[](https://www.paloaltonetworks.com/?ts=markdown)

* Sign In
  
  * Customer
  * Partner
  * Employee
  * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown)
  * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown)

* EN
  
  * [USA (ENGLISH)](https://www.paloaltonetworks.com)
  * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au)
  * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br)
  * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca)
  * [CHINA (简体中文)](https://www.paloaltonetworks.cn)
  * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr)
  * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de)
  * [INDIA (ENGLISH)](https://www.paloaltonetworks.in)
  * [ITALY (ITALIANO)](https://www.paloaltonetworks.it)
  * [JAPAN (日本語)](https://www.paloaltonetworks.jp)
  * [KOREA (한국어)](https://www.paloaltonetworks.co.kr)
  * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat)
  * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx)
  * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg)
  * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es)
  * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw)
  * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk)

* ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg)

* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)

* [What's New](https://www.paloaltonetworks.com/resources?ts=markdown)

* [Get Support](https://support.paloaltonetworks.com/SupportAccount/MyAccount)

* [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html)
  ![x close icon to close mobile navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/x-black.svg) [![Palo Alto Networks logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)](https://www.paloaltonetworks.com/?ts=markdown) ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg)

* [](https://www.paloaltonetworks.com/?ts=markdown)

* Products  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Products  
  [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)
  
  * [AI Security](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)
  
  * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)
  
  * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)
  
  * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)
  
  * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)
  
  * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)
  
  * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)
  
  * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)
  
  * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)
  
  * [Enterprise Device Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)
  
  * [Medical Device Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)
  
  * [OT Device Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown)
  
  * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)
  
  * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)
  
  * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)
  
  * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)
  
  * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)
  
  * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)
  
  * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)
  
  * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)
  
  * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)
  
  * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)
  
  * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)
  
  * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)
  
  * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)
  
  * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)
  
  * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)
  
  * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)
  
  * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)
  
  * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)  
    [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)
  
  * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)
  
  * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)
  
  * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)
  
  * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)
  
  * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)
  
  * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)
  
  * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)
  
  * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)
  
  * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)
  
  * [Cortex AgentiX](https://www.paloaltonetworks.com/cortex/agentix?ts=markdown)
  
  * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)
  
  * [Cortex Exposure Management](https://www.paloaltonetworks.com/cortex/exposure-management?ts=markdown)
  
  * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)
  
  * [Cortex Advanced Email Security](https://www.paloaltonetworks.com/cortex/advanced-email-security?ts=markdown)
  
  * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)
  
  * [Unit 42 Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* Solutions  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Solutions  
  Secure AI by Design
  
  * [Secure AI Ecosystem](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)
  * [Secure GenAI Usage](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)  
    Network Security
  * [Cloud Network Security](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)
  * [Data Center Security](https://www.paloaltonetworks.com/network-security/data-center?ts=markdown)
  * [DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)
  * [Intrusion Detection and Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)
  * [Device Security](https://www.paloaltonetworks.com/network-security/device-security?ts=markdown)
  * [OT Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown)
  * [5G Security](https://www.paloaltonetworks.com/network-security/5g-security?ts=markdown)
  * [Secure All Apps, Users and Locations](https://www.paloaltonetworks.com/sase/secure-users-data-apps-devices?ts=markdown)
  * [Secure Branch Transformation](https://www.paloaltonetworks.com/sase/secure-branch-transformation?ts=markdown)
  * [Secure Work on Any Device](https://www.paloaltonetworks.com/sase/secure-work-on-any-device?ts=markdown)
  * [VPN Replacement](https://www.paloaltonetworks.com/sase/vpn-replacement-for-secure-remote-access?ts=markdown)
  * [Web \& Phishing Security](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)  
    Cloud Security
  * [Application Security Posture Management (ASPM)](https://www.paloaltonetworks.com/cortex/cloud/application-security-posture-management?ts=markdown)
  * [Software Supply Chain Security](https://www.paloaltonetworks.com/cortex/cloud/software-supply-chain-security?ts=markdown)
  * [Code Security](https://www.paloaltonetworks.com/cortex/cloud/code-security?ts=markdown)
  * [Cloud Security Posture Management (CSPM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-security-posture-management?ts=markdown)
  * [Cloud Infrastructure Entitlement Management (CIEM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-infrastructure-entitlement-management?ts=markdown)
  * [Data Security Posture Management (DSPM)](https://www.paloaltonetworks.com/cortex/cloud/data-security-posture-management?ts=markdown)
  * [AI Security Posture Management (AI-SPM)](https://www.paloaltonetworks.com/cortex/cloud/ai-security-posture-management?ts=markdown)
  * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown)
  * [Cloud Workload Protection (CWP)](https://www.paloaltonetworks.com/cortex/cloud/cloud-workload-protection?ts=markdown)
  * [Web Application \& API Security (WAAS)](https://www.paloaltonetworks.com/cortex/cloud/web-app-api-security?ts=markdown)  
    Security Operations
  * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown)
  * [Security Information and Event Management](https://www.paloaltonetworks.com/cortex/modernize-siem?ts=markdown)
  * [Network Security Automation](https://www.paloaltonetworks.com/cortex/network-security-automation?ts=markdown)
  * [Incident Case Management](https://www.paloaltonetworks.com/cortex/incident-case-management?ts=markdown)
  * [SOC Automation](https://www.paloaltonetworks.com/cortex/security-operations-automation?ts=markdown)
  * [Threat Intel Management](https://www.paloaltonetworks.com/cortex/threat-intel-management?ts=markdown)
  * [Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)
  * [Attack Surface Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/attack-surface-management?ts=markdown)
  * [Compliance Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/compliance-management?ts=markdown)
  * [Internet Operations Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/internet-operations-management?ts=markdown)
  * [Extended Data Lake (XDL)](https://www.paloaltonetworks.com/cortex/cortex-xdl?ts=markdown)
  * [Agentic Assistant](https://www.paloaltonetworks.com/cortex/cortex-agentic-assistant?ts=markdown)  
    Endpoint Security
  * [Endpoint Protection](https://www.paloaltonetworks.com/cortex/endpoint-protection?ts=markdown)
  * [Extended Detection \& Response](https://www.paloaltonetworks.com/cortex/detection-and-response?ts=markdown)
  * [Ransomware Protection](https://www.paloaltonetworks.com/cortex/ransomware-protection?ts=markdown)
  * [Digital Forensics](https://www.paloaltonetworks.com/cortex/digital-forensics?ts=markdown)  
    [Industries](https://www.paloaltonetworks.com/industry?ts=markdown)
  * [Public Sector](https://www.paloaltonetworks.com/industry/public-sector?ts=markdown)
  * [Financial Services](https://www.paloaltonetworks.com/industry/financial-services?ts=markdown)
  * [Manufacturing](https://www.paloaltonetworks.com/industry/manufacturing?ts=markdown)
  * [Healthcare](https://www.paloaltonetworks.com/industry/healthcare?ts=markdown)
  * [Small \& Medium Business Solutions](https://www.paloaltonetworks.com/industry/small-medium-business-portfolio?ts=markdown)

* Services  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Services  
  [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)
  
  * [Assess](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)
  
  * [AI Security Assessment](https://www.paloaltonetworks.com/unit42/assess/ai-security-assessment?ts=markdown)
  
  * [Attack Surface Assessment](https://www.paloaltonetworks.com/unit42/assess/attack-surface-assessment?ts=markdown)
  
  * [Breach Readiness Review](https://www.paloaltonetworks.com/unit42/assess/breach-readiness-review?ts=markdown)
  
  * [BEC Readiness Assessment](https://www.paloaltonetworks.com/bec-readiness-assessment?ts=markdown)
  
  * [Cloud Security Assessment](https://www.paloaltonetworks.com/unit42/assess/cloud-security-assessment?ts=markdown)
  
  * [Compromise Assessment](https://www.paloaltonetworks.com/unit42/assess/compromise-assessment?ts=markdown)
  
  * [Cyber Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/cyber-risk-assessment?ts=markdown)
  
  * [M\&A Cyber Due Diligence](https://www.paloaltonetworks.com/unit42/assess/mergers-acquisitions-cyber-due-diligence?ts=markdown)
  
  * [Penetration Testing](https://www.paloaltonetworks.com/unit42/assess/penetration-testing?ts=markdown)
  
  * [Purple Team Exercises](https://www.paloaltonetworks.com/unit42/assess/purple-teaming?ts=markdown)
  
  * [Ransomware Readiness Assessment](https://www.paloaltonetworks.com/unit42/assess/ransomware-readiness-assessment?ts=markdown)
  
  * [SOC Assessment](https://www.paloaltonetworks.com/unit42/assess/soc-assessment?ts=markdown)
  
  * [Supply Chain Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/supply-chain-risk-assessment?ts=markdown)
  
  * [Tabletop Exercises](https://www.paloaltonetworks.com/unit42/assess/tabletop-exercise?ts=markdown)
  
  * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown)
  
  * [Respond](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)
  
  * [Cloud Incident Response](https://www.paloaltonetworks.com/unit42/respond/cloud-incident-response?ts=markdown)
  
  * [Digital Forensics](https://www.paloaltonetworks.com/unit42/respond/digital-forensics?ts=markdown)
  
  * [Incident Response](https://www.paloaltonetworks.com/unit42/respond/incident-response?ts=markdown)
  
  * [Managed Detection and Response](https://www.paloaltonetworks.com/unit42/respond/managed-detection-response?ts=markdown)
  
  * [Managed Threat Hunting](https://www.paloaltonetworks.com/unit42/respond/managed-threat-hunting?ts=markdown)
  
  * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)
  
  * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown)
  
  * [Transform](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)
  
  * [IR Plan Development and Review](https://www.paloaltonetworks.com/unit42/transform/incident-response-plan-development-review?ts=markdown)
  
  * [Security Program Design](https://www.paloaltonetworks.com/unit42/transform/security-program-design?ts=markdown)
  
  * [Virtual CISO](https://www.paloaltonetworks.com/unit42/transform/vciso?ts=markdown)
  
  * [Zero Trust Advisory](https://www.paloaltonetworks.com/unit42/transform/zero-trust-advisory?ts=markdown)  
    [Global Customer Services](https://www.paloaltonetworks.com/services?ts=markdown)
  
  * [Education \& Training](https://www.paloaltonetworks.com/services/education?ts=markdown)
  
  * [Professional Services](https://www.paloaltonetworks.com/services/consulting?ts=markdown)
  
  * [Success Tools](https://www.paloaltonetworks.com/services/customer-success-tools?ts=markdown)
  
  * [Support Services](https://www.paloaltonetworks.com/services/solution-assurance?ts=markdown)
  
  * [Customer Success](https://www.paloaltonetworks.com/services/customer-success?ts=markdown)  
    [![](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/logo-unit-42.svg)  
    UNIT 42 RETAINER
    Custom-built to fit your organization's needs, you can choose to allocate your retainer hours to any of our offerings, including proactive cyber risk management services. Learn how you can put the world-class Unit 42 Incident Response team on speed dial.
    Learn more](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown)

* Partners  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Partners  
  NextWave Partners
  
  * [NextWave Partner Community](https://www.paloaltonetworks.com/partners?ts=markdown)
  * [Cloud Service Providers](https://www.paloaltonetworks.com/partners/nextwave-for-csp?ts=markdown)
  * [Global Systems Integrators](https://www.paloaltonetworks.com/partners/nextwave-for-gsi?ts=markdown)
  * [Technology Partners](https://www.paloaltonetworks.com/partners/technology-partners?ts=markdown)
  * [Service Providers](https://www.paloaltonetworks.com/partners/service-providers?ts=markdown)
  * [Solution Providers](https://www.paloaltonetworks.com/partners/nextwave-solution-providers?ts=markdown)
  * [Managed Security Service Providers](https://www.paloaltonetworks.com/partners/managed-security-service-providers?ts=markdown)
  * [XMDR Partners](https://www.paloaltonetworks.com/partners/managed-security-service-providers/xmdr?ts=markdown)  
    Take Action
  * [Portal Login](https://www.paloaltonetworks.com/partners/nextwave-partner-portal?ts=markdown)
  * [Managed Services Program](https://www.paloaltonetworks.com/partners/managed-security-services-provider-program?ts=markdown)
  * [Become a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=becomepartner)
  * [Request Access](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=requestaccess)
  * [Find a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerlocator)  
    [CYBERFORCE
    CYBERFORCE represents the top 1% of partner engineers trusted for their security expertise.
    Learn more](https://www.paloaltonetworks.com/cyberforce?ts=markdown)

* Company  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Company  
  Palo Alto Networks
  
  * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
  * [Management Team](https://www.paloaltonetworks.com/about-us/management?ts=markdown)
  * [Investor Relations](https://investors.paloaltonetworks.com)
  * [Locations](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
  * [Ethics \& Compliance](https://www.paloaltonetworks.com/company/ethics-and-compliance?ts=markdown)
  * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
  * [Military \& Veterans](https://jobs.paloaltonetworks.com/military)  
    [Why Palo Alto Networks?](https://www.paloaltonetworks.com/why-paloaltonetworks?ts=markdown)
  * [Precision AI Security](https://www.paloaltonetworks.com/precision-ai-security?ts=markdown)
  * [Our Platform Approach](https://www.paloaltonetworks.com/why-paloaltonetworks/platformization?ts=markdown)
  * [Accelerate Your Cybersecurity Transformation](https://www.paloaltonetworks.com/why-paloaltonetworks/nam-cxo-portfolio?ts=markdown)
  * [Awards \& Recognition](https://www.paloaltonetworks.com/about-us/awards?ts=markdown)
  * [Customer Stories](https://www.paloaltonetworks.com/customers?ts=markdown)
  * [Global Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
  * [Trust 360 Program](https://www.paloaltonetworks.com/resources/whitepapers/trust-360?ts=markdown)  
    Careers
  * [Overview](https://jobs.paloaltonetworks.com/)
  * [Culture \& Benefits](https://jobs.paloaltonetworks.com/en/culture/)  
    [A Newsweek Most Loved Workplace
    "Businesses that do right by their employees"
    Read more](https://www.paloaltonetworks.com/company/press/2021/palo-alto-networks-secures-top-ranking-on-newsweek-s-most-loved-workplaces-list-for-2021?ts=markdown)

* More  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) More  
  Resources
  
  * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
  * [Unit 42 Threat Research](https://unit42.paloaltonetworks.com/)
  * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
  * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
  * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
  * [Tech Insider](https://techinsider.paloaltonetworks.com/)
  * [Knowledge Base](https://knowledgebase.paloaltonetworks.com/)
  * [Palo Alto Networks TV](https://tv.paloaltonetworks.com/)
  * [Perspectives of Leaders](https://www.paloaltonetworks.com/perspectives/?ts=markdown)
  * [Cyber Perspectives Magazine](https://www.paloaltonetworks.com/cybersecurity-perspectives/cyber-perspectives-magazine?ts=markdown)
  * [Regional Cloud Locations](https://www.paloaltonetworks.com/products/regional-cloud-locations?ts=markdown)
  * [Tech Docs](https://docs.paloaltonetworks.com/)
  * [Security Posture Assessment](https://www.paloaltonetworks.com/security-posture-assessment?ts=markdown)
  * [Threat Vector Podcast](https://unit42.paloaltonetworks.com/unit-42-threat-vector-podcast/)
  * [Packet Pushers Podcasts](https://www.paloaltonetworks.com/podcasts/packet-pusher?ts=markdown)  
    Connect
  * [LIVE community](https://live.paloaltonetworks.com/)
  * [Events](https://events.paloaltonetworks.com/)
  * [Executive Briefing Center](https://www.paloaltonetworks.com/about-us/executive-briefing-program?ts=markdown)
  * [Demos](https://www.paloaltonetworks.com/demos?ts=markdown)
  * [Contact us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)  
    [Blog
    Stay up-to-date on industry trends and the latest innovations from the world's largest cybersecurity
    Learn more](https://www.paloaltonetworks.com/blog/)

* Sign In  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Sign In
  
  * Customer
  * Partner
  * Employee
  * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown)
  * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown)

* EN  
  ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Language
  
  * [USA (ENGLISH)](https://www.paloaltonetworks.com)
  * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au)
  * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br)
  * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca)
  * [CHINA (简体中文)](https://www.paloaltonetworks.cn)
  * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr)
  * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de)
  * [INDIA (ENGLISH)](https://www.paloaltonetworks.in)
  * [ITALY (ITALIANO)](https://www.paloaltonetworks.it)
  * [JAPAN (日本語)](https://www.paloaltonetworks.jp)
  * [KOREA (한국어)](https://www.paloaltonetworks.co.kr)
  * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat)
  * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx)
  * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg)
  * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es)
  * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw)
  * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk)

* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)

* [What's New](https://www.paloaltonetworks.com/resources?ts=markdown)

* [Get support](https://support.paloaltonetworks.com/SupportAccount/MyAccount)

* [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html)

* [Demos and Trials](https://www.paloaltonetworks.com/get-started?ts=markdown)  
  Search  
  All

* [Tech Docs](https://docs.paloaltonetworks.com/search)  
  Close search modal
  [Deploy Bravely --- Secure your AI transformation with Prisma AIRS](https://www.deploybravely.com)  
  [](https://www.paloaltonetworks.com/?ts=markdown)

1. [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
2. [Cloud Security](https://www.paloaltonetworks.com/cyberpedia/cloud-security?ts=markdown)
3. [CI CD Security](https://www.paloaltonetworks.com/cyberpedia/what-is-ci-cd-security?ts=markdown)
4. [What Is Shift Left Security?](https://www.paloaltonetworks.com/cyberpedia/shift-left-security?ts=markdown)  
   Table of Contents

* [What Is CI/CD Security?](https://www.paloaltonetworks.com/cyberpedia/what-is-ci-cd-security?ts=markdown)
  * [CI/CD Security Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-ci-cd-security#security?ts=markdown)
  * [Why CI/CD Security Is Critical](https://www.paloaltonetworks.com/cyberpedia/what-is-ci-cd-security#critical?ts=markdown)
  * [CI/CD Security Threats](https://www.paloaltonetworks.com/cyberpedia/what-is-ci-cd-security#threats?ts=markdown)
  * [Securing the CI/CD Pipeline](https://www.paloaltonetworks.com/cyberpedia/what-is-ci-cd-security#securing?ts=markdown)
  * [CI/CD Security Best Practices](https://www.paloaltonetworks.com/cyberpedia/what-is-ci-cd-security#practices?ts=markdown)
  * [CI/CD Security FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-ci-cd-security#faqs?ts=markdown)
* [What Is the CI/CD Pipeline?](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security?ts=markdown)
  * [CI/CD Pipeline Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security#ci-cd-pipeline?ts=markdown)
  * [How CI/CD Works: A Day in the Life of the Pipeline](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security#how-ci-cd-works?ts=markdown)
  * [Stages of a CI/CD Pipeline](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security#stages-of-a-ci-cd-pipeline?ts=markdown)
  * [Types of CI/CD Pipelines](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security#types-of-ci-cd-pipelines?ts=markdown)
  * [CI/CD in the Cloud](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security#ci-cd-in-the-cloud?ts=markdown)
  * [CI/CD Pipeline Best Practices](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security#best-practices?ts=markdown)
  * [CI/CD Pipeline KPIs](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security#ci-cd-pipeline-kpis?ts=markdown)
  * [CI/CD Tools](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security#ci-cd-tools?ts=markdown)
  * [Security in CI/CD](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security#security-in-ci-cd?ts=markdown)
  * [CI/CD Trends on the Horizon](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security#ci-cd-trends-on-the-horizon?ts=markdown)
  * [CI/CD Pipeline FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security#faq?ts=markdown)
* [What Is Insecure System Configuration?](https://www.paloaltonetworks.com/cyberpedia/insecure-system-configuration-cicd-sec7?ts=markdown)
  * [CICD-SEC-7: Insecure System Configuration Explained](https://www.paloaltonetworks.com/cyberpedia/insecure-system-configuration-cicd-sec7#insecure?ts=markdown)
  * [Importance of Secure System Configuration in CI/CD](https://www.paloaltonetworks.com/cyberpedia/insecure-system-configuration-cicd-sec7#importance?ts=markdown)
  * [Preventing Insecure System Configuration in CI/CD](https://www.paloaltonetworks.com/cyberpedia/insecure-system-configuration-cicd-sec7#preventing?ts=markdown)
  * [Industry Standards for System Configuration Security](https://www.paloaltonetworks.com/cyberpedia/insecure-system-configuration-cicd-sec7#standards?ts=markdown)
  * [Insecure System Configuration FAQs](https://www.paloaltonetworks.com/cyberpedia/insecure-system-configuration-cicd-sec7#faqs?ts=markdown)
* What Is Shift Left Security?
  * [Shift Left Security: A Developer-Centric Reality Check](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#shift?ts=markdown)
  * [Core Principles of Shift Left Security](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#core?ts=markdown)
  * [What Shift Left Looks Like in Practice](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#practice?ts=markdown)
  * [What Secure Looks Like Now](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#secure?ts=markdown)
  * [Shift Left Security FAQS](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#faqs?ts=markdown)
* [What Is DevOps?](https://www.paloaltonetworks.com/cyberpedia/what-is-devops?ts=markdown)
  * [DevOps Is Not](https://www.paloaltonetworks.com/cyberpedia/what-is-devops#devops?ts=markdown)
  * [DevOps Defined](https://www.paloaltonetworks.com/cyberpedia/what-is-devops#defined?ts=markdown)
  * [CI/CD Pipeline](https://www.paloaltonetworks.com/cyberpedia/what-is-devops#cicd?ts=markdown)
  * [DevOps and Security](https://www.paloaltonetworks.com/cyberpedia/what-is-devops#security?ts=markdown)
  * [DevOps FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-devops#faqs?ts=markdown)
* [What Is Executive Order 14028?](https://www.paloaltonetworks.com/cyberpedia/executive-order-14028?ts=markdown)
  * [What's the Purpose of EO 14028?](https://www.paloaltonetworks.com/cyberpedia/executive-order-14028#what?ts=markdown)
  * [NIST's Responsibilities Under Executive Order 14028](https://www.paloaltonetworks.com/cyberpedia/executive-order-14028#nist?ts=markdown)
  * [A Platform Approach to Securing Software Development](https://www.paloaltonetworks.com/cyberpedia/executive-order-14028#platform?ts=markdown)
  * [Tracing Vulnerabilities Through SBOMs](https://www.paloaltonetworks.com/cyberpedia/executive-order-14028#tracing?ts=markdown)
  * [Improving Software Supply Chain Security](https://www.paloaltonetworks.com/cyberpedia/executive-order-14028#improving?ts=markdown)
  * [Federal EO 14028 FAQs](https://www.paloaltonetworks.com/cyberpedia/executive-order-14028#faqs?ts=markdown)
* [What Is Cloud Software Supply Chain Security?](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-software-supply-chain-security?ts=markdown)
* [What is DevSecOps?](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops?ts=markdown)
  * [What is DevSecOps?](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops#what?ts=markdown)
  * [DevSecOps vs DevOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops#devsecops?ts=markdown)
  * [Why DevSecOps Practices Are Important](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops#why?ts=markdown)
  * [Five Guidelines to DevSecOps Implementation](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops#five?ts=markdown)
  * [Finding the Best DevSecOps Tools](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops#finding?ts=markdown)
  * [The Best of DevSecOps: Trends in Cloud Native Security Practices](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops#the?ts=markdown)
  * [DevSecOps FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops#faqs?ts=markdown)
* [What Is Insufficient Flow Control Mechanisms?](https://www.paloaltonetworks.com/cyberpedia/insufficient-flow-control-mechanisms-cicd-sec1?ts=markdown)
  * [CICD-SEC-1: Insufficient Flow Control Mechanisms Explained](https://www.paloaltonetworks.com/cyberpedia/insufficient-flow-control-mechanisms-cicd-sec1#insufficient-flow-control-mechanism?ts=markdown)
  * [Importance of Robust Flow Control Mechanisms in CI/CD](https://www.paloaltonetworks.com/cyberpedia/insufficient-flow-control-mechanisms-cicd-sec1#importance?ts=markdown)
  * [Preventing Insufficiency in Flow Control Mechanisms](https://www.paloaltonetworks.com/cyberpedia/insufficient-flow-control-mechanisms-cicd-sec1#preventing-insufficiency-in-flow-control-mechanism?ts=markdown)
  * [Best Practices to Ensure Sufficient Flow Control in CI/CD](https://www.paloaltonetworks.com/cyberpedia/insufficient-flow-control-mechanisms-cicd-sec1#best-practices?ts=markdown)
  * [The Impact of New Technologies on Flow Control](https://www.paloaltonetworks.com/cyberpedia/insufficient-flow-control-mechanisms-cicd-sec1#impact?ts=markdown)
  * [Insufficient Flow Control Mechanisms FAQs](https://www.paloaltonetworks.com/cyberpedia/insufficient-flow-control-mechanisms-cicd-sec1#faq?ts=markdown)
* [What Is Poisoned Pipeline Execution (PPE)?](https://www.paloaltonetworks.com/cyberpedia/poisoned-pipeline-execution-cicd-sec4?ts=markdown)
  * [CICD-SEC-4: Poisoned Pipeline Execution Explained](https://www.paloaltonetworks.com/cyberpedia/poisoned-pipeline-execution-cicd-sec4#pipeline?ts=markdown)
  * [Importance of Secure Pipeline Execution in CI/CD](https://www.paloaltonetworks.com/cyberpedia/poisoned-pipeline-execution-cicd-sec4#importance?ts=markdown)
  * [Preventing Poisoned Pipeline Execution](https://www.paloaltonetworks.com/cyberpedia/poisoned-pipeline-execution-cicd-sec4#poisoned?ts=markdown)
  * [Poisoned Pipeline Execution FAQs](https://www.paloaltonetworks.com/cyberpedia/poisoned-pipeline-execution-cicd-sec4#faqs?ts=markdown)
* [What Is Ungoverned Usage of Third-Party Services?](https://www.paloaltonetworks.com/cyberpedia/ungoverned-usage-third-party-services-cicd-sec8?ts=markdown)
  * [CICD-SEC-8: Ungoverned Usage of Third-Party Services Explained](https://www.paloaltonetworks.com/cyberpedia/ungoverned-usage-third-party-services-cicd-sec8#ungoverned?ts=markdown)
  * [Importance of Governing Third-Party Services in CI/CD](https://www.paloaltonetworks.com/cyberpedia/ungoverned-usage-third-party-services-cicd-sec8#importance?ts=markdown)
  * [Preventing Ungoverned Usage of Third-Party Services](https://www.paloaltonetworks.com/cyberpedia/ungoverned-usage-third-party-services-cicd-sec8#preventing?ts=markdown)
  * [Industry Standards for Governing Third-Party Services](https://www.paloaltonetworks.com/cyberpedia/ungoverned-usage-third-party-services-cicd-sec8#industry?ts=markdown)
  * [Ungoverned Usage of Third-Party Services FAQs](https://www.paloaltonetworks.com/cyberpedia/ungoverned-usage-third-party-services-cicd-sec8#faqs?ts=markdown)
* [What Is Insufficient Pipeline-Based Access Controls?](https://www.paloaltonetworks.com/cyberpedia/pipeline-based-access-controls-cicd-sec5?ts=markdown)
  * [CICD-SEC-5: Insufficient Pipeline-Based Access Controls Explained](https://www.paloaltonetworks.com/cyberpedia/pipeline-based-access-controls-cicd-sec5#insufficient?ts=markdown)
  * [Importance of Pipeline-Based Access Controls in CI/CD](https://www.paloaltonetworks.com/cyberpedia/pipeline-based-access-controls-cicd-sec5#importance?ts=markdown)
  * [Preventing Insufficiency in Pipeline-Based Access Controls](https://www.paloaltonetworks.com/cyberpedia/pipeline-based-access-controls-cicd-sec5#preventing?ts=markdown)
  * [Industry Standards for Pipeline-Based Access Controls](https://www.paloaltonetworks.com/cyberpedia/pipeline-based-access-controls-cicd-sec5#industry?ts=markdown)
  * [Insufficient Pipeline-Based Access Controls FAQs](https://www.paloaltonetworks.com/cyberpedia/pipeline-based-access-controls-cicd-sec5#faqs?ts=markdown)
* [What Is Insufficient Logging and Visibility?](https://www.paloaltonetworks.com/cyberpedia/insufficient-logging-visibility-cicd-sec10?ts=markdown)
  * [CICD-SEC-10: Insufficient Logging and Visibility Explained](https://www.paloaltonetworks.com/cyberpedia/insufficient-logging-visibility-cicd-sec10#insufficient?ts=markdown)
  * [Importance of Sufficient Logging and Visibility in CI/CD](https://www.paloaltonetworks.com/cyberpedia/insufficient-logging-visibility-cicd-sec10#importance?ts=markdown)
  * [Preventing Insufficiency in Logging and Visibility](https://www.paloaltonetworks.com/cyberpedia/insufficient-logging-visibility-cicd-sec10#preventing?ts=markdown)
  * [Industry Standards for Logging and Visibility in CI/CD](https://www.paloaltonetworks.com/cyberpedia/insufficient-logging-visibility-cicd-sec10#standards?ts=markdown)
  * [Insufficient Logging and Visibility FAQs](https://www.paloaltonetworks.com/cyberpedia/insufficient-logging-visibility-cicd-sec10#faqs?ts=markdown)
* [What Is Insufficient Credential Hygiene?](https://www.paloaltonetworks.com/cyberpedia/insufficient-credential-hygiene-cicd-sec6?ts=markdown)
  * [CICD-SEC-6: Insufficient Credential Hygiene Explained](https://www.paloaltonetworks.com/cyberpedia/insufficient-credential-hygiene-cicd-sec6#insufficient-credential-hygiene-explained?ts=markdown)
  * [Importance of Credential Hygiene in CI/CD](https://www.paloaltonetworks.com/cyberpedia/insufficient-credential-hygiene-cicd-sec6#importance?ts=markdown)
  * [Preventing Insufficiency in Credential Hygiene](https://www.paloaltonetworks.com/cyberpedia/insufficient-credential-hygiene-cicd-sec6#preventing?ts=markdown)
  * [Industry Standards for Credential Hygiene in CI/CD](https://www.paloaltonetworks.com/cyberpedia/insufficient-credential-hygiene-cicd-sec6#industry-standards?ts=markdown)
  * [Insufficient Credential Hygiene FAQs](https://www.paloaltonetworks.com/cyberpedia/insufficient-credential-hygiene-cicd-sec6#faq?ts=markdown)
* [What Is Inadequate Identity and Access Management?](https://www.paloaltonetworks.com/cyberpedia/inadequate-iam-cicd-sec2?ts=markdown)
  * [CICD-SEC-2: Inadequate Identity and Access Management Explained](https://www.paloaltonetworks.com/cyberpedia/inadequate-iam-cicd-sec2#inadequate-identity?ts=markdown)
  * [Importance of Identity and Access Management in CI/CD](https://www.paloaltonetworks.com/cyberpedia/inadequate-iam-cicd-sec2#importance?ts=markdown)
  * [Preventing Inadequacy in Identity and Access Management](https://www.paloaltonetworks.com/cyberpedia/inadequate-iam-cicd-sec2#preventing-inadequacy?ts=markdown)
  * [Best Practices for IAM in CI/CD](https://www.paloaltonetworks.com/cyberpedia/inadequate-iam-cicd-sec2#best-practices?ts=markdown)
  * [Inadequate Identity and Access Management FAQs](https://www.paloaltonetworks.com/cyberpedia/inadequate-iam-cicd-sec2#faq?ts=markdown)
* [What Is Improper Artifact Integrity Validation?](https://www.paloaltonetworks.com/cyberpedia/improper-artifact-integrity-validation-cicd-sec9?ts=markdown)
  * [CICD-SEC-9: Improper Artifact Integrity Validation Explained](https://www.paloaltonetworks.com/cyberpedia/improper-artifact-integrity-validation-cicd-sec9#artifact?ts=markdown)
  * [Importance of Artifact Integrity Validation in CI/CD](https://www.paloaltonetworks.com/cyberpedia/improper-artifact-integrity-validation-cicd-sec9#importance?ts=markdown)
  * [Preventing Improper Artifact Integrity Validation](https://www.paloaltonetworks.com/cyberpedia/improper-artifact-integrity-validation-cicd-sec9#improper?ts=markdown)
  * [Industry Practices to Promote Artifact Integrity in CI/CD](https://www.paloaltonetworks.com/cyberpedia/improper-artifact-integrity-validation-cicd-sec9#promote?ts=markdown)
  * [Improper Artifact Integrity Validation FAQs](https://www.paloaltonetworks.com/cyberpedia/improper-artifact-integrity-validation-cicd-sec9#faqs?ts=markdown)
* [What Is Dependency Chain Abuse?](https://www.paloaltonetworks.com/cyberpedia/dependency-chain-abuse-cicd-sec3?ts=markdown)
  * [CICD-SEC-3: Dependency Chain Abuse Explained](https://www.paloaltonetworks.com/cyberpedia/dependency-chain-abuse-cicd-sec3#cicd-sec?ts=markdown)
  * [Importance of Secure Dependency Chains in CI/CD](https://www.paloaltonetworks.com/cyberpedia/dependency-chain-abuse-cicd-sec3#importance?ts=markdown)
  * [Identifying Signs of Dependency Chain Abuse](https://www.paloaltonetworks.com/cyberpedia/dependency-chain-abuse-cicd-sec3#identifying-signs?ts=markdown)
  * [Preventing Dependency Chain Abuse](https://www.paloaltonetworks.com/cyberpedia/dependency-chain-abuse-cicd-sec3#preventing?ts=markdown)
  * [Additional Practices for Dependency Chain Security](https://www.paloaltonetworks.com/cyberpedia/dependency-chain-abuse-cicd-sec3#additional-practices?ts=markdown)
  * [Dependency Chain Abuse FAQs](https://www.paloaltonetworks.com/cyberpedia/dependency-chain-abuse-cicd-sec3#faq?ts=markdown)
* [Anatomy of a Cloud Supply Pipeline Attack](https://www.paloaltonetworks.com/cyberpedia/anatomy-ci-cd-pipeline-attack?ts=markdown)

