Palo Alto Networks and AT&T - Delivering Quantum-Resilient SASE Fabric

Jul 16, 2026
7 minutes

By Yogesh Ranade from Palo Alto Networks, and Senthil Ramakrishnan from AT&T

The digital world is currently navigating a dual-speed revolution. Acceleration of AI and hyperconnectivity is unlocking unprecedented economic value. The silent but rapid progress of quantum computing is fundamentally threatening the cryptographic foundation upon which that value is built.

As leaders in global networking and cybersecurity, Palo Alto Networks and AT&T Business launched Secure Connectivity solutions for Business Customers. We recognize that quantum-readiness is no longer a distant milestone; it is now a strategic imperative. With threatening data longevity and Trust Now, Forge Later targeting digital identities, the risks are already looming. 

By integrating Prisma SD-WAN’s cryptographic innovation with AT&T’s global network, Palo Alto Networks and AT&T Business are proud to deliver the Quantum-Resilient SASE Fabric.

The Quantum Shift Towards Building Resilience for Tomorrow’s Reality

For over 30 years, the difficulty of mathematics has been our primary defense. Classical algorithms, like RSA and Diffie-Hellman, provided the shield for our global economy because they were computationally impossible for classical machines to solve. However, quantum computing fundamentally changes this landscape by providing an exponential speed-up. By leveraging Shor’s Algorithm, quantum computers can break these classical cryptographic foundations, turning a decryption process that would take a classic supercomputer millennia into a task of mere hours.

Neutralizing the Quantum Crisis

Palo Alto Networks is embedding Post-Quantum Cryptography (PQC) as a native pillar of the Prisma SASE fabric. We are moving beyond the forklift-upgrade model to a software-defined, standards-based foundation, which is built on strict separation of management and data plane components:

  • Universal Control Plane Hardening (TLS 1.3): We have transitioned all control plane traffic to TLS 1.3 (Transport Layer Security 1.3), the global gold standard for Internet encryption. This secures the "brain" of the network (where routing configurations and security policies are managed), making it immune to quantum-enabled impersonation and credential theft.
  • PQC-Hardened Data Plane (IETF Standards): We are operationalizing PQC across the entire fabric by adopting official standards published by the Internet Engineering Task Force (IETF), specifically RFC 9370, 9242, and 8784. In plain terms, these standards allow us to use "hybrid key exchanges." This means we wrap your data in two layers of protection at once: a classical mathematical shield for immediate compatibility, and a quantum-resistant shield to protect against future decryption threats, all without causing packet fragmentation or network slowdowns.
  • Logs and Telemetry Plane: All network telemetry and metadata (the automated operational logs and traffic pattern data generated by the network, rather than the actual content of your business files) are encrypted in transit via TLS 1.3. This architecture guarantees that even this secondary network metadata is geofenced to your chosen region with no cross-region aggregation, satisfying the most stringent data residency mandates.
  • Crypto-Agility as a Standard: "Crypto-agility" is natively built into our systems, which means the software is designed to adopt new mathematical algorithms. As the National Institute of Standards and Technology (NIST) refines its guidelines, our systems can be upgraded seamlessly via simple, automated cloud updates without requiring expensive hardware replacements to ensure our customers’ security posture.
  • Secure Boot Support: Palo Alto Networks Prisma SD-WAN ION hardware supports Secure Boot to ensure that only cryptographically signed bootloaders, kernels, and trusted applications are executed during the boot process. This establishes a chain of trust from the BIOS firmware to the operating system, preventing the execution of unauthorized or tampered software. ION hardware appliances ship with an integrated, dedicated Trusted Platform Module (TPM), which provides hardware-level root-of-trust by securely storing cryptographic keys, certificates, and sensitive data to prevent unauthorized physical tampering and ensure secure device authentication. The OS/software layers use PQC algorithms to negotiate and secure the management, control plane and data plane tunnels. This ensures quantum readiness without requiring an immediate, widespread rip-and-replace of physical branch hardware.

