[](https://www.paloaltonetworks.com/?ts=markdown) * Sign In * Customer * Partner * Employee * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown) * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown) * EN * [USA (ENGLISH)](https://www.paloaltonetworks.com) * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au) * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br) * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca) * [CHINA (简体中文)](https://www.paloaltonetworks.cn) * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr) * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de) * [INDIA (ENGLISH)](https://www.paloaltonetworks.in) * [ITALY (ITALIANO)](https://www.paloaltonetworks.it) * [JAPAN (日本語)](https://www.paloaltonetworks.jp) * [KOREA (한국어)](https://www.paloaltonetworks.co.kr) * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat) * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx) * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg) * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es) * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw) * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk) * ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [What's New](https://www.paloaltonetworks.com/resources?ts=markdown) * [Get Support](https://support.paloaltonetworks.com/SupportAccount/MyAccount) * [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html) ![x close icon to close mobile navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/x-black.svg) [![Palo Alto Networks logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)](https://www.paloaltonetworks.com/?ts=markdown) ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg) * [](https://www.paloaltonetworks.com/?ts=markdown) * Products ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Products [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [AI Security](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise Device Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical Device Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [OT Device Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex AgentiX](https://www.paloaltonetworks.com/cortex/agentix?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Exposure Management](https://www.paloaltonetworks.com/cortex/exposure-management?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Cortex Advanced Email Security](https://www.paloaltonetworks.com/cortex/advanced-email-security?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Unit 42 Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * Solutions ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Solutions Secure AI by Design * [Secure AI Ecosystem](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [Secure GenAI Usage](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) Network Security * [Cloud Network Security](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Data Center Security](https://www.paloaltonetworks.com/network-security/data-center?ts=markdown) * [DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Intrusion Detection and Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Device Security](https://www.paloaltonetworks.com/network-security/device-security?ts=markdown) * [OT Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown) * [5G Security](https://www.paloaltonetworks.com/network-security/5g-security?ts=markdown) * [Secure All Apps, Users and Locations](https://www.paloaltonetworks.com/sase/secure-users-data-apps-devices?ts=markdown) * [Secure Branch Transformation](https://www.paloaltonetworks.com/sase/secure-branch-transformation?ts=markdown) * [Secure Work on Any Device](https://www.paloaltonetworks.com/sase/secure-work-on-any-device?ts=markdown) * [VPN Replacement](https://www.paloaltonetworks.com/sase/vpn-replacement-for-secure-remote-access?ts=markdown) * [Web \& Phishing Security](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) Cloud Security * [Application Security Posture Management (ASPM)](https://www.paloaltonetworks.com/cortex/cloud/application-security-posture-management?ts=markdown) * [Software Supply Chain Security](https://www.paloaltonetworks.com/cortex/cloud/software-supply-chain-security?ts=markdown) * [Code Security](https://www.paloaltonetworks.com/cortex/cloud/code-security?ts=markdown) * [Cloud Security Posture Management (CSPM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-security-posture-management?ts=markdown) * [Cloud Infrastructure Entitlement Management (CIEM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-infrastructure-entitlement-management?ts=markdown) * [Data Security Posture Management (DSPM)](https://www.paloaltonetworks.com/cortex/cloud/data-security-posture-management?ts=markdown) * [AI Security Posture Management (AI-SPM)](https://www.paloaltonetworks.com/cortex/cloud/ai-security-posture-management?ts=markdown) * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown) * [Cloud Workload Protection (CWP)](https://www.paloaltonetworks.com/cortex/cloud/cloud-workload-protection?ts=markdown) * [Web Application \& API Security (WAAS)](https://www.paloaltonetworks.com/cortex/cloud/web-app-api-security?ts=markdown) Security Operations * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown) * [Security Information and Event Management](https://www.paloaltonetworks.com/cortex/modernize-siem?ts=markdown) * [Network Security Automation](https://www.paloaltonetworks.com/cortex/network-security-automation?ts=markdown) * [Incident Case Management](https://www.paloaltonetworks.com/cortex/incident-case-management?ts=markdown) * [SOC Automation](https://www.paloaltonetworks.com/cortex/security-operations-automation?ts=markdown) * [Threat Intel Management](https://www.paloaltonetworks.com/cortex/threat-intel-management?ts=markdown) * [Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Attack Surface Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/attack-surface-management?ts=markdown) * [Compliance Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/compliance-management?ts=markdown) * [Internet Operations Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/internet-operations-management?ts=markdown) * [Extended Data Lake (XDL)](https://www.paloaltonetworks.com/cortex/cortex-xdl?ts=markdown) * [Agentic Assistant](https://www.paloaltonetworks.com/cortex/cortex-agentic-assistant?ts=markdown) Endpoint Security * [Endpoint Protection](https://www.paloaltonetworks.com/cortex/endpoint-protection?ts=markdown) * [Extended Detection \& Response](https://www.paloaltonetworks.com/cortex/detection-and-response?ts=markdown) * [Ransomware Protection](https://www.paloaltonetworks.com/cortex/ransomware-protection?ts=markdown) * [Digital Forensics](https://www.paloaltonetworks.com/cortex/digital-forensics?ts=markdown) [Industries](https://www.paloaltonetworks.com/industry?ts=markdown) * [Public Sector](https://www.paloaltonetworks.com/industry/public-sector?ts=markdown) * [Financial Services](https://www.paloaltonetworks.com/industry/financial-services?ts=markdown) * [Manufacturing](https://www.paloaltonetworks.com/industry/manufacturing?ts=markdown) * [Healthcare](https://www.paloaltonetworks.com/industry/healthcare?ts=markdown) * [Small \& Medium Business Solutions](https://www.paloaltonetworks.com/industry/small-medium-business-portfolio?ts=markdown) * Services ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Services [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Assess](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [AI Security Assessment](https://www.paloaltonetworks.com/unit42/assess/ai-security-assessment?ts=markdown) * [Attack Surface Assessment](https://www.paloaltonetworks.com/unit42/assess/attack-surface-assessment?ts=markdown) * [Breach Readiness