Secure Cloud Analytics to Cisco XDR: Customer FAQ
Cisco is evolving Secure Cloud Analytics (SCA) into Cisco XDR to give customers a more unified, scalable, and effective security experience. This change is not simply moving features from one product to another. Cisco XDR is designed to improve how customers investigate, correlate, tune, and respond to threats across network, endpoint, cloud, and identity—all from a single experience.
For customers, this means:
- Broader visibility and richer context across domains
- Faster, simpler investigations
- Stronger detection results with clearer evidence and transparency
- Improved long‑term scalability and tuning capabilities
Some workflows will change as part of this evolution. Customers who use webhooks today for notices or exports will need to recreate those workflows in XDR workflows.
Critical: Customers using NVM webhooks must migrate to XDR workflows by May 15, 2026 to avoid interruption to notices or exports. Additional migration phases will follow between Q4 2026 and Q1 2027.
Key dates to remember
- Early April 2026: Migration notice to customers
- May 15, 2026: Deadline for NVM webhook users
- Q4 2026–Q1 2027: Additional migration waves
For a task‑based view of where common SCA workflows live in XDR, see the SCA to XDR UX Map: Common tasks view.
Customer impact at a glance
If you currently… | What changes in XDR | What you need to do | When | Support |
Use webhooks for notices or exports | XDR workflows become the control point | Recreate workflows in XDR | May 15, 2026 (NVM users) | Cisco Support, CX, migration guides |
Use NVM detections | NVM migrates first | Validate NVM notices and exports in XDR | Starting April 2026 | Targeted guidance |
Use other engines or integrations | Later migration waves | Monitor communications | Q4 2026 – Q1 2027 | Future notices |
Use legacy reports or context pages | Some move, some retire | Review deprecation guidance | Future waves | Account team & support |
1. What is included in the migration?
The migration covers the core experiences customers use every day to view, investigate, manage, and export detections:
- Alerts moving into XDR incidents and detection findings
- Webhooks moving to XDR workflows
- Event Viewer capabilities moving to XDR Investigate
- Devices moving to XDR Asset Insights
- Gradual retirement of lower‑usage reports and pages
2. What else will move over time?
Additional capabilities will transition as Cisco converges SCA into XDR:
- Integrations moving into XDR (GCP complete; AWS and Azure next)
- On‑premises sensors in later phases
- Detection configuration workflows (e.g., subnets, watchlists, IP scanners) in future engine migrations
3. What happens to detection configuration settings?
For the first phase:
- NVM detection settings move to XDR on May 15, 2026
- Other settings remain in SCA temporarily and continue to function for NVM alerts shown in XDR
4. Will I have access to both SCA and XDR?
Yes, there will be an overlap period where you can use both. Cisco will retire older experiences only after customers have time to adopt the XDR workflows.
5. Why move from SCA to XDR?
Customers have consistently asked for:
- Broader context across domains
- A more unified investigation experience
Cisco XDR is the platform designed to deliver that outcome.
6. Is this just a lift‑and‑shift?
No. This is an experience transformation, focused on improving investigation, detection quality, and operational clarity—not simply relocating pages.
7. Am I entitled to Cisco XDR?
Yes. Existing SCA customers are entitled to access Cisco XDR as part of this transition.
This is intended to be a net value add, not a replacement or loss of capability.
8. Do I need to redeploy SCA?
No. This is not a rip‑and‑replace. You will activate XDR and extend your existing environment rather than start over.
To begin, follow the Cisco XDR activation process. Some customers may need to accept updated terms during activation.
9. What improves with detections in XDR?
Customers should expect:
- Richer evidence and context
- Greater transparency into why detections fired
- More granular tuning over time
Detection findings also export richer data aligned to OCSF, replacing the more limited SCA alerts and observations model.
10. Why does this matter if I mainly export alerts?
Because the exported data itself improves—more context, clearer evidence, and better fidelity for downstream systems like SIEM or SOAR.
11. What do I need to do now?
- If you use NVM webhooks:
Start migrating notices and exports to XDR workflows now. - If you don’t use NVM webhooks:
No immediate action required—review the April 2026 notice and monitor future updates.
12. What’s changing? Notifications, exports, and integrations
XDR workflows become the single control point for:
- Notifications (email, Slack, Webex)
- Exports to SIEM, SOAR, and other systems
- Customers will map existing webhook behavior into XDR workflows.
13. Detections vs. incidents—what’s the difference?
- Detection findings: Best for export, automation, machine consumption
- Incidents: Best for analyst workflows and human notifications
- Both can be exported from XDR.
14. What may be retired over time? In many cases, capabilities move into XDR rather than disappear.
Examples include:
- AWS dashboards and visualizations
- Email‑based reports
- Legacy Meraki and Umbrella context views
15. How should I prepare?
- Document current notices, exports, and integrations
- Identify webhook‑based workflows
- Review migration guidance as new waves are announced
Support and resources:
- Targeted outreach for impacted use cases
To get started:
