Cybersecurity Strategies](https://www.paloaltonetworks.com/cyberpedia/mitre-attack-sub-techniques-vs-procedures#role?ts=markdown) * [Procedures as a Tool for Detailed Threat Analysis](https://www.paloaltonetworks.com/cyberpedia/mitre-attack-sub-techniques-vs-procedures#tool?ts=markdown) * [Continuous Evolution: Staying Updated with ATT\&CK Framework](https://www.paloaltonetworks.com/cyberpedia/mitre-attack-sub-techniques-vs-procedures#continuous?ts=markdown) * [MITRE ATT\&CK Sub-Techniques vs. Procedures FAQs](https://www.paloaltonetworks.com/cyberpedia/mitre-attack-sub-techniques-vs-procedures#faqs?ts=markdown) # What Is MITRE ATT\&CK Framework? 6 min. read Table of Contents * * [MITRE ATT\&CK Framework Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#mitre?ts=markdown) * [Structuring Adversary Behavior by Tactic](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#structuring?ts=markdown) * [MITRE ATT\&CK Tactics and Their Role in Security Intelligence](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#intelligence?ts=markdown) * [MITRE ATT\&CK Techniques](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#techniques?ts=markdown) * [MITRE ATT\&CK Use Cases](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#usecases?ts=markdown) * [Using the MITRE ATT\&CK Framework during a Live Attack](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#live?ts=markdown) * [Comparing MITRE ATT\&CK and the Cyber Kill Chain](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#comparing?ts=markdown) * [Advancing Organizational Maturity with ATT\&CK](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#advancing?ts=markdown) * [Toward a Behavioral Framework for Securing AI](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#toward?ts=markdown) * [MITRE ATT\&CK Framework 
FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#faqs?ts=markdown) 1. MITRE ATT\&CK Framework Explained * * [MITRE ATT\&CK Framework Explained](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#mitre?ts=markdown) * [Structuring Adversary Behavior by Tactic](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#structuring?ts=markdown) * [MITRE ATT\&CK Tactics and Their Role in Security Intelligence](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#intelligence?ts=markdown) * [MITRE ATT\&CK Techniques](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#techniques?ts=markdown) * [MITRE ATT\&CK Use Cases](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#usecases?ts=markdown) * [Using the MITRE ATT\&CK Framework during a Live Attack](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#live?ts=markdown) * [Comparing MITRE ATT\&CK and the Cyber Kill Chain](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#comparing?ts=markdown) * [Advancing Organizational Maturity with ATT\&CK](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#advancing?ts=markdown) * [Toward a Behavioral Framework for Securing AI](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#toward?ts=markdown) * [MITRE ATT\&CK Framework FAQs](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack#faqs?ts=markdown) The MITRE ATT\&CK framework is a knowledge base of adversary tactics and techniques, derived from real-world observations, used to map, detect, and mitigate post-compromise behavior across enterprise, cloud, mobile, and industrial control system environments. 
## MITRE ATT\&CK Framework Explained

The MITRE ATT\&CK framework is a globally accessible knowledge base of adversary behavior, maintained by MITRE Corporation and grounded in real-world observations. It organizes [cyber attack](https://www.paloaltonetworks.com/cyberpedia/what-is-a-cyber-attack?ts=markdown) techniques by tactics --- each representing a stage in an adversary's objective, such as Initial Access, Privilege Escalation, or Exfiltration. Each technique is mapped to procedures, detection opportunities, and mitigations.

ATT\&CK allows defenders to model threats based on how adversaries operate post-compromise rather than focusing solely on signatures or indicators. The framework supports [cyber threat intelligence](https://www.paloaltonetworks.com/cyberpedia/what-is-cyberthreat-intelligence-cti?ts=markdown) analysis, red teaming, defensive gap assessments, and control validation across enterprise, cloud, mobile, and ICS environments.

What sets MITRE ATT\&CK apart is its emphasis on behavior versus tooling. It tracks what attackers do, as well as how they do it. By aligning defenses with the tactics and techniques defined in ATT\&CK, organizations can build detection strategies with resilience to evolving tools and emerging threat actors.

![The MITRE ATT\&CK framework for Enterprise 2025, ever growing.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/mitre-att-ck.png "The MITRE ATT&CK framework for Enterprise 2025, ever growing.")

***Figure 1**: The MITRE ATT\&CK framework for Enterprise 2025, ever growing. Visit [MITRE ATT\&CK](https://attack.mitre.org/) to access this interactive tool.*

## Structuring Adversary Behavior by Tactic

Each [MITRE ATT\&CK Matrix](https://www.paloaltonetworks.com/cyberpedia/what-is-mitre-attack-matrix?ts=markdown) organizes adversary behavior into a visual structure based on tactics and techniques. Tactics are the columns, which represent an attacker's objective at each phase of an intrusion. [MITRE techniques](https://www.paloaltonetworks.com/cyberpedia/what-are-mitre-attack-techniques?ts=markdown) are the cells beneath them, specific actions used to achieve the objective. Some techniques also include subtechniques, which offer more granular detail on variations of a given behavior.

The matrices are dynamic, updated regularly by [MITRE ATT\&CK](https://attack.mitre.org/) to reflect newly observed adversary tradecraft across platforms and industries. Each matrix is tailored to a domain: Enterprise, Mobile, Cloud, Containers, or ICS.