# What Is Shift Left Security?

5 min. read  
[AppSec's New Horizon: A Virtual Event](https://start.paloaltonetworks.com/appsecs-new-horizon-virtual-event.html)  
Table of Contents

* * [Shift Left Security: A Developer-Centric Reality Check](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#shift?ts=markdown)
  * [Core Principles of Shift Left Security](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#core?ts=markdown)
  * [What Shift Left Looks Like in Practice](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#practice?ts=markdown)
  * [What Secure Looks Like Now](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#secure?ts=markdown)
* [Shift Left Security FAQS](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#faqs?ts=markdown)

1. Shift Left Security: A Developer-Centric Reality Check

* * [Shift Left Security: A Developer-Centric Reality Check](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#shift?ts=markdown)
  * [Core Principles of Shift Left Security](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#core?ts=markdown)
  * [What Shift Left Looks Like in Practice](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#practice?ts=markdown)
  * [What Secure Looks Like Now](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#secure?ts=markdown)
* [Shift Left Security FAQS](https://www.paloaltonetworks.com/cyberpedia/shift-left-security#faqs?ts=markdown)

Shift left security, or [DevSecOps](https://www.paloaltonetworks.com/cyberpedia/what-is-devsecops?ts=markdown), is the practice of integrating security practices earlier in the software development lifecycle (SDLC). Instead of treating security as a separate phase at the end of development, shift left security embeds security considerations and activities from the initial stages of planning, design, and coding, all the way through to deployment and operation.

## Shift Left Security: A Developer-Centric Reality Check

Shift left security promised early detection, tighter feedback loops, and fewer last-minute fire drills. The idea made sense. Move security upstream. Involve developers before vulnerabilities slip into production. But ideas don't secure code, and reality rarely matches the whiteboard.

To understand shift left in a cloud-native context, you need to start by unlearning assumptions. Shifting security left isn't about stuffing security tools into your pipeline and declaring victory. It's about recognizing where development has moved, and reshaping security to fit that motion.

### Development Moved. Did Security Follow?

In traditional environments, developers wrote code and tossed it over the wall. [Cloud native](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-native?ts=markdown) flipped that dynamic. Teams now own everything from code to infrastructure. Infrastructure is code. Pipelines are code. Security, if it's going to work, has to live in the same places developers work --- not in silos with separate tooling.

Many teams tried to shift left by forcing developers to learn the entire threat landscape. That failed. Security that burdens velocity will be ignored. Security that aligns with how developers think --- abstracted, declarative, fast --- is the kind that sticks.

### Shift Left Requires the Right Abstractions

Security needs to embed where context is rich. That means implementing [code security](https://www.paloaltonetworks.com/cyberpedia/what-is-code-security?ts=markdown) before it compiles, infrastructure before it deploys, and identities before they're misused. It means thinking like a developer versus a gatekeeper.

Linting [infrastructure-as-code](https://www.paloaltonetworks.com/cyberpedia/what-is-iac?ts=markdown) templates before they're merged beats scanning running resources after they've drifted. Precommit hooks that catch insecure dependencies save hours of [incident response](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response?ts=markdown) later. [Policy-as-code](https://www.paloaltonetworks.com/cyberpedia/what-is-policy-as-code?ts=markdown) enforces guardrails without introducing friction. Developers don't need security experts on their shoulder --- they need guardrails that don't collapse under real-world complexity.