Review](https://www.paloaltonetworks.com/unit42/assess/breach-readiness-review?ts=markdown) * [BEC Readiness Assessment](https://www.paloaltonetworks.com/bec-readiness-assessment?ts=markdown) * [Cloud Security Assessment](https://www.paloaltonetworks.com/unit42/assess/cloud-security-assessment?ts=markdown) * [Compromise Assessment](https://www.paloaltonetworks.com/unit42/assess/compromise-assessment?ts=markdown) * [Cyber Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/cyber-risk-assessment?ts=markdown) * [M\&A Cyber Due Diligence](https://www.paloaltonetworks.com/unit42/assess/mergers-acquisitions-cyber-due-diligence?ts=markdown) * [Penetration Testing](https://www.paloaltonetworks.com/unit42/assess/penetration-testing?ts=markdown) * [Purple Team Exercises](https://www.paloaltonetworks.com/unit42/assess/purple-teaming?ts=markdown) * [Ransomware Readiness Assessment](https://www.paloaltonetworks.com/unit42/assess/ransomware-readiness-assessment?ts=markdown) * [SOC Assessment](https://www.paloaltonetworks.com/unit42/assess/soc-assessment?ts=markdown) * [Supply Chain Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/supply-chain-risk-assessment?ts=markdown) * [Tabletop Exercises](https://www.paloaltonetworks.com/unit42/assess/tabletop-exercise?ts=markdown) * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * [Respond](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Cloud Incident Response](https://www.paloaltonetworks.com/unit42/respond/cloud-incident-response?ts=markdown) * [Digital Forensics](https://www.paloaltonetworks.com/unit42/respond/digital-forensics?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond/incident-response?ts=markdown) * [Managed Detection and Response](https://www.paloaltonetworks.com/unit42/respond/managed-detection-response?ts=markdown) * [Managed Threat Hunting](https://www.paloaltonetworks.com/unit42/respond/managed-threat-hunting?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * [Transform](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [IR Plan Development and Review](https://www.paloaltonetworks.com/unit42/transform/incident-response-plan-development-review?ts=markdown) * [Security Program Design](https://www.paloaltonetworks.com/unit42/transform/security-program-design?ts=markdown) * [Virtual CISO](https://www.paloaltonetworks.com/unit42/transform/vciso?ts=markdown) * [Zero Trust Advisory](https://www.paloaltonetworks.com/unit42/transform/zero-trust-advisory?ts=markdown) [Global Customer Services](https://www.paloaltonetworks.com/services?ts=markdown) * [Education \& Training](https://www.paloaltonetworks.com/services/education?ts=markdown) * [Professional Services](https://www.paloaltonetworks.com/services/consulting?ts=markdown) * [Success Tools](https://www.paloaltonetworks.com/services/customer-success-tools?ts=markdown) * [Support Services](https://www.paloaltonetworks.com/services/solution-assurance?ts=markdown) * [Customer Success](https://www.paloaltonetworks.com/services/customer-success?ts=markdown) [![](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/logo-unit-42.svg) UNIT 42 RETAINER Custom-built to fit your organization's needs, you can choose to allocate your retainer hours to any of our offerings, including proactive cyber risk management services. Learn how you can put the world-class Unit 42 Incident Response team on speed dial. Learn more](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * Partners ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Partners NextWave Partners * [NextWave Partner Community](https://www.paloaltonetworks.com/partners?ts=markdown) * [Cloud Service Providers](https://www.paloaltonetworks.com/partners/nextwave-for-csp?ts=markdown) * [Global Systems Integrators](https://www.paloaltonetworks.com/partners/nextwave-for-gsi?ts=markdown) * [Technology Partners](https://www.paloaltonetworks.com/partners/technology-partners?ts=markdown) * [Service Providers](https://www.paloaltonetworks.com/partners/service-providers?ts=markdown) * [Solution Providers](https://www.paloaltonetworks.com/partners/nextwave-solution-providers?ts=markdown) * [Managed Security Service Providers](https://www.paloaltonetworks.com/partners/managed-security-service-providers?ts=markdown) * [XMDR Partners](https://www.paloaltonetworks.com/partners/managed-security-service-providers/xmdr?ts=markdown) Take Action * [Portal Login](https://www.paloaltonetworks.com/partners/nextwave-partner-portal?ts=markdown) * [Managed Services Program](https://www.paloaltonetworks.com/partners/managed-security-services-provider-program?ts=markdown) * [Become a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=becomepartner) * [Request Access](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=requestaccess) * [Find a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerlocator) [CYBERFORCE CYBERFORCE represents the top 1% of partner engineers trusted for their security expertise. Learn more](https://www.paloaltonetworks.com/cyberforce?ts=markdown) * Company ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Company Palo Alto Networks * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Management Team](https://www.paloaltonetworks.com/about-us/management?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com) * [Locations](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Ethics \& Compliance](https://www.paloaltonetworks.com/company/ethics-and-compliance?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Military \& Veterans](https://jobs.paloaltonetworks.com/military) [Why Palo Alto Networks?](https://www.paloaltonetworks.com/why-paloaltonetworks?ts=markdown) * [Precision AI Security](https://www.paloaltonetworks.com/precision-ai-security?ts=markdown) * [Our Platform Approach](https://www.paloaltonetworks.com/why-paloaltonetworks/platformization?ts=markdown) * [Accelerate Your Cybersecurity Transformation](https://www.paloaltonetworks.com/why-paloaltonetworks/nam-cxo-portfolio?ts=markdown) * [Awards \& Recognition](https://www.paloaltonetworks.com/about-us/awards?ts=markdown) * [Customer Stories](https://www.paloaltonetworks.com/customers?ts=markdown) * [Global Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Trust 360 Program](https://www.paloaltonetworks.com/resources/whitepapers/trust-360?ts=markdown) Careers * [Overview](https://jobs.paloaltonetworks.com/) * [Culture \& Benefits](https://jobs.paloaltonetworks.com/en/culture/) [A Newsweek Most Loved Workplace "Businesses that do right by their employees" Read more](https://www.paloaltonetworks.com/company/press/2021/palo-alto-networks-secures-top-ranking-on-newsweek-s-most-loved-workplaces-list-for-2021?ts=markdown) * More ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) More Resources * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Unit 42 Threat Research](https://unit42.paloaltonetworks.com/) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Tech Insider](https://techinsider.paloaltonetworks.com/) * [Knowledge Base](https://knowledgebase.paloaltonetworks.com/) * [Palo Alto Networks TV](https://tv.paloaltonetworks.com/) * [Perspectives of Leaders](https://www.paloaltonetworks.com/perspectives/?ts=markdown) * [Cyber Perspectives Magazine](https://www.paloaltonetworks.com/cybersecurity-perspectives/cyber-perspectives-magazine?ts=markdown) * [Regional Cloud Locations](https://www.paloaltonetworks.com/products/regional-cloud-locations?