* [Blog](https://www.paloaltonetworks.com/blog)
* [Cloud Security](https://www.paloaltonetworks.com/blog/cloud-security/)
* [Data Security](https://www.paloaltonetworks.com/blog/category/data-security/)
* Are Cloud Serverless Func...

# Are Cloud Serverless Functions Exposing Your Data?

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fsecure-access-cloud-serverless-functions%2F)  
[](https://twitter.com/share?text=Are+Cloud+Serverless+Functions+Exposing+Your+Data%3F&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fsecure-access-cloud-serverless-functions%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com%2Fblog%2Fcloud-security%2Fsecure-access-cloud-serverless-functions%2F&title=Are+Cloud+Serverless+Functions+Exposing+Your+Data%3F&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com/blog/cloud-security/secure-access-cloud-serverless-functions/&ts=markdown)  
\[\](mailto:?subject=Are Cloud Serverless Functions Exposing Your Data?)  
Link copied  
By [Golan Myers](https://www.paloaltonetworks.com/blog/author/golan-myers/?ts=markdown "Posts by Golan Myers")  
Jun 06, 2024  
12 minutes  
[Data Security](https://www.paloaltonetworks.com/blog/category/data-security/?ts=markdown)  
[Data Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/data-security-posture-management/?ts=markdown)  
[AWS](https://www.paloaltonetworks.com/blog/tag/aws/?ts=markdown)  
[Azure](https://www.paloaltonetworks.com/blog/tag/azure/?ts=markdown)  
[Cloud Research](https://www.paloaltonetworks.com/blog/tag/cloud-research/?ts=markdown)  
[GCP](https://www.paloaltonetworks.com/blog/tag/gcp/?ts=markdown)

More than 25% of all publicly accessible serverless functions have access to[sensitive data](https://www.paloaltonetworks.com/cyberpedia/sensitive-data?ts=markdown), as seen in internal research. The question then becomes, *Are* *cloud serverless functions exposing your data?* --- which is followed by *How can we assess them?*

## **Evaluating Public Access Across Cloud Providers**

Many architectural design questions arise when it comes to the use of serverless functions in cloud environments. In this blog post, we'll examine the question of public access, focusing on the main offerings of the three leading cloud providers --- AWS Lambda, Azure Functions and GCP Cloud Functions.

Already an expert? Just need a quick reference? Jump to the end of this post for a look at our cheat sheets.

* [AWS Cheat Sheet: Is my Lambda exposed?](#AWSCheatSheet)
* [Azure Cheat Sheet: Is my Function exposed?](#AzureCheatSheet)
* [GCP Cheat Sheet: Is my Cloud Function exposed?](#GCPCheatSheet)

Public access can be broken down into two segments:

* **Identity**: Lack of authentication and authorization enforcement on the function
* **Network**: Lack of network restriction and boundary enforcement on the function

Identity and network misconfigurations can impact the[security posture of serverless functions](https://www.paloaltonetworks.com/cyberpedia/what-is-serverless-security?ts=markdown) and increase the risk of security incidents and[data leaks](https://www.paloaltonetworks.com/cyberpedia/data-leak?ts=markdown).

## **Security Risks of Serverless as a Perimeter**

Choosing the right serverless offering entails operational and security considerations. Serverless functions are often targeted by adversaries looking to reach a company's data, and therefore can be considered a perimeter that requires appropriate security. Functions may hold a company's intellectual property (IP) and may interact with or even alter, company data stored at other locations (e.g., S3). As such, a security gap that enables an adversary to read, write or execute functions could lead to compromised data.

## **Real-Life Security Dilemma**

Let's look at the following scenario. You have a public website where customers can download a report of their past activity. You use a function with an HTTP trigger to fetch or compile, as well as to serve the file to the client. Should the function be public? Does the site force authentication that we might want to trickle down?

## **Public Function Considerations**

Is a function that you can reach via the public internet that requires a client certificate for interaction publicly available or does it simply lack network restrictions? What actions should we consider when it comes to public availability --- invoke/execute, read, write, or something else?

For a function to be publicly accessible, it must:

1. Be accessible from the public internet (i.e., publicly accessible network-wise)
2. Require no additional form of authentication (i.e., unauthenticated, anonymous access)

## **Potential Risks of Using Public Functions**

From the perspective of an adversary, what can be gained from public accessibility? Alternatively, what is the risk from the defender's perspective?

