[](https://www.paloaltonetworks.com/?ts=markdown) * Sign In * Customer * Partner * Employee * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown) * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown) * EN * [USA (ENGLISH)](https://www.paloaltonetworks.com) * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au) * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br) * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca) * [CHINA (简体中文)](https://www.paloaltonetworks.cn) * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr) * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de) * [INDIA (ENGLISH)](https://www.paloaltonetworks.in) * [ITALY (ITALIANO)](https://www.paloaltonetworks.it) * [JAPAN (日本語)](https://www.paloaltonetworks.jp) * [KOREA (한국어)](https://www.paloaltonetworks.co.kr) * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat) * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx) * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg) * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es) * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw) * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk) * ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [What's New](https://www.paloaltonetworks.com/resources?ts=markdown) * [Get Support](https://support.paloaltonetworks.com/SupportAccount/MyAccount) * [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html) ![x close icon to close mobile navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/x-black.svg) [![Palo Alto Networks logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)](https://www.paloaltonetworks.com/?ts=markdown) ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg) * [](https://www.paloaltonetworks.com/?ts=markdown) * Products ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Products [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [AI Security](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise Device Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical Device Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [OT Device Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex AgentiX](https://www.paloaltonetworks.com/cortex/agentix?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Exposure Management](https://www.paloaltonetworks.com/cortex/exposure-management?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Cortex Advanced Email Security](https://www.paloaltonetworks.com/cortex/advanced-email-security?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Unit 42 Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * Solutions ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Solutions Secure AI by Design * [Secure AI Ecosystem](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [Secure GenAI Usage](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) Network Security * [Cloud Network Security](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Data Center Security](https://www.paloaltonetworks.com/network-security/data-center?ts=markdown) * [DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Intrusion Detection and Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Device Security](https://www.paloaltonetworks.com/network-security/device-security?ts=markdown) * [OT Security](https://www.paloaltonetworks.com/network-security/ot-security-solution?ts=markdown) * [5G Security](https://www.paloaltonetworks.com/network-security/5g-security?ts=markdown) * [Secure All Apps, Users and Locations](https://www.paloaltonetworks.com/sase/secure-users-data-apps-devices?ts=markdown) * [Secure Branch Transformation](https://www.paloaltonetworks.com/sase/secure-branch-transformation?ts=markdown) * [Secure Work on Any Device](https://www.paloaltonetworks.com/sase/secure-work-on-any-device?ts=markdown) * [VPN Replacement](https://www.paloaltonetworks.com/sase/vpn-replacement-for-secure-remote-access?ts=markdown) * [Web \& Phishing Security](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) Cloud Security * [Application Security Posture Management (ASPM)](https://www.paloaltonetworks.com/cortex/cloud/application-security-posture-management?ts=markdown) * [Software Supply Chain Security](https://www.paloaltonetworks.com/cortex/cloud/software-supply-chain-security?ts=markdown) * [Code Security](https://www.paloaltonetworks.com/cortex/cloud/code-security?ts=markdown) * [Cloud Security Posture Management (CSPM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-security-posture-management?ts=markdown) * [Cloud Infrastructure Entitlement Management (CIEM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-infrastructure-entitlement-management?ts=markdown) * [Data Security Posture Management (DSPM)](https://www.paloaltonetworks.com/cortex/cloud/data-security-posture-management?ts=markdown) * [AI Security Posture Management (AI-SPM)](https://www.paloaltonetworks.com/cortex/cloud/ai-security-posture-management?ts=markdown) * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown) * [Cloud Workload Protection (CWP)](https://www.paloaltonetworks.com/cortex/cloud/cloud-workload-protection?ts=markdown) * [Web Application \& API Security (WAAS)](https://www.paloaltonetworks.com/cortex/cloud/web-app-api-security?ts=markdown) Security Operations * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown) * [Security Information and Event Management](https://www.paloaltonetworks.com/cortex/modernize-siem?ts=markdown) * [Network Security Automation](https://www.paloaltonetworks.com/cortex/network-security-automation?ts=markdown) * [Incident Case Management](https://www.paloaltonetworks.com/cortex/incident-case-management?ts=markdown) * [SOC Automation](https://www.paloaltonetworks.com/cortex/security-operations-automation?ts=markdown) * [Threat Intel Management](https://www.paloaltonetworks.com/cortex/threat-intel-management?ts=markdown) * [Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Attack Surface Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/attack-surface-management?ts=markdown) * [Compliance Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/compliance-management?ts=markdown) * [Internet Operations Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/internet-operations-management?ts=markdown) * [Extended Data Lake (XDL)](https://www.paloaltonetworks.com/cortex/cortex-xdl?ts=markdown) * [Agentic Assistant](https://www.paloaltonetworks.com/cortex/cortex-agentic-assistant?ts=markdown) Endpoint Security * [Endpoint Protection](https://www.paloaltonetworks.com/cortex/endpoint-protection?ts=markdown) * [Extended