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Security Posture Assessment](https://www.paloaltonetworks.com/security-posture-assessment?ts=markdown) * [Threat Vector Podcast](https://unit42.paloaltonetworks.com/unit-42-threat-vector-podcast/) * [Packet Pushers Podcasts](https://www.paloaltonetworks.com/podcasts/packet-pusher?ts=markdown) Connect * [LIVE community](https://live.paloaltonetworks.com/) * [Events](https://events.paloaltonetworks.com/) * [Executive Briefing Center](https://www.paloaltonetworks.com/about-us/executive-briefing-program?ts=markdown) * [Demos](https://www.paloaltonetworks.com/demos?ts=markdown) * [Contact us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) [Blog Stay up-to-date on industry trends and the latest innovations from the world's largest cybersecurity Learn more](https://www.paloaltonetworks.com/blog/) * Sign In ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Sign In * Customer * Partner * Employee * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown) * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown) * EN ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Language * [USA (ENGLISH)](https://www.paloaltonetworks.com) * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au) * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br) * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca) * [CHINA (简体中文)](https://www.paloaltonetworks.cn) * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr) * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de) * [INDIA (ENGLISH)](https://www.paloaltonetworks.in) * [ITALY (ITALIANO)](https://www.paloaltonetworks.it) * [JAPAN (日本語)](https://www.paloaltonetworks.jp) * [KOREA (한국어)](https://www.paloaltonetworks.co.kr) * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat) * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx) * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg) * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es) * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw) * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [What's New](https://www.paloaltonetworks.com/resources?ts=markdown) * [Get support](https://support.paloaltonetworks.com/SupportAccount/MyAccount) * [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html) * [Demos and Trials](https://www.paloaltonetworks.com/get-started?ts=markdown) Search All * [Tech Docs](https://docs.paloaltonetworks.com/search) Close search modal [Deploy Bravely --- Secure your AI transformation with Prisma AIRS](https://www.deploybravely.com) [](https://www.paloaltonetworks.com/?ts=markdown) 1. [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) 2. [Threats](https://www.paloaltonetworks.com/cyberpedia/threat?ts=markdown) 3. [Incident Response](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response?ts=markdown) 4. [What is Cloud Incident Response?](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response?ts=markdown) Table of contents * [What Is Incident Response?](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response?ts=markdown) * [Why Is Incident Response Important?](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#why?ts=markdown) * [Types of Cybersecurity Incidents](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#types?ts=markdown) * [What Is the Incident Response Lifecycle?](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#ir-lifecycle?ts=markdown) * [What Is an Incident Response Plan?](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#ir-plan?ts=markdown) * [What Is Digital Forensics and Incident Response?](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#forensics?ts=markdown) * [Incident Response Frameworks and Phases](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#ir-phases?ts=markdown) * [Incident Response Teams](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#ir-team?ts=markdown) * [Incident Response Tools and Technology](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#ir-tools?ts=markdown) * [Incident Response Services](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#ir-services?ts=markdown) * [Incident Response FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response#faq?ts=markdown) * [What is Cyber Incident Reporting?](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-incident-reporting?ts=markdown) * [An Overview of Cybersecurity Incident Management](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-incident-reporting#an?ts=markdown) * [Key Components of Cyber Incident Reporting](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-incident-reporting#key?ts=markdown) * [Steps to Establish a Cyber Incident Reporting Process](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-incident-reporting#steps?ts=markdown) * [The CISA Rule for Cyber Incident Reporting](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-incident-reporting#reporting?ts=markdown) * [Cyber Security Incident Case Study](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-incident-reporting#cyber?ts=markdown) * [Cyber Incident Reporting FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-incident-reporting#faqs?ts=markdown) * [What is Digital Forensics and Incident Response (DFIR)?](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response?ts=markdown) * [DFIR: A Symbiotic Relationship](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#dfir?ts=markdown) * [The Role of Digital Forensics](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#role-of-digital-forensics?ts=markdown) * [The Role and Importance of Incident Response](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#roles?ts=markdown) * [What is the Difference Between DFIR and SOC?](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#difference?ts=markdown) * [The Role of EDR in DFIR](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#role-of-edr?ts=markdown) * [DFIR Challenges](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#challenges?ts=markdown) * [Digital Forensics and Incident Response Best Practices](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#best-practices?ts=markdown) * [Future Trends in DFIR](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#future-trends?ts=markdown) * [DFIR FAQs](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response#faqs?ts=markdown) * What is Cloud Incident Response? * [Cloud Incident Response (IR) Explained](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#explained?ts=markdown) * [Why Cloud IR Differs from Traditional IR](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#why?ts=markdown) * [The Cloud Incident Response Lifecycle](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#lifecycle?ts=markdown) * [SOC IR vs. Cloud IR](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#vs?ts=markdown) * [Best Practices for Cloud Incident Response](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#best?ts=markdown) * [Cloud Incident Response Frameworks and Standards](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#standards?ts=markdown) * [The Role of Cloud-Native Security Tools](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#role?ts=markdown) * [Future Trends in Cloud Incident Response](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#future?ts=markdown) * [Key Challenges in Cloud Incident Response](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#key?ts=markdown) * [Solutions to Overcome Cloud IR Barriers](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#solutions?ts=markdown) * [Cloud Incident Response FAQs](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#faqs?ts=markdown) * [What is an Incident Response Playbook?](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-playbook?ts=markdown) * [The Role of Incident Response Playbooks](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-playbook#role?ts=markdown) * [Differences Between Playbooks, Plans, and Runbooks](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-playbook#differences?ts=markdown) * [The Steps of Incident Response](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-playbook#steps?ts=markdown) * [Key Components of an Incident Response