### Tooling Isn't Enough --- Feedback Matters

Static analysis often triggers noise fatigue, and alerts without context get ignored. What matters is how feedback loops are wired. A low-severity issue in an isolated branch isn't the same as a misconfigured role in a shared module.

Developers need actionable context: why it's a problem, what it affects, and how to fix it without breaking everything else.

When security insights show up inline --- next to the code, in the editor, in the pull request --- adoption skyrockets. Not because developers suddenly love security, but because it respects their flow.

### Shift Left Is a Cultural Change

True shift left security doesn't mean shifting burden. It means shifting ownership. It means enabling ownership with the right mix of automation, education, and empathy. Developers already think in systems. Security has only to meet them there, speak their language, and offer tools that understand the context of their world.

What shift left security demands, in the cloud-native era, is a security strategy that lives in version control, scales with [microservices](https://www.paloaltonetworks.com/cyberpedia/what-are-microservices?ts=markdown), and never forgets the human in the loop.

## Core Principles of Shift Left Security

### Security Can't Catch Up --- It Has to Be There First

Security doesn't bolt on. It doesn't slot in. It certainly doesn't "shift left" by simply moving a tool earlier in the CI pipeline. To integrate security early and continuously, you have to rethink the software development lifecycle not as a sequence of stages but as a living system, where code, infrastructure, and policy evolve together from the first line written to the last commit deployed.

In traditional models, security enters late --- usually after the last line of code is written and someone's asking for a go-live date. At that point, it's too late to fix anything meaningful without blowing up timelines. So security teams scramble to triage, file tickets, argue severity, and maybe slap on compensating controls. That cycle burns everyone involved and erodes trust.

#### Tooled to Keep Time

The cloud-native model demands a different rhythm. Developers own more than code. They define infrastructure, manage access, and shape deployment logic. In that environment, waiting for "the security phase" guarantees failure. Security must embed directly into the design, coding, and review stages. That doesn't mean overwhelming teams with policy docs or scanning every keystroke. It means instrumenting systems where decisions happen.

Take infrastructure as code. A Terraform plan represents real intent, long before anything gets provisioned. Validating that plan against security policies before it merges avoids misconfigurations that scanners often catch only after resources have drifted in production. Likewise, [SAST](https://www.paloaltonetworks.com/cyberpedia/what-is-sast-static-application-security-testing?ts=markdown) tools wired into precommit hooks or IDE plugins can catch vulnerable patterns as code is written.

Continuous integration doesn't just apply to the codebase. It applies to security context. As services change and dependencies shift, every commit becomes a potential vector. Early security integration means those changes don't accumulate silently. Every change runs through a policy lens, automatically and with clarity when human judgment is needed.

There's no benefit in slowing down development just to be "secure." The goal is to compress the distance between developer intent and secure outcomes. That only happens when security lives inside the developer workflow.

### Automation Without Blindness

You can't scale cloud-native development without automation. You also can't secure it without automated security practices. But here's the catch. Automation without context doesn't just fail --- it creates noise and teaches teams to ignore the systems designed to protect them.

Security automation isn't about replacing humans. It's about accelerating judgment, about embedding meaningful, context-aware decisions into pipelines, code reviews, infrastructure definitions, and runtime behavior --- where they can do the most good with the least friction.

Security testing should happen at every stage, but it needs to be tuned. Run SAST on every commit but only block merges for real risks --- not cosmetic violations or low-confidence heuristics. Use [SBOMs](https://www.paloaltonetworks.com/cyberpedia/what-is-software-bill-materials-sbom?ts=markdown) and dependency scanners to flag vulnerable libraries, but filter results through runtime context, exploitability, and usage paths. No one wants to triage an avalanche of CVEs that have no actual impact. Developers will stop looking.

Automated compliance checks should function like circuit breakers. When Terraform or [Kubernetes](https://www.paloaltonetworks.com/cyberpedia/what-is-kubernetes?ts=markdown) manifests violate critical policies --- overpermissive roles, public storage buckets, unscoped [secrets](https://www.paloaltonetworks.com/cyberpedia/kubernetes-secrets?ts=markdown) --- those builds should fail early, with clear guidance on how to fix the problem. But for lower-severity issues, treat automation as a nudge. Flag the concern, offer a remediation path, but don't bring development to a halt unless necessary.

#### Shifting Left Nonintrusively

The most effective automation is invisible until it needs to be seen. It works in the background, scanning images as they're built, checking IaC templates during pull requests, validating [container runtime](https://www.paloaltonetworks.com/cyberpedia/runtime-security?ts=markdown) configurations in CD workflows. When it surfaces an issue, it comes with context: what went wrong, why it matters, and how to resolve it without derailing everything else.

Security automation also needs lifecycle awareness. What works on day one might fail at scale. Scan times creep up. Rulesets drift. Exceptions pile up. Build pipelines choke under the weight of tools meant to help. Build in observability from the start. Track how often rules trigger, how long teams take to respond, and how many alerts get ignored. Tune accordingly.

The power of automation doesn't lie in enforcement. It lies in reinforcement --- embedding security into the rhythm of development so that secure behavior becomes the path of least resistance. Get that right, and you don't need to teach every developer to think like a security engineer. You've already put the safety rails in the road.

### Knowledge That Transfers, Not Training That Expires

Developers don't need to become security experts to write secure code. To shift left, they need the kind of security knowledge that transfers. They need fluency in security the same way they need fluency in version control or debugging. It's not a specialty --- it's a muscle. And like any muscle, it strengthens through repetition and relevance.

Security knowledge transfers best when it maps to real code. Annotated examples of secure patterns in the languages and frameworks teams already use will always beat abstract guidelines. Teaching a Go developer how to avoid race conditions in auth logic matters more than explaining what SQL injection is for the fifteenth time.

Contextual tooling fills the gap between learning and doing. IDE plugins that flag dangerous functions or unsafe defaults while code is written train developers on the fly. Git hooks that block commits containing hardcoded secrets teach discipline without delay. Pull request bots that offer secure alternatives to insecure libraries turn every review into a learning opportunity. These tools don't preach --- they participate.

#### Make It Real

The key is relevance. A backend engineer doesn't need a lecture on frontend CSP headers. A developer writing Lambda functions needs to understand [least privilege](https://www.paloaltonetworks.com/cyberpedia/what-is-least-privilege-access?ts=markdown) more than cross-site scripting. Meet developers where they are, in the problems they're solving, with examples drawn from the technologies they use.

Knowledge also needs memory. Documenting secure patterns in internal wikis or developer portals gives teams something to return to. Codifying policy as code gives them something to trust. When security guidance becomes a living part of the development ecosystem, it starts to feel relevant.

Security enablement done well doesn't slow development. Developers who understand the guardrails can move faster, with fewer escalations, fewer reversions, and fewer post-deployment fire drills. They stop coding defensively and start designing securely.

### Feedback That Matters, When It Matters

The distance between cause and effect defines whether a developer learns from a mistake or repeats it. In fast-moving, cloud-native environments, the only feedback that matters is the kind that lands early, lands often, and lands with enough precision to guide.

You can't afford to wait for a weekly scan or a quarterly review cycle to surface risk. By then, the code has changed, and the vulnerability has taken root in production. Effective feedback loops turn days into minutes and vague reports into actionable insights. They surface issues within the developer's tools --- in the pull request, the IDE, and the terminal. When an engineer gets a clear security finding before the code merges, they're still in problem-solving mode. They know the context. They haven't mentally shifted to the next task.