We can divide our focus into three sections based on the action type available:

* A publicly **invocable** function is contextual. It depends on what the function does --- the more sensitive the original use case for the function, the higher the risk.
* A publicly**writable** function offers a bit more room for imagination. Based on the function's permissions, we could use it to do our bidding. This requires an additional step --- waiting for its invocation.
* A publicly **readable** function could enable us to expose potentially sensitive information pertaining to the function and its related data, sometimes even obtaining the function's source code.

While the core aspects and considerations of all serverless offerings are similar, each cloud provider's offering has a different set of configurations. Therefore, we must look at them independently to truly understand the options.

## **Security Considerations for AWS Lambda Functions**

AWS' main serverless offering is Lambda functions. As mentioned above, we will examine two angles of public access --- network and identity. First, let's map out the different actions and permissions that might interest us and divide them into the following categories:

* **Invoke** :*lambda:InvokeFunctionUrl, lambda:InvokeFunction*
* **Write** : *lambda:DeleteFunctionUrlConfig, lambda:UpdateFunctionUrlConfig, lambda:UpdateFunctionCode, lambda:UpdateFunctionConfiguration, lambda:PutFunctionEventInvokeConfig, lambda:UpdateFunctionEventInvokeConfig*
* **Read** : *lambda:GetFunction, lambda:GetFunctionConfiguration, lambda:GetFunctionUrlConfig*

When made publicly available, these permissions can enable anyone to either read, write, or invoke (execute) the function. While the emphasis is usually placed on the public invocation of functions, reading the source code of a function or even changing it could be just as dangerous.

For example, an adversary who can change the source code of a function that they cannot invoke could replace the code with their own malicious code and wait for the next invocation, at which point the function would operate on their behalf.

Now that we have an idea of potentially dangerous actions, how do we determine whether they're publicly available?

### **Network in AWS**

The first aspect of public access is the network. Can you reach the function via the public internet? By default, the answer is yes, however, once the function is configured with access to a virtual public cloud (VPC) within your environment, the default changes. In such an environment, the function's network accessibility depends on the various networking configurations, such as access controls on the connected VPC or configured endpoints or gateways.

### **Identity in AWS**

The second aspect of public access is identity. Does the function require any authentication material or enforce any level of authorization? Consider the actions we discussed earlier. When the resource-based policy enables any principal to carry out an action on the function, the action can be considered public from the identity perspective. While this is true for most actions, when looking at the invocation of Lambdas through function URLs (dedicated HTTP endpoints) we must consider an additional layer of authentication.

![Example of a resource-based policy that allows an action publicly](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-1.png)
Figure 1: Example of a resource-based policy that allows an action publicly\[/caption\]\[/caption\]For function URLs, we can configure one of two authentication types (*lambda:FunctionUrlAuthType* ) --- **NONE** and **AWS\_IAM** .

When configuring a function URL with NONE, a resource-based policy is created that enables the principal to carry out *lambda:InvokeFunctionUrl action*on the function. This allows anyone to invoke the function (via the HTTP endpoint) without additional credential material.
![Resource-based policy created for a function URL configured with auth\_type NONE](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-2.png)
Figure 2: Resource-based policy created for a function URL configured with auth\_type NONE

If we specify any principal '\*' (everyone) when configuring a function with AWS\_IAM, anyone with a valid AWS token can invoke the function (via the HTTP endpoint). Since there are no restrictions regarding who can create an AWS account, we can also consider this public.
![Resource-based policy created for a function URL configured with auth\_type AWS\_IAM and principal](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-3.png)
Figure 3: Resource-based policy created for a function URL configured with auth\_type AWS\_IAM and principal

The following screenshots are examples of invocation requests to a Lambda configured with AWS\_IAM auth\_type with no network restrictions. Both requests are from the same AWS entity, which is external to the Lambda's account. During the first request, the principal in the resource-based policy is configured as a role within the Lambda's account.
![Request fails on principal restrictions](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/Screenshot-2024-06-06-084519.png)
Figure 4: Request fails on principal restrictions

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-4.png)
During the second request, the principal in the resource-based policy is configured as '\*' (everyone).

![Request succeeds after changing the principal to ‘\*’ (everyone)](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-5.png)
Figure 5: Request succeeds after changing the principal to '\*' (everyone)

## **Security Considerations for Azure Functions**

Azure Functions is Azure's main serverless offering. We will look at two angles of public access --- network and identity --- as we did when analyzing AWS Lambdas. Due to the way Azure Functions code is stored, writing or reading it for each Function requires a key, and as such, it can't be considered public. For that reason, we'll focus on the invoke/execute action.

### **Network in Azure**

When discussing the network availability of an Azure Function, there are multiple layers that we need to consider. Networking for Functions is done at the Function app level. First, there's the native "Public network access" configuration. Second, we must take into consideration Vnet integration (network injection) and private network endpoints.