Playbook](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-playbook#key?ts=markdown) * [Building an Effective Incident Response Playbook](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-playbook#building?ts=markdown) * [Incident Response Playbook FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-playbook#faqs?ts=markdown) * [What is the Role of EDR in Digital Forensics and Incident Response (DFIR)?](https://www.paloaltonetworks.com/cyberpedia/what-is-the-role-of-edr-in-dfir-digital-forensics-and-incident-response?ts=markdown) * [Digital Forensics vs. Incident Response](https://www.paloaltonetworks.com/cyberpedia/what-is-the-role-of-edr-in-dfir-digital-forensics-and-incident-response#digital?ts=markdown) * [Exploring Fundamentals of EDR Incident Response and Forensics](https://www.paloaltonetworks.com/cyberpedia/what-is-the-role-of-edr-in-dfir-digital-forensics-and-incident-response#exploring?ts=markdown) * [The Core Features of EDR Solutions](https://www.paloaltonetworks.com/cyberpedia/what-is-the-role-of-edr-in-dfir-digital-forensics-and-incident-response#the?ts=markdown) * [The Intersection of EDR and Incident Response](https://www.paloaltonetworks.com/cyberpedia/what-is-the-role-of-edr-in-dfir-digital-forensics-and-incident-response#response?ts=markdown) * [Enhancing Forensic Capabilities with EDR](https://www.paloaltonetworks.com/cyberpedia/what-is-the-role-of-edr-in-dfir-digital-forensics-and-incident-response#enhancing?ts=markdown) * [Integrating EDR into Your Cybersecurity Strategy](https://www.paloaltonetworks.com/cyberpedia/what-is-the-role-of-edr-in-dfir-digital-forensics-and-incident-response#integrating?ts=markdown) * [DFIR vs. EDR](https://www.paloaltonetworks.com/cyberpedia/what-is-the-role-of-edr-in-dfir-digital-forensics-and-incident-response#vs?ts=markdown) * [CSIRT vs. Digital Forensics](https://www.paloaltonetworks.com/cyberpedia/what-is-the-role-of-edr-in-dfir-digital-forensics-and-incident-response#forensics?ts=markdown) * [Challenges with EDR in Incident Response and Forensics](https://www.paloaltonetworks.com/cyberpedia/what-is-the-role-of-edr-in-dfir-digital-forensics-and-incident-response#challenges?ts=markdown) * [Case Study: Impact of EDR in Real-World Scenarios](https://www.paloaltonetworks.com/cyberpedia/what-is-the-role-of-edr-in-dfir-digital-forensics-and-incident-response#case?ts=markdown) * [The Role of EDR in Incident Response and Forensics FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-the-role-of-edr-in-dfir-digital-forensics-and-incident-response#faqs?ts=markdown) * [What Is an Incident Response Team?](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-team?ts=markdown) * [What is an Incident Response Team?](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-team#what?ts=markdown) * [Types of Incident Response Teams](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-team#types?ts=markdown) * [Key Functions and Responsibilities](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-team#key?ts=markdown) * [Building an Effective Incident Response Team](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-team#building?ts=markdown) * [Incident Response Team Structure](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-team#incident?ts=markdown) * [Benefits and Best Practices for IRTs](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-team#benefits?ts=markdown) * [What is an EDR Team?](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-team#edr?ts=markdown) * [What is an ERT?](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-team#ert?ts=markdown) * [Incident Response Team FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-team#faqs?ts=markdown) * [What is an Incident Response Plan Template?](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan-template?ts=markdown) * [Importance of an Incident Response Plan](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan-template#importance-of-ir-plan?ts=markdown) * [Benefits of a Well-Crafted Incident Response Plan](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan-template#benefits?ts=markdown) * [Key Components of an Incident Response Plan Template](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan-template#key-components?ts=markdown) * [Steps to Create an Incident Response Plan](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan-template#steps?ts=markdown) * [Incident Response Plan Templates](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan-template#templates?ts=markdown) * [Incident Response Plan FAQs](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan-template#faqs?ts=markdown) * [What Is an Incident Response Plan (IRP)?](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan?ts=markdown) * [Why is an Incident Response Plan Important?](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan#why?ts=markdown) * [How to Build an Incident Response Plan](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan#how?ts=markdown) * [Incident Response (IR) Plan FAQs](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan#faqs?ts=markdown) # What is Cloud Incident Response? 5 min. read Table of contents * * [Cloud Incident Response (IR) Explained](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#explained?ts=markdown) * [Why Cloud IR Differs from Traditional IR](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#why?ts=markdown) * [The Cloud Incident Response Lifecycle](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#lifecycle?ts=markdown) * [SOC IR vs. Cloud IR](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#vs?ts=markdown) * [Best Practices for Cloud Incident Response](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#best?ts=markdown) * [Cloud Incident Response Frameworks and Standards](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#standards?ts=markdown) * [The Role of Cloud-Native Security Tools](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#role?ts=markdown) * [Future Trends in Cloud Incident Response](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#future?ts=markdown) * [Key Challenges in Cloud Incident Response](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#key?ts=markdown) * [Solutions to Overcome Cloud IR Barriers](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#solutions?ts=markdown) * [Cloud Incident Response FAQs](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#faqs?ts=markdown) 1. Cloud Incident Response (IR) Explained * * [Cloud Incident Response (IR) Explained](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#explained?ts=markdown) * [Why Cloud IR Differs from Traditional IR](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#why?ts=markdown) * [The Cloud Incident Response Lifecycle](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#lifecycle?ts=markdown) * [SOC IR vs. Cloud IR](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#vs?ts=markdown) * [Best Practices for Cloud Incident Response](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#best?ts=markdown) * [Cloud Incident Response Frameworks and Standards](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#standards?ts=markdown) * [The Role of Cloud-Native Security Tools](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#role?ts=markdown) * [Future Trends in Cloud Incident Response](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#future?ts=markdown) * [Key Challenges in Cloud Incident Response](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#key?ts=markdown) * [Solutions to Overcome Cloud IR Barriers](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#solutions?ts=markdown) * [Cloud Incident Response FAQs](https://www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response#faqs?ts=markdown) Cloud incident response is a specialized