AI security is getting attention because AI has stopped being a side experiment. It is now part of how work gets done. Employees use copilots to write, research, code, and analyze. Product teams are adding AI into customer experiences. Developers are building applications on top of foundation models. Business teams are experimenting with agents that can read email, summarize documents, query data, and trigger workflows. That is a very different world from the one many AI review processes were designed for. An AI system can pass a benchmark and still fail in production. It can behave safely in a clean test environment and then encounter real […]
Shadow AI is no longer a theoretical risk. Employees are adopting AI tools faster than security teams can track them, often without IT’s knowledge, and frequently on devices and surfaces that traditional security tools simply can’t see. If you asked your security team right now how many AI tools are active across your organization, on which surfaces, and what’s being shared, could they answer? For most organizations, the honest answer is no. And that gap, between what your employees are doing with AI and what your security team can actually see, is where enterprise risk lives today. AI adoption in the enterprise didn’t slow down and wait for governance to catch […]
The model behind a security workflow shapes how fast a threat is caught, how accurately an incident is investigated, and how much a defender can trust the result. We treat that choice with care. Today we’re taking a clear step forward: Check Point has joined OpenAI’s Daybreak initiative through its Trusted Access for Cyber (TAC) program. These are real steps in how we bring AI into our defensive operations, and in the security we deliver to our customers. What Trusted Access for Cyber Gives Us Trusted Access for Cyber is OpenAI’s program for vetted security organizations that need its most […]
Key Findings: Check Point Research identified a critical vulnerability chain in LangGraph, an open-source framework from the creators of LangChain that enables developers to build complex, stateful, and controllable AI agent workflows using LLMs; they have approximately 46.5 million monthly downloads, making it one of the most widely adopted AI agent platforms in the world An SQL injection in LangGraph’s function could allow attackers to gain full control via remote code execution of a server by exploiting weaknesses in how the system processes and handles data. A compromised LangGraph server exposes everything the agent touches, including LLM API keys, customer data, CRM credentials, conversation history, and internal network […]
Frontier AI is moving faster than most governance and response systems were designed to handle.
The corporate landscape across the Japan and Asia-Pacific (JAPAC) region is facing an unprecedented regulatory and operational reckoning. The rise of hyper-autonomous ‘frontier’ AI models is pushing cyber security out of human hands and into a real-time war of machine against machine. This shift has triggered a highly coordinated enforcement wave cascading through JAPAC’s premier digital hubs, where regulators and enterprises are moving in lockstep to address machine-speed threats.
With corporate watchdogs Australian Prudential Regulation Authority (APRA) and Australian Securities and Investments Commission (ASIC) firing warning shots via urgent market letters, and neighbouring authorities like the Monetary Authority of Singapore and South Korea’s central government enacting strict new AI safety rules, organisations are being forced to completely overhaul their defensive architecture. Decades of relying on slower, committee-based governance are being shattered by new threat intelligence showing that autonomous AI agents can now exploit vulnerabilities and exfiltrate critical data within minutes—turning traditional 72-hour regulatory reporting windows into mere post-mortems.
The warning comes as the gap between corporate readiness and technological reality widens right across the JAPAC corridor. Much of the region’s current governance and cyber risk architecture still reflects a legacy system engineered for predictable, slower-paced environments. We have spent years building risk models where vulnerability discovery, incident escalation, and defensive response unfold gradually enough for traditional executive oversight and committee structures to remain effective. But that comfortable pace has officially vanished.
The Machine-Speed Reality
The sheer velocity of this shift was highlighted during restricted testing of Anthropic’s advanced frontier model, Claude Mythos, under an initiative known as Project Glasswing. Palo Alto Networks was among a select group of technology and cyber security organisations chosen to evaluate the implications of the model before its broader release. Mythos demonstrated an unprecedented capability to identify and exploit vulnerabilities across major operating systems at a level matching or exceeding advanced human experts.
During combined testing involving Mythos, Claude Opus 4.7, and OpenAI’s GPT-5.5-Cyber, the real-world impact of machine speed became starkly visible. In a single month, Palo Alto Networks disclosed 26 Common Vulnerabilities and Exposures (CVEs) representing 75 distinct issues, a massive surge compared to a typical monthly volume of fewer than five CVEs.
While discovering flaws at that scale would historically have raised uncomfortable questions around software quality, the landscape has fundamentally shifted. In this new era, radical transparency, paired with the ability to reflect and act instantly, has emerged as a critical corporate superpower. Frontier AI is accelerating both sides of the digital chessboard simultaneously: while attackers are gaining unprecedented speed, defenders are gaining a level of visibility that simply did not exist a few years ago. Real-time warfare between AI defenders and AI attackers is rapidly becoming the standard operating model.
AI Agents: The New Corporate ‘Insiders’
This shift introduces a profound dilemma for corporate leadership. Recent regulatory guidance repeatedly emphasises the necessity of human supervision, and for good reason—ultimate accountability must always remain with people. Boards must still set risk appetite, Chief Information Security Officers (CISOs) must determine operational thresholds, and security teams must decide how much authority autonomous systems should hold inside critical environments.
However, organisations must now look a step further. Autonomous AI agents—operating on behalf of employees, suppliers, or automated workflows—are quickly becoming the new corporate ‘insiders’. If not managed with extreme care, they represent massive, systemic blind spots.
Current identity and access frameworks are starting to buckle under the strain because they were never built to distinguish between human users and autonomous agents acting on their behalf. Traditional identity systems assume a predictable human pattern: a user authenticates, requests access, and operates within set boundaries. Autonomous agents, by contrast, interact continuously with APIs, generate code on the fly, move fluidly across workflows, and operate with delegated authority from trusted users.
When these agents begin operating deep inside critical infrastructure, financial services, or government workflows, the risk profile changes entirely. Security teams are no longer just dealing with stolen passwords or human misuse; they are managing autonomous systems capable of acting at machine speed across highly interconnected environments, with potentially devastating consequences if control is lost.
The Failure of the 72-Hour Window
This acceleration has effectively broken traditional regulatory reporting timelines. Recent threat observations from Unit 42 reveal that in approximately 20 percent of modern breaches, attackers successfully exfiltrate data within the very first hour of a compromise.
When data theft occurs inside 60 minutes, a 72-hour reporting window ceases to function as an effective defense mechanism. Instead, it becomes a post-mortem.
For example Australia’s current reporting obligations—including those under the SOCI Act, CPS 234, and the Privacy Act—were largely designed for static environments where defenders had sufficient time to investigate, escalate internally, and coordinate remediation before damage spread. Today, many CISOs quietly acknowledge the immense operational strain created by overlapping reporting frameworks during a live crisis. In the chaotic early stages of a compromise, security teams frequently find themselves managing compulsory reporting requirements from different regulators while their engineering teams are still actively trying to contain a fast-moving incident.
A Region-Wide Regulatory Reckoning
Australia is far from alone in this challenge. The regulatory anxiety echoing through the halls of APRA and ASIC is part of a highly coordinated, region-wide crackdown across the Japan and Asia-Pacific (JAPAC) tech corridor. As frontier models shrink the ‘time-to-exploit’ to near zero, neighbouring digital economies are rapidly realising that their legacy frameworks are equally vulnerable.