Detection \& Response](https://www.paloaltonetworks.com/cortex/detection-and-response?ts=markdown) * [Ransomware Protection](https://www.paloaltonetworks.com/cortex/ransomware-protection?ts=markdown) * [Digital Forensics](https://www.paloaltonetworks.com/cortex/digital-forensics?ts=markdown) [Industries](https://www.paloaltonetworks.com/industry?ts=markdown) * [Public Sector](https://www.paloaltonetworks.com/industry/public-sector?ts=markdown) * [Financial Services](https://www.paloaltonetworks.com/industry/financial-services?ts=markdown) * [Manufacturing](https://www.paloaltonetworks.com/industry/manufacturing?ts=markdown) * [Healthcare](https://www.paloaltonetworks.com/industry/healthcare?ts=markdown) * [Small \& Medium Business Solutions](https://www.paloaltonetworks.com/industry/small-medium-business-portfolio?ts=markdown) * Services ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Services [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Assess](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [AI Security Assessment](https://www.paloaltonetworks.com/unit42/assess/ai-security-assessment?ts=markdown) * [Attack Surface Assessment](https://www.paloaltonetworks.com/unit42/assess/attack-surface-assessment?ts=markdown) * [Breach Readiness Review](https://www.paloaltonetworks.com/unit42/assess/breach-readiness-review?ts=markdown) * [BEC Readiness Assessment](https://www.paloaltonetworks.com/bec-readiness-assessment?ts=markdown) * [Cloud Security Assessment](https://www.paloaltonetworks.com/unit42/assess/cloud-security-assessment?ts=markdown) * [Compromise Assessment](https://www.paloaltonetworks.com/unit42/assess/compromise-assessment?ts=markdown) * [Cyber Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/cyber-risk-assessment?ts=markdown) * [M\&A Cyber Due Diligence](https://www.paloaltonetworks.com/unit42/assess/mergers-acquisitions-cyber-due-diligence?ts=markdown) * [Penetration Testing](https://www.paloaltonetworks.com/unit42/assess/penetration-testing?ts=markdown) * [Purple Team Exercises](https://www.paloaltonetworks.com/unit42/assess/purple-teaming?ts=markdown) * [Ransomware Readiness Assessment](https://www.paloaltonetworks.com/unit42/assess/ransomware-readiness-assessment?ts=markdown) * [SOC Assessment](https://www.paloaltonetworks.com/unit42/assess/soc-assessment?ts=markdown) * [Supply Chain Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/supply-chain-risk-assessment?ts=markdown) * [Tabletop Exercises](https://www.paloaltonetworks.com/unit42/assess/tabletop-exercise?ts=markdown) * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * [Respond](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Cloud Incident Response](https://www.paloaltonetworks.com/unit42/respond/cloud-incident-response?ts=markdown) * [Digital Forensics](https://www.paloaltonetworks.com/unit42/respond/digital-forensics?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond/incident-response?ts=markdown) * [Managed Detection and Response](https://www.paloaltonetworks.com/unit42/respond/managed-detection-response?ts=markdown) * [Managed Threat Hunting](https://www.paloaltonetworks.com/unit42/respond/managed-threat-hunting?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * [Transform](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [IR Plan Development and Review](https://www.paloaltonetworks.com/unit42/transform/incident-response-plan-development-review?ts=markdown) * [Security Program Design](https://www.paloaltonetworks.com/unit42/transform/security-program-design?ts=markdown) * [Virtual CISO](https://www.paloaltonetworks.com/unit42/transform/vciso?ts=markdown) * [Zero Trust Advisory](https://www.paloaltonetworks.com/unit42/transform/zero-trust-advisory?ts=markdown) [Global Customer Services](https://www.paloaltonetworks.com/services?ts=markdown) * [Education \& Training](https://www.paloaltonetworks.com/services/education?ts=markdown) * [Professional Services](https://www.paloaltonetworks.com/services/consulting?ts=markdown) * [Success Tools](https://www.paloaltonetworks.com/services/customer-success-tools?ts=markdown) * [Support Services](https://www.paloaltonetworks.com/services/solution-assurance?ts=markdown) * [Customer Success](https://www.paloaltonetworks.com/services/customer-success?ts=markdown) [![](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/logo-unit-42.svg) UNIT 42 RETAINER Custom-built to fit your organization's needs, you can choose to allocate your retainer hours to any of our offerings, including proactive cyber risk management services. Learn how you can put the world-class Unit 42 Incident Response team on speed dial. Learn more](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * Partners ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Partners NextWave Partners * [NextWave Partner Community](https://www.paloaltonetworks.com/partners?ts=markdown) * [Cloud Service Providers](https://www.paloaltonetworks.com/partners/nextwave-for-csp?ts=markdown) * [Global Systems Integrators](https://www.paloaltonetworks.com/partners/nextwave-for-gsi?ts=markdown) * [Technology Partners](https://www.paloaltonetworks.com/partners/technology-partners?ts=markdown) * [Service Providers](https://www.paloaltonetworks.com/partners/service-providers?ts=markdown) * [Solution Providers](https://www.paloaltonetworks.com/partners/nextwave-solution-providers?ts=markdown) * [Managed Security Service Providers](https://www.paloaltonetworks.com/partners/managed-security-service-providers?ts=markdown) * [XMDR Partners](https://www.paloaltonetworks.com/partners/managed-security-service-providers/xmdr?ts=markdown) Take Action * [Portal Login](https://www.paloaltonetworks.com/partners/nextwave-partner-portal?ts=markdown) * [Managed Services Program](https://www.paloaltonetworks.com/partners/managed-security-services-provider-program?ts=markdown) * [Become a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=becomepartner) * [Request Access](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=requestaccess) * [Find a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerlocator) [CYBERFORCE CYBERFORCE represents the top 1% of partner engineers trusted for their security expertise. Learn more](https://www.paloaltonetworks.com/cyberforce?ts=markdown) * Company ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Company Palo Alto Networks * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Management Team](https://www.paloaltonetworks.com/about-us/management?