The AT&T Perspective Views Security at Global Scale

From the perspective of a global leader like AT&T, PQC is an operational mandate. Providing connectivity to the world’s most regulated industries means that security cannot be bolted on. Security must be an inherent property of the transport layer and the connectivity infrastructure itself.

Turning Complexity into a Strategic Advantage

Managing a global footprint that spans across 5G, fiber, and legacy underlays requires an institutional expertise that few can match. For AT&T, the move to a more secure quantum-ready fabric with Dynamic Defense is about providing security where it matters most: the network. Our customers shouldn't have to worry about whether their data is traveling over an MPLS circuit or the public internet.

Through this collaboration, AT&T expands the delivery of Dynamic Defense:

  • Cross-Underlay Consistency: We enable PQC protection to be applied uniformly across all transport mediums, eliminating the "weak links" that often exist in hybrid environments where data moves between private and public circuits.
  • Automated PQC Policy Orchestration: New branch locations are seamlessly integrated into the quantum-ready fabric through automated policy distribution. The moment a device is activated via zero touch provisioning, the branch is enabled to be protected against HNDL threats from the first packet without requiring manual site-by-site intervention.
  • Compliance: With mandates like NIS2/DORA in Europe and NORA/CNSA 2.0 in the U.S., our clients face a closing window for compliance. AT&T provides the verifiable chain of trust required to prove "Quantum Readiness" across the entire circuit path, ensuring your fabric is audit-ready and compliant with global standards.

The Power of the Post-Quantum Secure Fabric

The true value of this relationship lies in the synergy between the network and the security stack. By combining our strengths, we have built a solution that is significantly more resilient than the sum of its parts.

The SPI Advantage Is Performance Without Compromise

Through Service Provider Interconnect (SPI), Palo Alto Networks' security platforms natively integrate with AT&T’s private network core to deliver a seamless quantum-safe on-ramp. This means business traffic can connect directly to a secure AT&T network without having to build slow, complex software tunnels over the public internet, preserving high performance while delivering next-generation encryption. Historically, high-level encryption meant a "performance tax" on latency and throughput. Our combined architecture allows quantum-safe traffic to flow over AT&T’s network backbone, enabling organizations to modernize their security without sacrificing the user experience.

Securing the Decentralized Perimeter (The Branch as the Edge)

In today’s highly distributed business landscape, the traditional corporate "headquarters" is no longer the center of gravity. The network perimeter has shifted to the branch (decentralized edge locations like retail storefronts, remote clinics, regional bank offices, and warehouse hubs) and the individual 5G-connected devices employees use. Securing these remote, local edge points is critical because they represent the primary gateway where sensitive company data first enters the network. 

By utilizing AT&T’s leadership in WAN, 5G and cellular technologies, we leverage Hybrid Public Key Infrastructure (PKI) to secure these edge locations. Hybrid PKI is a digital identity framework that issues dual security credentials to every device: one "classical" identity to ensure compatibility with existing networks today, and one "quantum-resistant" identity. This double-verification guarantees that a cellular-connected remote branch or a mobile site is just as immune to quantum decryption or identity spoofing as a fortified corporate data center.

The Path Forward Is a Vision for Long-Term Trust

The transition to a quantum-ready future is a marathon, not a sprint, and the first steps must be taken now. Palo Alto Networks and AT&T Business are offering a clear, practical path to quantum resilience.

We are delivering more than a simple software update as we prepare customers for the next generation of digital commerce. Together, we are designing our network to help ensure the data of today remains protected against the threats of tomorrow, securing the digital integrity of every enterprise we serve.

As we redefine the boundaries of security in connectivity, we invite you to join us in helping secure your organization’s digital future. Contact your or Palo Alto Networks account representative today to begin a strategic Quantum-Readiness Assessment and experience the power of the Quantum-Resilient SASE Fabric.


Subscribe to the Blog!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.