In Singapore, the regulatory response has been immediate. The Cyber Security Agency (CSA) recently issued a stark advisory warning that advanced frontier models can examine complex codebases and automate attacks faster than human developers can write patches. In lockstep, MAS finalised its Guidelines on AI Risk Management. Under these new rules, financial institutions are now mandated to perform continuous ‘AI Cyber Stress Testing’— requiring boards to prove that complex, autonomous AI-to-AI interactions within their systems won't trigger an unmanageable domino effect.
Meanwhile, South Korea has shifted from guidelines to hard law. The nation's landmark AI Basic Act (Framework Act on Artificial Intelligence) has officially entered into force, creating strict compliance mandates, mandatory data audits, and extraterritorial penalties for any enterprise deploying high-impact AI systems without ironclad human guardrails.
Across JAPAC, a uniform regulatory shift is underway: voluntary AI ethics frameworks are being replaced by proactive, real-time enforcement measures.
Moving with Discipline
Organisations broadly acknowledge that AI demands a distinct approach, yet implementation gaps remain. Businesses must move away from managing AI like standard software and instead commit the significant defensive resources needed to protect complex AI supply chains.
The language coming from regulators reflects these exact challenges. ASIC Commissioner Simone Constant warned that frontier AI capability could expose vulnerabilities at unprecedented speed and scale, creating systemic consequences across entire sectors. Her message to corporate Australia was direct: do not wait for perfect clarity to address the threat posed by new AI models. Instead, organisations must act now, and act with discipline, to strengthen the cyber resilience fundamentals that underpin their businesses.
The testing conducted within Project Glasswing ultimately proved that while frontier models can expose weaknesses at terrifying speed, that exact same capability can be weaponised defensively. By deploying AI to reduce exposure and identify vulnerabilities before adversaries can operationalise them, organisations can effectively level the playing field.
The most resilient organisations over the next few years will be those that combine real-time frontier AI defensive capabilities with disciplined human supervision, rather than treating the two as separate priorities. In the era of machine-speed warfare, you cannot successfully have one without the other.
To learn more about how we are securing the frontier of technology, visit the Palo Alto Networks Trust Center and explore the latest threat insights from Unit 42.
Enterprise security has always had a comforting assumption baked into it: systems do what they were built to do. Sometimes badly. Sometimes insecurely. Sometimes in ways that make auditors develop a nervous twitch. But still, the basic shape was understandable. Applications processed requests. Databases stored data. APIs connected systems. Users clicked things they probably should not have clicked. Then AI arrived and made the whole thing a little weird. AI did not introduce one neat new risk category. Security teams are very good at turning new risk categories into taxonomies, dashboards, and meetings with names like “working group.” The real […]
When people hear about hackers “asking an AI chatbot” to help them take over Instagram accounts, the instinctive reaction is to file it under prompt injection, jailbreaks, or “the model got tricked.” That may be the wrong lesson. According to reporting from 404 Media, hackers claimed they used Meta’s AI support chatbot to gain access to high-profile Instagram accounts by asking it to change the email address associated with the target account. The reported incidents coincided with several high-profile account takeovers, including accounts linked to the Obama White House, Sephora, and the Chief Master Sergeant of the Space Force. […]
At GTC Taipei during COMPUTEX 2026, NVIDIA is highlighting the growing adoption of its NVIDIA Vera BlueField-4 STX architecture and introducing new NVIDIA DOCA-powered innovations designed to secure the next generation of enterprise AI infrastructure. As organizations continue scaling AI factories, private LLM environments, distributed inference systems, and increasingly autonomous AI operations, enterprise infrastructure requirements are rapidly evolving. Modern AI environments combine high-performance compute, distributed storage systems, inference pipelines, Kubernetes clusters, APIs, GPU server farms, and sensitive enterprise data operating continuously at enormous scale. At the same time, AI-driven environments are introducing increasingly dynamic machine-to-machine interactions across infrastructure, applications, and […]
At Check Point we don’t wait for threats to evolve; we evolve ahead of them. This is why we’ve been running our Frontier AI Models Readiness Program: a proactive, structured initiative designed to ensure that our products remain resilient as AI models grow increasingly capable of understanding complex software systems and assisting adversaries in attacking them. As part of this program, we conducted large-scale AI-driven code scanning across our products, performed extensive security reviews, hardened components where needed, refined our time-to-patch procedures, and accelerated our protection development processes to meet the pace of emerging AI-driven threats. Today’s Jumbo Security Release […]
As AI rapidly reshapes industries, the role of the cloud has become even more critical. From automated customer experiences to intelligent cyber security and predictive analytics, AI transformations are increasingly being built on a cloud-first foundation. Over the past two years, AI has swiftly moved from an experimental state to an operational reality, with every leading organization embedding AI into the core of how they build, operate, and compete. However, security architectures have not kept pace with the AI transformation. Closing that gap requires more than incremental fixes. It demands a rethinking of how security is designed, deployed, and enforced […]
Learn how AI transforms cybersecurity through enhanced threat detection, new attack methods, model vulnerabilities, and the evolving skills teams need in 2026.
By now, you’ve heard about the latest frontier AI models that are remarkably good at finding vulnerabilities in code and creating potential exploits. So good, in fact, that these models have been significantly limited from general use in an attempt to give defenders time to find and fix vulnerabilities before attackers find and exploit them.
For context, on April 7, 2026, we began testing Anthropic’s Claude Mythos model as a launch partner for Project Glasswing. Our conclusion was clear: The latest models are extraordinarily capable at finding vulnerabilities and changing them into critical exploit paths in near-real-time. In Defender's Guide to the Frontier AI Impact on Cybersecurity, I shared our early findings and recommendations.
Since then, we’ve continued testing the latest frontier AI models, including Anthropic’s Mythos and Claude Opus 4.7 and OpenAI’s GPT-5.5-Cyber as part of the Trusted Access for Cyber program. The big question just a few weeks ago was: “Are we overstating the model capabilities?” With more testing, I can confidently say we weren’t. In fact, these models are likely even better at finding vulnerabilities than we initially realized. Today, we’re providing an update on our ongoing research, our learnings uncovered in the process, and the approach we’re taking to protect our customers.
Find and Fix Before Attackers Find and Exploit
Today, we released our May “Patch Wednesday” security advisories, our monthly cadence of transparent vulnerability disclosure and remediation. This is the first time where the majority of findings were the result of frontier AI models scanning our code.
These are the results of the full, initial scan of over 130 products across all three platforms.
As of today, we’ve patched all important vulnerabilities in our SaaS delivered products, and all customer-operated products now have patches available.
Today’s advisory covers 26 CVEs (representing 75 issues) versus our usual volume (typically less than 5 CVEs in a month); none of which are being exploited in the wild. Note, this excludes CyberArk vulnerabilities, which are disclosed in their normal process.
It's important to understand this isn’t a one-and-done situation. We’re now rescanning, applying all our learnings about how to provide the right context and threat intelligence to the models. We intend to fix every vulnerability we find before advanced AI capabilities become widely available to adversaries.
While incredibly powerful, AI models aren’t simply magic. To achieve high-fidelity results, you need to build AI scanning harnesses, leverage context, guardrails and threat intelligence. We’ve also discovered a variance across models, due to variations in their training. A multimodel approach is required to identify the superset of vulnerabilities. And finally, while the immediate priority is finding and fixing the vulnerabilities that organizations currently have, the longer-term shift is incorporating these models directly into the software development lifecycle. This is the light at the end of the tunnel: A future where software is secure by design.