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com) * [Locations](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Ethics \& Compliance](https://www.paloaltonetworks.com/company/ethics-and-compliance?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Military \& Veterans](https://jobs.paloaltonetworks.com/military) [Why Palo Alto Networks?](https://www.paloaltonetworks.com/why-paloaltonetworks?ts=markdown) * [Precision AI Security](https://www.paloaltonetworks.com/precision-ai-security?ts=markdown) * [Our Platform Approach](https://www.paloaltonetworks.com/why-paloaltonetworks/platformization?ts=markdown) * [Accelerate Your Cybersecurity Transformation](https://www.paloaltonetworks.com/why-paloaltonetworks/nam-cxo-portfolio?ts=markdown) * [Awards \& Recognition](https://www.paloaltonetworks.com/about-us/awards?ts=markdown) * [Customer Stories](https://www.paloaltonetworks.com/customers?ts=markdown) * [Global Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Trust 360 Program](https://www.paloaltonetworks.com/resources/whitepapers/trust-360?ts=markdown) Careers * [Overview](https://jobs.paloaltonetworks.com/) * [Culture \& Benefits](https://jobs.paloaltonetworks.com/en/culture/) [A Newsweek Most Loved Workplace "Businesses that do right by their employees" Read more](https://www.paloaltonetworks.com/company/press/2021/palo-alto-networks-secures-top-ranking-on-newsweek-s-most-loved-workplaces-list-for-2021?ts=markdown) * More ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) More Resources * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Unit 42 Threat Research](https://unit42.paloaltonetworks.com/) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Tech Insider](https://techinsider.paloaltonetworks.com/) * [Knowledge Base](https://knowledgebase.paloaltonetworks.com/) * [Palo Alto Networks TV](https://tv.paloaltonetworks.com/) * [Perspectives of Leaders](https://www.paloaltonetworks.com/perspectives/?ts=markdown) * [Cyber Perspectives Magazine](https://www.paloaltonetworks.com/cybersecurity-perspectives/cyber-perspectives-magazine?ts=markdown) * [Regional Cloud Locations](https://www.paloaltonetworks.com/products/regional-cloud-locations?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Security Posture Assessment](https://www.paloaltonetworks.com/security-posture-assessment?ts=markdown) * [Threat Vector Podcast](https://unit42.paloaltonetworks.com/unit-42-threat-vector-podcast/) * [Packet Pushers Podcasts](https://www.paloaltonetworks.com/podcasts/packet-pusher?ts=markdown) Connect * [LIVE community](https://live.paloaltonetworks.com/) * [Events](https://events.paloaltonetworks.com/) * [Executive Briefing Center](https://www.paloaltonetworks.com/about-us/executive-briefing-program?ts=markdown) * [Demos](https://www.paloaltonetworks.com/demos?ts=markdown) * [Contact us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) [Blog Stay up-to-date on industry trends and the latest innovations from the world's largest cybersecurity Learn more](https://www.paloaltonetworks.com/blog/) * Sign In ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Sign In * Customer * Partner * Employee * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown) * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown) * EN ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Language * [USA (ENGLISH)](https://www.paloaltonetworks.com) * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au) * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br) * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca) * [CHINA (简体中文)](https://www.paloaltonetworks.cn) * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr) * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de) * [INDIA (ENGLISH)](https://www.paloaltonetworks.in) * [ITALY (ITALIANO)](https://www.paloaltonetworks.it) * [JAPAN (日本語)](https://www.paloaltonetworks.jp) * [KOREA (한국어)](https://www.paloaltonetworks.co.kr) * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat) * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx) * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg) * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es) * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw) * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [What's New](https://www.paloaltonetworks.com/resources?ts=markdown) * [Get support](https://support.paloaltonetworks.com/SupportAccount/MyAccount) * [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html) * [Demos and Trials](https://www.paloaltonetworks.com/get-started?ts=markdown) Search All * [Tech Docs](https://docs.paloaltonetworks.com/search) Close search modal [Deploy Bravely --- Secure your AI transformation with Prisma AIRS](https://www.deploybravely.com) [](https://www.paloaltonetworks.com/?ts=markdown) 1. [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) 2. [Network Security](https://www.paloaltonetworks.com/cyberpedia/network-security?ts=markdown) 3. [Cryptographic Agility: The Key to Quantum Readiness](https://www.paloaltonetworks.com/cyberpedia/what-is-cryptographic-agility?ts=markdown) Table of contents * [Why is cryptographic agility critical for post-quantum migration?](#why-is-cryptographic-agility-critical-for-post-quantum-migration) * [How does cryptographic agility work in practice?](#how-does-cryptographic-agility-work-in-practice) * [What are the key principles of crypto-agile design?](#what-are-the-key-principles-of-crypto-agile-design) * [How do organizations measure crypto-agility maturity?](#how-do-organization-measure-crypto-agility-maturity) * [How does cryptographic agility support hybrid and quantum-safe systems?](#how-does-cryptographic-agility-support-hybrid-and-quantum-safe-systems) * [What standards define cryptographic agility today?](#what-standards-define-cryptographic-agility-today) * [How can enterprises start building crypto-agility now?](#how-can-enterprises-start-building-crypto-agility) * [What's next for cryptographic agility?](#what-is-next-for-cryptographic-agility) * [Cryptographic agility FAQs](#cryptographic-agility-faqs) # Cryptographic Agility: The Key to Quantum Readiness 7 min. read Table of contents * [Why is cryptographic agility critical for post-quantum migration?](#why-is-cryptographic-agility-critical-for-post-quantum-migration) * [How does cryptographic agility work in practice?](#how-does-cryptographic-agility-work-in-practice) * [What are the key principles of crypto-agile design?](#what-are-the-key-principles-of-crypto-agile-design) * [How do organizations measure crypto-agility