and response market."

As far as Palo Alto Networks goes, Mellen said the acquisition was about QRadar's customer base.

"According to the announcement, current 'qualified' QRadar SaaS customers will be provided a no-cost migration path to Cortex XSIAM by IBM and PANW," she said. "Not only that, but 'qualified' QRadar on-prem customers will be offered a no-cost migration option as well. PANW clearly does not have long-term plans for the QRadar SaaS offering."

Eric Parizo, managing principal analyst at Omdia, said in an email that the news was a "jaw-dropper" and one of the most surprising moves he'd seen in the enterprise cybersecurity space in many years.

"IBM just spent the last three years, investing many millions of dollars and countless man-hours, essentially rebuilding QRadar from the ground up as a cloud-based platform based on OpenShift. For IBM to then turn around and sell QRadar to Palo Alto Networks, seemingly with little to no warning for customers, is shocking, and frankly not in line with the customer-centric ethos IBM is known for," Parizo wrote. "I would imagine there are many confused and frustrated QRadar customers tonight looking for answers."

Parizo said the deal gives Palo Alto Networks a "huge market share jump" in the SIEM space as well as a massive mindshare increase. For IBM, he felt CEO Arvind Krishna "ultimately decided that the revenue from a long-term partnership providing security services for Palo Alto Networks was more lucrative than competing in an NG-SIEM market where Microsoft's rapid rise is quickly altering the landscape."

Updated following initial publication.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.