Four Steps Every Organization Needs to Take Immediately
Regardless of the current restricted access, we believe these capabilities will flow more broadly to other models. We now estimate a narrow three-to-five-month window for organizations to outpace the adversary before AI-driven exploits start to become the new norm. This impending vulnerability deluge demands urgency. Organizations that haven’t put appropriate safeguards in place will face an entirely new class of risk. Here’s what we recommend:
Find and Fix Vulnerabilities In Your Applications, Products and Code
Find and fix before attackers find and exploit.
Leverage AI models to identify vulnerabilities across all codebase.
Apply the same AI scanning to your open-source supply chain, and remediate or mitigate findings.
Run accelerated patching tightly coordinated with product and development teams.
Assess, Reduce and Remediate Your Exposure
Reduce what is reachable by attackers, secure what must be accessible, such as customer-facing applications.
Attack surface management products, like Cortex Xpanse®, have never been more critical for finding and reducing exposure.
The latest frontier AI models are very adept (with the right AI scanning harness) at evaluating exposures, understanding security misconfigurations and prioritizing attack-path reachability.
Audit your supply chain, including AI infrastructure, runtime environments and model dependencies.
Ensure Attack Protections
Vulnerability exploits are typically just one step of a multi-step attack lifecycle. Ensuring best-in-class protections is now even more important for preventing breaches.
Map current sensor coverage to identify critical blind spots in detection, prevention and telemetry.
Deploy best-in-class XDR everywhere with an emphasis on real-time ML-based detection and prevention of attacks with all hosts on-premises and cloud included.
Deploy Agentic Endpoint Security to secure wide-scale adoption of vibe coding and AI security across the enterprise (e.g. Prisma AIRS® and our recent acquisition of Koi are now a necessity for securing the agentic endpoint).
Secure enterprise browsers with AI-based security are a must have for securing where users now do their work.
Zero trust and Identity Security are foundational to securing every user and connection, extending to internal segmentation and outbound application connections.
Deploy Real-Time Security Operations
Autonomous AI-driven attacks will drive attack lifecycles to minutes requiring every SOC to achieve single-digit mean time to detect (MTTD) and mean time to respond (MTTR).
Attack detections must be AI/ML-driven to detect even frequently changing and novel attacks at scale.
These AI detections must operate against a wide range of first party and third party data sources. A best in class AI SOC must operate on ALL relevant data sources.
Automation, both natively integrated and throughout the SOC lifecycle, is necessary to achieve single-digit MTTR. This automation will increasingly be agentic.
This must be delivered as a platform to remove seams and gaps created by point solutions.
Assess and act as quickly as possible.
Fighting AI with AI — AI Frontier Security Innovations Coming Soon
So far, frontier AI models only find new attacks, not new attack techniques. This means that with the right innovations, we can expand our use of AI to solve the security challenges that organizations are facing, and deliver what our customers need to stay ahead of the ever-evolving threat landscape, including:
Reimagining virtual patching with proactive, high-fidelity content updates across network, endpoint and cloud security – We expect that across open source and technology suppliers there will be a deluge of patches, and virtual patching will provide a mitigation layer necessary to give your teams time to update. We expect to roll out the first phase of capabilities very soon.
Enhanced attack preventions, including cyber-LLM trained ML and small language models (SML) and behavior protections – Early testing with Cortex XDR® and our network security security services, such as WildFire® malware prevention, indicate high protection coverage from the types of attacks created using these new frontier AI models.
Using these models to scan our code, applications and even security configurations – Our intention is to productize these capabilities and incorporate them into our platforms.
Unit 42 — We’re Here to Help
We recognize that not everyone has the capacity and/or expertise to action all of the recommendations to effectively counter frontier AI-driven risks in the short timeframe mandated by AI innovation. Our Unit 42 Frontier AI Defense service is designed to discover and remediate your current exposure before attackers do, strengthen controls that reduce exposure and contain impact and modernize security operations so teams can detect and respond at machine speed.
This is a pivotal moment for our industry. While the scale of the challenge presented is real, I’m confident in our ability to solve it. We’re here to help our customers navigate this transition and ensure that as the landscape continues to evolve, the advantage remains with the defender.
Forward-Looking Statements
This blog contains forward-looking statements that involve risks, uncertainties and assumptions, including, without limitation, statements regarding the benefits, impact, or performance or potential benefits, impact or performance of our products and technologies or future products and technologies. These forward-looking statements are not guarantees of future performance, and there are a significant number of factors that could cause actual results to differ materially from statements made in this blog. We identify certain important risks and uncertainties that could affect our results and performance in our most recent Annual Report on Form 10-K, our most recent Quarterly Report on Form 10-Q, and our other filings with the U.S. Securities and Exchange Commission from time-to-time, each of which are available on our website at investors.paloaltonetworks.com and on the SEC's website at www.sec.gov. All forward-looking statements in this blog are based on information available to us as of the date hereof, and we do not assume any obligation to update the forward-looking statements provided to reflect events that occur or circumstances that exist after the date on which they were made.
How Nations Hack, Why Attribution Fails, and What AI Changes
Executive Summary: Code War author Allie Mellen, argues that cyberwarfare must be understood through a human and geopolitical lens to close the knowledge gap between the security community and the public.
Disclaimer:
This post reflects the perspectives shared in the book Code War: How Nations Hack, Spy, and Shape the Digital Battlefield, and does not represent the views of the publisher of this blog.
The summer of 1983, President Reagan watched WarGames at Camp David and couldn't get it out of his head. A week later, he walked into a White House meeting with cabinet members and Congress and launched into a detailed plot summary of a Matthew Broderick movie about a teenager who nearly hacks the world into nuclear war. The room full of defense experts sat uncomfortably, suppressing smirks. Then Reagan turned to General John Vessey, Chairman of the Joint Chiefs, and asked if something like that could actually happen.
Vessey came back a week later with an answer: "Mr. President, the problem is much worse than you think."
Fifteen months after that, Reagan signed a classified presidential directive titled "National Policy on Telecommunications and Automated Information Systems Security" – the first federal policy of its kind. A movie had done what years of expert warnings hadn't: It made the most powerful person in the world stop and ask the right question.
Allie Mellen, author of Code War: How Nations Hack, Spy, and Shape the Digital Battlefield, loves to tell this story, and it captures exactly why she wrote the book. In a conversation recorded at RSA 2025, Mellen joined Threat Vector host, David Moulton, to talk about nation-state threats, attribution pitfalls, and why the security industry's biggest problem isn't technical.
"They're human stories, and if we can communicate them that way to the general public, then we'll get more people interested in cybersecurity, invested in cybersecurity, and invested in protecting their data."
That gap, between what the security community understands and what everyone else grasps, is the core problem Mellen set out to solve. And in today's geopolitical moment, closing it has never been more urgent.
Every Nation Hacks Differently
One of the central arguments in Code War is that you can't understand a nation's cyber behavior without understanding its history, doctrine and social contract. China, Russia, Iran, North Korea and the U.S. each approach offensive and defensive cyber operations from completely different starting points, and those differences matter enormously to defenders.