But speed alone doesn't make feedback useful. Relevance does. Developers need to know which risks matter, why they matter here, and what to do about them. Flagging a high CVSS score means nothing without showing whether the vulnerable function is even reachable. Highlighting a misconfigured security group only helps if you point to the source IaC file and offer a secure fix that won't break the service.

#### Noise Is the Enemy

Developers who receive a flood of low-priority findings will tune out the critical ones. Feedback loops must be curated, prioritized, and tied to business impact. Otherwise, they become background noise to click past on the way to shipping.

There's also a human side to the loop. Automated tools catch a lot, but not everything. Code reviews remain one of the most underutilized venues for early security feedback. Teams that embed security questions into design discussions, review checklists, and architectural decision records catch flaws before a single line is written. That's not oversight --- it's design-level defense.

Continuous feedback doesn't mean constant interruption. It means building rhythms that reflect how modern teams work. When feedback becomes part of the code conversation, not an afterthought or escalation, security becomes a team asset.

### Treat Security Like Code

Security that lives outside of version control won't survive in a world defined by GitOps, CI/CD, and infrastructure-as-code. The pace of modern software delivery leaves no room for manual gatekeeping or ad hoc review. If security can't evolve at the speed of development, it becomes irrelevant --- or worse, a bottleneck that teams learn to skirt.

Treating security as code means encoding security policy, logic, and enforcement in the same systems developers already use to manage infrastructure and applications. It means making security declarative, testable, repeatable, and peer-reviewable --- just like any other critical system component.

Version-controlled security policies bring clarity and accountability. When access rules, identity boundaries, and enforcement logic live in code, every change has history, justification, and peer review. You don't just know what the system looks like --- you know how it got there, who changed it, and why. That auditability is priceless when something goes wrong.

#### Automation Without Ambiguity

Automation becomes far more powerful when policies are written as code. Policy-as-code frameworks like Open Policy Agent or HashiCorp Sentinel let you write security constraints that run inside CI/CD pipelines, infrastructure deployments, or [container orchestrators](https://www.paloaltonetworks.com/cyberpedia/what-is-container-orchestration?ts=markdown). That turns abstract requirements into hard-coded rules --- rules that block dangerous changes before they happen.

Treating security as code also unlocks integration. Guardrails defined in code can trigger unit tests, participate in linting, run in premerge checks, and integrate with IDEs. Developers don't have to wonder whether a configuration violates policy --- the tooling tells them immediately, with line-specific feedback and fix suggestions. That's how culture shifts. Get rid of ambiguity and gain buy-in.

#### With Flexibility Comes the Need for Discipline

Security-as-code can rot like any other codebase. Policies grow brittle, rulesets balloon with exceptions, enforcement logic drifts from actual risk, etc. Just like application code, security rules need tests, refactoring, and maintenance. Teams must treat policy repositories with the same rigor as their production systems.

But the payoff wins converts. Security becomes portable. Teams can share guardrails across services, replicate environments safely, and collaborate on risk reduction without endless Slack threads or duplicated effort. And because everything is in code, it scales with the team.

If security doesn't live in Git, it lives in people's heads or old PDFs. Neither of those scales. Codify what matters, run it automatically, and review it like it's part of the product.

### Security Only Works When the Silos Fall

No amount of tooling will compensate for a team culture that isolates security from the people doing the building. Security won't get visibility into how systems work in production, and developers won't understand the threats security is trying to defend against. Operations ends up owning the fallout when something breaks, and everyone loses.

In a cloud-native environment, the lines between dev, sec, and ops blur by design. Infrastructure is defined in code. Permissions are declared in config. Deployments happen through automation. When those layers operate in isolation, security becomes fragmented --- one team scanning IaC, another triaging runtime alerts, and no one owning the full picture.

Collaboration means shared responsibility, not divided accountability. Developers need to understand what secure design looks like. Security engineers need to understand what constraints the development team is working under. Operations needs to know which controls are critical and which ones can flex in the face of an incident. That only happens through ongoing, structured communication.

#### Collaboration, First and Always

Effective collaboration starts upstream. Security engineers should participate in architectural planning and design reviews, not just threat modeling workshops stapled onto the sprint retrospective. Developers should be involved in choosing and tuning security tools because they're the ones who have to live with the alerts. Ops needs to help define what "secure enough" looks like in production so the team can make realistic trade-offs.

Shared tooling helps --- but only if the workflows are aligned. It doesn't help to give each team its own dashboard full of disconnected alerts. The goal is a shared source of truth where risks, findings, and remediations are tracked in the same systems everyone uses: version control, issue trackers, deployment pipelines. The more security becomes part of the fabric of daily work, the less it feels like someone else's job.

Blame kills collaboration. If developers are punished for missing security issues they weren't trained to spot, or if security engineers are seen as blockers instead of enablers, teams will retreat into defensive postures. Progress stalls, and culture crumbles.

You don't need perfect agreement. Collaboration means shared context and mutual respect. It means understanding that a developer rushing to hit a deadline isn't sloppy --- they're pressured. A security engineer asking hard questions isn't a roadblock --- they're protecting what's been built. The best teams create space for both to operate together.

Related Article: [How to Transition from DevOps to DevSecOps](https://www.paloaltonetworks.com/cyberpedia/devops-to-devsecops?ts=markdown)

## What Shift Left Looks Like in Practice

Good ideas rarely fail from lack of belief --- they fail in execution. Shift left security has been widely embraced in theory but often stumbles once teams try to operationalize it. The challenge isn't a lack of will. It's the absence of practical models that balance speed, autonomy, and security without pulling the architecture into gridlock.

Let's look at patterns that teams can adopt --- and anti-patterns they should avoid if they want shift left security to deliver lasting value.

* Patterns align with how developers already build.
* Anti-patterns, though well-intentioned, tend to erode trust, slow delivery, or generate busywork without improving security outcomes.

|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| ### Pattern: Policy-as-Code in the Dev Loop Security policy encoded as code and enforced in the [CI/CD pipeline](https://www.paloaltonetworks.com/cyberpedia/what-is-the-ci-cd-pipeline-and-ci-cd-security?ts=markdown) gives developers instant feedback and consistent guardrails. When Terraform, Kubernetes, or CloudFormation templates are subject to automated checks before merge, teams catch misconfigurations like overly broad [IAM](https://www.paloaltonetworks.com/cyberpedia/what-is-identity-and-access-management?ts=markdown) permissions or unencrypted storage. The key is proximity. A policy-as-code engine like Open Policy Agent doesn't just enforce rules. It allows teams to write human-readable policies, version them alongside infrastructure code, and trigger checks automatically at pull request time. That's the heart of shift left: actionable enforcement without leaving the developer's workflow. | ### Anti-Pattern: Ticket-Driven "Approvals" for Infrastructure Changes Pushing every infrastructure change through a manual ticket review may look like control, but it grinds velocity to a halt and alienates developers. It's slow, opaque, and unscalable. Worse, it often leads teams to bypass the process entirely, creating shadow systems outside the official pipeline. Security should sit where decisions happen --- in code, in CI, in the review --- not at the end of a queue. If a rule is important enough to enforce, codify it. If it's too complex to codify, don't pretend a ticket system will solve the problem.                                                                                                                                                                                              |
| ### Pattern: Secret Scanning in GitHub Actions Hardcoded secrets remain one of the easiest, most damaging mistakes developers can make. Embedding secret scanning into GitHub Actions --- or whatever CI system you use --- catches exposed keys, tokens, and credentials before they land in the main branch. This kind of automation works because it's fast, quiet, and focused. It surfaces only when needed. It points to the exact commit, flags the problem, and gives the developer a chance to remediate or suppress with full visibility. No separate dashboard. No ticketing system. Just clean feedback in context.                                                                                                                                                                                                                                                                                                             | ### Anti-Pattern: Alert Flooding Without Prioritization Running security scanners without tuning them leads to what teams call "the Christmas tree effect" because everything lights up red. Every commit, every dependency bump, every config tweak triggers an alert. The team, understandably, starts ignoring them. And the moment they stop looking, critical issues slip through. Shift left security doesn't mean throwing every possible alert into the developer's lap. It means curated, risk-aware feedback that reflects business context. A 10/10 CVE in a dev-only [container](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container?ts=markdown) that never sees production isn't the same as an 8.1 in a shared library exposed to the internet. Treating them the same is a fast way to lose credibility. |
| ### Pattern: Auto-Generated Threat Models Threat modeling doesn't have to be slow. When teams use architecture diagrams, IaC definitions, or service metadata to generate basic threat models automatically, they reduce time-to-insight dramatically. Developers get a first draft without needing to fill out templates or attend meetings. From there, security teams can refine and iterate with them. The collaborative jumpstart --- diagram → threat model → shared review --- removes the friction that usually keeps modeling out of early design.                                                                                                                                                                                                                                                                                                                                                                                 | ### Anti-Pattern: Turning Every Security Tool into a Gate Treating every tool as a hard blocker trains teams to game the system. Developers start working around tooling instead of with it. A flaky SAST scanner that fails builds unpredictably becomes a liability. An overly rigid policy engine that flags every harmless deviation as critical gets disabled "temporarily" and never re-enabled. Gates make sense for high-confidence, high-impact risks. But many tools should guide or warn instead of block. Developers are more likely to adopt systems that support their velocity rather than challenge it. Respect the flow, and they'll respect the signal.                                                                                                                                                            |

