[](https://www.paloaltonetworks.com/?ts=markdown)

* Sign In
  
  * Customer
  * Partner
  * Employee
  * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown)
  * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown)

* EN
  
  * [USA (ENGLISH)](https://www.paloaltonetworks.com)
  * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au)
  * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br)
  * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca)
  * [CHINA (简体中文)](https://www.paloaltonetworks.cn)
  * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr)
  * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de)
  * [INDIA (ENGLISH)](https://www.paloaltonetworks.in)
  * [ITALY (ITALIANO)](https://www.paloaltonetworks.it)
  * [JAPAN (日本語)](https://www.paloaltonetworks.jp)
  * [KOREA (한국어)](https://www.paloaltonetworks.co.kr)
  * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat)
  * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx)
  * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg)
  * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es)
  * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw)
  * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk)

* ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg)

* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)

* [What's New](https://www.paloaltonetworks.com/resources?ts=markdown)

* [Get Support](https://support.paloaltonetworks.com/SupportAccount/MyAccount)

* [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html)
  ![x close icon to close mobile navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/x-black.svg) [![Palo Alto Networks logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)](https://www.paloaltonetworks.com/?ts=markdown) ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg)

* [](https://www.paloaltonetworks.com/?ts=markdown)

* Products  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Products  
  [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)
  
  * [AI Security](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)
  
  * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)
  
  * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)
  
  * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)
  
  * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)
  
  * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)
  
  * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)
  
  * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)
  
  * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)
  
  * [Enterprise Device Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)
  
  * [Medical Device Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)
  
  * [OT Device Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown)
  
  * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)
  
  * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)
  
  * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)
  
  * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)
  
  * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)
  
  * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)
  
  * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)
  
  * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)
  
  * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)
  
  * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)
  
  * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)
  
  * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)
  
  * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)
  
  * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)
  
  * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)
  
  * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)
  
  * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)
  
  * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)  
    [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)
  
  * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)
  
  * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)
  
  * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)
  
  * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)
  
  * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)
  
  * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)
  
  * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)
  
  * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)
  
  * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)
  
  * [Cortex AgentiX](https://www.paloaltonetworks.com/cortex/agentix?ts=markdown)
  
  * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)
  
  * [Cortex Exposure Management](https://www.paloaltonetworks.com/cortex/exposure-management?ts=markdown)
  
  * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)
  
  * [Cortex Advanced Email Security](https://www.paloaltonetworks.com/cortex/advanced-email-security?ts=markdown)
  
  * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)
  
  * [Unit 42 Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* Solutions  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Solutions  
  Secure AI by Design
  
  * [Secure AI Ecosystem](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)
  * [Secure GenAI Usage](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)  
    Network Security
  * [Cloud Network Security](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)
  * [Data Center Security](https://www.paloaltonetworks.com/network-security/data-center?ts=markdown)
  * [DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)
  * [Intrusion Detection and Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)
  * [Device Security](https://www.paloaltonetworks.com/network-security/device-security?ts=markdown)
  * [OT Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown)
  * [5G Security](https://www.paloaltonetworks.com/network-security/5g-security?ts=markdown)
  * [Secure All Apps, Users and Locations](https://www.paloaltonetworks.com/sase/secure-users-data-apps-devices?ts=markdown)
  * [Secure Branch Transformation](https://www.paloaltonetworks.com/sase/secure-branch-transformation?ts=markdown)
  * [Secure Work on Any Device](https://www.paloaltonetworks.com/sase/secure-work-on-any-device?ts=markdown)
  * [VPN Replacement](https://www.paloaltonetworks.com/sase/vpn-replacement-for-secure-remote-access?ts=markdown)
  * [Web \& Phishing Security](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)  
    Cloud Security
  * [Application Security Posture Management (ASPM)](https://www.paloaltonetworks.com/cortex/cloud/application-security-posture-management?ts=markdown)
  * [Software Supply Chain Security](https://www.paloaltonetworks.com/cortex/cloud/software-supply-chain-security?ts=markdown)
  * [Code Security](https://www.paloaltonetworks.com/cortex/cloud/code-security?ts=markdown)
  * [Cloud Security Posture Management (CSPM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-security-posture-management?ts=markdown)
  * [Cloud Infrastructure Entitlement Management (CIEM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-infrastructure-entitlement-management?ts=markdown)
  * [Data Security Posture Management (DSPM)](https://www.paloaltonetworks.com/cortex/cloud/data-security-posture-management?ts=markdown)
  * [AI Security Posture Management (AI-SPM)](https://www.paloaltonetworks.com/cortex/cloud/ai-security-posture-management?ts=markdown)
  * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown)
  * [Cloud Workload Protection (CWP)](https://www.paloaltonetworks.com/cortex/cloud/cloud-workload-protection?ts=markdown)
  * [Web Application \& API Security (WAAS)](https://www.paloaltonetworks.com/cortex/cloud/web-app-api-security?ts=markdown)  
    Security Operations
  * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown)
  * [Security Information and Event Management](https://www.paloaltonetworks.com/cortex/modernize-siem?ts=markdown)
  * [Network Security Automation](https://www.paloaltonetworks.com/cortex/network-security-automation?ts=markdown)
  * [Incident Case Management](https://www.paloaltonetworks.com/cortex/incident-case-management?ts=markdown)
  * [SOC Automation](https://www.paloaltonetworks.com/cortex/security-operations-automation?ts=markdown)
  * [Threat Intel Management](https://www.paloaltonetworks.com/cortex/threat-intel-management?ts=markdown)
  * [Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)
  * [Attack Surface Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/attack-surface-management?ts=markdown)
  * [Compliance Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/compliance-management?ts=markdown)
  * [Internet Operations Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/internet-operations-management?ts=markdown)
  * [Extended Data Lake (XDL)](https://www.paloaltonetworks.com/cortex/cortex-xdl?ts=markdown)
  * [Agentic Assistant](https://www.paloaltonetworks.com/cortex/cortex-agentic-assistant?ts=markdown)  
    Endpoint Security
  * [Endpoint Protection](https://www.paloaltonetworks.com/cortex/endpoint-protection?ts=markdown)
  * [Extended Detection \& Response](https://www.paloaltonetworks.com/cortex/detection-and-response?ts=markdown)
  * [Ransomware Protection](https://www.paloaltonetworks.com/cortex/ransomware-protection?ts=markdown)
  * [Digital Forensics](https://www.paloaltonetworks.com/cortex/digital-forensics?ts=markdown)  
    [Industries](https://www.paloaltonetworks.com/industry?ts=markdown)
  * [Public Sector](https://www.paloaltonetworks.com/industry/public-sector?ts=markdown)
  * [Financial Services](https://www.paloaltonetworks.com/industry/financial-services?ts=markdown)
  * [Manufacturing](https://www.paloaltonetworks.com/industry/manufacturing?ts=markdown)
  * [Healthcare](https://www.paloaltonetworks.com/industry/healthcare?ts=markdown)
  * [Small \& Medium Business Solutions](https://www.paloaltonetworks.com/industry/small-medium-business-portfolio?ts=markdown)

* Services  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Services  
  [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)
  
  * [Assess](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)
  
  * [AI Security Assessment](https://www.paloaltonetworks.com/unit42/assess/ai-security-assessment?ts=markdown)
  
  * [Attack Surface Assessment](https://www.paloaltonetworks.com/unit42/assess/attack-surface-assessment?ts=markdown)
  
  * [Breach Readiness Review](https://www.paloaltonetworks.com/unit42/assess/breach-readiness-review?ts=markdown)
  
  * [BEC Readiness Assessment](https://www.paloaltonetworks.com/bec-readiness-assessment?ts=markdown)
  
  * [Cloud Security Assessment](https://www.paloaltonetworks.com/unit42/assess/cloud-security-assessment?ts=markdown)
  
  * [Compromise Assessment](https://www.paloaltonetworks.com/unit42/assess/compromise-assessment?ts=markdown)
  
  * [Cyber Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/cyber-risk-assessment?ts=markdown)
  
  * [M\&A Cyber Due Diligence](https://www.paloaltonetworks.com/unit42/assess/mergers-acquisitions-cyber-due-diligence?ts=markdown)
  
  * [Penetration Testing](https://www.paloaltonetworks.com/unit42/assess/penetration-testing?ts=markdown)
  
  * [Purple Team Exercises](https://www.paloaltonetworks.com/unit42/assess/purple-teaming?ts=markdown)
  
  * [Ransomware Readiness Assessment](https://www.paloaltonetworks.com/unit42/assess/ransomware-readiness-assessment?ts=markdown)
  
  * [SOC Assessment](https://www.paloaltonetworks.com/unit42/assess/soc-assessment?ts=markdown)
  
  * [Supply Chain Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/supply-chain-risk-assessment?ts=markdown)
  
  * [Tabletop Exercises](https://www.paloaltonetworks.com/unit42/assess/tabletop-exercise?ts=markdown)
  
  * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown)
  
  * [Respond](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)
  
  * [Cloud Incident Response](https://www.paloaltonetworks.com/unit42/respond/cloud-incident-response?ts=markdown)
  
  * [Digital Forensics](https://www.paloaltonetworks.com/unit42/respond/digital-forensics?ts=markdown)
  
  * [Incident Response](https://www.paloaltonetworks.com/unit42/respond/incident-response?ts=markdown)
  
  * [Managed Detection and Response](https://www.paloaltonetworks.com/unit42/respond/managed-detection-response?ts=markdown)
  
  * [Managed Threat Hunting](https://www.paloaltonetworks.com/unit42/respond/managed-threat-hunting?ts=markdown)
  
  * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)
  
  * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown)
  
  * [Transform](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)
  
  * [IR Plan Development and Review](https://www.paloaltonetworks.com/unit42/transform/incident-response-plan-development-review?ts=markdown)
  
  * [Security Program Design](https://www.paloaltonetworks.com/unit42/transform/security-program-design?ts=markdown)
  
  * [Virtual CISO](https://www.paloaltonetworks.com/unit42/transform/vciso?ts=markdown)
  
  * [Zero Trust Advisory](https://www.paloaltonetworks.com/unit42/transform/zero-trust-advisory?ts=markdown)  
    [Global Customer Services](https://www.paloaltonetworks.com/services?ts=markdown)
  
  * [Education \& Training](https://www.paloaltonetworks.com/services/education?ts=markdown)
  
  * [Professional Services](https://www.paloaltonetworks.com/services/consulting?ts=markdown)
  
  * [Success Tools](https://www.paloaltonetworks.com/services/customer-success-tools?ts=markdown)
  
  * [Support Services](https://www.paloaltonetworks.com/services/solution-assurance?ts=markdown)
  
  * [Customer Success](https://www.paloaltonetworks.com/services/customer-success?ts=markdown)  
    [![](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/logo-unit-42.svg)  
    UNIT 42 RETAINER
    Custom-built to fit your organization's needs, you can choose to allocate your retainer hours to any of our offerings, including proactive cyber risk management services. Learn how you can put the world-class Unit 42 Incident Response team on speed dial.
    Learn more](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown)

* Partners  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Partners  
  NextWave Partners
  
  * [NextWave Partner Community](https://www.paloaltonetworks.com/partners?ts=markdown)
  * [Cloud Service Providers](https://www.paloaltonetworks.com/partners/nextwave-for-csp?ts=markdown)
  * [Global Systems Integrators](https://www.paloaltonetworks.com/partners/nextwave-for-gsi?ts=markdown)
  * [Technology Partners](https://www.paloaltonetworks.com/partners/technology-partners?ts=markdown)
  * [Service Providers](https://www.paloaltonetworks.com/partners/service-providers?ts=markdown)
  * [Solution Providers](https://www.paloaltonetworks.com/partners/nextwave-solution-providers?ts=markdown)
  * [Managed Security Service Providers](https://www.paloaltonetworks.com/partners/managed-security-service-providers?ts=markdown)
  * [XMDR Partners](https://www.paloaltonetworks.com/partners/managed-security-service-providers/xmdr?ts=markdown)  
    Take Action
  * [Portal Login](https://www.paloaltonetworks.com/partners/nextwave-partner-portal?ts=markdown)
  * [Managed Services Program](https://www.paloaltonetworks.com/partners/managed-security-services-provider-program?ts=markdown)
  * [Become a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=becomepartner)
  * [Request Access](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=requestaccess)
  * [Find a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerlocator)  
    [CYBERFORCE
    CYBERFORCE represents the top 1% of partner engineers trusted for their security expertise.
    Learn more](https://www.paloaltonetworks.com/cyberforce?ts=markdown)

* Company  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Company  
  Palo Alto Networks
  
  * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
  * [Management Team](https://www.paloaltonetworks.com/about-us/management?ts=markdown)
  * [Investor Relations](https://investors.paloaltonetworks.com)
  * [Locations](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
  * [Ethics \& Compliance](https://www.paloaltonetworks.com/company/ethics-and-compliance?ts=markdown)
  * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
  * [Military \& Veterans](https://jobs.paloaltonetworks.com/military)  
    [Why Palo Alto Networks?](https://www.paloaltonetworks.com/why-paloaltonetworks?ts=markdown)
  * [Precision AI Security](https://www.paloaltonetworks.com/precision-ai-security?ts=markdown)
  * [Our Platform Approach](https://www.paloaltonetworks.com/why-paloaltonetworks/platformization?ts=markdown)
  * [Accelerate Your Cybersecurity Transformation](https://www.paloaltonetworks.com/why-paloaltonetworks/nam-cxo-portfolio?ts=markdown)
  * [Awards \& Recognition](https://www.paloaltonetworks.com/about-us/awards?ts=markdown)
  * [Customer Stories](https://www.paloaltonetworks.com/customers?ts=markdown)
  * [Global Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
  * [Trust 360 Program](https://www.paloaltonetworks.com/resources/whitepapers/trust-360?ts=markdown)  
    Careers
  * [Overview](https://jobs.paloaltonetworks.com/)
  * [Culture \& Benefits](https://jobs.paloaltonetworks.com/en/culture/)  
    [A Newsweek Most Loved Workplace
    "Businesses that do right by their employees"
    Read more](https://www.paloaltonetworks.com/company/press/2021/palo-alto-networks-secures-top-ranking-on-newsweek-s-most-loved-workplaces-list-for-2021?ts=markdown)

* More  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) More  
  Resources
  
  * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
  * [Unit 42 Threat Research](https://unit42.paloaltonetworks.com/)
  * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
  * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
  * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
  * [Tech Insider](https://techinsider.paloaltonetworks.com/)
  * [Knowledge Base](https://knowledgebase.paloaltonetworks.com/)
  * [Palo Alto Networks TV](https://tv.paloaltonetworks.com/)
  * [Perspectives of Leaders](https://www.paloaltonetworks.com/perspectives/?ts=markdown)
  * [Cyber Perspectives Magazine](https://www.paloaltonetworks.com/cybersecurity-perspectives/cyber-perspectives-magazine?ts=markdown)
  * [Regional Cloud Locations](https://www.paloaltonetworks.com/products/regional-cloud-locations?ts=markdown)
  * [Tech Docs](https://docs.paloaltonetworks.com/)
  * [Security Posture Assessment](https://www.paloaltonetworks.com/security-posture-assessment?ts=markdown)
  * [Threat Vector Podcast](https://unit42.paloaltonetworks.com/unit-42-threat-vector-podcast/)
  * [Packet Pushers Podcasts](https://www.paloaltonetworks.com/podcasts/packet-pusher?ts=markdown)  
    Connect
  * [LIVE community](https://live.paloaltonetworks.com/)
  * [Events](https://events.paloaltonetworks.com/)
  * [Executive Briefing Center](https://www.paloaltonetworks.com/about-us/executive-briefing-program?ts=markdown)
  * [Demos](https://www.paloaltonetworks.com/demos?ts=markdown)
  * [Contact us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)  
    [Blog
    Stay up-to-date on industry trends and the latest innovations from the world's largest cybersecurity
    Learn more](https://www.paloaltonetworks.com/blog/)

* Sign In  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Sign In
  
  * Customer
  * Partner
  * Employee
  * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown)
  * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown)

* EN  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Language
  
  * [USA (ENGLISH)](https://www.paloaltonetworks.com)
  * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au)
  * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br)
  * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca)
  * [CHINA (简体中文)](https://www.paloaltonetworks.cn)
  * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr)
  * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de)
  * [INDIA (ENGLISH)](https://www.paloaltonetworks.in)
  * [ITALY (ITALIANO)](https://www.paloaltonetworks.it)
  * [JAPAN (日本語)](https://www.paloaltonetworks.jp)
  * [KOREA (한국어)](https://www.paloaltonetworks.co.kr)
  * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat)
  * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx)
  * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg)
  * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es)
  * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw)
  * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk)

* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)

* [What's New](https://www.paloaltonetworks.com/resources?ts=markdown)

* [Get support](https://support.paloaltonetworks.com/SupportAccount/MyAccount)

* [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html)

* [Demos and Trials](https://www.paloaltonetworks.com/get-started?ts=markdown)  
  Search  
  All

* [Tech Docs](https://docs.paloaltonetworks.com/search)  
  Close search modal
  [Deploy Bravely --- Secure your AI transformation with Prisma AIRS](https://www.deploybravely.com)  
  [](https://www.paloaltonetworks.com/?ts=markdown)

1. [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
2. [Cloud Security](https://www.paloaltonetworks.com/cyberpedia/cloud-security?ts=markdown)
3. [API Security](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security?ts=markdown)
4. [What Is Broken Function Level Authorization?](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization?ts=markdown)  
   Table of Contents

* [What Is API Security?](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security?ts=markdown)
  * [API Security Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security#api?ts=markdown)
  * [Definition of an API](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security#definition?ts=markdown)
  * [Why API Security Is Important](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security#why?ts=markdown)
  * [Traditional Approach to Web Application Security](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security#traditional?ts=markdown)
  * [Anatomy of an API Attack](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security#anatomy?ts=markdown)
  * [API Security Risks](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security#risks?ts=markdown)
  * [API Security for SOAP, REST and GraphQL](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security#graphql?ts=markdown)
  * [API Security Best Practices](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security#best?ts=markdown)
  * [Cortex Cloud's API Security Solution](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security#prisma?ts=markdown)
  * [API Security FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security#faqs?ts=markdown)
* [API Security Monitoring](https://www.paloaltonetworks.com/cyberpedia/api-security-monitoring?ts=markdown)
  * [What to Monitor: Traffic, Sessions, Anomalies, Threats](https://www.paloaltonetworks.com/cyberpedia/api-security-monitoring#monitor?ts=markdown)
  * [Services and Tools for Monitoring APIs](https://www.paloaltonetworks.com/cyberpedia/api-security-monitoring#services?ts=markdown)
  * [Response Mechanisms: Threat Detection, Response, Remediation for APIs](https://www.paloaltonetworks.com/cyberpedia/api-security-monitoring#response?ts=markdown)
  * [Ensuring the Best API Security Posture with Monitoring and Continuous Improvement](https://www.paloaltonetworks.com/cyberpedia/api-security-monitoring#ensuring?ts=markdown)
  * [Building a Monitoring-Driven API Security Lifecycle](https://www.paloaltonetworks.com/cyberpedia/api-security-monitoring#building?ts=markdown)
  * [API Security Monitoring FAQs](https://www.paloaltonetworks.com/cyberpedia/api-security-monitoring#faqs?ts=markdown)
* What Is Broken Function Level Authorization?
  * [API5:2023 - Broken Function Level Authorization Explained](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#broken?ts=markdown)
  * [Understanding Broken Function Level Authorization in API Security](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#understanding?ts=markdown)
  * [How Broken Function Level Authorization Manifests in Real-World APIs](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#how?ts=markdown)
  * [The Business Impact of Broken Function Level Authorization](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#business?ts=markdown)
  * [Identifying Broken Function Level Authorization in Your APIs](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#identifying?ts=markdown)
  * [Preventing Broken Function Level Authorization: Best Practices](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#preventing?ts=markdown)
  * [Broken Function Level Authorization FAQs](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#faqs?ts=markdown)
* [What Is Unrestricted Access to Sensitive Business Flows?](https://www.paloaltonetworks.com/cyberpedia/unrestricted-access-sensitive-business-flows?ts=markdown)
  * [API6:2023 - Unrestricted Access to Sensitive Business Flows Explained](https://www.paloaltonetworks.com/cyberpedia/unrestricted-access-sensitive-business-flows#explained?ts=markdown)
  * [Understanding Unrestricted Access to Sensitive Business Flows in API Security](https://www.paloaltonetworks.com/cyberpedia/unrestricted-access-sensitive-business-flows#understanding?ts=markdown)
  * [How Unrestricted Access to Sensitive Business Flows Manifests in Real-World APIs](https://www.paloaltonetworks.com/cyberpedia/unrestricted-access-sensitive-business-flows#how?ts=markdown)
  * [The Business Impact of Unrestricted Access to Sensitive Business Flows](https://www.paloaltonetworks.com/cyberpedia/unrestricted-access-sensitive-business-flows#flows?ts=markdown)
  * [Identifying Unrestricted Access to Sensitive Business Flows in Your APIs](https://www.paloaltonetworks.com/cyberpedia/unrestricted-access-sensitive-business-flows#identifying?ts=markdown)
  * [Preventing Unrestricted Access to Sensitive Business Flows: Best Practices](https://www.paloaltonetworks.com/cyberpedia/unrestricted-access-sensitive-business-flows#preventing?ts=markdown)
  * [Unrestricted Access to Sensitive Business Flows FAQs](https://www.paloaltonetworks.com/cyberpedia/unrestricted-access-sensitive-business-flows#faqs?ts=markdown)
* [What Is Broken Object Property Level Authorization?](https://www.paloaltonetworks.com/cyberpedia/broken-object-property-level-authorization?ts=markdown)
  * [API3:2023 - Broken Object Property Level Authorization Explained](https://www.paloaltonetworks.com/cyberpedia/broken-object-property-level-authorization#explained?ts=markdown)
  * [Understanding Broken Object Property Level Authorization](https://www.paloaltonetworks.com/cyberpedia/broken-object-property-level-authorization#understanding?ts=markdown)
  * [How Broken Object Property Level Authorization Manifests in Real-World APIs](https://www.paloaltonetworks.com/cyberpedia/broken-object-property-level-authorization#how?ts=markdown)
  * [The Business Impact of Broken Object Property Level Authorization](https://www.paloaltonetworks.com/cyberpedia/broken-object-property-level-authorization#business?ts=markdown)
  * [Identifying Broken Object Property Level Authorization in Your APIs](https://www.paloaltonetworks.com/cyberpedia/broken-object-property-level-authorization#identifying?ts=markdown)
  * [Preventing Broken Object Property Level Authorization: Best Practices](https://www.paloaltonetworks.com/cyberpedia/broken-object-property-level-authorization#preventing?ts=markdown)
  * [Broken Object Property Level Authorization FAQs](https://www.paloaltonetworks.com/cyberpedia/broken-object-property-level-authorization#faqs?ts=markdown)
* [Cloud API Security: Strategy for the DevOps Era](https://www.paloaltonetworks.com/cyberpedia/cloud-api-security-strategy?ts=markdown)
  * [The Role of API Keys and Secrets in Cloud APIs --- Risks and Misuses](https://www.paloaltonetworks.com/cyberpedia/cloud-api-security-strategy#role?ts=markdown)
  * [The Gateway Layer in Cloud APIs: Why a Web API Security Gateway Is Critical](https://www.paloaltonetworks.com/cyberpedia/cloud-api-security-strategy#gateway?ts=markdown)
  * [Monitoring and Protecting APIs in Real Time in Cloud/DevOps Contexts](https://www.paloaltonetworks.com/cyberpedia/cloud-api-security-strategy#monitoring?ts=markdown)
  * [Strategy Checklist: Best Practices for Cloud API Security in DevOps](https://www.paloaltonetworks.com/cyberpedia/cloud-api-security-strategy#strategy?ts=markdown)
  * [Conclusion: Bridging DevOps Velocity with Secure API Posture](https://www.paloaltonetworks.com/cyberpedia/cloud-api-security-strategy#conclusion?ts=markdown)
  * [Cloud API Security FAQs](https://www.paloaltonetworks.com/cyberpedia/cloud-api-security-strategy#faqs?ts=markdown)
* [API Security Checklist for Modern Application Teams](https://www.paloaltonetworks.com/cyberpedia/api-security-checklist?ts=markdown)
  * [Discover and Classify All APIs](https://www.paloaltonetworks.com/cyberpedia/api-security-checklist#discover?ts=markdown)
  * [Apply Core API Security Controls](https://www.paloaltonetworks.com/cyberpedia/api-security-checklist#apply?ts=markdown)
  * [Protect API Data at Every Layer](https://www.paloaltonetworks.com/cyberpedia/api-security-checklist#protect?ts=markdown)
  * [Secure API Endpoints and Runtime Behavior](https://www.paloaltonetworks.com/cyberpedia/api-security-checklist#secure?ts=markdown)
  * [Continuously Monitor, Test, and Improve](https://www.paloaltonetworks.com/cyberpedia/api-security-checklist#monitor?ts=markdown)
  * [Building Resilience Through Systematic Execution](https://www.paloaltonetworks.com/cyberpedia/api-security-checklist#resilience?ts=markdown)
  * [API Security Checklist FAQs](https://www.paloaltonetworks.com/cyberpedia/api-security-checklist#faqs?ts=markdown)
* [What Is Broken Authentication?](https://www.paloaltonetworks.com/cyberpedia/broken-authentication-api2?ts=markdown)
  * [API2:2023 - Broken Authentication Explained](https://www.paloaltonetworks.com/cyberpedia/broken-authentication-api2#API2-2023?ts=markdown)
  * [Understanding Broken Authentication in API Security](https://www.paloaltonetworks.com/cyberpedia/broken-authentication-api2#understanding?ts=markdown)
  * [How Broken Authentication Manifests in Real-World APIs](https://www.paloaltonetworks.com/cyberpedia/broken-authentication-api2#broken?ts=markdown)
  * [The Business Impact of Broken Authentication](https://www.paloaltonetworks.com/cyberpedia/broken-authentication-api2#business?ts=markdown)
  * [Identifying Broken Authentication in Your APIs](https://www.paloaltonetworks.com/cyberpedia/broken-authentication-api2#identifying?ts=markdown)
  * [Preventing Broken Authentication: Best Practices](https://www.paloaltonetworks.com/cyberpedia/broken-authentication-api2#preventing?ts=markdown)
* [Broken Authentication FAQs](https://www.paloaltonetworks.com/cyberpedia/broken-authentication-api2#faqs?ts=markdown)

# What Is Broken Function Level Authorization?

4 min. read  
Table of Contents

* * [API5:2023 - Broken Function Level Authorization Explained](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#broken?ts=markdown)
  * [Understanding Broken Function Level Authorization in API Security](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#understanding?ts=markdown)
  * [How Broken Function Level Authorization Manifests in Real-World APIs](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#how?ts=markdown)
  * [The Business Impact of Broken Function Level Authorization](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#business?ts=markdown)
  * [Identifying Broken Function Level Authorization in Your APIs](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#identifying?ts=markdown)
  * [Preventing Broken Function Level Authorization: Best Practices](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#preventing?ts=markdown)
* [Broken Function Level Authorization FAQs](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#faqs?ts=markdown)

1. API5:2023 - Broken Function Level Authorization Explained

* * [API5:2023 - Broken Function Level Authorization Explained](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#broken?ts=markdown)
  * [Understanding Broken Function Level Authorization in API Security](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#understanding?ts=markdown)
  * [How Broken Function Level Authorization Manifests in Real-World APIs](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#how?ts=markdown)
  * [The Business Impact of Broken Function Level Authorization](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#business?ts=markdown)
  * [Identifying Broken Function Level Authorization in Your APIs](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#identifying?ts=markdown)
  * [Preventing Broken Function Level Authorization: Best Practices](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#preventing?ts=markdown)
* [Broken Function Level Authorization FAQs](https://www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization#faqs?ts=markdown)

Broken function level authorization (BFLA), a critical OWASP Top 10 API risk, occurs when regular users gain access to administrative or restricted functions. In cloud environments, where privileged operations are distributed across numerous microservices, these authorization gaps allow attackers to escalate privileges, leak [sensitive data](https://www.paloaltonetworks.com/cyberpedia/sensitive-data?ts=markdown), and bypass production system controls.

## API5:2023 - Broken Function Level Authorization Explained

Function-level authorization failures allow users to execute privileged operations beyond their intended scope. Cloud APIs intensify this risk, as [microservice architectures](https://www.paloaltonetworks.com/cyberpedia/what-are-microservices?ts=markdown) often fragment authorization logic across dozens of independent services. By systematically probing HTTP methods and endpoint paths, attackers can uncover administrative functions left exposed by inconsistent security policies. Also known as API5:2023 on OWASP's top 10 list, BFLA elevates standard user access into a powerful admin tool and potentially the most direct route to total system compromise.

### Controlling Endpoint Access

Function-level authorization determines which users can invoke specific API endpoints based on their assigned roles or privileges. A standard user accessing /api/users/{id} to view their own profile exercises proper authorization. An endpoint like /api/admin/users/delete requires elevated privileges that block regular account holders from execution.

The authorization layer sits between authentication and business logic. Authentication confirms identity. Authorization decides what that identity can do.

### Function-Level Versus Object-Level Authorization

Function-level authorization governs access to entire endpoints or operations. Object-level authorization controls access to specific data instances. You're dealing with function-level issues when a regular user calls /api/admin/reports/generate and receives data. You're facing object-level problems when User A retrieves User B's records through /api/users/456/profile.

Function-level flaws expose operations. Object-level flaws expose data belonging to other entities. Both involve improper access, but they target different architectural layers.

### Vertical Privilege Escalation

Security professionals call this vulnerability vertical access control failure or privilege escalation. Users move vertically up the permission hierarchy to claim administrator, moderator, or system-level capabilities. Unlike horizontal escalation, where user A accesses user B's equivalent-privilege resources, vertical movement grants powers exceeding the user's designated role.

### API Complexity Factors

RESTful architectures expose operations through HTTP methods and URL patterns rather than form submissions or page loads. Developers scatter functionality across GET, POST, PUT, DELETE, and PATCH verbs, hitting hundreds of endpoints. Each verb-endpoint combination needs explicit authorization logic.

Traditional web applications centralize admin functions in dedicated interfaces protected by session checks. Modern cloud APIs distribute privileged operations across microservices where teams work independently. Authorization logic fragments. Gaps appear.

### The URL Path Illusion

Teams assume /api/admins/ paths require admin rights, while /api/users/ paths stay public. The endpoint organization doesn't enforce security boundaries. Developers frequently place administrative functions under user-facing paths for architectural reasons. The route /api/users/export might dump the entire user database. Path structure offers zero security guarantees without enforcement code.

## Understanding Broken Function Level Authorization in API Security

API functions represent discrete operations that manipulate system state or retrieve information. Authorization at the function level decides who executes those operations based on assigned privileges.

### Defining Functions in API Architecture

Functions map to specific endpoint-method combinations. The endpoint /api/users paired with GET retrieves user lists. Paired with POST, the same endpoint creates new user accounts. Paired with DELETE, it removes accounts from the system.

Each HTTP verb exposes a distinct function requiring separate authorization logic. Developers building RESTful services often protect GET operations while leaving PUT, PATCH, or DELETE exposed. An attacker changes the verb from GET to DELETE and executes unauthorized deletions.

The path /api/reports/monthly might serve different functions depending on query parameters. Adding ?action=generate creates reports. Adding ?action=delete removes them. Query strings and request bodies introduce additional function variations that need protection.

### Role Hierarchies and Group-Based Access

Organizations structure permissions through hierarchical roles. Administrators possess system-wide privileges. Department managers access resources within their organizational units. Standard users operate with limited read-write capabilities scoped to their own data.

Group-based access control assigns users to collections like billing, support, or engineering. Members inherit the group's permission set. A billing API endpoint processing refunds should execute only for users in the billing group, regardless of their role level.

Cloud environments complicate role management. Service accounts, API keys, machine identities, and federated users all need function-level restrictions. A Lambda function invoking internal APIs requires different permissions than a mobile app client accessing the same backend.

### Entry Points and Method-Based Exposure

Every exposed endpoint presents an attack surface. APIs publish hundreds or thousands of routes across multiple services. Each route accepts multiple HTTP methods. Teams struggle to audit whether every endpoint-method pair enforces appropriate authorization.

Developers place administrative functions alongside user-facing operations for architectural convenience. The route /api/accounts/bulk-update sits next to /api/accounts/profile because both manipulate account data. One requires admin privileges, the other doesn't. Code reviewers miss the distinction.

### Deny by Default Architecture

Secure systems block all access unless code explicitly grants permission. "Deny by default" means new endpoints start locked. Developers must write authorization rules that open specific functions to specific roles.

Permit by default architectures allow access unless code explicitly blocks it. Adding a new endpoint automatically inherits permissive access. Developers forget to add restrictions. Privilege escalation vulnerabilities appear.

### Function Layer Versus Data Layer Authorization

Function-level checks occur before business logic executes. The system asks, Can this role invoke this operation? Data-level checks occur during business logic execution. The system asks, Does this user own this specific resource?

An API enforcing function-level authorization on /api/documents/delete verifies admin privileges before executing any deletion logic. An API enforcing data-level authorization allows the delete function to run but restricts which document IDs the user can target. Both layers need protection.

## How Broken Function Level Authorization Manifests in Real-World APIs

Authorization failures emerge when endpoints execute privileged operations without verifying the caller's role. Attackers exploit predictable API patterns to discover and invoke functions beyond their permission scope.

![Broken function level authorization](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/broken-function-level-authorization/broken-function-level-authorization.jpg "Broken function level authorization")

### Regular Users Invoking Administrative Endpoints

Administrative operations frequently live at predictable paths. Teams deploy user management functions to /api/admin/users/export or /api/v1/system/settings/update. Attackers enumerate these paths using wordlists containing common administrative terms like "admin," "manage," "settings," "export," and "bulk."

Mobile applications and single-page web apps leak endpoint structures through bundled JavaScript. Decompiling an APK file or reading minified frontend code reveals the complete API surface, including administrative routes that the UI hides from regular users. An attacker extracts the path /api/admin/reports/financial from the mobile app's source code and requests it directly with their standard user token.

### HTTP Method Manipulation

REST conventions map CRUD operations to HTTP verbs. GET retrieves, POST creates, PUT replaces, PATCH modifies, DELETE removes. Developers protect read operations with authentication but forget to restrict write operations at the same endpoint.

An authenticated user queries GET /api/subscriptions/premium and receives subscription details. Changing the method to DELETE /api/subscriptions/premium while keeping the same authorization token successfully cancels the premium tier. The endpoint verified identity but ignored role requirements for destructive operations.

OPTIONS requests expose supported methods for each endpoint. Sending OPTIONS /api/users/profile returns "Allow: GET, PUT, DELETE, PATCH" in response headers. Attackers know which verbs to test for authorization gaps.

### Cross-Group Function Access

Multitenant platforms segregate users into organizational groups, departments, or teams. The billing group accesses /api/billing/invoices while the support group accesses /api/support/tickets. Authorization logic should restrict billing endpoints to billing group members.

Weak implementations verify group membership for the default UI workflow but skip checks when users directly request cross-group endpoints. A support representative discovers /api/billing/refunds/process through API documentation and successfully processes refunds despite belonging to the wrong functional group.

### Endpoint Discovery Through Pattern Recognition

API versioning and resource naming follow predictable conventions. Finding /api/v1/users/profile suggests /api/v1/users/list exists. Discovering /api/reports/monthly implies /api/reports/yearly might work. Teams expose /api/products/export for product managers but fail to protect the parallel /api/customers/export endpoint with equivalent authorization.

Attackers iterate through resource names, HTTP verbs, and common action suffixes. They test /api/users/delete, /api/accounts/disable, /api/settings/reset, and /api/data/export against their low-privilege tokens. Automated scanners generate thousands of variations within minutes.

### Mixed Administrative and User Functions

Microservices consolidate related operations in a single service boundary. The user service handles profile updates, password resets, role assignments, and account deletions. Developers protect role assignments with admin checks but forget to apply the same rigor to bulk operations at /api/users/bulk-delete. Path proximity creates a false sense of consistent protection.

## The Business Impact of Broken Function Level Authorization

Function-level authorization failures grant attackers administrative control over cloud infrastructure, customer data, and critical business operations. The vulnerability transforms authenticated low-privilege users into system administrators.

### Complete System Compromise

Admin-level access lets attackers reconfigure authentication systems, modify authorization rules, and create backdoor accounts. An attacker gaining administrative endpoint access can promote their own account to superuser status, disable security logging, and establish persistent access mechanisms that survive password resets and security audits.

Cloud environments amplify the damage. Administrative APIs control infrastructure provisioning, network configurations, and cross-service permissions. Compromising AWS, Azure, or GCP management APIs through broken function authorization grants control over compute resources, storage buckets, databases, and serverless functions across the environment.

### Data Exposure and Exfiltration

Administrative functions frequently include bulk export capabilities designed for legitimate backup and migration workflows. Endpoints like /api/users/export, /api/transactions/download, or /api/customers/report return complete datasets in single requests. Attackers invoke these functions for [data exfiltration](https://www.paloaltonetworks.com/cyberpedia/data-exfiltration?ts=markdown), often successfully extracting millions of customer records, financial transactions, or proprietary business data within seconds.

Multitenant platforms suffer cascading exposure. Breaching one tenant's administrative functions can reveal data from other tenants if the authorization layer fails to properly scope administrative access to organizational boundaries.

### Operational Destruction

Write operations under administrative paths modify or delete production data at scale. Bulk deletion endpoints remove customer accounts, transaction histories, or critical configurations. Update operations, change pricing structures, disable security features, or modify access control policies.

Infrastructure management APIs offer destructive capabilities. Unauthorized calls to /api/infrastructure/terminate or /api/databases/drop destroy live production systems. Recovery requires restoring from backups, assuming backup systems remain uncompromised.

### Compliance and Regulatory Failures

[SOC 2](https://www.paloaltonetworks.com/cyberpedia/soc-2?ts=markdown) Type II audits mandate role-based access controls with documented enforcement mechanisms. Function-level authorization gaps fail control objectives around logical access and change management. ISO 27001 certification requires demonstrable access restriction based on business need and role assignment. [GDPR](https://www.paloaltonetworks.com/cyberpedia/gdpr-compliance?ts=markdown) mandates access controls protecting [personal data](https://www.paloaltonetworks.com/cyberpedia/pii?ts=markdown) from unauthorized processing.

Audit findings trigger remediation requirements, delayed certifications, and customer contract violations. Enterprise customers demand evidence of [access control](https://www.paloaltonetworks.com/cyberpedia/access-control?ts=markdown) maturity before signing agreements or renewing contracts.

## Identifying Broken Function Level Authorization in Your APIs

Security teams discover function-level authorization gaps through systematic testing that maps every endpoint-method-role combination. Manual exploration combined with automated scanning reveals unprotected privileged operations.

### Manual Endpoint Enumeration

Start with comprehensive API documentation. OpenAPI specifications, Swagger files, and internal wikis list exposed endpoints, supported HTTP methods, and expected parameters. Teams often document administrative endpoints alongside public routes, revealing the complete attack surface.

Test each endpoint with multiple HTTP verbs regardless of documented support. Send GET, POST, PUT, PATCH, DELETE, and OPTIONS requests to every discovered path. An endpoint documented as GET-only might accept DELETE requests that skip authorization checks. Record which verbs return successful responses versus 405 Method Not Allowed errors.

Create test accounts representing every role in your system. You need standard users, premium users, group members, department managers, and administrators. Log authentication tokens for each role. Execute identical API requests using different role tokens to identify privilege boundaries.

### Cross-Role Authorization Testing

Build a matrix-mapping roles to endpoints. Rows represent user types. Columns represent API paths. Fill each cell by attempting the request with that role's credentials. Mark cells green for authorized access, red for properly blocked access, and yellow for unexpected authorization grants.

A complete matrix reveals authorization gaps immediately. If the "standard user" row shows green cells for /api/admin/users/export or /api/billing/refunds/process, you've found a broken function authorization. Yellow cells indicate authorization logic exists but behaves unexpectedly for specific role combinations.

### Automated Discovery and Scanning

Feed your API specification into authorization testing frameworks like OWASP ZAP, Burp Suite Enterprise, or specialized [API security](https://www.paloaltonetworks.com/cyberpedia/what-is-api-security?ts=markdown) platforms, including [CNAPP](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cloud-native-application-protection-platform?ts=markdown). Configure the scanner with multiple authentication contexts representing different user roles. The tool systematically requests that every endpoint-method pair with each credential set, flagging authorization mismatches.

Generate wordlists from common administrative terms. Tools like ffuf, Gobuster, or custom scripts iterate through variations of /api/admin, /api/manage, /api/internal, /api/system, combined with resource names and action verbs. Append discovered endpoints to your testing matrix.

Parse client-side applications for undocumented endpoints. Mobile app binaries, JavaScript bundles, and configuration files leak API routes that documentation omits. Attackers use the same discovery techniques, so security teams must test these hidden paths.

### Critical Testing Questions

Verification requires answering specific authorization questions for every endpoint.

* Can authenticated users with standard roles invoke this function?
* What happens when you change GET to DELETE at /api/resources/{id}?
* Do group membership checks prevent cross-group access to /api/billing/invoices from support team credentials?

Test whether new endpoints inherit permissive defaults or require explicit authorization configuration. Deploy a test endpoint without authorization decorators and attempt access with low-privilege tokens. If the request succeeds, your framework permits it by default.

## Preventing Broken Function Level Authorization: Best Practices

Secure APIs enforce authorization through centralized, deny-by-default mechanisms that explicitly grant function access based on verified roles. Prevention requires architectural decisions, consistent code patterns, and ongoing validation.

### Centralized Authorization Enforcement

Build a single authorization module that every endpoint invokes before executing business logic. Middleware frameworks like Express.js, Spring Security, or ASP.NET Core authorization filters provide injection points that intercept requests before they reach controller code. Configure these components to evaluate role requirements against authenticated user claims.

Deny all access by default. New endpoints start locked until developers explicitly declare which roles can invoke them. Framework configurations should require authorization annotations on every public method. Missing annotations trigger build failures or runtime exceptions in development environments.

Create reusable authorization components that accept role requirements as parameters. Rather than writing custom authorization logic in each endpoint, call a shared function that evaluates whether the current user's roles satisfy the declared requirements. Centralized code undergoes review once and applies consistently across hundreds of endpoints.

### Architectural Patterns for Admin Functions

Segregate administrative operations into dedicated controllers that inherit from an AdminBaseController abstract class. The base class constructor or initialization method verifies admin role membership before allowing any child method execution. Developers adding new admin endpoints inherit authorization automatically by extending the protected base class.

Implement attribute-based access control at the controller and method level. Decorators like @RequiresRole("admin") or \[Authorize(Roles = "Administrator")\] in C# declare authorization requirements directly in code adjacent to the protected function. Code reviewers see authorization requirements without hunting through configuration files.

Platform teams should provide template repositories with preconfigured authorization middleware and base controllers. New services clone the template and inherit secure-by-default patterns. Custom authorization logic gets reviewed as an exception requiring security team approval.

### Method and Endpoint Verification

Write authorization checks that evaluate both the HTTP verb and the resource path. An endpoint allowing GET /api/reports for standard users requires separate authorization logic for DELETE /api/reports. Routing frameworks that map multiple verbs to the same handler function need explicit authorization checks for each supported verb.

Place authorization validation inside business logic methods, not just at controller boundaries. A shared service method like UserService.deleteUser should verify caller permissions even when invoked from internal code paths. Defense in depth prevents authorization bypass through alternative invocation routes.

Avoid authorization decisions based on URL patterns. Code checking whether the path contains "/admin/" creates false security boundaries. Attackers request administrative functions deployed under non-admin paths. Role-based authorization logic should evaluate user claims against required permissions without parsing URLs.

### Continuous Authorization Audits

Maintain an authorization matrix mapping every endpoint-method combination to required roles. [API gateway](https://www.paloaltonetworks.com/cyberpedia/what-is-api-gateway?ts=markdown) configurations, OpenAPI specifications with security schemes, or dedicated authorization documentation should serve as the source of truth. Compare the actual endpoint auth code against the documented requirements during each deployment.

Automated tests should execute every endpoint with multiple role contexts and assert expected authorization outcomes. Integration test suites authenticate as different user types and verify that admin endpoints reject standard user tokens while user endpoints permit appropriate access.

Review authorization implementations when business requirements change. New user roles, organizational restructuring, or feature releases alter which users should access which functions. Schedule quarterly authorization audits that reconcile code-level permissions with current business policies.

## Broken Function Level Authorization FAQs

### What is attribute-based access control?

Attribute-based access control evaluates multiple characteristics of users, resources, and environmental conditions to make authorization decisions. ABAC policies combine attributes like department, clearance level, time of day, and data classification to grant or deny access. Cloud environments use ABAC to enforce context-aware permissions that adapt based on risk factors and resource sensitivity.

### What is a policy enforcement point?

Policy enforcement points intercept requests and apply authorization decisions before allowing access to protected resources. PEPs sit between clients and backend services, consulting policy decision points to determine whether the requested operation should proceed. API gateways, reverse proxies, and service meshes commonly implement PEP functionality in cloud architectures.

### What are OAuth scopes?

OAuth scopes represent granular permission boundaries that access tokens carry. When applications request authorization, they specify which capabilities they need through scope parameters. A token with "user:email" scope accesses email addresses but can't modify account settings. APIs check presented scopes against operation requirements, rejecting requests that lack sufficient authorization even with valid authentication.

### What is JWT claims validation?

JWT claims validation verifies that the attributes embedded within JSON Web Tokens match the authorization requirements for requested operations. Claims include user roles, group memberships, permission levels, and token expiration timestamps. APIs extract claims from decoded tokens and evaluate them against endpoint requirements before executing business logic, ensuring callers possess the necessary privileges.

### What is zero-trust architecture?

Zero-trust architecture eliminates implicit trust based on network location and requires explicit verification for every access request. Users and services prove their identity and authorization continuously rather than gaining broad access after initial authentication. Cloud platforms implement zero trust through identity-based segmentation, least-privileged access, and continuous authorization validation across service boundaries.

### What is the principle of least privilege?

The principle of least privilege grants users and systems only the minimum permissions required to complete their designated tasks. Accounts start with zero access and receive explicit grants for specific functions they need. Cloud IAM policies implement least privilege by denying all actions by default and permitting only documented, business-justified operations.
Related content  
[Secure Your Application Programming Interfaces (APIs)
API security is critical for application protection. Gain complete visibility, protect against threats, and eliminate blind spots with our tipsheet.](https://www.paloaltonetworks.com/resources/datasheets/tip-sheet-secure-your-apis?ts=markdown)  
[Securing the API Attack Surface
In partnership with the ESG research team, we surveyed IT, cybersecurity and application development professionals to uncover the latest trends in API security.](https://www.paloaltonetworks.com/resources/research/api-security-statistics-report?ts=markdown)  
[API Security
API security involves real-time protection against OWASP Top 10 attacks, DoS, and bot attacks, including SQL injection and cross-site scripting.](https://www.paloaltonetworks.com/cortex/cloud/api-security?ts=markdown)  
[Web Application and API Security | WAAS
Discover Cortex Cloud's WAAS module and automatically detect and protect your microservices-based web applications and APIs.](https://www.paloaltonetworks.com/cortex/cloud/web-app-api-security?ts=markdown)  
![Share page on facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/facebook-circular-icon.svg) ![Share page on linkedin](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/linkedin-circular-icon.svg) [![Share page by an email](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/email-circular-icon.svg)](mailto:?subject=What%20Is%20Broken%20Function%20Level%20Authorization%3F&body=API5%3A2023-Broken%20function%20level%20authorization%20allows%20users%20to%20access%20admin%20endpoints.%20Learn%20to%20identify%20and%20prevent%20this%20critical%20API%20security%20vulnerability.%20at%20https%3A//www.paloaltonetworks.com/cyberpedia/broken-function-level-authorization)  
Back to Top  
[Previous](https://www.paloaltonetworks.com/cyberpedia/api-security-monitoring?ts=markdown) API Security Monitoring  
[Next](https://www.paloaltonetworks.com/cyberpedia/unrestricted-access-sensitive-business-flows?ts=markdown) What Is Unrestricted Access to Sensitive Business Flows?  
{#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language