China operates with patience. Its attacks tend to be low and slow, focused on long-term espionage rather than loud disruption. But that changes sharply in its own region, where operations targeting Taiwan are aggressive and relentless. Russia, by contrast, is bombastic; they want you to know it was Russia. Its influence operations have been some of the most effective in modern history, studied and imitated by Iran and others.
Interestingly, the very system China built to protect itself has become a liability in one specific domain. Because Chinese operators live behind the Great Firewall, without access to western social media, they lack the cultural fluency that makes Russian disinformation so effective. "They try to use memes, but it's like ‘uncanny valley’," Mellen explains. "They just slightly miss every time and so it doesn't go viral." The walled garden that gives China control over its own population makes it harder to manipulate everyone else's.
Attribution Is a Geopolitical Tool, Not Just a Technical One
Mellen is careful about attribution, and she wants defenders to be too. The standard technical signals (coding language, infrastructure patterns, operational hours) are necessary but not sufficient. Nation-states, especially the U.S., have developed tools specifically designed to mimic other actors' signatures. AI will make that problem significantly worse.
But the bigger issue is motivation. Mellen walks through a case from the Olympics where an attack was initially attributed to North Korea, even though North Korea was actively trying to normalize relations at the time by sending Kim Jong Un's sister to the games. The actual perpetrator was Russian, using a false flag to obscure its involvement. The lesson: Attribution requires asking not just "who has the technical capability?" but "who has the motive right now, given everything happening geopolitically?"
The pitfalls are real:
Tools once used exclusively by intelligence agencies are now publicly available, making code signatures unreliable.
Working-hours analysis is easy to spoof, especially for sophisticated actors.
Government-controlled research in adversarial nations can deliberately skew attribution findings.
False flag operations are increasingly sophisticated and harder to disentangle.
Why Your Data Is a Geopolitical Asset
One of the more powerful sections of the conversation centers on a question Mellen hears constantly: why would China care about my data?
Her answer cuts through the dismissiveness. These nations aren't collecting data out of idle curiosity. They're willing to constrain companies for it, invest billions in infrastructure for it, and in some cases, far worse. "Whether you wanna be involved in that system or not, you are involved in that system," she says. "And so you can either choose to take control of your information in that environment, or you can just pretend like it's not your problem."
The historical context she offers is striking. One of the driving forces behind GDPR in the EU was the collective memory of how Nazi Germany used data to target Jewish people during the Holocaust. Europe built privacy protections into law because it had seen what happens when governments gain unrestricted access to population data. That's not an abstract concern. It's a lesson written in history that the rest of the world is still catching up to.
AI Makes Everything Harder
Mellen isn't optimistic about the trajectory. Attribution is about to get much harder. Attacks are about to get much more dynamic. And AI is the reason for both.
She points to research on Chinese state-sponsored actors using AI to orchestrate attacks across the full kill chain, with only a couple of human checkpoints in the loop. The implication isn't just faster attacks. It's more adaptive malware that can adjust to different operating environments, more convincing disinformation that clears the cultural context bar, and reconnaissance-to-exploitation cycles that move faster than most defenders can process.
The constraints that have always slowed sophisticated attackers – understanding the operating system, identifying vulnerabilities, crafting exploits, mimicking attribution – all get easier with AI. All of that becomes more dynamic. And most enterprises, Mellen acknowledges, are not yet equipped to respond effectively.
The investment required is in the basics the industry has always struggled to get right, executed now at a pace and scale that demands automation and AI on the defensive side. Fighting AI with AI isn't a vendor talking point. It's the only math that works.
Built on the Pioneers of PAM (privileged access management): Idira is Palo Alto Networks next-generation identity security platform, extending privileged access controls to every human, machine and AI agent identity in the AI enterprise.
Zero Standing Privilege by Default: Idira replaces static, always-on access with dynamic privilege, granted just-in-time on a single control plane.
AI-Driven Identity: AI runs natively inside Idira to surface hidden entitlements, unmanaged accounts, recommend least privilege, and remediate to close the gap between attackers who move in 72 minutes and defenders who historically took days.
Since Palo Alto Networks and CyberArk came together in February, customers have been asking me the same question: What does the future of identity security actually look like?
I am proud to introduce Idira, the next-generation identity security platform from Palo Alto Networks. Idira secures every identity in the AI enterprise (human, machine, AI agent) on a single control plane that discovers risk, applies privilege dynamically, and governs the full lifecycle from first access to last session.
Idira begins with a belief shaped by more than 20 years of working on this problem. Privilege is the most challenging aspect of identity security. For a generation, the industry learned how to manage it well for a small population – administrators inside the most security-sensitive organizations in the world. That was necessary. But it is no longer enough.
The moment has come to extend that same rigor to every identity, because every identity today carries the power to move the business, or enable an attacker. That is the journey Idira takes us on. From privilege controls for administrators, to privilege controls for every identity.
Attackers Are Not Breaking In. They Are Logging In.
For most of the last two decades, identity security was built on a comfortable assumption: One can maintain a firm divide between a small number of powerful administrators and a much larger number of ordinary users; that is enough to secure the organization. That assumption no longer holds.
Our Chairman and CEO, Nikesh Arora, calls it the “IAM fallacy,” and the data in the 2026 Identity Security Landscape Report makes clear why it is time to retire this assumption.
Machine identities now outnumber humans by 109 to 1. Of those, 79 are AI agents.
91% of organizations already run autonomous agents in production.
90% of organizations suffered an identity-related breach in the past 12 months. 83% of organizations suffered two or more incidents.
The old model is not failing because identity became less important. It is failing because identity and privilege became universal and ubiquitous.
Every major breach I have studied over the last two years follows the same pattern. An attacker steals a credential. They move laterally using standing access that should have expired. They escalate privilege. They reach the data, the infrastructure or the business systems they came for: Okta, MGM, Microsoft. Different industries. Different scales. The same pattern.
One overprivileged identity unlocks the entire enterprise.
And when defenders have a chance to respond, they are already behind and disadvantaged. 97% of practitioners tell us that fragmented tools add 12 hours to every identity incident response time. All while Unit 42® has observed the fastest attackers move from a first foothold to exfiltration in as little as 72 minutes.
Identity is now the enterprise perimeter. And the perimeter was built for a threat model that no longer exists.
Every Identity Is Privileged — Idira’s First Fundamental Principle
The premise of Idira is simple. Every identity in your organization is privileged.
Every login, every token, every service account, every workload, every AI agent can trigger a workflow, call an API, or reach sensitive data. Some can create and destroy infrastructures, direct organizational spend, or create new identities. Privilege is no longer reserved for a small class of administrators. It is distributed across the enterprise, quietly and continuously, every second of the day.
The controls that protect privilege cannot be reserved for the few, either.
Idira changes three things from day one.
First, We Discover
Idira continuously finds every identity, every entitlement and every access path across your entire environment: humans, machines, workloads, secrets, certificates and AI agents everywhere – on the network, in the cloud, on servers and endpoints, in the browser. If someone or something can authenticate, Idira knows it is there, knows what it can reach, and evaluates how much of that access is actually necessary.
Second, We Control
Idira replaces static, always-on accounts attackers rely on with dynamic privileges that exist only in the moment of use. Zero standing privilege moves from aspiration to default, and it applies equally to the administrator logging into production, the developer deploying code, and the AI agent calling a tool. This is the shift to identity-centric active security.