## What Secure Looks Like Now

Shift left security is a shift in gravity --- pulling security decisions earlier, closer to the code, closer to the people building it. When done well, it doesn't slow you down. It gives you confidence. You know what's running. You know who has access. You know where your risks are --- and what's being done about them.

Security that sticks doesn't fight the way developers work. It fits into it. The best systems don't just catch vulnerabilities. They prevent them from appearing in the first place. They teach. They guide. They scale with the architecture and with the team.

When shift left takes root, the culture shifts too. Developers stop pushing security to the end of the sprint. Security teams stop filing tickets no one reads. And software starts shipping with fewer surprises, fewer fire drills, and more control. That's not just shift left. That's progress.

## Shift Left Security FAQS

### Is shift left security just DevSecOps with a new name?

No. Shift left refers specifically to moving security earlier in the software development lifecycle. DevSecOps speaks to broader integration of security practices into the entire DevOps culture, including operations. Shift left is a tactic. DevSecOps is the cultural shift. They overlap, but they aren't interchangeable.

### How early is "early" when we talk about integrating security?

Before the first line of code is merged. Security starts at design. Infrastructure decisions, data flows, and service boundaries define the risk surface long before features get built. Catching misconfigurations in an IaC plan beats detecting them post-deployment.

### Do we really need more tools to do shift left well?

Not necessarily. Most teams already have the tooling --- they just don't use it effectively. What matters more is integration. Security tools that live outside the developer workflow don't shift left --- they sit off to the side. The right tools are the ones that speak the language of code, Git, and CI.

### What's policy-as-code?

It's the practice of expressing security and compliance rules as machine-readable code. These policies can run automatically in CI/CD pipelines to validate infrastructure, enforce identity constraints, or block insecure configurations. They're version-controlled, testable, and repeatable --- just like application code.

### How do you prevent alert fatigue when automating scans?

By tuning results, prioritizing context, and delivering feedback inside the workflow. Don't show every CVE --- show the ones that affect live code paths. Don't send alerts to email --- surface them in the pull request. Less is more when what's shown is actionable.

### What's the difference between SAST, DAST, and IAST?

* SAST (Static Application Security Testing) analyzes source code without executing it.
* DAST (Dynamic Application Security Testing) scans running applications from the outside, like a black-box tester.
* IAST (Interactive Application Security Testing) observes applications during runtime from the inside.

Each has a role, but only SAST truly "shifts left."

### Does shift left apply to containers and Kubernetes too?

Absolutely. Kubernetes manifests, Helm charts, and container build files are all code. You can apply policy checks, run linters, and enforce image security rules during CI. Waiting until runtime is too late.

### What's a security champion?

A developer who takes on part-time responsibility for security practices within their team. They help bridge gaps between security engineers and developers, advocate for secure design, and often serve as a first point of contact for tooling, training, and reviews.

### Is secret scanning in CI enough to prevent leaks?

It's essential, but it's not enough on its own. Prevention starts with education --- developers need to know what not to check in. Strong pre-commit hooks and internal SDKs that manage secrets automatically add extra protection.

### What if the shift left tools slow down the build pipeline?

Then they're misconfigured or misused. The best shift left tools are fast, quiet, and focused. You shouldn't pay for security with velocity unless the trade-off is critical --- and even then, optimize for early detection, not runtime bloat.

### Where does threat modeling fit into shift left?

Right at the start. You don't need a full whiteboard session for every sprint. Lightweight, iterative models --- especially auto-generated ones --- help teams reason through risk while designs are still fluid. That's the sweet spot.

### What's the difference between a gate and a guardrail?

A gate stops you from moving forward. A guardrail guides you while letting you keep momentum. Shift left works best when security behaves like a guardrail --- advising and enforcing only when necessary.

### Does every team need their own security expert?

No, but every team needs access to security insight. Whether through shared champions, embedded security engineers, or policy-as-code systems, the goal is consistent coverage, not duplicating headcount.
Related Content  
[ASPM Buyer's Guide
Gain a comprehensive framework for evaluating and choosing an ASPM solution that shifts your AppSec strategy from reactive to proactive.](https://start.paloaltonetworks.com/application-security-posture-management-buyers-guide.html)  
[Accelerate Secure Development with Prevention-First Application Security Posture Management (ASPM)
Learn how Cortex Cloud's ASPM centralizes and correlates findings from disparate security scanning tools with complete context across code, application infrastructure, and cloud ru...](https://www.paloaltonetworks.com/resources/datasheets/application-security-posture-management-solution-brief?ts=markdown)  
[Introducing Cortex Cloud ASPM
Cortex Cloud ASPM gives security and engineering teams the control to prevent exploitable risk early and respond with full context across the software lifecycle.](https://www.paloaltonetworks.com/blog/cloud-security/introducing-aspm-cortex-cloud/?ts=markdown)  
[AppSec's New Horizon
Join this virtual event to get a practical, prevention-first blueprint --- backed by new Unit 42 research --- to modernize your AppSec strategy.](https://start.paloaltonetworks.com/appsecs-new-horizon-virtual-event.html)  
![Share page on facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/facebook-circular-icon.svg) ![Share page on linkedin](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/linkedin-circular-icon.svg) [![Share page by an email](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/email-circular-icon.svg)](mailto:?subject=What%20Is%20Shift%20Left%20Security%3F&body=Shift%20left%20security%20integrates%20protection%20early%20in%20development%E2%80%94empowering%20teams%20to%20catch%20vulnerabilities%20and%20misconfigurations%2C%20reduce%20risk%2C%20and%20ship%20secure%20software%20at%20scale.%20at%20https%3A//www.paloaltonetworks.com/cyberpedia/shift-left-security)  
Back to Top  
[Previous](https://www.paloaltonetworks.com/cyberpedia/insecure-system-configuration-cicd-sec7?ts=markdown) What Is Insecure System Configuration?  
[Next](https://www.paloaltonetworks.com/cyberpedia/what-is-devops?ts=markdown) What Is DevOps?  
{#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language