maturity?](#how-do-organization-measure-crypto-agility-maturity) * [How does cryptographic agility support hybrid and quantum-safe systems?](#how-does-cryptographic-agility-support-hybrid-and-quantum-safe-systems) * [What standards define cryptographic agility today?](#what-standards-define-cryptographic-agility-today) * [How can enterprises start building crypto-agility now?](#how-can-enterprises-start-building-crypto-agility) * [What's next for cryptographic agility?](#what-is-next-for-cryptographic-agility) * [Cryptographic agility FAQs](#cryptographic-agility-faqs) 1. Why is cryptographic agility critical for post-quantum migration? * [1. Why is cryptographic agility critical for post-quantum migration?](#why-is-cryptographic-agility-critical-for-post-quantum-migration) * [2. How does cryptographic agility work in practice?](#how-does-cryptographic-agility-work-in-practice) * [3. What are the key principles of crypto-agile design?](#what-are-the-key-principles-of-crypto-agile-design) * [4. How do organizations measure crypto-agility maturity?](#how-do-organization-measure-crypto-agility-maturity) * [5. How does cryptographic agility support hybrid and quantum-safe systems?](#how-does-cryptographic-agility-support-hybrid-and-quantum-safe-systems) * [6. What standards define cryptographic agility today?](#what-standards-define-cryptographic-agility-today) * [7. How can enterprises start building crypto-agility now?](#how-can-enterprises-start-building-crypto-agility) * [8. What's next for cryptographic agility?](#what-is-next-for-cryptographic-agility) * [9. Cryptographic agility FAQs](#cryptographic-agility-faqs) Cryptographic agility is the capability of an information system to rapidly change or replace cryptographic algorithms, keys, and protocols without disrupting operations or security. It enables systems to adapt to new cryptographic standards as threats evolve, including those introduced by quantum computing. This adaptability is essential for quantum readiness because it allows organizations to transition to post-quantum cryptography before current encryption becomes vulnerable. ## Why is cryptographic agility critical for post-quantum migration? Quantum computing is changing what "secure" means. The math that underpins today's [encryption](https://www.paloaltonetworks.com/cyberpedia/data-encryption) won't hold once quantum algorithms mature. The risk isn't when that happens. It's how long current systems will take to adapt. Here's why that's a problem: Most cryptography is deeply embedded across networks, devices, and software stacks. Replacing it can take years. Which means migration to post-quantum cryptography will be a multi-decade effort that must start now, not when quantum computers arrive. Cryptographic agility makes that possible. "The threats posed by future cryptographically relevant quantum computers to public-key cryptography demand an urgent migration to quantum-resistant cryptographic algorithms. The impact of this transition will be much larger in scale than previous transitions because all public-key algorithms will need to be replaced rather than just a single algorithm. Also, this transition will certainly not be the last one required. Future cryptographic uses will demand new strategies and mechanisms to enable smooth transitions. As a result, crypto agility is a key practice that should be adopted at all levels, from algorithms to enterprise architectures." [- NIST, 39 2pd, Considerations for Achieving Crypto Agility - Strategies and Practices](https://csrc.nist.gov/pubs/cswp/39/considerations-for-achieving-cryptographic-agility/2pd) It allows systems to replace algorithms, keys, and protocols without redesigning the underlying infrastructure. In other words, agility is what turns cryptography from a fixed feature into a flexible system property. It also limits harvest-now-decrypt-later exposure. By rotating or re-encrypting data with new algorithms before older ones break, organizations can prevent long-term data from becoming vulnerable. Which is essential to quantum security. Without agility, even quantum-safe algorithms can't be deployed efficiently or at scale. Agility is what keeps encrypted ecosystems adaptable. So that when the cryptography changes, the systems built on it don't fall behind. | ***Further reading:*** * [*What Is Post-Quantum Cryptography (PQC)? A Complete Guide*](https://www.paloaltonetworks.com/cyberpedia/what-is-post-quantum-cryptography-pqc) * [*8 Quantum Computing Cybersecurity Risks \[+ Protection Tips\]*](https://www.paloaltonetworks.com/cyberpedia/what-is-quantum-computings-threat-to-cybersecurity) * [*Harvest Now, Decrypt Later (HNDL): The Quantum-Era Threat*](http://paloaltonetworks.com/cyberpedia/harvest-now-decrypt-later-hndl) ## How does cryptographic agility work in practice? Cryptographic agility works by separating cryptography from the systems that use it. In practice, that means encryption algorithms, keys, and protocols can change without touching the application code that relies on them. ![Flow diagram titled 'Example of cryptographic agility in action' showing four vertical sections labeled 'Threat Intelligence Feed,' 'System administrator,' 'Managed cryptographic system,' and 'External server.' A purple box in the first section reads 'Advisory: Vulnerability discovered in Algorithm A,' with an arrow indicating that the administrator receives an alert about Algorithm A's vulnerability. A blue callout beneath reads 'Uses inventory to locate systems still using Algorithm A,' leading to a horizontal arrow labeled 'Updates configuration to remove Algorithm A.' In the third section, a blue box labeled 'Currently supports Algorithm A and Algorithm B' changes to 'Configuration updated: Algorithm B only.' The external server section shows that the server supports 'Algorithm A and Algorithm B,' with a final arrow noting 'Negotiation selects Algorithm B after update.' A note below reads 'When a vulnerability is discovered, a crypto-agile system allows administrators to identify affected algorithms, remove them, and seamlessly negotiate secure alternatives without service interruption.'](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-cryptographic-agility/Example-of-cryptographic-agility-in-action.png "Flow diagram titled 'Example of cryptographic agility in action' showing four vertical sections labeled 'Threat Intelligence Feed,' 'System administrator,' 'Managed cryptographic system,' and 'External server.' A purple box in the first section reads 'Advisory: Vulnerability discovered in Algorithm A,' with an arrow indicating that the administrator receives an alert about Algorithm A's vulnerability. A blue callout beneath reads 'Uses inventory to locate systems still using Algorithm A,' leading to a horizontal arrow labeled 'Updates configuration to remove Algorithm A.' In the third section, a blue box labeled 'Currently supports Algorithm A and Algorithm B' changes to 'Configuration updated: Algorithm B only.' The external server section shows that the server supports 'Algorithm A and Algorithm B,' with a final arrow noting 'Negotiation selects Algorithm B after update.' A note below reads 'When a vulnerability is discovered, a crypto-agile system allows administrators to identify affected algorithms, remove them, and seamlessly negotiate secure alternatives without service interruption.'") Here's how that happens: * **Agile systems use modular crypto libraries.