Third, We Govern
Idira automates the identity lifecycle end-to-end. Governance stops being a quarterly compliance exercise and becomes a continuous enforcement loop. The 12-hour fragmentation tax closes.
This is what I mean when I say we are democratizing privilege controls. We are not loosening them. We are extending the strongest privilege controls the industry has ever built to every identity that now carries the weight of the business, without penalizing these identities for the powers they carry.
Already Better Together
Idira is not launching into an empty runway. We have been executing against this roadmap since the day we joined Palo Alto Networks, and the early results give us real confidence in what comes next.
Earlier this year at the RSA Conference, we launched Next-Generation Trust Security (NGTS), the first network-native platform to automate certificate lifecycle management and accelerate post-quantum readiness. That matters because 71% of organizations have not yet automated certificate renewal. As public TLS lifetimes compress to 47 days and manual workloads multiply, that gap becomes more than an operational burden. It becomes a business continuity risk.
NGTS closes it in the network itself.
As one of the core platforms of Palo Alto Networks along with Strata® and Cortex®, Idira is providing deep identity integrations across the entire portfolio to enhance platform value for customers. Prisma® Browser delivers privileged access directly in the place where enterprise users work. Prisma AIRS 3.0 natively integrates with Idira to extend deep identity security and privilege controls to AI agents. Cortex will receive first-party identity signals to sharpen detection and take automatic identity- and privilege-driven response actions when indicators of compromise are detected.
Customers are already seeing the impact. Northern Trust improved password compliance by 137 percent. Panasonic Information Systems rebuilt its security operations around identity. Healthfirst grounded its zero trust program in identity-first controls. PDS Health secured clinical access for more than 900 practices. They had different problems with the same answer.
Different challenges. One answer. One platform. Consistent privilege controls applied to every identity that matters.
AI Makes This Urgent. AI Makes This Possible.
AI has changed the speed, scale and economics of identity risk.
Frontier models have crossed a threshold. Anthropic's Claude Mythos Preview has already identified thousands of zero-day vulnerabilities across the operating systems and browsers that businesses rely on every day. Every exposed secret, every standing admin path, every forgotten service account can now be discovered, validated and weaponized faster than most security teams can respond. 55% of the decision-makers in our 2026 survey named AI-enabled threats as their top identity concern.
If frontier models are rewriting the economics of attack, the only credible response is to rewrite the economics of defense with the same technology.
Idira is how we do that in identity. AI is built into the platform to surface hidden entitlements, identify risky access combinations, recommend the least privilege automatically, and drive surgical remediation. That same intelligence lets attackers find the weakest link in 72 minutes and helps defenders close it in seconds.
When code cannot be patched fast enough, identity becomes the control plane that can still adapt at machine speed.
Same Mission, Stronger Together
For more than two decades, the pioneers of privileged access have management-built controls trusted to safeguard the world's most critical environments. That mission created a category and earned the trust that made today possible.
Idira carries that mission forward and expands it to match the scale of the problem we now face.
This is the first wave, not the last. The roadmap extends privilege controls to workforce identity, advances machine and agentic identity security, and unifies a fragmented market into one platform. We are building it in the open, shaped by the customers in the room with us at IMPACT and by the realities they face every day.
The future of identity security will not be defined by access alone. It will be defined by control. See what Idira is built to deliver.
Forward-Looking Statements
This blog contains forward-looking statements that involve risks, uncertainties and assumptions, including, without limitation, statements regarding the benefits, impact, or performance or potential benefits, impact or performance of our products and technologies or future products and technologies. Any unreleased services, integrations or features (and any services or features not generally available to customers) referenced in this or other press releases or public statements are not currently available (or are not yet generally available to customers) and may not be delivered when expected or at all. Customers who purchase Palo Alto Networks applications should make their purchase decisions based on services and features currently generally available.
For the last several months, we have had early, unbounded access to the latest frontier AI models. What we’ve seen from that vantage point has made it clear that the window for organizations to get ahead of what’s coming is shorter than most leaders realize.
We have moved past the era of incremental AI improvements into a threat landscape shift. Our testing has revealed a step-change in capability that demonstrates an intuitive understanding of software vulnerabilities. This is more than faster code generation, it is a shift from AI as an assistant to AI as an autonomous agent capable of discovering and chaining flaws at a scale that most defenders aren’t prepared for.
These capabilities will not stay confined to controlled environments for long. When Mythos first launched, we predicted a six-month window before attackers gained access. We now believe that timeline has accelerated significantly.
To meet this inflection point, defense must operate at the speed of the adversary. That is why Palo Alto Networks has introduced Frontier AI Defense. This initiative unites our AI-native security platforms with Unit 42® consulting and threat expertise with strategic partners to deliver continuous protection, prioritized risk mitigation and autonomous remediation.
What the Threat Looks Like Now
The latest frontier models, including OpenAI’s GPT-5.5-Cyber, Anthropic’s Mythos and Claude Opus 4.7, and the specialized variants emerging across major labs, represent roughly a 50% improvement in coding efficiency over their predecessors. That number sounds incremental, but in practice, it’s the threshold at which AI crosses from a helpful assistant into an autonomous operator.
Based on our testing and review, we found four key developments that, taken together, redefine the modern threat landscape:
Vulnerability Discovery at Scale: Frontier AI is exceptionally effective at identifying vulnerabilities across massive, complex codebases. In our testing, three weeks of model-assisted analysis matched a full year of manual penetration testing, with broader coverage.
Exploit Chaining & Synthesis: What is more consequential than individual discovery is the models’ ability to think like an attacker. They link multiple lower-severity issues into single, critical exploit paths, seeing full-stack logic, including SaaS and public-facing surfaces, in ways traditional scanners cannot.
Attack Cycle Compression: In AI-assisted scenarios, the time from initial access to exfiltration has collapsed to as little as 25 minutes. Detection and response measured in hours is no longer a viable standard; single-digit MTTR (Mean Time to Respond) is the new floor.
The Unsupervised Attack Surface: Rapid AI development and decentralized innovation are creating a massive, unsupervised attack surface in real-time. As local AI agents become commonplace, every desktop is now effectively a server, yet most organizations lack visibility into the code their own employees are generating and deploying.
Our Approach
These emerging threats form the foundation of how we have architected our platform response for the agentic era – Frontier AI Defense. Our approach moves beyond traditional, reactive defense to provide a comprehensive framework built to outpace frontier-AI-enabled attackers. This initiative is defined by:
Advanced Access: We leverage early access to frontier AI models to harden defenses and simulate attacks before they reach the mainstream.
Intelligence-Led Resilience: Unit 42 experts leverage frontier AI to fast-track discovery and remediation of exposures at machine speed through our Unit 42 Frontier AI Defense service.
Unified Global Ecosystem: We provide the scale required for global protection through our Frontier AI Alliance of elite partners, including Accenture, Armadin, Deloitte, IBM, NTT DATA, and PwC.
Machine Speed Security: By natively integrating Frontier AI across our platforms, we deliver the automated, real-time defense necessary to counter autonomous threats.
The Window Is Open. It Won’t Be for Long.
The capabilities we tested under early-access conditions are expected to become widely available over the next several months. Success in this new environment requires adapting your cybersecurity stack before these tools are in the hands of every adversary.