Private endpoints and public network access are incompatible configurations (i.e., they cannot coexist). As such, if private endpoints are configured for the Function app, they cannot, by definition, be accessible via the public internet.

While Vnet integration applies to all outbound traffic (i.e., initiated by the Function) by default, it can be limited to route only private traffic through the Vnet. At that point, accessibility is determined by the Vnet's configurations, such as the applied network security groups (NSG). However, since the integration applies only to traffic initiated by the Function, it is slightly less relevant from a public invocation perspective.

### **Identity in Azure**

We have multiple options for the identity side of Azure Functions invocation. At the Function app level, we can enforce authentication using Entra ID or a variety of OAuth and OIDC-based identity providers (IdPs). At the individual Function level, we can enforce key-based authentication or no authentication at all (anonymous).

A publicly invocable Function (from the identity aspect) scenario occurs only when the Function app either has no authentication configured, or the "Allow unauthenticated access" option is enabled --- *and* the individual Function's authorization level is set to "Anonymous."

Setting the individual Function as anonymous is carried out during its creation.
![Setting “ANONYMOUS” during function creation](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-6.png)
Figure 6: Setting "ANONYMOUS" during function creation

We can also view the postcreation configuration in the code.
![Code snippet that updates authorization level](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/Screenshot-2024-06-06-084904.png)
Figure 7: Code snippet that updates authorization level

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-7.png)
Here's an example of an authentication configuration for a Function app that enables unauthenticated access:

![Reflected changes shown in azure portal](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/Screenshot-2024-06-06-085747.png)
Figure 8: Reflected changes shown in azure portal

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-8.png)
With the configurations shown above and given no network restrictions, anyone can invoke a Function publicly.

![Anonymous call from web interface.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-9.png)
Figure 9: Anonymous call from web interface.

## **Security Considerations for GCP Cloud Functions**

GCP Cloud Functions is GCP's main serverless offering. Just like we analyzed the previous two offerings, here we will examine network and identity to define public access. We'll look at the invocation in GCP Cloud Functions as we did with Azure Functions.

GCP offers two generations of Cloud Functions --- Gen 1 and Gen 2. Gen 2 is built on top of Cloud Run and adds efficiency and support for further events. As such, it benefits from Cloud Run's inherent security features, such as [sandboxing](https://www.paloaltonetworks.com/cyberpedia/sandboxing?ts=markdown) and the Function's containerization. In addition, each generation requires different permissions.

* Gen 1
  * *cloudfunctions.functions.invoke*
* Gen 2
  * *run.executions.cancel*
  * *run.jobs.run*
  * *run.routes.invoke*

### **Network in GCP**

GCP enables three default configuration options for networking: *allow all traffic,* *allow internal traffic only,* *allow internal traffic and traffic from cloud load balancing* . Among the three, only *allow all traffic* permits connections from the public internet.

Similar to Azure, in GCP Cloud Functions we can connect our Function to a VPC for outbound connections, which is the point where the VPC security mechanisms, such as firewall rules, determine the permitted connections. The VPC connection, though, applies only to traffic initiated by the Function, making this configuration less relevant in the public invocation discussion.

### **Identity in GCP**

We must address multiple considerations regarding the identity end of GCP Cloud Functions. The first is the native "Allow unauthenticated invocation" configuration, which permits public access from the identity aspect while the alternative requires authentication.

But it does not end here. If we look into the configurations, we'll notice that we can add roles to different principals. GCP provides us with two special identifiers:

* *allAuthenticatedUsers,* which represents any entity authenticated with a Google account*allUsers,* which represents anyone.

Since anyone can create a personal Google account, we can treat the two identifiers as "Everyone." By adding the permissions mentioned above (or more commonly, the *Cloud Functions Invoker* or *Cloud Run Invoker* predefined roles that contain the permissions) to either the *allUsers* or *allAuthenticatedUsers* principals, we enable public access from the identity aspect.

We can enable unauthenticated access to invoke the function during its creation.
![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-10.png)
Figure 10: GCP Function authentication setting

Alternatively, we can require authentication and add permissions to the *allUsers* group (in this case a Gen two instance).
![“AllUsers” principal (anyone with internet access) role assignment](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-11.png)
Figure 11: "AllUsers" principal (anyone with internet access) role assignment

Once we apply the configuration, we can see that GCP changes the authentication status to "Allow unauthenticated."

