ArcSight detection content depth
Two decades of regulated SOC content. Insider threat, account compromise, lateral movement, data exfiltration, credential misuse. Programs inherit the content base rather than starting from scratch.
OpenText • Security operations
Core Threat Detection and Response is the cloud-native ArcSight rebrand: SaaS SIEM for cloud-first SOCs, with detection content, investigation workflow, and response automation in one platform integrated with the rest of the OpenText SecOps line.
Through Merito, Core TDR gets onboarded against the customer's actual log sources, ArcSight content gets tuned to the threat landscape rather than running defaults, and the SaaS SIEM integrates with NDR, UEBA, and threat intelligence as one OpenText SecOps program.
What it is
Core Threat Detection and Response is the SaaS SOC platform inside the OpenText SecOps line. It carries the ArcSight cloud lineage rebranded for the cloud-native era. Where Enterprise Security Manager (ArcSight ESM) remains the on-prem flagship for high-throughput regulated SIEM, Core Threat Detection and Response is the SaaS-first option for programs that have moved past on-prem SIEM constraints. The product covers detection content, investigation workflow, and response automation in one platform.
ArcSight detection content is the operational depth. ArcSight has been deployed in regulated SOC environments for two decades, and the rule library covers the threat patterns regulated programs actually face: insider threat, account compromise, lateral movement, data exfiltration, credential misuse. Programs adopting Core Threat Detection and Response inherit that content base rather than starting from scratch the way a fresh SIEM deployment would.
Cross-product correlation across the SecOps line is the platform claim. Core Threat Detection and Response correlates with Network Detection and Response (NDR for east-west traffic), Core Behavioral Signals (Interset UEBA), Core Adversary Signals (MITRE ATT&CK content), Threat Intelligence (curated IOC feeds), and Security Log Analytics (long-retention forensic store). Programs running the full SecOps line get unified SOC operations; programs running Core TDR standalone get the SIEM capability without the cross-product depth.
What breaks Core Threat Detection and Response adoption is treating it as a Splunk replacement. Splunk dominates SIEM market share for cloud-native enterprises, and programs already running mature Splunk pipelines often do not have a compelling delta to justify migration. Core TDR fits programs that are already on ArcSight and modernizing to SaaS, programs subject to OpenText catalog consolidation, or programs that find Splunk pricing punishing at log volume. Merito surfaces that during scoping rather than positioning Core TDR as a generic Splunk alternative.
Ideal use cases
What it is best at
Native correlation with NDR, Core Behavioral Signals (UEBA), Core Adversary Signals (MITRE), Threat Intelligence, and Security Log Analytics inside the OpenText SecOps line.
No on-prem SIEM tax. Programs cut over from ArcSight ESM modernization to SaaS-shaped SOC operations with detection content, investigation, and response in one platform.
Configurable rule sets, detection-as-code authoring, and tuning workflows so the SOC adapts content to the threat landscape rather than running default rules forever.
Aviator-shaped AI augmentation across the SOC for detection clustering and investigation acceleration.
Core capabilities
What ArcSight cloud actually does on the threat landscape.
ArcSight detection content
Two decades of regulated SOC content covering insider threat, account compromise, lateral movement, data exfiltration, and credential misuse.
Detection-as-code authoring
Custom detection rules authored as code, version-controlled, and tested against historical data.
MITRE ATT&CK alignment
Native MITRE ATT&CK mapping through Core Adversary Signals integration.
Cloud-native log source coverage
AWS CloudTrail, Azure Activity Log, GCP Cloud Audit, Microsoft 365, Workday, Salesforce, and other cloud-native sources.
Beyond detection into actual SOC operations.
Investigation workflow
Case management, evidence linking, and analyst assignment workflow inside the platform.
Response automation
SOAR-shaped response automation with playbooks, integrations, and approval gates.
Cross-product enrichment
NDR signal, UEBA scoring, threat intel, and forensic context attached to investigations.
SaaS SOC with regulated compliance posture.
Multi-tenant cloud-native operations
SaaS-first delivery with cloud-native scaling and operational simplicity compared to on-prem SIEM.
Compliance reporting
Audit-ready evidence for SOC 2, FedRAMP, HIPAA, PCI DSS, and ISO 27001.
Long-retention integration
Hot detection inside Core TDR; long-retention forensic data inside Security Log Analytics for hunt and investigation.
Aviator AI augmentation
Detection clustering, investigation acceleration, and analyst workflow assistance.
Licensing and packaging
Core Threat Detection and Response commercial
SaaS SIEM with detection, investigation, and response in one platform.
Best for: Programs modernizing off ArcSight ESM or building cloud-native SOC capability.
Core Threat Detection and Response Government Cloud (FedRAMP)
FedRAMP-authorized edition for federal customers and federal contractors.
Best for: Federal SOC programs requiring FedRAMP-authorized SaaS SIEM.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Tenant setup, log source onboarding, detection-content tuning, response-playbook design, cross-product SecOps integration.
ArcSight ESM to Core Threat Detection and Response modernization including content migration.
SOC program scoping for Core TDR alongside Splunk, Microsoft Sentinel, Sumo Logic, and Devo.
Detection-as-code, response automation, and cross-product SecOps integration.
Named engineer, priority SLAs, and release-time coverage for Core TDR.
Long-term run support including detection-content tuning, response-playbook maintenance, and SOC operating-model evolution.
Role-based training for SOC analysts, detection engineers, and SecOps architects.
Merito-placed SOC engineers and OpenText specialists embedded on long-running programs.
OpenText Core TDR licensing
Core TDR pricing arrives with tenant setup, log onboarding, detection-content tuning, response-playbook design, and cross-product SecOps integration that turn 20 years of ArcSight content depth into a working SaaS SOC.
Merito point of view
Merito has scoped SOC modernization programs where Core Threat Detection and Response is exactly the right answer (programs already running ArcSight ESM, programs subject to OpenText catalog consolidation, programs hitting Splunk pricing pain at log volume) and others where it is not (programs already running mature Splunk Cloud pipelines with no compelling delta to justify migration). Core TDR's strength is the ArcSight content depth and the SaaS modernization path, not generic SIEM head-to-head with the market leader.
Merito recommends Core TDR specifically for programs modernizing off ArcSight ESM, programs running OpenText Cybersecurity broadly, or programs that find Splunk pricing punishing. For greenfield cloud-native SOCs without OpenText footprint, Splunk Cloud and Microsoft Sentinel are usually stronger picks. Merito surfaces those alternatives honestly during scoping.
Cross-product SecOps integration with NDR, UEBA, MITRE content, threat intelligence, and long-retention logging is the platform claim that pays back when the program runs the full OpenText SecOps line. Programs running Core TDR standalone get SIEM; programs running it inside the line get unified SOC operations.
Consultation request
Share your current SIEM footprint, ArcSight modernization timeline if any, and SOC operating-model targets. A Merito OpenText specialist follows up within one business day.
ArcSight content
Inherits the ArcSight detection-content library. Programs do not start from scratch.
Cross-product SecOps
Native correlation across the OpenText SecOps line. Programs running the full line get unified SOC operations.
Next step
A Merito Core TDR engagement starts with detection-content tuning and cross-product SecOps integration. Generic SIEM migrations without the OpenText modernization driver rarely justify the disruption.