The threat has never been more sophisticated. The window to prepare for this shift is closing. And we're here to help secure your future at the edge of the frontier.
Every AI system you deploy is a potential attack surface. Models and agents can carry embedded backdoors, malicious operators or compromised dependencies. Once running, these artifacts can exfiltrate sensitive data or execute unauthorized code, creating persistent vulnerabilities within the enterprise perimeter. Organizations running AI workloads on Nutanix need security that catches these threats before they reach production.
Nutanix and Palo Alto Networks are excited to announce a purpose-built integration between the Nutanix Enterprise AI and Palo Alto Networks Prisma AIRS® advanced security capabilities, specifically focusing on AI Model Security and AI Red Teaming. This partnership directly addresses the critical need for a secure-by-design approach to AI development, giving customers the confidence to accelerate their AI journey.
Seamless Security Integration on the Nutanix Enterprise AI Platform
The Nutanix Enterprise AI platform provides a unified, scalable and secure foundation for the entire AI lifecycle: from data preparation and model fine-tuning to deployment and management. By integrating cutting-edge AI security tools by Palo Alto Networks directly into this workflow, we enable security checks to become an intrinsic part of the AIOps pipeline.
Prisma AIRS integration user flow.
Scanning AI Models for Comprehensive Vulnerability Detection
The Prisma AIRS AI Model Security solution introduces sophisticated model scanning capabilities that are essential for preemptively identifying and mitigating risks.
Prisma AIRS Model Security Integration: Automatically scans AI models (e.g., during check-in to a model registry on the Nutanix Enterprise AI platform) for inherent vulnerabilities, policy violations and malicious code. This provides Proactive Risk Mitigation by detecting malicious or vulnerable model artifacts before deployment, helping prevent zero-day exploits and potential data leakage caused by compromised models.
Dependency Analysis: Examines all open-source libraries and dependencies used in the model environment for known vulnerabilities and license compliance issues. This enables Supply Chain Security, eliminating risks introduced by third-party components throughout the entire AI deployment lifecycle.
Model Supply Chain Threats: The system addresses malicious model artifacts, including deserialization exploits, embedded backdoors, unsafe file formats, unauthorized code execution, untrusted sources and noncompliant licenses. This enables Model Integrity and Governance by validating model safety, provenance, approved formats, license compliance and detecting hidden execution paths before deployment.
AI Red Teaming Your AI Systems for Adversarial Resilience
AI Model Security addresses known issues, but the malicious actors of tomorrow are developing new ways to exploit AI systems. This is where the power of Prisma AIRS AI Red Teaming by Palo Alto Networks comes into play, creating a crucial layer of proactive testing against adversarial attempts. AI Red Teaming involves simulating sophisticated attacks against the AI application’s behavior to test its resilience under attack.
Continuous AI assessment: Onboard an LLM model, application and agent, then start scanning in less than 10 minutes. Use documented APIs to integrate into CI/CD pipelines to trigger automated red teaming whenever versions are updated. Connect AI endpoints securely via an outbound web socket channel to eliminate the need for routing changes, while maintaining the option for IP allowlisting, if preferred. Your team controls access. This reduces technical setup overheads and empowers you to keep your assessment current.
Contextual Vulnerability Insights: Prisma AIRS profiles your LLM model, application or agent and informs the Red Teaming Agent to design relevant attack objectives. The Red Teaming Agent is trained on over 50 techniques and simulates attack prompts to achieve those objectives. This reduces noise and lets you focus on actual business relevant risk.
Comprehensive Threat Coverage: Prisma AIRS uses a library of over 750 attacks to evaluate your defensibility. Both the library and the red teaming agent are updated and trained on a constant basis to keep up with the AI threat landscape. This stress tests your AI system thoroughly, so your system is defensible to known and unknown threats.
Unified Security Dashboard for AI Model Security and AI Red Teaming being made available in Nutanix Enterprise AI.
Securing the Future of Enterprise AI — The Nutanix and Palo Alto Networks Integration
This integration between the scalable, high-performing Nutanix Enterprise AI platform and the advanced security intelligence of Palo Alto Networks offers measurable value to AI-driven organizations:
Accelerated Time-to-Trust – By automating critical security checks as part of the MLOps process on the Nutanix Enterprise AI platform, teams can deploy models faster, knowing they have been rigorously vetted by a leading security partner.
Simplified Compliance and Governance – The joint solution provides a verifiable record of security testing (scanning and red teaming), making it simpler to demonstrate adherence to internal governance standards and external regulatory mandates.
End-to-End AI Security Posture – Customers gain a holistic view of security, from the unified AI infrastructure layer managed by Nutanix, to the network security enforced by Palo Alto Networks. This visibility now extends critically into the AI models themselves, completing the security posture by unlocking controlled access to vendor models, so protection is enforced seamlessly.
Cost and Resource Efficiency – Integrating security tools within the existing AI platform streamlines workflows. Data Scientists and ML Engineers can trigger red teaming simulations and scanning directly within their familiar Nutanix environments, reducing the need for dedicated, siloed security teams to manually test every model.
The partnership between Nutanix and Palo Alto Networks is a commitment to building a more secure future for enterprise AI. With this integration, you can bring LLM models into your environment without fear. Malicious code and hidden backdoors are blocked before they ever reach you. Your endpoints stay continuously protected, with coverage across over 50 attack techniques and the contextual risks that come with agentic AI. When you're evaluating a model or an endpoint, the risk picture is right there inside NAI – no context-switching, no guesswork. And a custom security dashboard gives you a single place to see where you stand. The result is AI you can actually trust at the core of your lifecycle, so your teams can build faster without trading off security for speed.
Key Takeaways
A "Secure-by-Design" AI Pipeline: The partnership between Nutanix and Palo Alto Networks is a commitment to building a more secure future for enterprise AI. The integration enables advanced level AI security in AIOps workflow. By embedding Prisma AIRS directly into the Nutanix Enterprise AI platform, organizations can automate model scanning and vulnerability detection during the initial check-in phase, authorizing only validated, secure models to reach production.
Proactive Defense via AI Model Security and AI Red Teaming: The solution provides a dual-layer defense: AI Model Security preemptively blocks hidden backdoors, malicious code and supply chain threats in third-party artifacts, while AI Red Teaming uses autonomous agents for contextual discovery to generate new attack scenarios and have over 750 sophisticated adversarial attack scenarios. This enables resilience against both known vulnerabilities and emerging zero-day AI exploits.
Unified Governance and Operational Efficiency: The partnership consolidates security and visibility into a single custom dashboard within the Nutanix environment. This unified view allows Security and AI teams to manage risk while having continuous assessments and compliance records significantly accelerating the time to trust.
Next Steps
For more information, visit the Palo Alto Networks partner directory or contact your local sales representatives to learn more about a trial run.
To deliver this critical edge, our Unit 42 Frontier AI Defense will now leverage Anthropic’s Claude Security, powered by Opus 4.7. By integrating one of the world’s most advanced AI models, we are empowering our customers to outpace automated threats. Through Frontier AI Defense, organizations can rapidly assess their security posture, remediate vulnerabilities and harden their infrastructure against next-generation, AI-driven attacks.
