# Anatomy of a Kubernetes Attack: How Cortex Cloud Provides End-to-End Protection

By [Ory Segal](https://www.paloaltonetworks.com/blog/author/ory-segal/?ts=markdown "Posts by Ory Segal"), May 20, 2025

Attackers no longer strike in isolation. In cloud-native environments, they orchestrate multistage campaigns that move laterally across workloads and vertically through cloud control planes. For teams running Kubernetes clusters in the cloud, an attack that begins in a containerized workload can escalate fast --- breaching nodes, extracting credentials and gaining access to sensitive infrastructure.

[Weekly code deployments now define the norm for 77% of organizations](https://www.paloaltonetworks.com/resources/research/state-of-cloud-native-security-2023), creating a fast-moving attack surface that traditional security tools can't keep up with. Point solutions detect fragments of suspicious behavior but fail to connect events across the full attack chain.

In this blog post, we walk through a realistic [Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes) attack that crosses security domains --- application, container, host, cloud and identity. It also shows how Cortex® Cloud detects the attack in progress, correlates activity across the kill chain, and enables rapid investigation and prevention through a unified platform approach.

## The Attack Scenario: Bank App Compromise

A fictional financial institution runs its core banking platform on a Kubernetes-based [microservices architecture](https://www.paloaltonetworks.com/cyberpedia/what-are-microservices) deployed in AWS EKS. Its security team is about to face a multistage attack that exploits systemic gaps across the stack.

![A sophisticated attacker moves from a vulnerable web application through container isolation, host boundaries and cloud services, gaining escalated privileges that fragmented tooling fails to detect.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339276-1.png)

Figure 1: A sophisticated attacker moves from a vulnerable web application through container isolation, host boundaries and cloud services, gaining escalated privileges that fragmented tooling fails to detect.

### What Makes the Attack Sophisticated

Traditional security tools operate in isolation. [Container security](https://www.paloaltonetworks.com/cyberpedia/what-is-container-security) tools monitor pods. Cloud security tools evaluate configuration and IAM policies. Network tools inspect traffic. None of them alone can surface a threat that moves across layers.

This attack crosses five distinct control planes:

* **Application Layer:** Begins with an input deserialization vulnerability in a containerized workload
* **Container Layer:** Escapes isolation to gain unauthorized access to the host
* **Host Layer:** Exploits the underlying EC2 node
* **Cloud Control Plane:** Harvests AWS credentials through the instance metadata service
* **Identity Layer:** Abuses IAM to escalate privileges and persist in the environment

Without unified visibility, a security team would need a stack of siloed tools --- [WAF](https://www.paloaltonetworks.com/cyberpedia/what-is-a-web-application-firewall), [CWPP](https://www.paloaltonetworks.com/cyberpedia/what-is-cwpp-cloud-workload-protection-platform), host intrusion detection, cloud detection and response, [UEBA](https://www.paloaltonetworks.com/cyberpedia/what-is-user-entity-behavior-analytics-ueba) --- and still struggle to correlate the evidence. Signals stay disconnected. Analysts stay blind to the full chain of compromise.

### Attack Progression: Step-by-Step Breakdown

#### Stage 1: Initial Access

The attacker exploits an input deserialization flaw in a containerized web application, using crafted HTTP requests to upload and execute a web shell.

#### Stage 2: Cluster Reconnaissance

With access to the pod, the attacker runs curl commands to interact with the Kubernetes API server, extract secrets from other pods, and map the cluster.

#### Stage 3: Container Escape

Using a chroot escape, the attacker breaks out of the [container](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container) and gains access to the underlying EC2 host.

#### Stage 4: Credential Theft

From the host, they query the IMDSv1 [endpoint](https://www.paloaltonetworks.com/cyberpedia/what-is-an-endpoint) to extract temporary AWS credentials linked to the EC2 instance's IAM role.

#### Stage 5: Privilege Escalation

They enumerate permissions and perform a role self-attachment to grant elevated access to AWS resources.

## The Challenge of Fragmented Security

Had the bank's team relied on traditional point solutions, the attack likely would have gone undetected or been misdiagnosed entirely.

* **Web Application Firewall** may have flagged the deserialization attempt but lacked visibility into the web shell's post-exploitation activity.
* **Container Security** could have surfaced unusual pod behavior but missed the container escape and cloud interaction.
* **A Host Intrusion Detection System** might have detected the escape but failed to correlate it with the initial compromise.
* **CloudTrail Log Analysis** may have caught anomalous API calls but lacked context to link them back to the container.
* **Identity Security** could have flagged the role self-attachment but wouldn't trace it to the originating pod.

Each tool offers a partial view, leaving analysts to piece together a sprawling attack from disjointed events. They'd be chasing isolated alerts, unaware those alerts were fragments of a single campaign.

The result --- delayed detection, incomplete understanding, and lost time when it matters most.

## Detection and Investigation with Cortex Cloud

Now let's see how the attack unfolds for security engineers using Cortex Cloud.

The security team receives a high-severity alert. The incident appears in the Cortex Cloud console as a single aggregated case, already mapped to related issues across the environment.

![Cortex Cloud Aggregated Case view for the incident](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339276-2.png)

Figure 2: Cortex Cloud Aggregated Case view for the incident

Inside the case screen, the "Issues & Insights" tab presents a unified timeline. The "Issue Sources" panel lists all contributing signals, automatically correlated. The incident includes both runtime activity and posture misconfigurations --- conditions that created openings for the attacker at each stage.

![Aggregated Kubernetes attack issues, correlated into a single case](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/Figure3.png)

Figure 3: Aggregated Kubernetes attack issues, correlated into a single case

Within seconds, the team reviews key issues flagged by Cortex Cloud:

* **Application Layer:** "Suspicious Input Deserialization" and "Anti Web Shell Protection" detections
* **Secret Access:** "Unusual Secret Access Within Cluster from a Pod"
* **Container Escape:** "Unauthorized Host Takeover Attempt via Chroot Escape"
* **Credential Theft:** "Suspicious Cloud Credential Theft via IMDS"
* **Privilege Escalation:** "Anomalous Role Self-Attachment" in AWS

Cortex Cloud correlates these signals into one coherent narrative. Analysts don't waste time jumping between tools or investigating them in isolation.

### From Alerts to Attack Narrative

The team opens the case to investigate further.

#### MITRE ATT&CK Mapping

Each detection is mapped to the [MITRE ATT&CK framework](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack), showing how the attacker moved through tactics and techniques.

![MITRE ATT&CK mapping with associated assets and alerts](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339276-4.png)

Figure 4: MITRE ATT&CK mapping with associated assets and alerts

#### Asset Correlation

Affected resources --- containers, clusters, cloud accounts and IAM identities --- are connected in a single view. Analysts also see the historical posture issues that made each asset vulnerable.

![All affected assets autocorrelated in one case](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339276-5.png)

Figure 5: All affected assets autocorrelated in one case

#### Causality Chain

An interactive chain reveals the complete attack sequence. The team clicks on the alert for secret access within the cluster.

![Attacker's commands, compromised container and network activity visualized in sequence](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339276-6.png)

Figure 6: Attacker's commands, compromised container and network activity visualized in sequence

They examine:

* The curl commands used to extract secrets
* The process tree showing which container was compromised
* Network connections initiated during lateral movement
* Links between the pod and other Kubernetes resources

![View of container and image metadata tracing the origin to a specific image in the registry](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339276-7.png)

Figure 7: View of container and image metadata tracing the origin to a specific image in the registry

The causality chain continues into the cloud layer. Cortex Cloud surfaces CloudTrail logs showing the exact moment the attacker exploited IMDS and escalated privileges.

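
For teams reviewing CloudTrail directly, the role self-attachment from Stage 5 has a recognizable shape: the role that issued the calling session is also the role being granted a policy. The following is an added example, not Cortex Cloud's detection logic and not code from the original post; the account ID, role names and sample records are constructed, and only CloudTrail's documented field names are assumed.

```python
"""Added example: spot IAM role self-attachment in CloudTrail records."""
import re

# IAM calls that add permissions to a role.
ROLE_GRANT_EVENTS = {"AttachRolePolicy", "PutRolePolicy"}
# Sessions issued through an EC2 instance profile are named after the instance ID.
INSTANCE_SESSION = re.compile(r"^i-[0-9a-f]{8,17}$")

ACCOUNT = "111122223333"  # constructed account ID
ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
ECR_RO = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"


def make_event(source, name, caller_role, session, params, error=None):
    """Build a constructed record using CloudTrail's field names."""
    event = {
        "eventSource": source,
        "eventName": name,
        "userIdentity": {
            "type": "AssumedRole",
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{caller_role}/{session}",
            "sessionContext": {"sessionIssuer": {
                "type": "Role",
                "arn": f"arn:aws:iam::{ACCOUNT}:role/{caller_role}",
                "userName": caller_role,
            }},
        },
        "requestParameters": params,
    }
    if error:
        event["errorCode"] = error
    return event


NODE, NODE_SESSION = "eks-node-role", "i-0123456789abcdef0"  # constructed names
SAMPLE_EVENTS = [  # constructed for this example
    # Unrelated STS call by the node role: ignored.
    make_event("sts.amazonaws.com", "GetCallerIdentity", NODE, NODE_SESSION, None),
    # Node role grants itself an admin policy: the self-attachment.
    make_event("iam.amazonaws.com", "AttachRolePolicy", NODE, NODE_SESSION,
               {"roleName": NODE, "policyArn": ADMIN}),
    # An administrator changes a different role: not a self-attachment.
    make_event("iam.amazonaws.com", "AttachRolePolicy", "platform-admin", "alice",
               {"roleName": NODE, "policyArn": ECR_RO}),
    # Same attempt after hardening: denied, but still worth an alert.
    make_event("iam.amazonaws.com", "PutRolePolicy", NODE, NODE_SESSION,
               {"roleName": NODE, "policyName": "inline-1"}, error="AccessDenied"),
]


def find_self_attachments(events):
    """Return one finding per event where a role adds permissions to itself."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") not in ROLE_GRANT_EVENTS:
            continue
        ident = ev.get("userIdentity") or {}
        if ident.get("type") != "AssumedRole":
            continue
        issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
        params = ev.get("requestParameters") or {}  # may be null in real records
        caller_role = issuer.get("userName")
        if not caller_role or caller_role != params.get("roleName"):
            continue
        session = ident.get("arn", "").rsplit("/", 1)[-1]
        findings.append({
            "event": ev["eventName"],
            "role": caller_role,
            "session": session,
            # True when the credentials came from an instance profile (IMDS).
            "from_instance_profile": bool(INSTANCE_SESSION.match(session)),
            # Denied attempts are kept: they show intent even when blocked.
            "succeeded": "errorCode" not in ev,
            "granted": params.get("policyArn") or params.get("policyName"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_self_attachments(SAMPLE_EVENTS):
        print(finding)
```
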
![IAM role self-attachment traced to overpermissive cloud identity](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339276-8.png)

Figure 8: IAM role self-attachment traced to overpermissive cloud identity

Analysts don't dig through thousands of logs or guess at intent. They see what happened, where it started, how it spread, and where it could go next.

### Immediate Response

With full context in hand, the team acts quickly:

* **Container Isolation:** Cuts off the compromised pod to stop lateral movement
* **Credential Rotation:** Replaces all AWS credentials exposed during the breach
* **Network Segmentation:** Applies tighter policies to restrict pod communication

Containment is swift. The team moves immediately to prevent recurrence by addressing the root causes across posture, identity and workload exposure.

## Implementing Preventive Controls

With the attack contained, the team turns to posture management to uncover the underlying weaknesses that enabled the breach.

### Kubernetes Security Posture Management (KSPM)

The KSPM dashboard surfaces several configuration issues across the affected clusters.

![KSPM dashboard with issues categorized by type and severity](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339276-9.png)

Figure 9: KSPM dashboard with issues categorized by type and severity

* **Pod Security Issues:** Pods configured with elevated privileges or missing security context constraints
* **Admission Control Gaps:** No controllers enforcing security policy at deployment
* **Compliance Violations:** Multiple infractions against the CIS Amazon EKS Benchmark

The team takes immediate action:

1. Enables Cortex Cloud's admission controller across all clusters
2. Applies Pod Security Standards to restrict privileges
3. Adds network policies to limit both internal and external pod communication

![Workload Policies screen showing applied admission controller rules](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339276-10.png)

Figure 10: Workload Policies screen showing applied admission controller rules

### Cloud Configuration Hardening

To address misconfigurations at the cloud layer, the team strengthens identity and instance settings.

* **IMDSv2 Enforcement:** Replaces all IMDSv1 endpoints with IMDSv2
* **IAM Role Hardening:** Blocks role self-attachment with updated permissions
* **[Patch Management](https://www.paloaltonetworks.com/cyberpedia/patch-management):** Establishes a workflow for continuous patching of cloud workloads

### Shifting Security Left with Application-Aware Controls

![Application Security dashboard displaying scan results](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339276-11.png)

Figure 11: Application Security dashboard displaying scan results

Cortex Cloud's AppSec capabilities help prevent insecure code and misconfigurations from reaching production.

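
The two cloud-layer misconfigurations named under Cloud Configuration Hardening can be checked before deployment as well as after. The following is an added example, not code from the original post or from Cortex Cloud: it flags instances that still answer IMDSv1 and role policies that let a role attach policies to itself, shown with a weak and a hardened role side by side. Instance records are assumed to follow the EC2 `DescribeInstances` `MetadataOptions` shape; all IDs, ARNs and policies are constructed, and explicit `Deny`, `NotAction`, `Condition` and permission boundaries are not evaluated.

```python
"""Added example: audit for IMDSv1 exposure and role self-grant permissions."""
from fnmatch import fnmatchcase

# Actions that let a principal add permissions to a role (lowercased).
SELF_GRANT_ACTIONS = ("iam:attachrolepolicy", "iam:putrolepolicy")

ACCOUNT = "111122223333"  # constructed account ID
NODE_ROLE = f"arn:aws:iam::{ACCOUNT}:role/eks-node-role"         # weak (constructed)
HARDENED_ROLE = f"arn:aws:iam::{ACCOUNT}:role/eks-node-role-v2"  # hardened (constructed)

INSTANCES = [  # constructed, shaped like DescribeInstances output
    {"InstanceId": "i-0123456789abcdef0",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0fedcba9876543210",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
]

ROLE_POLICIES = {  # constructed policy documents, keyed by role ARN
    NODE_ROLE: [{"Version": "2012-10-17", "Statement": [
        {"Sid": "PullImages", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage"], "Resource": "*"},
        # Weak: iam:* on every resource includes attaching policies to itself.
        {"Sid": "NodeIam", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ]}],
    HARDENED_ROLE: [{"Version": "2012-10-17", "Statement": [
        {"Sid": "PullImages", "Effect": "Allow",
         "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage"], "Resource": "*"},
        # Scoped: may attach policies, but only to roles other than itself.
        {"Sid": "CiRolesOnly", "Effect": "Allow", "Action": "iam:AttachRolePolicy",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/ci-deploy-*"},
    ]}],
}


def _as_list(value):
    """IAM allows a single string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def imdsv1_allowed(instance):
    """True when the metadata endpoint is on and session tokens are not required."""
    opts = instance.get("MetadataOptions", {})
    endpoint_on = opts.get("HttpEndpoint", "enabled") == "enabled"
    # A missing HttpTokens value is treated as "optional" to stay conservative.
    return endpoint_on and opts.get("HttpTokens", "optional") != "required"


def self_grant_statements(role_arn, policy_doc):
    """Return Allow statements that let role_arn add policies to itself."""
    hits = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt or "Resource" not in stmt:
            continue
        # Action names are case-insensitive and may contain wildcards.
        patterns = [a.lower() for a in _as_list(stmt["Action"])]
        granted = [t for t in SELF_GRANT_ACTIONS
                   if any(fnmatchcase(t, p) for p in patterns)]
        on_self = any(fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"]))
        if granted and on_self:
            hits.append({"sid": stmt.get("Sid", ""), "actions": granted})
    return hits


def audit(instances, role_policies):
    """Collect both findings for a set of instances and role policy documents."""
    report = {"imdsv1_instances": [], "self_grant_roles": {}}
    for inst in instances:
        if imdsv1_allowed(inst):
            report["imdsv1_instances"].append(inst["InstanceId"])
    for role_arn, docs in role_policies.items():
        hits = [h for doc in docs for h in self_grant_statements(role_arn, doc)]
        if hits:
            report["self_grant_roles"][role_arn] = hits
    return report


if __name__ == "__main__":
    print(audit(INSTANCES, ROLE_POLICIES))
```
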
#### Code-Level Security

The team integrates scanning into development workflows:

* **Software Composition Analysis ([SCA](https://www.paloaltonetworks.com/cyberpedia/what-is-sca)):** Detects vulnerable packages in application dependencies
* **Infrastructure as Code ([IaC](https://www.paloaltonetworks.com/cyberpedia/what-is-iac)) Scanning:** Flags misconfigurations in manifests and Terraform files
* **Secrets Scanning:** Identifies embedded credentials in source code repositories

#### CI/CD Pipeline Security

Security becomes part of the delivery process:

* **Admission Control Integration:** Blocks unsafe deployments at build time
* **Automated Pull Requests:** Submits remediations directly into developer workflows
* **Policy Guardrails:** Enforces configuration baselines without disrupting development

![GitHub interface showing Cortex-generated pull requests](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339276-12.png)

Figure 12: GitHub interface showing Cortex-generated pull requests

### Intelligent Risk Prioritization

With findings across multiple environments, the team needs to focus on what matters most.

![Vulnerability dashboard with runtime and exposure context](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339276-13.png)

Figure 13: Vulnerability dashboard with runtime and exposure context

* **Runtime Context:** Prioritizes vulnerabilities in loaded components
* **Exposure Context:** Surfaces risks in public-facing workloads first
* **Sensitive Data Context:** Elevates issues in applications tied to financial systems

Context-aware prioritization reduces noise and focuses response efforts on active, high-impact risks.

### Setting Guardrails Without Slowing Development

To support speed and safety, the team configures Cortex Cloud's intelligent guardrails that:

* Allow unrestricted dependencies in test environments
* Enforce stricter controls in production
* Guide developers through remediation with clear, contextual recommendations

![AppSec policies balancing velocity and enforcement](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339276-14.png)

Figure 14: AppSec policies balancing velocity and enforcement

![AppSec policy creation view](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/05/word-image-339276-15.png)

Figure 15: AppSec policy creation view

Guardrails maintain momentum without sacrificing security posture.

### Results and Business Impact

Cortex Cloud enables lasting gains for the team and the organization:

1. **Reduced Attack Surface:** Fewer misconfigurations across workloads and environments
2. **Faster Detection:** MTTD drops from days to minutes
3. **Improved Developer Feedback:** Security shifts earlier in the pipeline
4. **Automated Compliance:** Continuous alignment with CIS EKS and internal policies

## Learn More

Cortex Cloud delivers integrated protection across application security, cloud posture, runtime environments and SOC workflows --- enabling teams to secure cloud-native applications with speed and precision.

If you haven't seen Cortex Cloud up close and in action, [schedule your demo](https://www.paloaltonetworks.com/cortex/cloud/demo) today.