# SCCM: Enterprise Backbone or Attack Vector?

By [Lee Azrati Edri](https://www.paloaltonetworks.com/blog/author/lee-azrati-edri/?ts=markdown "Posts by Lee Azrati Edri") and [Shachar Roitman](https://www.paloaltonetworks.com/blog/author/shachar-roitman/?ts=markdown "Posts by Shachar Roitman")

Sep 16, 2025

## **Introduction**

### What is SCCM?

Microsoft System Center Configuration Manager (also known as SCCM) is a core component of enterprise IT infrastructure, enabling centralized software and device management of large-scale Windows environments.
While SCCM provides critical capabilities that include software deployment, patch management, operating system imaging, and compliance enforcement, its deep integration and broad privileges make it a prime target for attackers.

This two-part series explores how attackers target SCCM and provides practical detection methods using event logs, file access patterns, and WMI telemetry. In Part 1, we cover SCCM architecture, enumeration techniques, and detection strategies. Part 2 examines advanced attacks including credential access and persistence.

### Why Do Attackers Target SCCM?

SCCM infrastructure generates extensive logs that detail its operations, from software deployments to policy updates and client interactions. Attackers are increasingly abusing SCCM because of its powerful capabilities. Most organizations neither collect nor monitor these logs, which exacerbates the issue. As a result, malicious activity can easily blend in with routine administrative actions, allowing attackers to move undetected while abusing legitimate functionality.

SCCM presents a considerable attack surface that adversaries frequently exploit. Its powerful features include:

* Software deployment
* Remote execution
* Configuration management

Threat actors can weaponize these features to achieve various malicious objectives, such as:

* Gaining privileged access
* Moving laterally across a network
* Maintaining persistence

For example, an attacker who gains access to a site server could deploy malicious applications or task sequences across all managed devices. This allows them to misuse SCCM's legitimate mechanisms to distribute malware or establish long-term persistence within the network.

## **SCCM Architecture: From CAS to Clients**

The SCCM hierarchy defines the logical structure through which sites, systems, and clients are organized and managed. Before we move on, let's go over some SCCM terms that appear throughout this article.

* **Central Administration Site (CAS)** - Sits at the top of the SCCM hierarchy, providing centralized management and reporting across multiple primary sites. It's typically used in large-scale enterprise deployments. If a CAS isn't deployed, the hierarchy starts with the primary site as the top-level site.
* **Primary Sites** are the core administrative units and are responsible for client management, policy enforcement, and data processing (usually referred to as "site server"). Every client must be assigned to a primary site.
* **Secondary Sites** are children of primary sites and are used to support remote or bandwidth-constrained locations. Secondary sites help distribute content and policies locally and maintain a partial copy of the site database.
* **SCCM clients** are software agents installed on managed devices. They communicate with management points to receive policies, send inventory data to the site server, and execute tasks like applying updates and installing software.
* **Site Server Roles** define specific responsibilities that support system operations and can be distributed across multiple servers to enhance scalability and performance. The site server hosts the SCCM site, manages the SQL database, and oversees the overall configuration.
* **Management Point** (MP) acts as the communication bridge between SCCM clients and the site server, providing policies and configuration to clients, receiving inventory and status data, and distributing deployment information for applications and updates.
* **Distribution Point** (DP) stores content such as applications, updates, and operating system images, delivering it to clients as needed.
* **Site Database** is an essential component that stores all SCCM-related information, manages configuration data and supports system operations through SQL queries.
* **SCCM console** is the primary interface for managing and monitoring the entire System Center Configuration Manager infrastructure.
* **SMS Provider** serves as the interface that allows the SCCM console to interact with the site database, enabling administrative tasks and data retrieval.

Figure 1 shows a visual representation of the SCCM hierarchy and how sites and clients interact.

![Figure 1. SCCM site architecture.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/09/word-image-344501-1.png)

This structured hierarchy enables SCCM to scale from small environments to global infrastructures while maintaining centralized control and flexibility.

## **Deep Dive: SCCM Attack Tactics**

This section provides a detailed examination of common attack techniques targeting SCCM, specifically mapped to the [MITRE ATT\&CK Tactic: Discovery](https://attack.mitre.org/tactics/TA0007/).

### Tools Targeting SCCM

Before diving into Discovery, here are some tools attackers use against SCCM that we will explore throughout this blog post:

* [**SCCMHunter**](https://github.com/garrettfoster13/sccmhunter) -- Tool for identifying and attacking SCCM assets in AD domains.
* [**SharpSCCM**](https://github.com/Mayyhem/SharpSCCM) -- Post-exploitation tool for lateral movement and credential harvesting.
* [**CMLoot**](https://github.com/1njected/CMLoot) -- Finds sensitive files on SCCM SMB shares.

Additional known tools include malSCCM, PowerSCCM, sccm-http-looter, and SCCMSecrets.

### Enumeration Techniques

Attackers gain a lot of information about the domain in general, and SCCM in particular, by abusing built-in mechanisms such as LDAP and WMI.

#### ***Lightweight Directory Access Protocol (LDAP)***

By querying Active Directory via the LDAP protocol, an attacker can map the SCCM infrastructure. This can reveal information about site servers, management points, distribution points (including those configured for PXE boot), SCCM-related service accounts, and other infrastructure objects.

Figure 2 shows an example of running enumeration using the SCCMHunter tool via the command line.

*Python sccmhunter.py find -u \ -p \ -d \ -dc-ip \*

![Figure 2. Executing an SCCM enumeration using the python SCCMHunter tool.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/09/word-image-344501-2.png)

Table 1 presents LDAP queries commonly used by SCCM enumeration attack tools:

![Table 1. LDAP queries used to enumerate SCCM.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/09/word-image-344501-3.png)

#### ***Windows Management Instrumentation (WMI)***

Attackers can enumerate SCCM configurations directly from client agents using WMI. When an attacker gains access to a machine with the SCCM client agent installed, they can query the root\\ccm namespace to retrieve information about the local client's Management Point and Site Code by leveraging the SMS\_Authority class.

Figure 3 demonstrates execution of the command *SharpSCCM.exe local site-info*, which executes a WMI query that extracts the management point and site code of the client.

![Figure 3. Example of execution of WMI query on the class SMS\_Authority via SharpSCCM.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/09/word-image-344501-4.png)

#### ***SCCMContentLib$ Shared Folder***

SCCMContentLib$ is the default hidden share on each distribution point. This share stores package contents, software updates, applications and scripts. Even though this share contains sensitive data, such as credentials or private keys, it requires no special permissions and is readable by all users. cmloot.py is an open-source tool used to enumerate sensitive files on the *SCCMContentLib$* shared folder.

Figure 4 shows an example of executing the command *python cmloot.py \/\:\@ip -cmlootdownload sccmfiles.txt.*

![Figure 4. Executing cmloot.py to enumerate files on SCCMContentLib$.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/09/word-image-344501-5.png)

#### ***SCCM Log Files***

SCCM logs are stored locally on client machines, by default under C:\\Windows\\CCM\\Logs. These logs contain detailed information about software deployments, management points and communication behavior. Attackers might enumerate these logs to uncover operational insights, identify distribution points, and extract references to potentially sensitive scripts or configuration data.

Highly targeted native logging paths:

* C:\\Windows\\CCM\\Logs: This folder contains client-side logs generated by the SCCM client.
* C:\\Windows\\CCMCACHE: This folder contains the client cache, which temporarily stores downloaded content for software installations and updates. SCCM clients download content from Distribution Points into this folder before installation.
* C:\\Windows\\CCMSETUP: This folder is used during initial installation or reinstallation of the SCCM client.

Figure 5 shows execution of the command *SharpSCCM.exe local triage*, which enumerates logs stored on the SCCM client.

![Figure 5. Example of enumeration log file by SharpSCCM.exe.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/09/word-image-344501-6.png)

## Detection Strategies

Once we understand how these techniques work, it's relatively easy to detect suspicious activity in an SCCM environment.

### Tracking LDAP Enumeration

To detect **LDAP enumeration** attempts, monitor Event ID 1644 (source: Microsoft-Windows-ActiveDirectory\_DomainService).
Although not enabled by default, this event is recorded on Domain Controllers if the [Windows registry is updated](https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/how-to-find-expensive-inefficient-and-long-running-ldap-queries-in-active-direct/257859) to activate it. Filtering for queries that target SCCM-related objects and originate from accounts that don't typically interact with these resources can reveal potential enumeration attempts. A strong indicator of malicious reconnaissance is the usage of broad [wildcard](https://en.wikipedia.org/wiki/Wildcard_character) searches such as "\*sccm\*" or "\*mecm\*". These terms are commonly associated with attack tools that look for SCCM-related objects.

Another monitoring option is the collection of Windows event log [Event ID 4662](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662), which logs access attempts to objects in Active Directory. Specifically, monitor access to the "System Management" container. It is used by SCCM to publish critical configuration data such as site boundaries, site codes, management points and distribution points. Unauthorized or unusual access to this container may indicate enumeration activity by an attacker attempting to map the SCCM infrastructure.

Figure 6 shows an example of a Cortex XDR alert that detects this activity.

![Figure 6. "Suspicious enumeration on Microsoft Configuration Manager via LDAP" - Cortex XDR alert.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/09/word-image-344501-7.png)

### Hunting WMI-Based Enumeration

To counter **WMI-based enumeration**, organizations can monitor WMI queries targeting the SMS\_Authority class. Unusual or high volumes of queries to this class from non-standard processes or user accounts could be a sign of malicious enumeration.

Figure 7 shows an example of a Cortex XDR alert that detects this activity.

![Figure 7. "Potential SCCM credential harvesting using WMI detected" - Cortex XDR alert.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/09/word-image-344501-8.png)

### Watching SCCMContentLib$ Share Folder

To detect potential abuse of the **SCCMContentLib$ shared folder**, organizations can monitor the Windows Security event log for [Event ID 5140](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-5140). This event logs access attempts to network shares.

Look for high volumes of access events to the SCCMContentLib$ share by unusual user accounts, to detect behavior like first-time access, accounts that are not typically associated with SCCM content, and access attempts from suspicious IP addresses. In addition, a high volume of file access to the SCCMContentLib$ path is also an effective indicator when searching for malicious activity.

Figure 8 shows an example of multiple accesses to SCCMContentLib$ in Event 5140.

![Figure 8. Windows Security Event ID 5140 A network share object was accessed.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/09/word-image-344501-9.png)

Figure 9 shows an example of a Cortex XDR alert that detects this activity.

![Figure 9. "Suspicious File Activity in SCCMContentLib Shared Folder by user" - Cortex XDR Alert.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/09/word-image-344501-10.png)

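The Event ID 1644 and Event ID 5140 checks described in the LDAP and SCCMContentLib$ sections above can be prototyped offline before they become SIEM rules. The following Python sketch is an added example, not code from the original post or from Cortex XDR; the normalized 1644 keys (`user`, `client`, `filter`), the account baseline, the threshold and all sample events are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumption: accounts that routinely touch SCCM objects in this environment.
BASELINE = {"corp\\svc_sccm", "corp\\sccm-admin"}

# Broad wildcard terms named in the article: "*sccm*" and "*mecm*".
WILDCARD_TERM = re.compile(r"\*(?:sccm|mecm)\*", re.IGNORECASE)


def ldap_wildcard_hits(events, baseline=BASELINE):
    """Event ID 1644: wildcard SCCM/MECM filters from non-baseline accounts."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 1644:
            continue
        who = ev["user"].lower()
        terms = sorted({t.lower() for t in WILDCARD_TERM.findall(ev.get("filter", ""))})
        if terms and who not in baseline:
            hits.append({"user": who, "client": ev["client"], "terms": terms})
    return hits


def share_access_hits(events, known_users, baseline=BASELINE, threshold=5):
    """Event ID 5140: SCCMContentLib$ access that is first-time or high volume."""
    counts, sources = Counter(), defaultdict(set)
    for ev in events:
        if ev.get("event_id") != 5140:
            continue
        # 5140 logs the share as \\*\<name>; compare only the last component.
        if ev["ShareName"].rsplit("\\", 1)[-1].lower() != "sccmcontentlib$":
            continue
        who = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'.lower()
        if who in baseline:
            continue
        counts[who] += 1
        sources[who].add(ev["IpAddress"])
    findings = []
    for who in sorted(counts):
        reasons = []
        if who not in known_users:
            reasons.append("first-time access")
        if counts[who] >= threshold:
            reasons.append("high volume")
        if reasons:
            findings.append({"user": who, "count": counts[who],
                             "sources": sorted(sources[who]), "reasons": reasons})
    return findings


def correlated_users(ldap_hits, share_hits):
    """Accounts flagged by both checks deserve the first look."""
    return sorted({h["user"] for h in ldap_hits} & {h["user"] for h in share_hits})


def share_event(user, ip, share="\\\\*\\SCCMContentLib$"):
    """Build one constructed 5140 record using the event's own field names."""
    return {"event_id": 5140, "SubjectDomainName": "CORP",
            "SubjectUserName": user, "IpAddress": ip, "ShareName": share}


# Constructed sample events (not real telemetry).
SAMPLE_1644 = [
    {"event_id": 1644, "user": "CORP\\svc_sccm", "client": "10.0.0.5:49822",
     "filter": "(&(objectClass=computer)(name=*SCCM*))"},
    {"event_id": 1644, "user": "CORP\\j.doe", "client": "10.0.4.23:51544",
     "filter": "( | (samaccountname=*sccm*) (samaccountname=*mecm*) (description=*sccm*) )"},
    {"event_id": 1644, "user": "CORP\\helpdesk1", "client": "10.0.2.8:50001",
     "filter": "(&(objectCategory=person)(sAMAccountName=a.smith))"},
]
SAMPLE_5140 = (
    [share_event("svc_sccm", "10.0.0.5")] * 4
    + [share_event("j.doe", "10.0.4.23")] * 6
    + [share_event("a.smith", "10.0.3.9")]
    + [share_event("b.lee", "10.0.3.10", share="\\\\*\\IPC$")]
)
# Assumption: accounts already seen on the share during a prior baseline window.
KNOWN_SHARE_USERS = {"corp\\a.smith"}

if __name__ == "__main__":
    ldap = ldap_wildcard_hits(SAMPLE_1644)
    share = share_access_hits(SAMPLE_5140, KNOWN_SHARE_USERS)
    for finding in ldap + share:
        print(finding)
    print("correlated:", correlated_users(ldap, share))
```

The baseline and the set of previously seen share users should be rebuilt from a known-good period of your own logs rather than hard-coded.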
### Monitoring SCCM Logs for Malicious Activity

To detect enumeration of **SCCM native log files**, organizations can monitor for high volumes of file access (read or open operations) to the following directories:

* C:\\Windows\\CCM\\Logs
* C:\\Windows\\CCMCACHE
* C:\\Windows\\CCMSETUP

Look for access by user accounts or processes that are not typically associated with routine SCCM client operations.

Figure 10 shows an example of a Cortex XDR alert that detects this activity.

![Figure 10. "Suspicious SCCM log files enumeration" - Cortex XDR Alert.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/09/word-image-344501-11.png)

## **Conclusion**

Organizations must recognize that SCCM is not just an IT management platform, but a privileged infrastructure component and critical security dependency. Securing it requires more than routine patching - it demands visibility, context-aware detection, and proactive monitoring.

Part two of this series will delve into advanced attack techniques like credential access and persistence, along with practical strategies for detecting and mitigating these threats.

## **Alert Table**

The alerts discussed in this blog are located under the **'Microsoft SCCM Analytics'** UI tag on Cortex XDR.

![Table 2. SCCM Cortex Alerts](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/09/word-image-344501-12.png)

## **Don't Miss Part 2 Tomorrow, Where We Dive Deeper Into the Attacker's Playbook**

While Part 1 revealed how adversaries map and enumerate SCCM infrastructure, Part 2 exposes the real prize: how they steal Network Access Account credentials and establish persistent administrative control through the SMS Admins group.
We'll show you how attackers can extract credentials from WMI repositories, abuse SCCM policies, and maintain long-term access to your entire infrastructure, plus the detection strategies you need to catch them in the act. If you thought reconnaissance was concerning, wait until you see what happens when attackers move from discovery to domination.

## **Additional Resources**

### Tools

* [GitHub - Mayyhem/SharpSCCM](https://github.com/Mayyhem/SharpSCCM) -- A C# utility for interacting with SCCM
* [SCCMHunter](https://github.com/garrettfoster13/sccmhunter) -- A post-exploitation tool built to streamline identifying, profiling, and attacking SCCM-related assets in an Active Directory domain

### Related Articles

* [Misconfiguration-Manager](https://github.com/subat0mik/Misconfiguration-Manager/tree/main) -- Duane Michael, SpecterOps
* [SCCM Hierarchy Takeover. One Site to Rule Them All](https://posts.specterops.io/sccm-hierarchy-takeover-41929c61e087) -- Chris Thompson, SpecterOps
* [Misconfiguration Manager: Overlooked and Overprivileged](https://posts.specterops.io/misconfiguration-manager-overlooked-and-overprivileged-70983b8f350d) -- Duane Michael, SpecterOps