We are utilizing Claude Security’s deep technical reasoning to enable our customers to find and fix vulnerabilities with unprecedented speed. This includes:
AI-Driven Exposure Analysis – Identifying complex exploit chains that turn minor findings into critical risks.
Scalable Application Analysis – Performing deep-stack code reviews at a scale and depth previously unavailable.
Agentic Defense – Powering autonomous workflows that detect and remediate threats at machine speed, backed by human oversight.
Palo Alto Networks is also participating in Anthropic's Cyber Verification Program, which credentials security teams for legitimate defensive use of frontier models.
The threat timeline is accelerating. Within months, AI-driven attack capabilities will become a standard fixture of the threat landscape. Palo Alto Networks is dedicated to ensuring our global customers are equipped with the modern frontier AI models necessary to stay secure both today and tomorrow.
Frontier AI is changing what is possible for attackers. To meet this escalating threat, Palo Alto Networks is teaming up with Armadin, the new offensive security company founded by Kevin Mandia. This partnership expands our newly introduced Unit 42 Frontier AI Defense service, scaling our ability to identify and remediate AI-driven exposures, and accelerating protection across the enterprise.
Over the past few weeks, we’ve spoken with hundreds of CISOs who universally feel the urgency on the frontlines. Security leaders need to know exactly where they stand against the AI-driven attacks happening right now, and the ones coming in the next six months.
Expanding Frontier AI Defense — The External AI Hyperattack Assessment
For organizations seeking to actively pressure-test their perimeter, this partnership introduces an autonomous, AI-driven offensive assessment of your external attack surface.
This added layer identifies real attack paths and proves exploitability across internet-facing assets. The platform begins with passive discovery, validating publicly exposed assets, cloud resources and secrets. Next, Armadin deploys a coordinated swarm of autonomous AI attack agents, operating at machine speed across your external footprint.
These agents execute active reconnaissance, launch attacks and exploit vulnerabilities in parallel, using over 50,000 templates. Upon initial access, the swarm simulates post-exploitation behavior to demonstrate impact, logging every attack chain as decision-grade evidence of exploitable risk.
Decision-Grade Proof of Exploitable Risk
With this added layer of autonomous simulation, Unit 42 Frontier AI Defense provides an even more rigorous, pressure-tested view of an organization's external attack surface. This allows our experts to accurately simulate the tradecraft of the most capable, AI-equipped threat actors, compressing complex attack lifecycles from days into minutes.
AI may change what is possible for attackers, but in the hands of defenders, it becomes a decisive advantage. This partnership is another important step in making sure that advantage stays with the defenders.
A member of Project Glasswing and OpenAI’s Trusted Access for Cyber (TAC) program, Palo Alto Networks remains the only company equipped to deliver this strategic level of partnership through Unit 42 Frontier AI Defense and the Frontier AI Alliance, driven to integrate cutting-edge technologies into our products and services.
Palo Alto Networks Completes Acquisition of Portkey
We are pleased to announce that Palo Alto Networks has officially completed the acquisition of Portkey.
We are moving from vision to reality by integrating Portkey’s pioneering AI Gateway directly into the fabric of the Palo Alto Networks product portfolio. Prisma AIRS AI Gateway will provide a unified vantage point to secure and govern AI agents at scale, offering a mission-critical control plane to identify, authenticate and authorize every agentic interaction in real time.
We are delivering the industry’s most comprehensive security and unified control framework for the agentic enterprise, enabling our customers to scale autonomous AI workloads with complete confidence.
The era of the AI Enterprise has arrived. Today, 81% of enterprises are piloting the use of AI agents or have fully implemented AI agent solutions. We aren't just talking about smart chatbots. We are talking about autonomous agents that execute.
By leveraging APIs and MCP servers, these agents navigate complex workflows, access sensitive data and make real-time, business-critical decisions. The question is no longer if companies will adopt AI agents, but how to securely operationalize them without putting the brakes on innovation.
The Challenge: Expanding Attack Surfaces
AI agents are creating a new and largely invisible attack surface. The risk is not just their independence, but the lack of visibility and accountability. Without a centralized enforcement layer for operational and security controls, every team that deploys an agent may unintentionally expose the enterprise to unauthorized data access and heightened security risks.
To solve this, Palo Alto Networks is redefining security for the agentic era. We recently introduced Prisma AIRS 3.0, the industry’s first platform to secure the entire agentic AI lifecycle. Portkey's acquisition accelerates that momentum.
The Prisma AIRS AI Gateway: From Chaos to Control
Portkey's AI Gateway will be integrated into Prisma AIRS to deliver the unified control plane that enterprises need to operationalise and secure AI apps and agents at scale.
Moving from “chaos to control” requires a centralized approach to governance. Currently, many AI initiatives are hindered by fragmented security and a lack of oversight. The AI Gateway solves this by providing a unified vantage point where organizations can enforce consistent policies across all models and agents, ensuring every interaction is identified, authenticated and authorized in real time within a single governing framework.
The Prisma AIRS AI Gateway will establish a mission-critical control plane for the agentic enterprise, enabling teams to move autonomous workloads from development into at-scale production with confidence. With operational features like a unified API to LLMs, an agent registry, semantic routing and caching, the AI Gateway equips enterprises with complete control in one platform. By serving as a centralized enforcement point at the center of Prisma AIRS for all agent traffic, the AI Gateway will provide critical security functions, including Agent Artifact scanning, automated Red Teaming and Runtime Security needed to monitor behavior, route requests and mitigate risks in real time. Crucially, the AI Gateway will reinforce Agent Identity Security via Idira (formerly CyberArk), applying strict protocols to ensure every autonomous action is authenticated and governed by least-privilege controls.
Our vision is for the Prisma AIRS AI Gateway to serve as the industry blueprint for enterprises in the agentic era. By making security a foundational component of the operational lifecycle, we are empowering enterprises to build and govern an AI ecosystem that is secure by design.
Why Portkey? The Pioneer in AI Gateways
Battle-Tested: Portkey’s AI Gateway is already supporting the demands of the modern enterprise, at scale, with several Fortune 500 customers, processing trillions of tokens per month with the low latency that is required for agent-to-agent communication. This ensures that agentic security does not come at the cost of developer speed or application performance.
Architectural Simplicity: Portkey offers plug-and-play capabilities with just three lines of code required to implement the AI Gateway. The AI Gateway, powered by unified APIs, also provides secure access to over 3,000 LLMs, MCP servers and agents, giving enterprises a flying start to building and executing with AI agents.
Better Together: Palo Alto Networks and Portkey’s joint vision is to make Prisma AIRS the most ubiquitous platform for AI security. With exceptional AI security by Palo Alto Networks combined with Portkey’s AI Gateway, we will offer a comprehensive AI Security platform.
What’s Next?
The era of AI Enterprises is here. We’re making sure it is secure by design. The complexity of managing agents and securing them has long created friction in enterprises. With the integration of Portkey into Prisma AIRS, we will remove the trade-off between agent autonomy and authority. We are ensuring that as businesses accelerate into the era of autonomous agents, the security architecture isn’t just keeping up, it is setting the pace.