discipline within cybersecurity focused on a structured approach to identifying, containing, and remediating security threats within a cloud computing environment. It involves quickly detecting, assessing, containing, and resolving threats to minimize harm to workloads and restore normal business operations. Unlike [traditional IR](https://www.paloaltonetworks.com/cyberpedia/what-is-incident-response?ts=markdown), cloud IR considers the unique aspects of cloud systems: * Distributed architecture * Shared responsibility between providers and customers * Scalable flexibility ### Lapsus$ Cloud Incident Response Case Study | Unit 42 ![Lapsus$ Cloud Incident Response Case Study | Unit 42](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/unit-42-cloud-incident-response/video-thumbnail-lapsus-cloud-incident-response-case-study-unit-42.jpg) close Key Points * **Proactive Planning**: Cloud incident response requires a dedicated plan tailored to the unique complexities of cloud environments, which differ significantly from traditional on-premises infrastructure. \* **Phased Approach**: The process follows a lifecycle that includes preparation, detection, containment, eradication, recovery, and post-incident analysis to ensure a thorough and repeatable process. \* **Unique Challenges**: Responding to cloud incidents involves specific difficulties like managing the shared responsibility model, maintaining visibility in dynamic environments, and using cloud-native tools for forensics. \* **Essential Components**: An effective strategy relies on a well-defined team, comprehensive logging and monitoring, automated response capabilities, and continuous training. \* **Zero Trust**: A zero trust security model is a foundational principle for cloud incident response, assuming no user or resource can be implicitly trusted, regardless of their location. ## Cloud Incident Response (IR) Explained The Palo Alto Networks Unit 42 [Global Incident Response Report](https://www.paloaltonetworks.com/resources/research/2025-incident-response-report?ts=markdown) revealed that nearly one-third (29%) of the cases that Unit 42 responded to were cloud-related, highlighting the growing need for specialized cloud incident response capabilities. Cloud incident response expands upon traditional incident management principles, specifically addressing the complexities of cloud environments. It involves a strategic approach to detecting and recovering from [cyber attacks](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cyber-attack?ts=markdown) or security events affecting cloud-based infrastructure, applications, and data. The importance of cloud incident response stems from the dynamic, distributed, and API-driven nature of cloud platforms, which introduces distinct challenges compared to on-premises systems. Effective incident response in the cloud requires specialized knowledge of [cloud service provider (CSP)](https://www.paloaltonetworks.com/cyberpedia/cloud-service-provider?ts=markdown) architectures, the [shared responsibility model](https://www.paloaltonetworks.com/cyberpedia/cloud-security-is-a-shared-responsibility?ts=markdown), and cloud-native security controls. Incident response is part of the "Detect" and "Respond" stages in the Cloud Security Lifecycle. These stages align with cloud security frameworks, such as the [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) or [CIS Controls](https://www.cisecurity.org/controls), which outline a comprehensive approach to securing cloud environments. Security teams must adapt their processes to account for ephemeral resources, limited physical access, and the rapid pace of change in cloud environments. A well-prepared cloud incident response capability is vital for maintaining business continuity and protecting sensitive information in the face of evolving cyber threats. ## Why Cloud IR Differs from Traditional IR Cloud environments introduce unique complexities for incident response that necessitate a distinct approach from traditional on-premises methods. Understanding these differences is fundamental for effective incident management in the cloud. ### Shared Responsibility Model The shared responsibility model defines the security obligations between the cloud service provider and the customer. The CSP is responsible for the security of the cloud (the underlying infrastructure), while the customer is responsible for security in the cloud, encompassing data, applications, and configurations. This division means incident responders must clearly understand which party is responsible for specific aspects during an incident. ### Dynamic and Ephemoral Infrastructure Cloud environments feature highly dynamic and ephemeral infrastructure, unlike static on-premises systems. Resources like virtual machines, containers, and serverless functions can scale up, down, or disappear rapidly. This dynamism complicates digital forensics and investigation, as evidence may be short-lived or distributed across many temporary instances. ### Limited Physical Access In cloud environments, customers do not have physical access to the underlying hardware or data centers. This absence of physical control means traditional forensic methods, such as imaging physical disks, are not applicable. Incident responders must rely on cloud provider APIs, logging services, and virtualized tools for investigation and data collection. ### API-Driven Control Plane Cloud services are primarily managed through APIs, which form the control plane for all cloud operations. Many cloud incidents involve the compromise of API keys or unauthorized access to the management plane. Incident responders must understand how to monitor and secure these APIs, as well as how to revoke compromised credentials swiftly. ![Incident response process diagram showing five connected phases: Scope, Investigate, Secure, Support \& Report, and Transform, with corresponding icons and detailed descriptions for each phase. Threat Intelligence is shown as an underlying foundation supporting all phases](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/unit-42-cloud-incident-response/cloud-incident-response-methodology.png "Incident Response Process Phases") **Figure 1**: Incident Response Process Phases ## The Cloud Incident Response Lifecycle Effective cloud incident response follows a structured process, adapting established incident handling phases to the unique characteristics of cloud computing. This lifecycle ensures a systematic approach to managing security incidents from preparation through post-incident analysis. ### Preparation This phase involves establishing the necessary foundations before an incident occurs. It includes: * **Developing a Plan**: A tailored Cloud IR plan outlines procedures, roles, and responsibilities for handling cloud incidents. * **Building a Team**: An effective team requires members with specialized knowledge of cloud platforms, architectures, and security services. * **Implementing Controls** : Deploying cloud-native security controls like [cloud security posture management (CSPM)](https://www.paloaltonetworks.com/cyberpedia/cspm-tools?ts=markdown) and [cloud workload protection platforms (CWPP)](https://www.paloaltonetworks.com/cyberpedia/what-is-cwpp-cloud-workload-protection-platform?ts=markdown) to prevent and detect incidents. * **Establishing Logging** : Comprehensive logging and monitoring are essential for visibility. Services like AWS CloudTrail, Azure Activity Logs, and Google Cloud Audit Logs provide critical audit trails of API activity. Integrating these logs with a centralized [security information and event management (SIEM)](https://www.paloaltonetworks.com/cyberpedia/what-is-siem-logging?ts=markdown) system or cloud-native threat detection services enhances