** Each algorithm is treated as a replaceable module instead of a hard-coded function. Which means updates can be made through configuration or policy rather than redesign. * **Application interfaces are abstracted through APIs.** Those APIs define how data is encrypted, not which algorithm does it. So when new standards or post-quantum algorithms are introduced, the system can adopt them with minimal disruption. * **At the protocol level, agility depends on negotiation.** Systems identify supported algorithms and select the strongest option both sides share. This process prevents downgrade attacks, where an attacker forces a weaker algorithm to gain access. * **Key management is part of the same design.** Keys can be rotated, revoked, or reissued automatically across different cryptographic schemes. The result is a security framework that can evolve alongside new cryptographic requirements without breaking trust or uptime. ## What are the key principles of crypto-agile design? ![Chart titled 'The four pillars of crypto-agile design' showing four colored quadrants arranged around a central white circle numbered one through four. The top left orange quadrant is labeled 'Modularity' with text reading 'Each cryptographic function is isolated and interchangeable.' The top right blue quadrant is labeled 'Separation of policy \& mechanism' with text reading 'Policies guide what's used; mechanisms implement how.' The bottom right teal quadrant is labeled 'Lifecycle automation' with text reading 'Automate key rotation, algorithm updates, and deprecation.' The bottom left yellow quadrant is labeled 'Strong versioning' with text reading 'Track versions, algorithms, and key types across systems.' A note below reads 'Crypto-agile systems rely on modular design, policy-driven control, precise versioning, and lifecycle automation to evolve securely as cryptographic standards change.'](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-cryptographic-agility/The-four-pillars-of-crypto-agile-design.png "Chart titled 'The four pillars of crypto-agile design' showing four colored quadrants arranged around a central white circle numbered one through four. The top left orange quadrant is labeled 'Modularity' with text reading 'Each cryptographic function is isolated and interchangeable.' The top right blue quadrant is labeled 'Separation of policy & mechanism' with text reading 'Policies guide what's used; mechanisms implement how.' The bottom right teal quadrant is labeled 'Lifecycle automation' with text reading 'Automate key rotation, algorithm updates, and deprecation.' The bottom left yellow quadrant is labeled 'Strong versioning' with text reading 'Track versions, algorithms, and key types across systems.' A note below reads 'Crypto-agile systems rely on modular design, policy-driven control, precise versioning, and lifecycle automation to evolve securely as cryptographic standards change.'") Cryptographic agility isn't a single feature. It's a design philosophy that makes encryption adaptable instead of static. And building for agility means thinking ahead to how systems will change, not just how they run today. Each crypto-agile system follows a few core principles that guide how algorithms are integrated, governed, and replaced. These principles create the structure that allows cryptography to evolve safely as new standards emerge. Here's how that translates into practice: ### Modularity A crypto-agile system is built from interchangeable parts. Each cryptographic function---like encryption, hashing, or key exchange---is isolated from the rest of the application. So new algorithms can be added or old ones removed without breaking functionality. Modularity also makes testing and validation easier because each component can be updated independently. ***Note:*** *This principle underpins interoperability. Modular systems can integrate new cryptographic libraries or hardware modules without re-engineering surrounding systems.* ### Separation of policy and mechanism Policy defines what the system should use. Mechanism defines how it's used. Keeping them separate ensures that algorithm changes are driven by governance, not code rewrites. This principle makes it possible to apply organization-wide cryptographic standards consistently across different systems and vendors. ### Strong versioning Cryptographic components must track what version, algorithm, and key type they use. Why? Because clarity prevents accidental reuse or unsupported combinations. Versioning helps organizations know exactly what's deployed and where updates are needed. It also supports backward compatibility during phased transitions. ### Lifecycle automation Agility depends on automation. Key generation, rotation, and retirement must happen on schedule and at scale. Automated lifecycle management reduces the risk of outdated or weak algorithms staying in use. It also provides the audit trail needed to verify compliance and maintain trust across changing cryptographic environments. ***Note:*** *This principle underpins interoperability. Modular systems can integrate new cryptographic libraries or hardware modules without re-engineering surrounding systems.