T
Lumara in Action
The QRadar Migration Question: Your Options After the April 2026 Deadline
Some Australian SOC teams have already migrated. Others are still weighing it up. If you’re running QRadar SaaS or QROC and the April 2026 deadline came and went without a decision, you’re not alone. You still have options.
What’s Changed
In September 2024, IBM sold the intellectual property for QRadar SaaS to Palo Alto Networks. As part of that transition, Palo Alto gave QRadar on Cloud (QROC) customers until 14 April 2026 to migrate to Cortex XSIAM.
That deadline has now passed. Some QROC customers have moved. Many haven’t. For those who haven’t, the next forcing function is closer than the April date suggested: IBM’s end-of-support for QRadar EDR and QRadar XDR cloud services on 31 August 2026.
What Many Organisations Still Don’t Realise
IBM continues to support thousands of customers running QRadar in on-premises environments. Those deployments were not part of the IP sale to Palo Alto Networks. IBM retains full rights to develop, support, and invest in QRadar on-prem, with no plans to end the product:
“QRadar on-premise remains a core focus of IBM. Active development, strategic investment and full support for the platform will continue, with no plans for end-of-life.”
Source: IBM Security Blog, May 2025.
That is a stable, long-term alternative to a full XSIAM re-platform. The catch is having the right partner to host it.
The Vendor Diversity Question
Palo Alto Networks keeps building out a broad security stack, through internal development and ongoing acquisitions, including CyberArk. They’re working to deepen customer dependence on their ecosystem.
Is that where your long-term roadmap is heading? Does it line up with your vendor diversity or independence policies? Worth asking before a full re-platform.
Operational Trade-Offs to Weigh
Before committing to a full re-platform, it is worth understanding the operational trade-offs. Some of these were sharper in 2025 than they are now. Palo Alto Networks has been iterating on XSIAM, so treat the list below as a point-in-time picture worth pressure-testing against your own pilot or proof of concept. The shape of the trade-off has not changed, even if individual items have moved:
Third-party log ingestion. XSIAM is strongest on Palo Alto’s own EDR and firewall telemetry. Comprehensive ingestion from third-party cloud, SaaS, and on-prem sources is improving but historically narrower than QRadar’s mature integration library. Worth pressure-testing against your actual log source list before signing.
Detection portability. QRadar offense correlation and the rules library are well-trodden ground for most Australian SOC teams. XSIAM analyst workflows are different enough that you should plan for a re-tuning period, not a clean translation of existing detections.
Console experience. XSIAM consolidates EDR, network, and cloud telemetry, but the navigation pattern is different from a single-pane SIEM. A hands-on test with your analysts is more useful than a sales demo.
Vendor concentration. XSIAM is bundled with Palo Alto’s EDR/XDR stack. That works for organisations consolidating onto one vendor. It works less well for organisations whose vendor diversity or independence policies push the other way.
Reporting and dashboards. Out-of-the-box reporting in XSIAM has historically been leaner than QRadar’s, which matters for compliance reporting against Essential Eight, ISO 27001, or NIST CSF 2.0. Build effort for custom dashboards belongs in your migration estimate.
The point is not that XSIAM is the wrong tool. The point is that a re-platform of this size needs a clear-eyed view of what changes operationally, not just what changes commercially.
The Clock is Ticking, But You Still Have Options
Two dates matter. 14 April 2026 was the Palo Alto Networks deadline for QRadar on Cloud customers to migrate to Cortex XSIAM. That deadline has passed. 31 August 2026 is IBM’s end-of-support for QRadar EDR and QRadar XDR cloud services. That one is roughly three months away.
If you are running QRadar SaaS or QROC and the April deadline came and went without a decision, your next move does not have to be XSIAM. Our team offers a direct migration path for QROC customers into our cloud-hosted QRadar environment, run by Australian analysts. You keep the SIEM you know, on a managed service, without being pushed into a new ecosystem on someone else’s timeline.
For the full end-of-life timeline, see PANW’s official summary.
How Secure ISS Keeps Your QRadar Running
We offer a direct migration path for QRadar QROC customers into our secure, cloud-hosted QRadar environment. The same SIEM you know, run by Australian analysts, with the migration handled end-to-end.
We preserve your existing setup. Correlation rules, offenses, data sources, and integrations carry over without a major redesign.
Licensing handled. We transition your existing licensing or provide a managed model with a simple monthly fee.
Fast, low-disruption migration. Our team uses automation to lift-and-shift QROC environments into our cloud with minimal downtime.
No retraining required. Your team keeps existing workflows, dashboards, and compliance processes. No unfamiliar tools.
ISO 27001-aligned, 24/7. Australian SOC, sovereign infrastructure, scalable platform.
How This Fits with Lumara
Our managed QRadar service runs as the SIEM engine inside Lumara SecOps Cloud, our broader security operations platform. Lumara Fabric handles cross-domain correlation, automated enrichment, and detection rules mapped to Essential Eight, ISO 27001, and NIST CSF 2.0. Lumara Operate is the 24/7 Australian SOC team behind it. QRadar customers get continuity on the SIEM they trust, with a broader platform layer and Australian analysts around it.
What We’re Offering
We’re running a free QRadar QROC Migration Readiness Assessment for organisations weighing the move. The session walks through your current setup, your timeline against the August IBM deadline, and what a lift-and-shift into our cloud-hosted QRadar would look like in your environment. No pitch, no commitment.
Prefer to talk to someone first? Contact our team at soc@secure-iss.com.
IBM and QRadar are trademarks of International Business Machines Corporation. Palo Alto Networks and Cortex XSIAM are trademarks of Palo Alto Networks, Inc. All other product names, logos, and brands are property of their respective owners and used here for identification purposes only.