This blog contains forward-looking statements that involve risks, uncertainties, and assumptions, including, but not limited to, statements regarding the anticipated benefits and impact of the acquisition of Portkey on Palo Alto Networks, Portkey and their customers. There are a significant number of factors that could cause actual results to differ materially from statements made in this blog, including, but not limited to: risks related to disruption of management time from ongoing business operations due to the acquisition and the integration of Portkey and other recent acquisitions; our ability to effectively operate Portkey's operations and business, integrate Portkey’s business and products into our products, and realize the anticipated synergies in the transaction in a timely manner or at all; changes in the fair value of our contingent consideration liability associated with acquisitions; developments and changes in general market, political, economic and business conditions; failure of our platformization product offerings; risks associated with managing our growth; risks associated with new product, subscription and support offerings; shifts in priorities or delays in the development or release of new product or subscription or other offerings or the failure to timely develop and achieve market acceptance of new products and subscriptions, as well as existing products, subscriptions and support offerings; failure of our product offerings or business strategies in general; defects, errors, or vulnerabilities in our products, subscriptions or support offerings; our customers’ purchasing decisions and the length of sales cycles; our ability to attract and retain new customers; developments and changes in general market, political, economic, and business conditions; our competition; our ability to acquire and integrate other companies, products, or technologies in a successful manner; our debt repayment obligations; and our share repurchase program, which may not be fully consummated or enhance shareholder value, and any share repurchases which could affect the price of our common stock.
Additional risks and uncertainties that could affect our financial results are included under the captions "Risk Factors" and "Management's Discussion and Analysis of Financial Condition and Results of Operations" in our Quarterly Report on Form 10-Q filed with the SEC on February 18, 2026, which is available on our website at investors.paloaltonetworks.com and on the SEC's website at www.sec.gov. Additional information will also be set forth in other filings that we make with the SEC from time to time. All forward-looking statements in this blog are based on information available to us as of the date hereof, and we do not assume any obligation to update the forward-looking statements provided to reflect events that occur or circumstances that exist after the date on which they were made.
Expand Strategic Collaboration to Secure the AI Enterprise
The transition from generative AI to agentic AI represents one of the most significant shifts in the history of enterprise technology. As organizations move from simple chatbots to autonomous agents that can execute business processes, the attack surface isn't just changing, it's exploding.
At Google Cloud Next 2026 in Las Vegas, Palo Alto Networks is proud to announce a series of groundbreaking integrations with Google Cloud. These innovations are designed to do more than just monitor the new AI-driven landscape; they are built to secure it by design. AI deployment is currently outpacing AI governance. By embedding our security platform into Google Cloud’s infrastructure, we are giving today’s enterprises the foundation to become the autonomous organizations of tomorrow.
Here is a look at the four major milestones of our partnership being unveiled this week.
Secure AI Agents with Google Cloud + Prisma AIRS
As autonomous AI agents become the new enterprise standard, security can no longer be an afterthought; it must be architectural. By integrating Prisma AIRS™ natively with Google Cloud Gemini Enterprise Agent Platform, we provide the proactive defenses required to govern complex agentic workflows. This integration ensures that as you scale your autonomous workforce, your security scales with it, providing comprehensive operational integrity without hindering the speed of innovation.
We are delivering capabilities across three critical pillars:
Protecting Agent-Specific Runtime Risks: In an agentic ecosystem, the primary risk is unauthorized or a destructive action taken by the AI agents themselves. Prisma AIRS secures the "agent-to-tool" interface, preventing poisoned context from triggering malicious scripts or destructive actions. The solution monitors agent execution in real-time, so agents cannot leak sensitive credentials or tool schemas, maintaining the boundary between agents and their access to enterprise data.
Securing the GenAI Application Surface: Modern AI applications and agents require a secure-by-design approach. Prisma AIRS AI Runtime Security™ provides prevention of more than 30 adversarial prompt injection and jailbreak techniques, as well as malicious code and URLs within LLM outputs. Prisma AIRS utilizes over 1,000 predefined patterns out of the box and ML-powered Enterprise DLP to stop sensitive data leakage.
Enforcing Enterprise AI Safety and Grounding: Trust in AI is built on the consistency and safety of its output. Prisma AIRS allows organizations to define safety policies in natural language and filter toxic content across eight distinct categories to protect brand reputation. Using contextual grounding, Prisma AIRS can prevent misleading outputs that contradict internal RAG data, keeping agents tied to real facts.
This integration ensures that as you scale your autonomous workforce, your security posture scales with it, providing operational integrity without hindering the speed of innovation.
Security-as-Code for Prisma AIRS Integration with Application Design Center (ADC)
The traditional bolt-on approach to security is no longer viable in a cloud-first world. Google Cloud’s Application Design Center (ADC) is revolutionizing how applications are built, using an intuitive canvas and natural language via Gemini Code Assist.
Palo Alto Networks is announcing that it will be published as a template within the Application Design Center, providing more capabilities to engineering teams:
Drag-and-Drop Security – Visually "snap" VM-Series firewalls and Prisma AIRS AI protections directly into network flows.
AI-Driven Architecture – Use natural language prompts to generate secure-by-default, multiregion architectures.
Simultaneous Deployment – Deploy entire application stacks and security services in a single, unified workflow, ensuring protection is present from the very first minute of deployment.
Zero-Day Protection at Scale with Advanced Malware Sandboxing for Google Cloud NGFW Enterprise
The battle against malware has shifted to the cloud. Modern attacks are faster, more evasive and capable of bypassing traditional defenses.
That is why we are excited to announce Advanced WildFire®, powered by Palo Alto Networks, natively integrated into Google Cloud NGFW Enterprise, delivering AI-driven malware prevention directly within Google Cloud environments.
This integration embeds inline sandboxing and real-time threat intelligence directly into Google Cloud’s distributed firewall to stop advanced and unknown threats before they impact workloads, enabling:
Secure Detonation – Suspicious files are safely executed in a controlled sandbox environment to uncover hidden and unknown threats.
Inline Traffic Inspection – Inbound and outbound traffic is analyzed in real time to prevent lateral movement of malicious payloads across cloud environments.
AI-Driven Threat Prevention – Leverages global threat intelligence by Palo Alto Networks to block zero-day threats before they compromise workloads.
With Advanced WildFire embedded directly into Google Cloud NGFW Enterprise, organizations can extend consistent protection across their cloud infrastructure while maintaining operational simplicity.
Cloud NGFW Enterprise Advanced Malware Sandboxing will be available in Public Preview soon.
Defining the Future with the Google Cloud Marketplace
Palo Alto Networks has joined the Google Cloud Marketplace Agent-as-a-Service as a launch partner to introduce the Prisma AIRS Model Security agent. Operating as an Agent-as-a-Service, this solution scans AI models for vulnerabilities and policy noncompliance before they reach production.
Available in the Agent Gallery inside Gemini Enterprise, this marketplace offering runs entirely within the customer’s own Google Cloud environment, providing both new and existing Prisma AIRS users a seamless and simple deployment experience inside Gemini Enterprise.
Securing AI Innovation at Scale
The collaboration between Palo Alto Networks and Google Cloud is built on a shared vision: Security should be an accelerator for innovation, not a bottleneck. As we look toward the future of the AI-powered enterprise, our commitment remains to provide the most robust, platform-driven security for every workload, every agent and every interaction.
Want to see these integrations in action? Contact your Palo Alto Networks representative to learn more about how we are securing the future of the cloud together. If you’re attending Google Cloud Next 2026, join us at these sponsored sessions: