[](https://www.paloaltonetworks.com/?ts=markdown) * Sign In * Customer * Partner * Employee * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown) * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown) * EN * [USA (ENGLISH)](https://www.paloaltonetworks.com) * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au) * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br) * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca) * [CHINA (简体中文)](https://www.paloaltonetworks.cn) * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr) * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de) * [INDIA (ENGLISH)](https://www.paloaltonetworks.in) * [ITALY (ITALIANO)](https://www.paloaltonetworks.it) * [JAPAN (日本語)](https://www.paloaltonetworks.jp) * [KOREA (한국어)](https://www.paloaltonetworks.co.kr) * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat) * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx) * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg) * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es) * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw) * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk) * ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [What's New](https://www.paloaltonetworks.com/resources?ts=markdown) * [Get Support](https://support.paloaltonetworks.com/SupportAccount/MyAccount) * [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html) ![x close icon to close mobile navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/x-black.svg) [![Palo Alto Networks logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)](https://www.paloaltonetworks.com/?ts=markdown) ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg) * [](https://www.paloaltonetworks.com/?ts=markdown) * Products ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Products [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [AI Security](https://www.paloaltonetworks.com/ai-security?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise Device Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical Device Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Next-Gen Trust Security](https://www.paloaltonetworks.com/network-security/next-gen-trust-security?ts=markdown) * [OT Device Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex AgentiX](https://www.paloaltonetworks.com/cortex/agentix?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Exposure Management](https://www.paloaltonetworks.com/cortex/exposure-management?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Cortex Advanced Email Security](https://www.paloaltonetworks.com/cortex/advanced-email-security?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Unit 42 Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) [Next-Generation Identity Security](https://www.paloaltonetworks.com/idira?ts=markdown) * [Privileged Access Management](https://www.paloaltonetworks.com/idira/human/privileged-access-management?ts=markdown) * [Identity and Access Management](https://www.paloaltonetworks.com/idira/human/identity-and-access-management?ts=markdown) * [Endpoint Privilege Manager](https://www.paloaltonetworks.com/idira/human/endpoint-privilege-manager?ts=markdown) * [Identity Governance](https://www.paloaltonetworks.com/idira/human/identity-governance?ts=markdown) * [Workforce Password Management](https://www.paloaltonetworks.com/idira/human/workforce-password-management?ts=markdown) * [Agentic Identities](https://www.paloaltonetworks.com/idira/agentic?ts=markdown) * [Secrets Management](https://www.paloaltonetworks.com/idira/machine/secrets-management?ts=markdown) * [Unified Secrets Governance](https://www.paloaltonetworks.com/idira/machine/unified-secrets-governance?ts=markdown) * [Application Credentials Delivery](https://www.paloaltonetworks.com/idira/machine/application-credentials-delivery?ts=markdown) * [Vendor Privileged Access](https://www.paloaltonetworks.com/idira/human/vendor-privileged-access?ts=markdown) * Solutions ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Solutions Secure AI by Design * [Secure AI Ecosystem](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [Secure GenAI Usage](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) Network Security * [Cloud Network Security](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Data Center Security](https://www.paloaltonetworks.com/network-security/data-center?ts=markdown) * [DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Intrusion Detection and Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Device Security](https://www.paloaltonetworks.com/network-security/device-security?ts=markdown) * [OT Security](https://www.paloaltonetworks.com/network-security/ot-security-solution?ts=markdown) * [5G Security](https://www.paloaltonetworks.com/network-security/5g-security?ts=markdown) * [Secure All Apps, Users and Locations](https://www.paloaltonetworks.com/sase/secure-users-data-apps-devices?ts=markdown) * [Secure Branch Transformation](https://www.paloaltonetworks.com/sase/secure-branch-transformation?ts=markdown) * [Secure Work on Any Device](https://www.paloaltonetworks.com/sase/secure-work-on-any-device?ts=markdown) * [VPN Replacement](https://www.paloaltonetworks.com/sase/vpn-replacement-for-secure-remote-access?ts=markdown) * [Web \& Phishing Security](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) Cloud Security * [Application Security Posture Management (ASPM)](https://www.paloaltonetworks.com/cortex/cloud/application-security-posture-management?ts=markdown) * [Software Supply Chain Security](https://www.paloaltonetworks.com/cortex/cloud/software-supply-chain-security?ts=markdown) * [Code Security](https://www.paloaltonetworks.com/cortex/cloud/code-security?ts=markdown) * [Cloud Security Posture Management (CSPM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-security-posture-management?ts=markdown) * [Cloud Infrastructure Entitlement Management (CIEM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-infrastructure-entitlement-management?ts=markdown) * [Data Security Posture Management (DSPM)](https://www.paloaltonetworks.com/cortex/cloud/data-security-posture-management?ts=markdown) * [AI Security Posture Management (AI-SPM)](https://www.paloaltonetworks.com/cortex/cloud/ai-security-posture-management?ts=markdown) * [Cloud Detection and Response (CDR)](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown) * [Cloud Workload Protection (CWP)](https://www.paloaltonetworks.com/cortex/cloud/cloud-workload-protection?ts=markdown) * [Web Application \& API Security (WAAS)](https://www.paloaltonetworks.com/cortex/cloud/web-app-api-security?ts=markdown) Security Operations * [Cloud Detection and Response (CDR)](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown) * [Security Information and Event Management](https://www.paloaltonetworks.com/cortex/modernize-siem?ts=markdown) * [Network Security Automation](https://www.paloaltonetworks.com/cortex/network-security-automation?ts=markdown) * [Incident Case Management](https://www.paloaltonetworks.com/cortex/incident-case-management?ts=markdown) * [SOC Automation](https://www.paloaltonetworks.com/cortex/security-operations-automation?ts=markdown) * [Threat Intel Management](https://www.paloaltonetworks.com/cortex/threat-intel-management?ts=markdown) * [Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Attack Surface Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/attack-surface-management?ts=markdown) * [Compliance Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/compliance-management?ts=markdown) * [Internet Operations Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/internet-operations-management?ts=markdown) * [Extended Data Lake (XDL)](https://www.paloaltonetworks.com/cortex/cortex-xdl?ts=markdown) * [Agentic Assistant](https://www.paloaltonetworks.com/cortex/cortex-agentic-assistant?ts=markdown) Endpoint Security * [Endpoint Protection](https://www.paloaltonetworks.com/cortex/endpoint-protection?ts=markdown) * [Extended Detection \& Response](https://www.paloaltonetworks.com/cortex/detection-and-response?ts=markdown) * [Ransomware Protection](https://www.paloaltonetworks.com/cortex/ransomware-protection?ts=markdown) * [Digital Forensics](https://www.paloaltonetworks.com/cortex/digital-forensics?ts=markdown) Identity Security * [Human Identities](https://www.paloaltonetworks.com/idira/human?ts=markdown) * [Machine Identities](https://www.paloaltonetworks.com/idira/machine?ts=markdown) * [Agentic Identities](https://www.paloaltonetworks.com/idira/agentic?ts=markdown) [Industries](https://www.paloaltonetworks.com/industry?ts=markdown) * [Public Sector](https://www.paloaltonetworks.com/industry/public-sector?ts=markdown) * [Financial Services](https://www.paloaltonetworks.com/industry/financial-services?ts=markdown) * [Manufacturing](https://www.paloaltonetworks.com/industry/manufacturing?ts=markdown) * [Healthcare](https://www.paloaltonetworks.com/industry/healthcare?ts=markdown) * [Small \& Medium Business Solutions](https://www.paloaltonetworks.com/industry/small-medium-business-portfolio?ts=markdown) * Services ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Services [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Assess](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Frontier AI Defense](https://www.paloaltonetworks.com/unit42/ai-advantage?ts=markdown) * [AI Security Assessment](https://www.paloaltonetworks.com/unit42/assess/ai-security-assessment?ts=markdown) * [Attack Surface Assessment](https://www.paloaltonetworks.com/unit42/assess/attack-surface-assessment?ts=markdown) * [Breach Readiness Review](https://www.paloaltonetworks.com/unit42/assess/breach-readiness-review?ts=markdown) * [BEC Readiness Assessment](https://www.paloaltonetworks.com/bec-readiness-assessment?ts=markdown) * [Cloud Security Assessment](https://www.paloaltonetworks.com/unit42/assess/cloud-security-assessment?ts=markdown) * [Compromise Assessment](https://www.paloaltonetworks.com/unit42/assess/compromise-assessment?ts=markdown) * [Cyber Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/cyber-risk-assessment?ts=markdown) * [M\&A Cyber Due Diligence](https://www.paloaltonetworks.com/unit42/assess/mergers-acquisitions-cyber-due-diligence?ts=markdown) * [Penetration Testing](https://www.paloaltonetworks.com/unit42/assess/penetration-testing?ts=markdown) * [Purple Team Exercises](https://www.paloaltonetworks.com/unit42/assess/purple-teaming?ts=markdown) * [Ransomware Readiness Assessment](https://www.paloaltonetworks.com/unit42/assess/ransomware-readiness-assessment?ts=markdown) * [SOC Assessment](https://www.paloaltonetworks.com/unit42/assess/soc-assessment?ts=markdown) * [Supply Chain Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/supply-chain-risk-assessment?ts=markdown) * [Tabletop Exercises](https://www.paloaltonetworks.com/unit42/assess/tabletop-exercise?ts=markdown) * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * [Respond](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Cloud Incident Response](https://www.paloaltonetworks.com/unit42/respond/cloud-incident-response?ts=markdown) * [Digital Forensics](https://www.paloaltonetworks.com/unit42/respond/digital-forensics?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond/incident-response?ts=markdown) * [Managed Detection and Response](https://www.paloaltonetworks.com/unit42/respond/managed-detection-response?ts=markdown) * [Managed Threat Hunting](https://www.paloaltonetworks.com/unit42/respond/managed-threat-hunting?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * [Transform](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [IR Plan Development and Review](https://www.paloaltonetworks.com/unit42/transform/incident-response-plan-development-review?ts=markdown) * [Security Program Design](https://www.paloaltonetworks.com/unit42/transform/security-program-design?ts=markdown) * [Virtual CISO](https://www.paloaltonetworks.com/unit42/transform/vciso?ts=markdown) * [Zero Trust Advisory](https://www.paloaltonetworks.com/unit42/transform/zero-trust-advisory?ts=markdown) [Global Customer Services](https://www.paloaltonetworks.com/services?ts=markdown) * [Education \& Training](https://www.paloaltonetworks.com/services/education?ts=markdown) * [Professional Services](https://www.paloaltonetworks.com/services/consulting?ts=markdown) * [Success Tools](https://www.paloaltonetworks.com/services/customer-success-tools?ts=markdown) * [Support Services](https://www.paloaltonetworks.com/services/solution-assurance?ts=markdown) * [Customer Success](https://www.paloaltonetworks.com/services/customer-success?ts=markdown) [![](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/logo-unit-42.svg) UNIT 42 RETAINER Custom-built to fit your organization's needs, you can choose to allocate your retainer hours to any of our offerings, including proactive cyber risk management services. Learn how you can put the world-class Unit 42 Incident Response team on speed dial. Learn more](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * Partners ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Partners NextWave Partners * [NextWave Partner Community](https://www.paloaltonetworks.com/partners?ts=markdown) * [Cloud Service Providers](https://www.paloaltonetworks.com/partners/nextwave-for-csp?ts=markdown) * [Global Systems Integrators](https://www.paloaltonetworks.com/partners/nextwave-for-gsi?ts=markdown) * [Technology Partners](https://www.paloaltonetworks.com/partners/technology-partners?ts=markdown) * [Service Providers](https://www.paloaltonetworks.com/partners/service-providers?ts=markdown) * [Solution Providers](https://www.paloaltonetworks.com/partners/nextwave-solution-providers?ts=markdown) * [Managed Security Service Providers](https://www.paloaltonetworks.com/partners/managed-security-service-providers?ts=markdown) Take Action * [Portal Login](https://www.paloaltonetworks.com/partners/nextwave-partner-portal?ts=markdown) * [Managed Services Program](https://www.paloaltonetworks.com/partners/managed-security-services-provider-program?ts=markdown) * [Become a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=becomepartner) * [Request Access](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=requestaccess) * [Find a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerlocator) [CYBERFORCE CYBERFORCE represents the top 1% of partner engineers trusted for their security expertise. Learn more](https://www.paloaltonetworks.com/cyberforce?ts=markdown) * Company ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Company Palo Alto Networks * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Management Team](https://www.paloaltonetworks.com/about-us/management?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com) * [Locations](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Ethics \& Compliance](https://www.paloaltonetworks.com/company/ethics-and-compliance?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Military \& Veterans](https://jobs.paloaltonetworks.com/military) [Why Palo Alto Networks?](https://www.paloaltonetworks.com/why-paloaltonetworks?ts=markdown) * [Precision AI Security](https://www.paloaltonetworks.com/precision-ai-security?ts=markdown) * [Our Platform Approach](https://www.paloaltonetworks.com/why-paloaltonetworks/platformization?ts=markdown) * [Accelerate Your Cybersecurity Transformation](https://www.paloaltonetworks.com/why-paloaltonetworks/nam-cxo-portfolio?ts=markdown) * [Awards \& Recognition](https://www.paloaltonetworks.com/about-us/awards?ts=markdown) * [Customer Stories](https://www.paloaltonetworks.com/customers?ts=markdown) * [Global Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Trust 360 Program](https://www.paloaltonetworks.com/resources/whitepapers/trust-360?ts=markdown) Careers * [Overview](https://jobs.paloaltonetworks.com/) * [Culture \& Benefits](https://jobs.paloaltonetworks.com/en/culture/) [A Newsweek Most Loved Workplace "Businesses that do right by their employees" Read more](https://www.paloaltonetworks.com/company/press/2021/palo-alto-networks-secures-top-ranking-on-newsweek-s-most-loved-workplaces-list-for-2021?ts=markdown) * More ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) More Resources * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Unit 42 Threat Research](https://unit42.paloaltonetworks.com/) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Tech Insider](https://techinsider.paloaltonetworks.com/) * [Knowledge Base](https://knowledgebase.paloaltonetworks.com/) * [Palo Alto Networks TV](https://tv.paloaltonetworks.com/) * [Perspectives of Leaders](https://www.paloaltonetworks.com/perspectives/?ts=markdown) * [Cyber Perspectives Magazine](https://www.paloaltonetworks.com/cybersecurity-perspectives/cyber-perspectives-magazine?ts=markdown) * [Regional Cloud Locations](https://www.paloaltonetworks.com/products/regional-cloud-locations?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Security Posture Assessment](https://www.paloaltonetworks.com/security-posture-assessment?ts=markdown) * [Threat Vector Podcast](https://unit42.paloaltonetworks.com/unit-42-threat-vector-podcast/) * [Packet Pushers Podcasts](https://www.paloaltonetworks.com/podcasts/packet-pusher?ts=markdown) Connect * [LIVE community](https://live.paloaltonetworks.com/) * [Events](https://events.paloaltonetworks.com/) * [Executive Briefing Center](https://www.paloaltonetworks.com/about-us/executive-briefing-program?ts=markdown) * [Demos](https://www.paloaltonetworks.com/demos?ts=markdown) * [Contact us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) [Blog Stay up-to-date on industry trends and the latest innovations from the world's largest cybersecurity Learn more](https://www.paloaltonetworks.com/blog/) * Sign In ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Sign In * Customer * Partner * Employee * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown) * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown) * EN ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Language * [USA (ENGLISH)](https://www.paloaltonetworks.com) * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au) * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br) * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca) * [CHINA (简体中文)](https://www.paloaltonetworks.cn) * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr) * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de) * [INDIA (ENGLISH)](https://www.paloaltonetworks.in) * [ITALY (ITALIANO)](https://www.paloaltonetworks.it) * [JAPAN (日本語)](https://www.paloaltonetworks.jp) * [KOREA (한국어)](https://www.paloaltonetworks.co.kr) * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat) * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx) * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg) * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es) * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw) * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [What's New](https://www.paloaltonetworks.com/resources?ts=markdown) * [Get support](https://support.paloaltonetworks.com/SupportAccount/MyAccount) * [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html) * [Demos and Trials](https://www.paloaltonetworks.com/get-started?ts=markdown) Search All * [Tech Docs](https://docs.paloaltonetworks.com/search) Close search modal [Introducing Idira, the next-generation identity security platform.](https://www.paloaltonetworks.com/idira?ts=markdown) [](https://www.paloaltonetworks.com/?ts=markdown) 1. [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) 2. [Cybersecurity](https://www.paloaltonetworks.com/cyberpedia/cyber-security?ts=markdown) 3. [Quantum Security](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-security?ts=markdown) 4. [NIST PQC Migration](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips?ts=markdown) Table of Contents * [What Is Quantum Security? Preparing for the Post-Quantum Era](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-security?ts=markdown) * [What does the industry really mean by "quantum security"?](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-security#what?ts=markdown) * [Why won't today's encryption hold up against quantum computers?](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-security#why?ts=markdown) * [What is post-quantum cryptography, and why is it relevant?](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-security#post?ts=markdown) * [Where do QKD and QRNG fit into quantum security?](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-security#where?ts=markdown) * [Why is quantum security so challenging to put in place?](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-security#challenging?ts=markdown) * [How are organizations getting quantum ready today?](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-security#organizations?ts=markdown) * [Is the quantum threat imminent --- or still years away?](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-security#threat?ts=markdown) * [Quantum security FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-security#faqs?ts=markdown) * NIST PQC Migration Strategies: Steps, Standards \& Tips * [NIST-PQC Migration Explained](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#explained?ts=markdown) * [Why Organizations Need to Prepare Now](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#why?ts=markdown) * [NIST-PQC Standards Organizations Need to Understand](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#standards?ts=markdown) * [Steps to a Successful PQC Migration](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#successful?ts=markdown) * [NIST-PQC Migration Checklist](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#checklist?ts=markdown) * [Common NIST-PQC Migration Challenges](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#common?ts=markdown) * [NIST-PQC Migration FAQs](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#faqs?ts=markdown) * [What Is Post-Quantum Cryptography (PQC)? A Complete Guide](https://www.paloaltonetworks.com/cyberpedia/what-is-post-quantum-cryptography-pqc?ts=markdown) * [Post-Quantum Cryptography Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-post-quantum-cryptography-pqc#explained?ts=markdown) * [The Quantum Threat to Modern Encryption](https://www.paloaltonetworks.com/cyberpedia/what-is-post-quantum-cryptography-pqc#encryption?ts=markdown) * [How Post-Quantum Cryptography Works](https://www.paloaltonetworks.com/cyberpedia/what-is-post-quantum-cryptography-pqc#how?ts=markdown) * [Standardized Algorithms: NIST FIPS 203, 204, and 205](https://www.paloaltonetworks.com/cyberpedia/what-is-post-quantum-cryptography-pqc#algorithms?ts=markdown) * [Preparing for the Post-Quantum Transition](https://www.paloaltonetworks.com/cyberpedia/what-is-post-quantum-cryptography-pqc#transition?ts=markdown) * [PQC Challenges and Implementation Pitfalls](https://www.paloaltonetworks.com/cyberpedia/what-is-post-quantum-cryptography-pqc#challenges?ts=markdown) * [How Can Organizations Prepare for PQC?](https://www.paloaltonetworks.com/cyberpedia/what-is-post-quantum-cryptography-pqc#prepare?ts=markdown) * [Post-Quantum Cryptography FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-post-quantum-cryptography-pqc#faqs?ts=markdown) * [8 Quantum Computing Cybersecurity Risks \[+ Protection Tips\]](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-computings-threat-to-cybersecurity?ts=markdown) * [Quantum Computing's Risk to Cybersecurity Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-computings-threat-to-cybersecurity#explained?ts=markdown) * [8 Quantum Computing Threats to Cybersecurity](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-computings-threat-to-cybersecurity#cybersecurity?ts=markdown) * [Quantum Threat and Readiness Timeline](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-computings-threat-to-cybersecurity#timeline?ts=markdown) * [How Organizations Can Prepare for Quantum Cybersecurity Risks](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-computings-threat-to-cybersecurity#how?ts=markdown) * [Consequences of Failing to Prepare Before Q-Day](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-computings-threat-to-cybersecurity#consequences?ts=markdown) * [Quantum Computing Cybersecurity Risk Examples](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-computings-threat-to-cybersecurity#examples?ts=markdown) * [Quantum Computing's Threats to Cybersecurity FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-computings-threat-to-cybersecurity#faqs?ts=markdown) # What Is NIST-PQC Migration? 3 min. read [Assess Your Quantum Readiness Now](https://start.paloaltonetworks.com/quantum-readiness-assessment.html) Table of Contents * * [NIST-PQC Migration Explained](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#explained?ts=markdown) * [Why Organizations Need to Prepare Now](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#why?ts=markdown) * [NIST-PQC Standards Organizations Need to Understand](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#standards?ts=markdown) * [Steps to a Successful PQC Migration](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#successful?ts=markdown) * [NIST-PQC Migration Checklist](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#checklist?ts=markdown) * [Common NIST-PQC Migration Challenges](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#common?ts=markdown) * [NIST-PQC Migration FAQs](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#faqs?ts=markdown) 1. NIST-PQC Migration Explained * * [NIST-PQC Migration Explained](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#explained?ts=markdown) * [Why Organizations Need to Prepare Now](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#why?ts=markdown) * [NIST-PQC Standards Organizations Need to Understand](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#standards?ts=markdown) * [Steps to a Successful PQC Migration](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#successful?ts=markdown) * [NIST-PQC Migration Checklist](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#checklist?ts=markdown) * [Common NIST-PQC Migration Challenges](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#common?ts=markdown) * [NIST-PQC Migration FAQs](https://www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips#faqs?ts=markdown) NIST-PQC (post-quantum cryptography) migration is the process of preparing enterprise systems, applications, identities, certificates, and encrypted communications for [post-quantum cryptography](https://www.paloaltonetworks.com/cyberpedia/what-is-post-quantum-cryptography-pqc?ts=markdown) standards developed by the National Institute of Standards and Technology. Organizations can prepare by inventorying cryptographic assets, prioritizing high-risk data, testing quantum-resistant algorithms, adopting crypto-agility, and aligning vendor, procurement, and compliance programs with NIST post-quantum cryptography requirements. Key Points * **Start with cryptographic discovery**: Organizations need a complete inventory of where RSA, ECC, Diffie-Hellman, certificates, keys, and cryptographic libraries are used. \* **Prioritize long-lived sensitive data**: Data that must remain confidential for years is most exposed to "harvest now, decrypt later" attacks. \* **Adopt crypto-agility**: Security teams need architectures that allow algorithms to be replaced without major system redesign. \* **Test before production**: NIST-PQC algorithms can increase key sizes, signature sizes, packet sizes, and latency. \* **Align vendors and procurement**: New systems should support NIST post-quantum cryptography standards and future cryptographic updates. ## NIST-PQC Migration Explained NIST-PQC migration prepares organizations to replace vulnerable public-key cryptography with quantum-resistant algorithms standardized by the [National Institute of Standards and Technology](https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards). The migration affects the cryptographic foundations used across enterprise security, including [identity](/content/pan/en_us/cyberpedia/what-is-identity-security), [authentication](/content/pan/en_us/cyberpedia/what-is-authentication-and-authorization), [certificates](/content/pan/en_us/cyberpedia/what-is-certificate-management), [TLS](/content/pan/en_us/cyberpedia/what-is-tls-certificate-renewal), [VPNs](/content/pan/en_us/cyberpedia/vpn-security), software signing, secure boot, and encrypted communications. The urgency comes from the risk that future cryptographically relevant quantum computers could break widely used [public-key algorithms](/content/pan/en_us/cyberpedia/what-is-pki) such as RSA, elliptic curve cryptography, and Diffie-Hellman. While large-scale quantum computers capable of breaking these systems do not yet exist, adversaries can already collect encrypted data today and store it for future decryption. This threat is known as [harvest now, decrypt later](/content/pan/en_us/cyberpedia/harvest-now-decrypt-later-hndl), or HNDL. For organizations that protect long-lived sensitive data, the risk is immediate because the exposure begins when encrypted data is captured, not when quantum computers become available. Preparing for NIST-PQC migration is not simply a technical upgrade. It requires enterprise-wide planning across security, IT, engineering, compliance, procurement, vendor management, and executive leadership. ![Diagram showing how dynamic labels such as user ID, pod name, and IP address create millions of unique time series in observability systems, leading to high costs, slow queries, and complex management.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/nist-pqc-migration-strategies/hndl-lifecycle.jpg) ***Figure 1**: Harvest Now, Decrypt Later Lifecycle* Recommended Reading: [What Is Q-Day?](/content/pan/en_us/cyberpedia/what-is-q-day) ## Why Organizations Need to Prepare Now Adversaries are currently recording encrypted traffic from high-value targets with the intent to decrypt it once a quantum computer is available. [Unit 42's 2026 Global Incident Response Report](https://www.paloaltonetworks.com/blog/2026/02/unit-42-global-ir-report/?ts=markdown) highlights that AI has compressed the attack lifecycle, allowing threat actors to move from initial access to data exfiltration in as little as 72 minutes. Migration to NIST PQC will take years for many enterprises. Cryptography is deeply embedded in applications, devices, cloud services, third-party tools, network infrastructure, and identity systems. Many organizations lack full visibility into where cryptography exists, which algorithms are in use, or which systems depend on vulnerable public-key methods. Delaying preparation creates several risks: * Sensitive data may be harvested now and decrypted later. * [Legacy systems](/content/pan/en_us/cyberpedia/what-is-cybersecurity-platformization) may become more difficult and more expensive to upgrade. * Vendors may not be ready when migration pressure increases. * Compliance expectations may outpace internal readiness. * Organizations may lack the required inventory to prioritize risk. * Critical systems may experience performance or interoperability issues during a rushed migration. The practical goal is not to replace every algorithm immediately. The first goal is to understand exposure, build a migration roadmap, and make sure future systems can support [post-quantum cryptography](/content/pan/en_us/cyberpedia/what-is-quantum-security). ## NIST-PQC Standards Organizations Need to Understand Security leaders should understand which NIST standards affect enterprise migration planning. ### FIPS 203: ML-KEM for Key Exchange [FIPS 203](https://csrc.nist.gov/pubs/fips/203/final) defines ML-KEM, the Module-Lattice-Based Key-Encapsulation Mechanism. ML-KEM is designed for quantum-resistant key exchange and is expected to be used in areas such as TLS, VPNs, and secure session establishment. Organizations should evaluate where current systems use RSA, Diffie-Hellman, or elliptic curve cryptography for key exchange. These systems are likely candidates for future ML-KEM support or hybrid deployment. ### FIPS 204: ML-DSA for Digital Signatures [FIPS 204](https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.204.pdf) defines ML-DSA, the Module-Lattice-Based Digital Signature Algorithm. ML-DSA supports quantum-resistant digital signatures for identity, software signing, certificates, secure boot, and supply chain validation. Organizations should identify systems that depend on digital signatures to prove trust, authenticity, or integrity. These may include software update pipelines, code-signing systems, certificate authorities, identity providers, and device authentication workflows. [Unit 42 research](https://www.paloaltonetworks.com/blog/2026/02/unit-42-global-ir-report/?ts=markdown) indicates that 23% of incidents involve attackers abusing trusted SaaS integrations. Digital signatures are mandatory because they prove that an identity, message, update, or transaction has not been forged or altered. As quantum risk grows, organizations will need quantum-resistant signature schemes to maintain trust in software, devices, users, and services. ### FIPS 205: SLH-DSA for High-Assurance Signatures [FIPS 205](https://csrc.nist.gov/pubs/fips/205/final) defines SLH-DSA, the Stateless Hash-Based Digital Signature Algorithm. SLH-DSA provides a hash-based signature option that can serve as a conservative fallback where long-term assurance is more important than speed or compact signature size. Organizations should consider SLH-DSA for high-assurance signing use cases where long-term integrity matters and larger signatures are acceptable. ## Steps to a Successful PQC Migration Migrating to post-quantum cryptography requires more than swapping out encryption algorithms. Organizations need a phased approach that identifies where cryptography is used, assesses quantum-related risk, prioritizes vulnerable systems, establishes governance, and updates security controls without disrupting business operations. The following eight steps provide a practical roadmap for moving from cryptographic discovery to quantum-safe readiness. ### Step 1: Build a Cryptographic Inventory Organizations cannot migrate what they cannot see. The first step in NIST-PQC preparation is a cryptographic inventory across applications, infrastructure, cloud environments, endpoints, identities, and third-party systems. A cryptographic inventory should document: | Inventory Area | What to Capture | | **Algorithms** | RSA, ECC, Diffie-Hellman, AES, SHA, TLS versions, custom cryptography | | **Certificates** | Issuers, expiration dates, key sizes, certificate chains, renewal processes | | **Keys** | Key type, length, location, rotation schedule, ownership | | **Protocols** | TLS, SSH, IPsec, S/MIME, VPN, mTLS, application-layer encryption | | **Libraries** | OpenSSL, BoringSSL, Java cryptography libraries, vendor-provided libraries | | **Applications** | Internal apps, SaaS integrations, APIs, customer-facing services | | **Infrastructure** | Firewalls, load balancers, proxies, VPN gateways, network appliances | | **Devices** | IoT, OT, mobile, embedded systems, unmanaged devices | | **Vendors** | Third-party products, SaaS platforms, managed services, software dependencies | |--------------------|-------------------------------------------------------------------------------| The inventory should also identify business owners, technical owners, data sensitivity, system criticality, and migration complexity. This step usually exposes uncomfortable truths: shadow IT, expired certificates, legacy applications, unmanaged cryptographic libraries, and systems no one wants to admit are still running. That is exactly why the inventory matters. ### Step 2: Identify Data at Risk from Harvest Now, Decrypt Later Attacks Not every system needs the same migration urgency. Organizations should prioritize data based on how long it must remain confidential. High-risk data includes: * National security information * Trade secrets * Intellectual property * Medical records * Financial records * Legal communications * Personally identifiable information * Critical infrastructure data * Long-term customer or citizen records A simple way to prioritize is to ask: If this encrypted data were stolen today and decrypted in 5, 10, or 15 years, would it still cause harm? If the answer is yes, the system should move higher on the NIST-PQC migration roadmap. ### Step 3: Prioritize Systems for Migration After inventorying cryptographic assets and identifying sensitive data, organizations should rank systems by risk and business impact. Priority should go to systems that: * Transmit or store long-lived sensitive data * Use RSA, ECC, or Diffie-Hellman for key exchange * Support identity, authentication, or trust decisions * Rely on digital signatures for software integrity * Connect to critical infrastructure * Support regulated workloads * Depend on third-party cryptographic libraries * Have long procurement or replacement cycles * Are difficult to patch or update Common high-priority systems include: | Priority System | Why It Matters | | PKI and certificate authorities | Trust foundation for identity, authentication, and encryption | | VPN and remote access systems | Protect sensitive traffic across networks | | TLS-enabled applications | Secure web, API, and application communications | | Identity providers | Support authentication and access decisions | | Code-signing systems | Protect software supply chain integrity | | Secure boot systems | Validate trusted device and workload startup | | Critical infrastructure systems | Often have long lifecycles and limited upgrade paths | | IoT and OT devices | May be constrained, difficult to patch, or vendor-dependent | |---------------------------------|---------------------------------------------------------------| The migration roadmap should balance quantum risk, business criticality, operational complexity, and vendor readiness. ### Step 4: Create a NIST-PQC Governance Program NIST-PQC migration cuts across many teams, so it needs governance. A dedicated PQC working group or center of excellence can help coordinate strategy, ownership, budget, and execution. The governance group should include representatives from: * Security * IT * Network engineering * Cloud engineering * Application development * Identity and access management * Legal * Compliance * Procurement * Vendor management * Risk management * Executive leadership This group should own: * Cryptographic inventory standards * Risk prioritization * Migration roadmap * Vendor requirements * Procurement language * Testing requirements * Compliance alignment * Budget planning * Executive reporting Without governance, PQC migration can become scattered across teams, tools, and vendors. That leads to duplicated work, inconsistent decisions, and avoidable risk. ### Step 5: Build Crypto-Agility into the Environment [Crypto-agility](/content/pan/en_us/cyberpedia/what-is-cryptographic-agility) is the ability to replace cryptographic algorithms, keys, libraries, and protocols without redesigning major systems. It is one of the most important requirements for NIST-PQC migration because standards, vendor implementations, and best practices will continue to evolve. Organizations can improve crypto-agility by: * Centralizing cryptographic libraries * Avoiding hardcoded algorithms * Using configurable cryptographic policies * Standardizing certificate and key management * Maintaining accurate cryptographic asset ownership * Building algorithm replacement into software development practices * Requiring vendors to support cryptographic updates * Testing fallback and rollback procedures Crypto-agility also protects organizations beyond the quantum transition. If a future vulnerability affects a cryptographic algorithm or implementation, agile environments can respond faster and with less disruption. ### Step 6: Evaluate Hybrid Cryptography During the transition to post-quantum cryptography, many organizations will use hybrid cryptographic deployments. Hybrid approaches combine a classical algorithm, such as ECDH, with a post-quantum algorithm, such as ML-KEM. [Hybrid cryptography](/content/pan/en_us/cyberpedia/what-is-hybrid-cryptography) helps organizations maintain current security while adding quantum resistance. If a post-quantum algorithm or implementation later reveals an issue, the classical algorithm still protects against conventional attacks during the transition period. Organizations should consider hybrid deployment for: * TLS * VPNs * mTLS * API communications * Secure remote access * High-value data exchange * Cloud-to-cloud communications * Critical business applications Hybrid deployment should be tested carefully because it can increase [handshake](/content/pan/en_us/cyberpedia/what-is-a-tls-handshake) size, affect latency, and create interoperability issues with existing infrastructure. ### Step 7: Test Performance and Interoperability NIST-PQC migration can affect performance because post-quantum keys, ciphertexts, and signatures are often larger than classical equivalents. That does not mean migration is impractical, but it does mean organizations need testing before production rollout. Testing should evaluate: * TLS handshake size * Packet fragmentation * Latency * Load balancer behavior * Firewall inspection * VPN negotiation * Certificate chain size * Memory consumption * CPU usage * IoT and mobile device constraints * Application compatibility * Failure and rollback behavior For example, larger PQC signatures may affect certificate chains, [software signing](/content/pan/en_us/cyberpedia/what-is-an-x509-certificate), or constrained devices. Larger key exchange payloads may affect TLS handshakes, VPNs, and network appliances. The goal is to identify these issues early, not during an emergency migration window. ### Step 8: Align Vendors, Procurement, and Contracts NIST-PQC migration depends heavily on vendor readiness. Many organizations rely on third-party products for identity, cloud services, network security, endpoint security, application delivery, certificate management, and software development. Procurement and vendor management teams should require vendors to answer: * Do you support NIST PQC standards? * Which standards do you support: ML-KEM, ML-DSA, SLH-DSA? * Do you support hybrid cryptography? * What is your PQC roadmap? * Can your product support crypto-agility? * Which cryptographic libraries do you use? * How are certificates, keys, and algorithms managed? * What customer configuration changes are required? * What performance impacts should we expect? * What is the migration timeline? New technology purchases should include PQC readiness and crypto-agility requirements. Otherwise, organizations may keep buying systems that become future migration problems. ## NIST-PQC Migration Checklist Organizations preparing for NIST-PQC migration can use the following checklist to assign ownership, prioritize risk, and sequence work across security, IT, compliance, procurement, and vendor teams. | Related Step | Action | Purpose | | **Step 1** | Build a cryptographic inventory | Identify where cryptography is used across applications, infrastructure, cloud environments, endpoints, identities, certificates, keys, protocols, libraries, and vendors. | | **Step 1** | Identify RSA, ECC, and Diffie-Hellman use | Locate public-key cryptography that may be vulnerable to future quantum attacks. | | **Step 1** | Review PKI and certificate systems | Understand certificate authorities, certificate chains, expiration dates, key sizes, renewal processes, and trust dependencies. | | **Step 2** | Map sensitive data flows | Identify where long-lived confidential data is stored, transmitted, or exposed to "harvest now, decrypt later" risk. | | **Step 2** | Prioritize long-lived sensitive data | Determine which data would still cause harm if decrypted in 5, 10, or 15 years. | | **Step 3** | Prioritize systems for migration | Rank systems based on quantum risk, business criticality, data sensitivity, regulatory exposure, and technical complexity. | | **Step 3** | Identify high-priority trust systems | Prioritize PKI, VPNs, TLS-enabled applications, identity providers, code-signing systems, secure boot, critical infrastructure, IoT, and OT systems. | | **Step 4** | Create a PQC working group | Establish cross-functional ownership across security, IT, engineering, identity, legal, compliance, procurement, vendor management, risk, and leadership. | | **Step 4** | Define governance responsibilities | Assign ownership for inventory standards, risk prioritization, vendor requirements, testing, budget planning, and executive reporting. | | **Step 5** | Implement crypto-agility | Enable algorithms, keys, libraries, and protocols to be replaced without major system redesign. | | **Step 5** | Remove hardcoded cryptography | Use configurable cryptographic policies and centralized libraries to support future algorithm changes. | | **Step 6** | Evaluate hybrid cryptography | Assess where classical and post-quantum algorithms may need to work together during the transition. | | **Step 6** | Identify hybrid deployment candidates | Review TLS, VPNs, mTLS, API communications, secure remote access, cloud-to-cloud communications, and high-value data exchanges. | | **Step 7** | Test performance and interoperability | Evaluate handshake size, latency, packet fragmentation, certificate chain size, CPU usage, memory consumption, and application compatibility. | | **Step 7** | Validate rollback and failure behavior | Confirm that systems can recover safely if PQC or hybrid deployments create performance or compatibility issues. | | **Step 8** | Assess vendor readiness | Determine whether vendors support NIST PQC standards, hybrid cryptography, crypto-agility, and future cryptographic updates. | | **Step 8** | Add PQC language to procurement | Require new systems and contracts to include PQC readiness, crypto-agility, roadmap transparency, and support for NIST standards. | | **Final Planning Action** | Create a phased migration roadmap | Sequence work across discovery, assessment, prioritization, pilots, migration, monitoring, and optimization. | | **Final Planning Action** | Report readiness to leadership | Communicate exposure, progress, budget needs, vendor gaps, and migration timelines to executive stakeholders. | |---------------------------|-------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ## Common NIST-PQC Migration Challenges ### Limited Cryptographic Visibility Many organizations do not know where cryptography is used. This is the biggest blocker to