Case Study

Safeguarding the state of Salzburg with unified network and endpoint security

The provincial government of the Austrian state of Salzburg are using ML-Powered Next-Generation Firewalls in combination with an extended detection and response platform that spans all of their data sources to stop modern attacks. The combined power of superior threat prevention, behavioral protection, and AI-based analysis means the provincial government can ensure the continual delivery of trusted digital-first services to more than 500,000 citizens.

In brief


The Salzburg Provincial Government

Organisation Size

3,000 employees across 90 locations


Local Government

Featured Products and Services

Public services including housing, education, and social care


Salzburg, Austria


A fragmented, outmoded cybersecurity strategy delayed the response to threats and demanded significant manual intervention.


  • Deliver uninterrupted, responsive public services across the state of Salzburg.
  • Use behaviour analytics to identify anomalies and pinpoint stealthy and unknown threats.
  • Speed up investigations by viewing the root cause of alerts.
  • Increase security resources’ productivity and agility.


Palo Alto Networks portfolio, consisting of:

  • Network Security Platform of ML-Powered Next-Generation Firewalls
  • Modern SOC platform including Cortex XDR


A struggle to stop every attack vector

The provincial government of the Austrian state of Salzburg were relying on an outmoded cybersecurity strategy that was inflexible, siloed, and expensive to run. Separate network and endpoint security platforms struggled to stop every possible attack vector.


Public services delivery for 500,000 people

Covering an area of more than 7,000 km², the state of Salzburg – officially known as Land Salzburg – stretches along its main river, the Salzach, which rises in the Central Eastern Alps and runs to the Alpine foothills. Land Salzburg has more than 500,000 citizens.

The Salzburg Provincial Government employs approximately 3,000 people and also supports 1,000 students in state schools. A total of 4,500 endpoints and servers are distributed across about 90 locations.

The challenges for the state authority were threefold.

First, the existing network security firewalls were nearing end-of-life. A modern, flexible approach to protecting the network was needed – one that delivered complete visibility and control over the distributed environment.

Second, an outmoded endpoint protection platform made it harder to stop modern threats and see the full scope of targeted attacks. Endless alerts and complex investigations also delayed responses.

Third, the siloed nature of the legacy SecOps strategy was generating a deluge of low-fidelity alerts.


Our goal was to move to a consolidated endpoint, detection, and response solution. One that would give us the visibility to eliminate blind spots, root out adversaries, and accelerate investigations.

–Tobias Pfeiffer, IT Security Manager, State of Salzburg


Pinpoint stealthy and unknown threats

The Salzburg Provincial Government required a system that would:

  • Deliver uninterrupted, responsive service to the citizens of Land Salzburg.
  • Use behavioural analytics to identify anomalies and pinpoint stealthy and unknown threats.
  • Speed investigations by viewing the root causes of alerts from any data source.
  • Increase the productivity and agility of security resources.


One integrated cybersecurity portfolio

After a rigorous evaluation, the Salzburg Provincial Government chose Palo Alto Networks. “We wanted a large, best-of-breed partner. Smaller security vendors typically provide only point technologies, or they are acquired by larger vendors and lose their innovation edge. The Palo Alto Networks portfolio brings together proven, best-of-breed technologies in both network and endpoint security. It also works seamlessly as one integrated cybersecurity portfolio,” says Tobias.

The Palo Alto Networks portfolio comprises ML-Powered Next-Generation Firewalls (NGFWs) and Cortex XDR. “The complete firewall migration took place on a Saturday,” says Tobias. “We immediately had total visibility and control of applications across all 4,000 users and devices – in the office, at home, and on the go.”

Cortex XDR was tested intensively in combination with the firewall, the endpoints, and the Windows/Linux servers.


This EDR technology was new to us, so we approached it with caution. Our worries were unfounded though. We rolled out Cortex XDR centrally, and it was operational on the first 3,000 endpoints within one week. Everything worked perfectly.

–Tobias Pfeiffer, IT Security Manager, State of Salzburg

The Salzburg Provincial Government now has enterprise-wide protection and can analyse data from any source to stop sophisticated attacks. The new cybersecurity technology stack enables the organisation to accurately detect threats with behavioural analytics and reveals root causes to speed up investigations. Additionally, the tight integration with previously disconnected enforcement points accelerates containment.

The training provided by Palo Alto Networks was also invaluable. Tobias explains, “The tips and tricks we learned allowed us to get results even faster and understand why certain processes happen the way they do.”


In the conventional endpoint protection mode, you rely on a blacklist. With Cortex XDR, you say goodbye to that. It’s now about the behaviour of what happens when a file is executed. An insane number of data sources work together in the background, which in turn flow into the behaviour analysis.

–Tobias Pfeiffer, IT Security Manager, State of Salzburg


Confident, responsive public services delivery

The benefits of this ambitious, forward-thinking SecOps strategy include:

  • Reliable, trusted public services delivery: The data the Salzburg Provincial Government relies on to deliver public services to more than 500,000 people is safeguarded and available anytime.
  • Proactive protection against growing attack surface: According to Tobias: “Integrated firewall and endpoint data transformed security visibility and control. We use the granular insight into what’s happening on our network to take preventive actions.”
  • Improved control: Owing to the behaviour-based analytics, the false positive rate amounts to “just one or two false positives every year.”
  • Increased productivity: “We no longer analyse an event based on patterns, but instead on behaviour,” says Tobias. “The AI determines whether an event should be presented to the security team for further evaluation. Right now, we are taking a closer look at maybe 10 incidents each week.”
  • Enhanced efficiency: Salzburg no longer has a person dedicated to monitoring and responding to individual alerts, which has enabled IT resources to be diverted to strategic tasks. “There’s no day-to-day reconfiguration or manual monitoring anymore,” says Tobias. “It’s all automated.”
  • Near real-time performance: Following the implementation, there has been no degradation in latency – despite the continual monitoring, users access data at the speed of business.


I did not hesitate to participate in this Palo Alto Networks case study – I am immensely proud of our cybersecurity strategy and the protection it offers to the people in and around Salzburg.

–Tobias Pfeiffer, IT Security Manager, State of Salzburg