threat detection capabilities. ### Identification The identification phase focuses on detecting security events and determining if they constitute a cloud incident. Early and accurate identification minimizes potential damage. #### Threat Detection in Cloud Environments Threat detection involves continuously monitoring cloud resources for suspicious activities or [indicators of compromise](https://www.paloaltonetworks.com/cyberpedia/indicators-of-compromise-iocs?ts=markdown). This includes analyzing logs for anomalous API calls, unauthorized access attempts, or unusual network traffic patterns. Cloud-native threat detection services can automatically identify many common cloud threats. #### Alerting Mechanisms for Security Events Configuring effective alerting mechanisms ensures that security teams are promptly notified of potential incidents. Alerts should be prioritized based on severity and potential impact. Integration with existing [security operations center (SOC)](https://www.paloaltonetworks.com/cyberpedia/what-is-a-soc?ts=markdown) workflows is important for timely response. #### Initial Triage and Assessment of Cloud Incidents Once an alert is received, initial triage involves quickly assessing the nature and scope of the potential incident. This includes verifying the alert, determining affected cloud resources, and estimating the potential impact. Rapid assessment helps decide whether to escalate to a full incident response. ### Containment The speed of cloud attacks is a major concern. According to the [Unit 42 Global Incident Response Report](https://www.paloaltonetworks.co.uk/resources/research/2025-incident-response-report), in almost one in five cases, data exfiltration occurred in less than an hour. Organizations need to leverage automation to contain threats at machine speed before they can escalate. Containment aims to limit the scope and impact of an ongoing cloud incident. This phase requires swift action to prevent further damage or unauthorized access. #### Isolating Affected Cloud Resources Incident responders must quickly isolate compromised cloud resources, such as virtual machines, containers, or storage buckets. This might involve changing network security group rules, detaching compromised instances from the network, or suspending user accounts. The goal is to prevent the attacker from [moving laterally](https://www.paloaltonetworks.com/cyberpedia/what-is-lateral-movement?ts=markdown) or [exfiltrating more data](https://www.paloaltonetworks.com/cyberpedia/data-exfiltration?ts=markdown). #### Preventing Further Spread of the Incident Beyond isolation, containment strategies focus on preventing the incident from spreading to other cloud resources or connected systems. This could involve blocking malicious IP addresses, disabling compromised credentials, or segmenting networks. Rapid response is critical due to the interconnected nature of cloud environments. #### Leveraging Cloud-Native Capabilities for Rapid Containment Cloud providers offer various native capabilities that can be leveraged for rapid containment. These include automated remediation actions triggered by security alerts, policy-based enforcement, and the ability to quickly provision or de-provision resources. Automation significantly accelerates containment efforts. ### Eradication Eradication focuses on removing the threat from the cloud environment and eliminating its root cause. This phase ensures the attacker no longer has access or persistence. #### Removing the Threat from the Cloud Environment This involves deleting malicious files, removing backdoors, and revoking any unauthorized access. For cloud incidents, this often means deleting compromised instances, containers, or serverless functions and deploying clean versions. It also includes removing any persistent access mechanisms established by the attacker. #### Patching Vulnerabilities, Correcting Misconfigurations Identifying and remediating the underlying vulnerability or misconfiguration that allowed the incident to occur is crucial. This might involve applying security patches, updating insecure configurations, or strengthening IAM policies. Addressing the root cause prevents recurrence. #### Restoring Affected Systems After the threat is eradicated, affected systems and data must be restored to a secure, pre-incident state. This often involves deploying from trusted backups or golden images. Verification steps ensure that no malicious artifacts remain and systems are functioning correctly. ### Recovery The recovery phase focuses on restoring normal operations and ensuring the long-term integrity and security of cloud systems. This involves bringing affected services back online in a controlled manner. #### Restoring Operations to Normal This step involves systematically bringing affected cloud services and applications back online. A phased approach is often used to minimize disruption and allow for continuous monitoring. Prioritization of critical services ensures business continuity. #### Validating System Integrity Thorough validation ensures that all restored systems are clean, secure, and functioning as expected. This includes security scans, integrity checks, and performance monitoring. Verification helps confirm that the eradication efforts were successful and no new vulnerabilities were introduced. #### Ensuring Business Continuity The ultimate goal of recovery is to ensure that business operations can resume with minimal interruption. This involves coordinating with business units and stakeholders to manage expectations and communicate progress. A successful recovery minimizes financial and reputational damage. ### Post-Incident Activity (Lessons Learned) The final phase involves a comprehensive review of the incident to learn from the experience and improve future incident response capabilities. This continuous improvement loop is vital for enhancing cloud security posture. #### Analyzing the Incident (Post-Mortem) A detailed post-mortem analysis examines what happened, how it happened, and why. This includes reviewing logs, timelines, and response actions. Identifying the root cause and contributing factors is paramount. #### Identifying Root Causes and Areas for Improvement This step focuses on pinpointing specific vulnerabilities, misconfigurations, or process gaps that led to the incident. Insights gained inform improvements to security controls, policies, and procedures. For example, a recent analysis of cloud breaches showed that over 60% were linked to cloud misconfigurations, highlighting the need for continuous posture management. #### Updating Plans and Security Controls Based on lessons learned, the cloud incident response plan, security policies, and technical controls are updated. This might involve refining detection rules, enhancing automation, or providing additional training to the incident response team. This iterative process strengthens overall cloud security. ![Cortex Detection Engine](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/unit-42-cloud-incident-response/cortex-detection-engine.jpg "Cortex Detection Engine") **Figure 2**: Cortex Detection Engine ### Cloud Detection and Response (CDR): The Next Evolution [Cloud Detection and Response (CDR)](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-detection-and-response-cdr?ts=markdown) is a specialized security solution built for the cloud. It focuses on detecting threats, investigating incidents, and responding quickly by continuously monitoring cloud environments for suspicious activity like malware and privilege escalation. CDR provides real-time visibility and protection for everything in the cloud---from workloads and data to user identities and control plane activities. CDR is a necessary evolution because