migration. Without visibility, teams cannot prioritize systems, estimate cost, or understand risk. ### Legacy and Embedded Systems Older applications, IoT devices, OT systems, and embedded technologies may not support modern cryptographic updates. These systems may require compensating controls, vendor replacement, or longer migration timelines. ### Vendor Dependencies Many enterprise systems rely on vendor-managed cryptography. If vendors do not support NIST-PQC standards or crypto-agility, internal migration plans may stall. ### Performance and Compatibility Issues Post-quantum cryptography can increase payload sizes and affect network behavior. Organizations need testing to avoid problems with load balancers, firewalls, certificates, and latency-sensitive applications. ### Lack of Ownership PQC touches security, IT, legal, compliance, engineering, and procurement. Without clear ownership, teams may assume someone else is handling it. Spoiler: that usually ends badly. ## NIST-PQC Migration FAQs ### What is NIST-PQC migration? NIST-PQC migration is the process of preparing systems, applications, certificates, keys, protocols, and infrastructure to support post-quantum cryptography standards developed by NIST. The goal is to reduce exposure to quantum attacks against vulnerable public-key cryptography. ### When should organizations start preparing for NIST-PQC migration? Organizations should start now, especially if they protect data that must remain confidential for many years. The first step is not the immediate replacement of all cryptography. The first step is inventory, risk assessment, vendor review, and roadmap development. ### What systems should be prioritized for PQC migration? Organizations should prioritize systems that protect long-lived sensitive data, support identity and authentication, rely on certificates or digital signatures, enable secure remote access, or use vulnerable public-key algorithms such as RSA, ECC, and Diffie-Hellman. ### What is crypto-agility? Crypto-agility is the ability to replace cryptographic algorithms, keys, protocols, and libraries without redesigning major systems. It allows organizations to adapt as standards evolve, vulnerabilities emerge, or new regulatory expectations appear. ### Is hybrid cryptography required for NIST-PQC migration? Hybrid cryptography is not always required, but it is a practical transition strategy. It combines classical cryptography with post-quantum cryptography to maintain current protection while adding quantum resistance. ### Does AES-256 need to be replaced? No. AES-256 is a symmetric encryption algorithm and is generally considered resistant to quantum attacks when implemented correctly. NIST-PQC migration primarily focuses on vulnerable public-key cryptography, including RSA, ECC, Diffie-Hellman, and related signature or key exchange mechanisms. ### How long does NIST-PQC migration take? The timeline depends on the organization's size, cryptographic complexity, vendor dependencies, legacy systems, and regulatory requirements. Large enterprises should expect a multi-year effort that begins with discovery and prioritization. ### What should organizations ask vendors about PQC readiness? Organizations should ask whether vendors support NIST standards such as ML-KEM, ML-DSA, and SLH-DSA; whether they support hybrid deployments; how they manage cryptographic updates; and what their roadmap is for post-quantum migration. Related Content [Path to Quantum-Ready SASE Get your SASE quantum-ready to protect against "Harvest Now, Decrypt Later" (HNDL) attacks.](https://www.paloaltonetworks.com/blog/sase/the-practical-path-to-a-quantum-ready-future-in-sase/?ts=markdown) [Discover Quantum-Safe IoT Security Protect your connected devices from cryptographic threats posed by quantum computers.](https://www.paloaltonetworks.com/cyberpedia/quantum-safe-iot-security?ts=markdown) [How Prepared are You? Take a quick Quantum Readiness Assessment to see how your infrastructure measures up.](https://www.paloaltonetworks.com/quantum-safe-digital-survey?ts=markdown) [Video: A CISO's Guide to Quantum Security (Episode 1) Watch the series to learn the steps to transition to a post-quantum world.](https://www.youtube.com/watch?v=sJ84XRtE2VE) ![Share page on facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/facebook-circular-icon.svg) ![Share page on linkedin](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/linkedin-circular-icon.svg) [![Share page by an email](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/email-circular-icon.svg)](mailto:?subject=NIST%20PQC%20Migration%20Strategies%3A%20Steps%2C%20Standards%20%26%20Tips&body=Secure%20your%20enterprise%20against%20quantum%20threats.%20Explore%20NIST%20PQC%20standards%20and%20migration%20strategies%20to%20prioritize%20assets%2C%20map%20risks%2C%20and%20adopt%20quantum-resistant%20algorithms.%20at%20https%3A//www.paloaltonetworks.com/cyberpedia/nist-pqc-migration-strategies-steps-standards-and-tips) Back to Top [Previous](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-security?ts=markdown) What Is Quantum Security? Preparing for the Post-Quantum Era [Next](https://www.paloaltonetworks.com/cyberpedia/what-is-post-quantum-cryptography-pqc?ts=markdown) What Is Post-Quantum Cryptography (PQC)? A Complete Guide {#footer} Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/ai-security?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Next-Generation Identity Security](https://www.paloaltonetworks.com/idira?ts=markdown) * [Privileged Access Management](https://www.paloaltonetworks.com/idira/human/privileged-access-management?ts=markdown) * [Identity and Access Management](https://www.paloaltonetworks.com/idira/human/identity-and-access-management?ts=markdown) * [Endpoint Privilege Manager](https://www.paloaltonetworks.com/idira/human/endpoint-privilege-manager?ts=markdown) * [Identity Governance](https://www.paloaltonetworks.com/idira/human/identity-governance?ts=markdown) * [Workforce Password Management](https://www.paloaltonetworks.com/idira/human/workforce-password-management?ts=markdown) * [Agentic Identities](https://www.paloaltonetworks.com/idira/agentic?ts=markdown) * [Secrets Management](https://www.paloaltonetworks.com/idira/machine/secrets-management?ts=markdown) * [Unified Secrets Governance](https://www.paloaltonetworks.com/idira/machine/unified-secrets-governance?ts=markdown) * [Application Credentials Delivery](https://www.paloaltonetworks.com/idira/machine/application-credentials-delivery?ts=markdown) * [Vendor Privileged Access](https://www.paloaltonetworks.com/idira/human/vendor-privileged-access?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language