**Before:**
![Authentication setting before role assignment](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/Screenshot-2024-06-06-090522.png)
Figure 12: Authentication setting before role assignment

**After:**
![Authentication setting after role assignment](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/Screenshot-2024-06-06-090918.png)
Figure 13: Authentication setting after role assignment

Given the above configuration and assuming no network restrictions, the Function is publicly invocable.
![Callable function result](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-14.png)
Figure 14: Callable function result

## **Summary**

While serverless computing often provides a simpler, more efficient, more scalable, and less expensive solution to build applications, it is subject to many potential pitfalls, regardless of your vendor of choice. In this blog, we briefly covered some configurations of the main cloud providers' key serverless offerings, and showed how easily they can become convoluted and lead to errors.

In the best case scenario, you miss one configuration while another keeps you safe (e.g., misconfigured network access but successfully configuring identity controls). In the worst case scenario, your function is publicly accessible and, depending on context, could act as a pivot for an adversary within your environment. As such, it is important to understand the services and each of their configurations, as well as to set up boundaries, good practices and security measures to prevent these misconfigurations from happening.

### **AWS Cheat Sheet: Is My Lambda Exposed?**

![AWS Cheat Sheet](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-15.png)
Figure 15: AWS Cheat Sheet

### **Azure Cheat Sheet: Is My Function Exposed?**

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-16.png)
Figure 16: Azure Cheat Sheet

### **GCP Cheat Sheet: Is My Cloud Function Exposed?**

![GCP Cheat Sheet](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/06/word-image-322771-17.png)
Figure 17: GCP Cheat Sheet

## Learn More

For a fuller understanding of how your data is exposed in the cloud, read our comprehensive[State of Cloud Data Security 2023 report](https://www.paloaltonetworks.com/resources/data-security-2023-report?ts=markdown), which not only sheds light on critical aspects of cloud data security but also provides actionable steps to defend your valuable data.

*** ** * ** ***

## Related Blogs

### [Data Security](https://www.paloaltonetworks.com/blog/category/data-security/?ts=markdown), [Data Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/data-security-posture-management/?ts=markdown), [DevOps](https://www.paloaltonetworks.com/blog/cloud-security/category/devops/?ts=markdown), [Research](https://www.paloaltonetworks.com/blog/cloud-security/category/research/?ts=markdown)

[#### OpenAI Custom GPTs: What You Need to Worry About](https://www.paloaltonetworks.com/blog/cloud-security/openai-custom-gpts-security/)

### [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Cloud Native Application Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-native-application-platform/?ts=markdown), [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown)

[#### Prisma Cloud Adds Support for Agentless Security on Azure and GCP](https://www.paloaltonetworks.com/blog/cloud-security/agentless-for-azure-and-gcp/)

### [Cloud NGFW](https://www.paloaltonetworks.com/blog/network-security/category/cloud-ngfw/?ts=markdown), [Cloud Security](https://www.paloaltonetworks.com/blog/category/cloud-security/?ts=markdown)

[#### From Control to Command: The Future of Multicloud Security](https://www.paloaltonetworks.com/blog/network-security/from-control-to-command-the-future-of-multicloud-security/)

### [Data Security](https://www.paloaltonetworks.com/blog/category/data-security/?ts=markdown), [Data Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/data-security-posture-management/?ts=markdown)

[#### Is Your Snowflake Data at Risk? Find and Protect Sensitive Data with DSPM](https://www.paloaltonetworks.com/blog/cloud-security/protect-sensitive-data-dspm-snowflake/)

### [Cloud Computing](https://www.paloaltonetworks.com/blog/category/cloud-computing-2/?ts=markdown), [Cloud NGFW](https://www.paloaltonetworks.com/blog/network-security/category/cloud-ngfw/?ts=markdown), [Products and Services](https://www.paloaltonetworks.com/blog/category/products-and-services/?ts=markdown)

[#### Cloud NGFW is Essential for AWS \& Azure Cloud Traffic Protection](https://www.paloaltonetworks.com/blog/network-security/cloud-ngfw-is-essential-for-aws-azure-cloud-traffic-protection/)

### [Announcement](https://www.paloaltonetworks.com/blog/cloud-security/category/announcement/?ts=markdown), [Data Security](https://www.paloaltonetworks.com/blog/category/data-security/?ts=markdown), [Data Security Posture Management](https://www.paloaltonetworks.com/blog/cloud-security/category/data-security-posture-management/?ts=markdown)

[#### Data Security, Meet Remediation: Introducing the New Integration Between Prisma Cloud DSPM and Cortex XSOAR](https://www.paloaltonetworks.com/blog/cloud-security/dspm-xsoar-data-security/)

### Subscribe to Cloud Security Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language