* ## How do organizations measure crypto-agility maturity? Measuring crypto-agility starts with understanding how flexible a system actually is. It's not about whether algorithms can be replaced. It's about how quickly and safely those changes happen at scale. To help organizations benchmark that capability, researchers at Hochschule Darmstadt developed the [Crypto-Agility Maturity Model (CAMM)](https://camm.h-da.io/model/). It defines five levels of maturity, from 0 to 4, each describing how well an organization can identify, manage, and update its cryptographic assets. ![Chart titled 'CAMM state model' showing a horizontal five-step progression representing levels of crypto-agility maturity. Each level is illustrated with a diamond-shaped icon and label. From left to right, step 1 is labeled 'Initial/not possible' with a gray icon of a crossed-out circle. Step 2 is labeled 'Possible' with a light blue wrench icon. Step 3 is labeled 'Prepared' with a blue clipboard icon. Step 4 is labeled 'Practiced' with a dark blue graph and arrow icon. Step 5 is labeled 'Sophisticated' with a teal medal icon. Dotted lines connect each stage from left to right across the diagram. A small caption beneath reads 'UCS Research Group, Hochschule Darmstadt — Crypto-Agility Maturity Model (CAMM).'](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-cryptographic-agility/CAMM-state-model.png "Chart titled 'CAMM state model' showing a horizontal five-step progression representing levels of crypto-agility maturity. Each level is illustrated with a diamond-shaped icon and label. From left to right, step 1 is labeled 'Initial/not possible' with a gray icon of a crossed-out circle. Step 2 is labeled 'Possible' with a light blue wrench icon. Step 3 is labeled 'Prepared' with a blue clipboard icon. Step 4 is labeled 'Practiced' with a dark blue graph and arrow icon. Step 5 is labeled 'Sophisticated' with a teal medal icon. Dotted lines connect each stage from left to right across the diagram. A small caption beneath reads 'UCS Research Group, Hochschule Darmstadt — Crypto-Agility Maturity Model (CAMM).'") * At **Level 0**, cryptography is unmanaged. Algorithms and keys are hard-coded, and no central inventory exists. * At **Level 1**, awareness begins. Teams start cataloging algorithms and dependencies but still change them manually. * At **Level 2**, management processes emerge. Basic automation supports key rotation and algorithm updates. * At **Level 3**, governance and tooling are standardized. Crypto changes follow formal policy with automated enforcement. * At **Level 4**, agility is continuous. Cryptographic assets are fully inventoried, monitored, and automatically transitioned when standards evolve. Why it matters: Maturity determines how fast an organization can respond to new threats or standards without downtime or risk. It also ties into broader lifecycle management frameworks, where cryptographic health is treated as a measurable, improvable capability. Not a static control. ## How does cryptographic agility support hybrid and quantum-safe systems? Hybrid and quantum-safe systems are built to handle the transition between classical and post-quantum cryptography. Hybrid models use both types of algorithms at once. So if one fails, the other keeps data secure. And quantum-safe systems take that further by ensuring every cryptographic process, from key exchange to signing, remains secure against quantum attacks. Here's where agility fits in: Cryptographic agility allows these systems to mix, match, and eventually replace algorithms without rebuilding the architecture. It supports hybrid key-establishment methods that combine classical algorithms like RSA or ECC with post-quantum ones such as lattice-based schemes. The same goes for hybrid signatures, where two signature types are generated together for compatibility and assurance. ***Note:*** *Most early PQC deployments are expected to begin in hybrid form. Agility ensures these systems can evolve as NIST finalizes standards and vendors update implementations, avoiding costly redesigns each time new algorithms are approved.* Agility also ensures coexistence during the long transition ahead. It lets organizations update components independently, test new standards in parallel, and phase in post-quantum cryptography safely. In essence, agility makes interoperability possible between old and new worlds of encryption. It bridges the gap until quantum-safe systems become the norm. ## What standards define cryptographic agility today? Cryptographic agility isn't defined by a single framework. It's shaped by a network of standards that describe how algorithms should be managed, tested, and transitioned across systems. Together, these standards give organizations a roadmap for building crypto-agile infrastructure. ![Architecture diagram titled 'Global standards shaping cryptographic agility' showing five labeled boxes positioned over a faint world map background. In the lower left, a box labeled 'NIST CSWP 39 – Foundation' contains text 'Lifecycle and governance. Defines agility as a system property; establishes crypto lifecycle management and migration practices.' Above it to the left, a box labeled 'RFC 7696 – Protocol layer' includes text 'Dynamic negotiation. Covers algorithm negotiation, downgrade resistance, and flexibility in communication protocols.' In the center, a box labeled 'ISO/IEC 23837-1 – Evaluation layer' contains text 'Testing and interoperability. Specifies conformance and interoperability for QKD and crypto-agile systems.' To the right, a box labeled 'ETSI QKD 014 + QSC 001 – Architecture layer' reads 'Quantum-safe design. Extends crypto-agility into hybrid and quantum-safe architectures, ensuring coexistence of classical and PQC.' In the upper right, a box labeled 'ATIS I-0000098 – Implementation layer' contains text 'Industry roadmap. Connects global standards to telecom and enterprise deployment, emphasizing phased PQC adoption.'](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-cryptographic-agility/global-standards.png "Architecture diagram titled 'Global standards shaping cryptographic agility' showing five labeled boxes positioned over a faint world map background. In the lower left, a box labeled 'NIST CSWP 39 – Foundation' contains text 'Lifecycle and governance. Defines agility as a system property; establishes crypto lifecycle management and migration practices.' Above it to the left, a box labeled 'RFC 7696 – Protocol layer' includes text 'Dynamic negotiation. Covers algorithm negotiation, downgrade resistance, and flexibility in communication protocols.' In the center, a box labeled 'ISO/IEC 23837-1 – Evaluation layer' contains text 'Testing and interoperability. Specifies conformance and interoperability for QKD and crypto-agile systems.' To the right, a box labeled 'ETSI QKD 014 + QSC 001 – Architecture layer' reads 'Quantum-safe design. Extends crypto-agility into hybrid and quantum-safe architectures, ensuring coexistence of classical and PQC.' In the upper right, a box labeled 'ATIS I-0000098 – Implementation layer' contains text 'Industry roadmap. Connects global standards to telecom and enterprise deployment, emphasizing phased PQC adoption.'") The foundation comes from [NIST CSWP 39](https://csrc.nist.gov/pubs/cswp/39/considerations-for-achieving-cryptographic-agility/2pd), which outlines best practices for cryptographic lifecycle management and agility planning. It defines agility as a property that allows systems to evolve securely as algorithms change. [RFC 7696](https://datatracker.ietf.org/doc/html/rfc7696) complements it at the protocol level. It describes how communication protocols can negotiate algorithms dynamically and resist downgrade attacks. [ISO/IEC 23837-1](https://www.iso.org/standard/77097.html) adds an evaluation layer. It defines methods for testing and certifying interoperability between different [QKD](http://paloaltonetworks.com/cyberpedia/quantum-key-distribution-qkd) and crypto-agile systems. [ETSI QKD 014](https://www.etsi.org/deliver/etsi_gs/QKD/001_099/014/01.01.01_60/gs_qkd014v010101p.pdf) and [ETSI QSC 001](https://www.etsi.org/deliver/etsi_gr/qsc/001_099/001/01.01.01_60/gr_qsc001v010101p.pdf) extend this work into quantum-safe architectures, specifying how classical and quantum technologies can coexist securely. Finally, [ATIS I-0000098](https://atis.org/resources/strategic-framework-for-crypto-agility-and-quantum-risk-assessment/) connects these global efforts to real-world deployment. It offers an industry roadmap for implementing quantum-resilient and crypto-agile networks. Ultimately, the standards community is converging. NIST, ISO, ETSI, and ATIS are aligning their guidance so organizations worldwide can migrate toward post-quantum security in a coordinated, interoperable way. ## How can enterprises start building crypto-agility now? Cryptographic agility isn't something that can be added overnight. It has to be built deliberately across people, processes, and technology. Most organizations already rely on dozens of cryptographic components scattered across systems and vendors. The goal now is to bring that landscape under control and make it adaptable before the post-quantum transition begins. ![Flow diagram titled 'Building crypto-agility: A step-by-step roadmap' showing four ascending steps arranged from bottom left to top right. Step 1, labeled 'Discover \& govern' in gray, includes text 'Establish visibility \& control. Map all cryptographic assets—algorithms, keys, libraries, and dependencies. Define governance roles and approval workflows.' Step 2, labeled 'Design for agility' in orange, reads 'Implement modular, standards-based architecture. Adopt crypto-agile libraries and abstracted APIs that allow seamless algorithm swaps.' Step 3, labeled 'Test \& validate' in blue, includes text 'Pilot hybrid \& post-quantum deployments. Run controlled pilots to verify interoperability and performance before rollout.' Step 4, labeled 'Monitor \& adapt' in teal, contains text 'Automate lifecycle management. Track algorithm health, rotate keys per NIST SP 800-131A, and phase out deprecated methods.'](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-cryptographic-agility/A-step-by-step-roadmap.png "Flow diagram titled 'Building crypto-agility: A step-by-step roadmap' showing four ascending steps arranged from bottom left to top right. Step 1, labeled 'Discover & govern' in gray, includes text 'Establish visibility & control. Map all cryptographic assets—algorithms, keys, libraries, and dependencies. Define governance roles and approval workflows.' Step 2, labeled 'Design for agility' in orange, reads 'Implement modular, standards-based architecture. Adopt crypto-agile libraries and abstracted APIs that allow seamless algorithm swaps.' Step 3, labeled 'Test & validate' in blue, includes text 'Pilot hybrid & post-quantum deployments. Run controlled pilots to verify interoperability and performance before rollout.' Step 4, labeled 'Monitor & adapt' in teal, contains text 'Automate lifecycle management. Track algorithm health, rotate keys per NIST SP 800-131A, and phase out deprecated methods.'") Here's how that process typically starts. * **Building crypto-agility starts with visibility.** Organizations first need to understand where and how cryptography is used across their environment. That means creating an enterprise-wide inventory of algorithms, keys, libraries, and dependencies. Governance frameworks should define ownership, review cycles, and approval processes for cryptographic changes. * **Next comes implementation.** Agile cryptography depends on modular, standards-based libraries and APIs. Systems that abstract algorithm selection make it possible to switch to new methods---like post-quantum or hybrid schemes---without rewriting applications. * **Then it's time to test.** Pilot environments allow teams to validate hybrid deployments that combine classical and post-quantum algorithms. These pilots help verify interoperability and performance before full production rollout. * **Ongoing monitoring is the last piece.** Enterprises should track algorithm status and rotate keys according to [NIST SP 800-131A](https://csrc.nist.gov/pubs/sp/800/131/a/r2/final) guidance. That means retiring deprecated methods and re-encrypting [sensitive data](https://www.paloaltonetworks.com/cyberpedia/sensitive-data) as standards evolve. As demonstrated here, crypto-agility is built step by step. Governance and visibility come first, followed by flexible design, controlled experimentation, and continuous algorithm management. Taken together, those actions lay the groundwork for a secure and quantum-ready future. ## What's next for cryptographic agility? ![Timeline diagram titled 'The road ahead for quantum key distribution' showing three columns labeled 'Now – near term,' 'Mid term,' and 'Future horizon.' The left column contains a red section labeled 'Hybrid security integration: Quantum + post-quantum coexistence' with supporting text explaining that organizations are testing hybrid architectures combining QKD's physical key exchange with PQC's algorithmic resilience. The middle column is titled 'Global network expansion: Continental \& satellite-scale deployment' and describes programs such as EuroQCI, Toshiba, and ID Quantique extending QKD across regional, national, and orbital links using repeaters, trusted nodes, and satellites. The right column shows two stacked red sections: 'Toward a quantum-secure ecosystem,' which explains that QKD, PQC, and classical cryptography will operate together as layers of the same defense model, and 'Network convergence: Integration into classical networks,' which notes that ETSI and ISO/IEC standards are enabling unified optical and quantum control planes where QKD becomes a managed service layer within telecom infrastructure.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-cryptographic-agility/The-road-ahead-for-quantum-key-distribution.png "Timeline diagram titled 'The road ahead for quantum key distribution' showing three columns labeled 'Now – near term,' 'Mid term,' and 'Future horizon.' The left column contains a red section labeled 'Hybrid security integration: Quantum + post-quantum coexistence' with supporting text explaining that organizations are testing hybrid architectures combining QKD's physical key exchange with PQC's algorithmic resilience. The middle column is titled 'Global network expansion: Continental & satellite-scale deployment' and describes programs such as EuroQCI, Toshiba, and ID Quantique extending QKD across regional, national, and orbital links using repeaters, trusted nodes, and satellites. The right column shows two stacked red sections: 'Toward a quantum-secure ecosystem,' which explains that QKD, PQC, and classical cryptography will operate together as layers of the same defense model, and 'Network convergence: Integration into classical networks,' which notes that ETSI and ISO/IEC standards are enabling unified optical and quantum control planes where QKD becomes a managed service layer within telecom infrastructure.") Cryptographic agility is moving from concept to standard practice. **The next phase is about system-level integration.** Where agility becomes built into platforms, protocols, and supply chains instead of added on later. **NIST's upcoming drafts will formalize this shift.** They focus on continuous cryptographic lifecycle management. Not just algorithm replacement. Which means systems will need to monitor, validate, and adapt automatically as standards evolve. **At the same time, post-quantum cryptography is nearing finalization.** Once those algorithms are standardized, agility will determine how smoothly they enter real-world products and infrastructure. What it comes down to is this: The future of cryptographic agility lies in convergence. Automation, governance, and interoperability are merging into one ecosystem. Where cryptography changes safely, predictably, and at scale. As cryptographic standards evolve, agility will be the difference between organizations that adapt in time---and those that don't. ![Quantum assessment icon](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-quantum-security/icon-quantum-readiness.svg) Get your quantum readiness assessment The assessment includes: * Overview of your cryptographic landscape * Quantum-safe deployment recommendations * Guidance for securing legacy apps \& infrastructure --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [Get my assessment](https://www.paloaltonetworks.com/resources/ebooks/quantum-security#assessment) ## Cryptographic agility FAQs #### What is the cryptographic agility approach? Cryptographic agility is the design and governance approach that enables systems to rapidly replace, upgrade, or retire cryptographic algorithms, keys, and protocols without disrupting operations. It supports continuous lifecycle management and prepares systems to adopt post-quantum cryptography as standards evolve. #### What is an example of crypto agility? A practical example is a communication protocol that can negotiate between classical and post-quantum algorithms during handshake. This allows endpoints to select the strongest mutually supported encryption method without code changes---demonstrating modular, adaptive security consistent with RFC 7696 and NIST cryptographic lifecycle guidance. #### How do you achieve cryptoagility? Organizations achieve cryptoagility by establishing cryptographic inventories, adopting modular crypto libraries and abstracted APIs, piloting hybrid deployments, and automating key rotation and algorithm updates per NIST SP 800-131A. Governance frameworks ensure agility becomes a managed, repeatable process rather than an ad hoc engineering task. #### What are the challenges of implementing crypto agility? Major challenges include identifying all cryptographic dependencies, achieving interoperability across legacy systems, automating lifecycle management at scale, and aligning with evolving standards. Limited visibility, fragmented ownership, and integration complexity can slow adoption, making governance and inventory the hardest---and most critical---starting points. Related content [Blog: Palo Alto Networks Announces New Quantum Security Innovations Learn about the new crypto inventory tool, quantum-optimized firewalls and PAN-OS 12.1 enabled quantum readiness.](https://www.paloaltonetworks.com/blog/2025/08/securing-the-quantum-age/) [Podcast: Threat Vector | Is the Quantum Threat Closer Than You Think? Hear how to start your transition to quantum-resistant cryptography now.](https://www.paloaltonetworks.com/resources/podcasts/threat-vector-is-the-quantum-threat-closer-than-you-think) [TechDocs: Quantum Security Concepts Get the facts on resisting the quantum computing threat straight from PANW's solutions documentation.](https://docs.paloaltonetworks.com/network-security/quantum-security/administration/quantum-security-concepts) [Interactive experience: Is Your Organization Ready for a Quantum-Safe Future? Dive into an immersive overview on quantum threats, PQC, and NIST's new standards.](https://www.paloaltonetworks.com/resources/ebooks/quantum-security) ![Share page on facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/facebook-circular-icon.svg) ![Share page on linkedin](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/linkedin-circular-icon.svg) [![Share page by an email](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/email-circular-icon.svg)](mailto:?subject=Cryptographic%20Agility%3A%20The%20Key%20to%20Quantum%20Readiness&body=Cryptographic%20agility%20is%20an%20information%20system%E2%80%99s%20ability%20to%20rapidly%20change%20or%20replace%20cryptographic%20algorithms%2C%20keys%2C%20and%20protocols%20without%20disruption.%20at%20https%3A//www.paloaltonetworks.com/cyberpedia/what-is-cryptographic-agility) Back to Top {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language