older tools like [Endpoint Detection and Response (EDR)](https://www.paloaltonetworks.com/cyberpedia/what-is-endpoint-detection-and-response-edr?ts=markdown) and [Network Detection and Response (NDR)](https://www.paloaltonetworks.com/cyberpedia/what-is-network-detection-and-response?ts=markdown) were not designed for the dynamic, distributed nature of the cloud. CDR uses the cloud's own services and APIs to automatically and efficiently detect threats at scale. An effective CDR solution monitors and protects across multi-cloud environments in real time. It uses behavioral threat detection and intelligence to find complex attack paths and can correlate threat signals from various cloud sources. By triggering automated responses, CDR helps reduce the time it takes to detect and respond to threats, making it a critical component of any cloud security strategy. It also integrates with other security platforms, like [CNAPP](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cloud-native-application-protection-platform?ts=markdown) and [SIEM](https://www.paloaltonetworks.com/cyberpedia/what-is-siem?ts=markdown), to provide a centralized defense, reduce tool sprawl, and speed up incident response. ## SOC IR vs. Cloud IR Security Operations Center (SOC) Incident Response and Cloud Incident Response share the same goal: to detect, analyze, contain, and mitigate security incidents. However, they differ significantly in their focus and operational challenges. * **SOC IR** : A broad, centralized function that oversees the entire IT infrastructure, including on-premises systems, networks, and [endpoints](https://www.paloaltonetworks.com/cyberpedia/what-is-an-endpoint?ts=markdown). The SOC team uses a wide array of tools to gain a unified view and coordinate responses. * **Cloud IR** : A specialized discipline that focuses exclusively on cloud environments. Cloud IR requires specific expertise in cloud-native tools (e.g., AWS CloudTrail, Azure Monitor) and an understanding of dynamic configurations like [IAM](https://www.paloaltonetworks.com/cyberpedia/what-is-identity-and-access-management?ts=markdown) roles and [virtual private clouds (VPCs)](https://www.paloaltonetworks.com/cyberpedia/what-is-a-transit-virtual-private-cloud?ts=markdown). It is a vital component of a modern SOC's broader responsibilities. ## Best Practices for Cloud Incident Response Adopting strategic practices significantly enhances an organization's cloud incident response capabilities. These best practices focus on proactive measures, automation, and continuous improvement. * **Develop a Cloud-Specific Plan** : Create a tailored [incident response plan (IRP)](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan?ts=markdown) that defines roles, responsibilities, and communication protocols for cloud incidents, accounting for the shared responsibility model. * **Embrace Automation**: Automate threat detection, alert triage, and initial containment actions to reduce response times. * **Prioritize CSPM**: Continuously monitor cloud environments for misconfigurations, compliance violations, and security risks. Of all incidents that Unit 42 responded to, 41% contained at least one contributing factor that was related to IAM issues, such as overly permissive accounts and roles, highlighting the need for continuous posture management. * **Enhance Cloud Visibility**: Centralize logs from all cloud services into a unified platform to gain comprehensive visibility for detection and investigation. * **Regularly Test and Drill**: Conduct tabletop exercises and simulated incidents to validate your plan and identify gaps. * **Invest in Training and Expertise**: Continuously develop cloud security skills within your incident response team through training and certifications. ## Cloud Incident Response Frameworks and Standards Leveraging established frameworks provides a structured and systematic approach to cloud incident response. These frameworks offer guidance on developing, implementing, and improving incident handling capabilities in cloud environments. ### Cloud Incident Response Frameworks and Standards Leveraging established frameworks provides a structured and systematic approach to Cloud IR. * [**NIST SP 800-61 R2**](https://www.nist.gov/privacy-framework/nist-sp-800-61): Provides a widely recognized guide for incident handling, and its core phases are adaptable to cloud environments. * [**CSA Cloud Incident Response Framework**](https://cloudsecurityalliance.org/artifacts/cloud-incident-response-framework): Addresses the unique challenges of cloud computing, such as the shared responsibility model and the dynamic nature of cloud resources. * [**ISO/IEC 27035**](https://www.iso27001security.com/html/27035.html): A broader standard for information security incident management that is applicable across various IT environments, including the cloud. ## The Role of Cloud-Native Security Tools Cloud-native security tools are essential for effective incident response in the cloud, providing capabilities specifically designed for dynamic cloud environments. These tools offer deep integration with cloud platforms, enhancing visibility, detection, and automated response. * **Cloud Security Posture Management (CSPM)**: Continuously assesses cloud configurations against security best practices and compliance standards to prevent incidents. * **Cloud Workload Protection Platforms (CWPP)**: Provides security for workloads like virtual machines and containers, offering runtime protection and micro-segmentation. * **Cloud-Native Logging and Monitoring**: Services like CloudTrail and Azure Monitor are indispensable for capturing API calls and activity for forensic analysis. * **Identity and Access Management (IAM)**: Comprehensive IAM controls are fundamental for managing user permissions and detecting anomalous access patterns. ## Future Trends in Cloud Incident Response The landscape of Cloud IR continues to evolve rapidly, driven by technology and changes in cloud adoption. * **AI and Machine Learning**: These technologies will improve threat detection by identifying subtle anomalies in vast amounts of data. * **Serverless and Container Security**: The adoption of these technologies introduces new challenges, requiring specialized security tools for ephemeral environments. * **Zero Trust Principles**: The Zero Trust model will become increasingly relevant, continuously verifying every user and device to minimize the impact of compromised credentials. * **Supply Chain Security**: As organizations rely on third-party cloud services, supply chain security will become a critical concern for incident response. ## Key Challenges in Cloud Incident Response Cloud environments present specific hurdles for incident responders, requiring specialized strategies and tools. Addressing these challenges is crucial for building an effective cloud incident response program. ### Visibility and Data Collection Gaining visibility is challenging because cloud environments are distributed and logs are spread across multiple services. The ephemeral nature of cloud resources means that evidence can disappear quickly, and traditional digital forensics techniques (like imaging a physical disk) don't apply. ### Skills Gaps Many security professionals lack deep expertise in cloud security. Incident response teams may be proficient in on-premises environments but require specialized training to understand cloud-native services, architectures, and the nuances of the shared responsibility model. ### Speed and Scale The rapid pace of change and the massive scale of cloud environments can overwhelm manual processes. Attackers often use automation to launch attacks quickly, necessitating an equally automated and rapid response from defenders. ### Multi-Cloud Complexity Organizations using multiple cloud providers face additional challenges due to inconsistent tools, policies, and APIs across different platforms, which complicates managing a unified response. ### Misconfigurations Cloud misconfigurations are a leading cause of security incidents, often exposing sensitive data or creating vulnerabilities. In fact, in [41% of incidents](https://www.paloaltonetworks.co.uk/resources/research/2025-incident-response-report), at least one contributing factor was related to IAM issues, such as overly permissive accounts and roles. Proactive, continuous monitoring is crucial to address this. #### Need for Continuous Configuration Monitoring Continuous Cloud Security Posture Management (CSPM) is essential to detect and remediate misconfigurations in real time. Automated tools can scan cloud environments for deviations from security best practices and compliance standards. This proactive approach significantly reduces the attack surface. ## Solutions to Overcome Cloud IR Barriers Overcoming the unique challenges of the cloud requires a strategic blend of proactive planning, specialized tools, and a shift in operational mindset to ensure rapid and effective incident response. ### Proactive Strategies * **Establish a proactive approach**: Be prepared for incidents before they escalate to reduce damage and downtime. This includes creating a cloud incident response plan, training teams on cloud-specific threats, and implementing automated monitoring tools. * **Regularly test and update plans**: Conduct tabletop exercises and incident response drills to find weaknesses in your plan and help teams practice responses. Keep the plan fresh to adapt to new threats and cloud changes. * **Utilize security frameworks**: Use proven methodologies like the CIS Controls or the MITRE ATT\&CK Matrix to improve incident detection and define tactics. The CSA is also creating a holistic Cloud Incident Response Framework. * **Adopt a Zero Trust model**: Zero Trust is an extension of the principle of least privilege. It assumes a breach has occurred and works to minimize the blast radius with micro-segmentation, continuous monitoring, and automated threat detection. ### Operational and Technical Solutions * **Automate detection and response**: Implement automated tools to monitor cloud resources and trigger responses in real-time. Automated runbooks, for example, can be automatically executed to resolve certain types of incidents, speeding up resolution and ensuring consistency. Tools like Security Orchestration, Automation, and Response (SOAR) platforms can automatically isolate compromised systems and revoke permissions. * **Enhance visibility and logging**: Maintain visibility and auditing across all cloud platforms to track administrative and anomalous events. Implement a centralized logging and analytics platform, such as a Security Information and Event Management (SIEM) system, to consolidate logs and monitor for suspicious activity in real-time. * **Prioritize training**: Ensure your team is familiar with cloud environments and tools through cloud-specific training and certifications. Well-trained teams can respond faster and more effectively during an incident. * **Use cloud-native and third-party tools**: Leverage cloud-native tools like Cortex XSOAR, an AI-driven security orchestration, automation, and response platform, that can automatically isolate compromised systems and revoke permissions.. Third-party solutions can enhance visibility across multi-cloud environments, provide advanced analytics, and automate configuration checks. * **Secure identities and access** : Implement strong access controls, [multi-factor authentication (MFA)](https://www.paloaltonetworks.com/cyberpedia/what-is-multi-factor-authentication?ts=markdown), and the principle of least privilege. Regularly review and revoke access permissions for users who no longer need them. ## Cloud Incident Response FAQs ### What are the 5 incident response steps? The five core steps of incident response, often adapted from frameworks like NIST, include Preparation, Identification, Containment, Eradication, and Recovery. A sixth crucial step, Post-Incident Activity or Lessons Learned, is often included to ensure continuous improvement. ### What is the critical step in incident response for cloud security? While all steps are vital, the critical steps in cloud incident response are often Identification and rapid Containment. Due to the dynamic nature and interconnectedness of cloud environments, threats can spread extremely quickly, making swift detection and isolation paramount to minimize impact. ### How do you detect and respond to a data breach in the cloud? Detecting a cloud data breach involves continuous monitoring of cloud logs, network traffic, and data access patterns for anomalies. Response requires immediate containment by isolating affected data stores and revoking compromised access, followed by eradication of the threat, recovery of data from secure backups, and thorough post-incident analysis. ### What is incident management in the cloud? Incident management in the cloud is the overarching process of handling security incidents within cloud environments, encompassing planning, detection, analysis, response, and post-incident activities. Its goal is to minimize the impact of security events on cloud-based systems and ensure business continuity. ### What are cloud responses? Cloud responses refer to specific actions taken within cloud environments during an incident, leveraging cloud-native capabilities. Examples include isolating virtual machines, revoking compromised API keys, deploying automated remediation scripts via serverless functions, or utilizing cloud provider security services for containment and eradication. Related content [What is an Incident Response Plan? Why an IRP is important and how to build an effective one.](https://www.paloaltonetworks.com/cyberpedia/incident-response-plan?ts=markdown) [Unit 42 Cloud Security Assessment Proactively identify potential threats to your cloud environment using industry-leading threat intelligence and cloud security expertise.](https://www.paloaltonetworks.com/unit42/assess/cloud-security-assessment?ts=markdown) [2025 Unit 42 Global Incident Response Report Discover the latest threat actor tactics and get real world insights and expert recommendations.](https://start.paloaltonetworks.com/unit-42-incident-response-report.html) [Gartner^®^ Market Guide for DFIR Retainer Services Get insights and recommendations to ensure your organization is prepared for incident response.](https://start.paloaltonetworks.com/gartner-dfir-guide) ![Share page on facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/facebook-circular-icon.svg) ![Share page on linkedin](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/linkedin-circular-icon.svg) [![Share page by an email](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/email-circular-icon.svg)](mailto:?subject=What%20is%20Cloud%20Incident%20Response%3F&body=Discover%20the%20essentials%20of%20Cloud%20Incident%20Response%2C%20from%20creating%20an%20incident%20response%20plan%20to%20working%20with%20cloud%20service%20providers%20and%20incident%20responders.%20at%20https%3A//www.paloaltonetworks.com/cyberpedia/unit-42-cloud-incident-response) Back to Top [Previous](https://www.paloaltonetworks.com/cyberpedia/digital-forensics-and-incident-response?ts=markdown) What is Digital Forensics and Incident Response (DFIR)? [Next](https://www.paloaltonetworks.com/cyberpedia/what-is-an-incident-response-playbook?ts=markdown) What is an Incident Response Playbook? {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2025 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language