### Enterprise Matrix

The Enterprise matrix covers behaviors across Windows, macOS, Linux, Azure AD, SaaS, and other platforms. It spans 14 core tactics, from Initial Access to Impact. Each tactic contains multiple techniques. For example, Execution includes T1059: Command and Scripting Interpreter, a commonly used method for running malicious code on [endpoints](https://www.paloaltonetworks.com/cyberpedia/what-is-an-endpoint?ts=markdown).

Enterprise is the most widely adopted matrix, forming the foundation for detection engineering, threat modeling, and red/blue team exercises across security programs.

### Cloud Matrix

The Cloud matrix extends ATT\&CK to [cloud-native environments](https://www.paloaltonetworks.com/cyberpedia/what-is-cloud-native?ts=markdown). It includes tactics tailored to identity federation, API abuse, and tenant manipulation. Techniques like T1078.004: Valid Accounts -- Cloud Accounts and T1562.008: Impair Defenses -- Disable or Modify Cloud Logging reflect how attackers exploit [SaaS](https://www.paloaltonetworks.com/cyberpedia/what-is-saas?ts=markdown) misconfigurations and cloud control plane weaknesses.

Many organizations integrate the Cloud matrix into detection rules for platforms like AWS CloudTrail, Azure Monitor, and Google Cloud Audit Logs.

### Mobile Matrix

The Mobile matrix focuses on iOS and Android-specific attack vectors. Tactics here include Initial Access, Collection, and Exfiltration, adapted to reflect mobile OS design. Techniques include mobile-specific behaviors such as T1406: Credential Access via Keylogging and T1450: Application Layer Protocol.

Mobile threats remain under-monitored in many organizations, making this matrix critical for visibility into employee-owned and BYOD environments.

### ICS Matrix

Designed for industrial control systems (ICS), the ICS matrix includes tactics like Inhibit Response Function, Manipulation of Control, and Impair Process Control. These reflect the physical outcomes attackers pursue in environments such as energy, manufacturing, and water treatment.

The ICS matrix draws from unique adversary behavior, including techniques observed in campaigns like Triton and Industroyer, where attackers sought to disrupt or destroy physical processes.

| **Tactic** | **Enterprise** | **Cloud** | **Mobile** | **ICS** |
|---------------------------|----------------|-----------|------------|---------|
| Reconnaissance | X | | | |
| Resource Development | X | | | |
| Initial Access | X | X | X | X |
| Execution | X | X | X | X |
| Persistence | X | X | X | X |
| Privilege Escalation | X | X | X | X |
| Defense Evasion | X | X | X | |
| Credential Access | X | X | X | |
| Discovery | X | X | X | X |
| Lateral Movement | X | X | X | X |
| Collection | X | X | X | X |
| Command and Control | X | X | X | X |
| Exfiltration | X | X | X | |
| Inhibit Response Function | | | | X |
| Impair Process Control | | | | X |
| Impact | X | X | | X |
| Evasion | | | | X |

**Table 1**: MITRE ATT\&CK tactic coverage by matrix

### How Matrices Drive Threat-Informed Defense

Matrices serve as structured maps of known behavior. They inform detection coverage audits, highlight control gaps, and enable [SOCs](https://www.paloaltonetworks.com/cyberpedia/what-is-a-soc?ts=markdown) to prioritize alerts by adversary intent. Security teams use matrices to build detection logic, design simulation exercises, and communicate threats in a standardized language aligned with adversary behavior.

MITRE ATT\&CK sharpens detection tools, giving every alert a tactical context, which then turns data into decisions.

## MITRE ATT\&CK Tactics and Their Role in Security Intelligence

In the MITRE ATT\&CK framework, tactics represent the why behind adversary actions --- their tactical goals within the kill chain. Each tactic defines a discrete phase of an attack, such as gaining initial access, escalating privileges, or [exfiltrating data](https://www.paloaltonetworks.com/cyberpedia/data-exfiltration?ts=markdown). There are 14 tactics in the Enterprise matrix, beginning with Reconnaissance and ending with Impact.

Tactics provide structure to raw telemetry. When mapped to adversary behavior, they contextualize what a detected action is trying to achieve. That allows defenders to assess not only what occurred, but where they are in the adversary lifecycle and what comes next.

### From Raw Signals to Tactical Awareness

[Security operations](https://www.paloaltonetworks.com/cyberpedia/what-is-security-operations?ts=markdown) teams often drown in alerts that lack hierarchy or intent. By aligning detections to ATT\&CK tactics, analysts can group telemetry into functional stages of an intrusion.

For example, failed login attempts from an unusual source may map to Initial Access, while the creation of a new admin account aligns with Privilege Escalation. If followed by a file transfer to an external domain, it may indicate Exfiltration. Each mapping tells a story --- and each story points to how close the attacker is to achieving their goal.

Tactic-based detection doesn't just enrich alerts. It strengthens response prioritization. An alert mapped to Command and Control deserves more scrutiny than one stuck in Reconnaissance. Context allows teams to focus where adversary progress is most dangerous.

### Operational Benefits Across the Security Stack

* [**Threat hunting**](https://www.paloaltonetworks.com/cyberpedia/threat-hunting?ts=markdown) becomes more structured when tactics guide hypotheses. Hunters can focus on verifying if specific objectives have been attempted, like [lateral movement](https://www.paloaltonetworks.com/cyberpedia/what-is-lateral-movement?ts=markdown) across departments.
* **Detection engineering** becomes more resilient when mapped to tactics instead of signatures. If a new tool is used for data staging, but it behaves similarly to known techniques, the tactic-based detection still applies.
* **Red teaming** becomes more impactful when emulated activity aligns with known tactics used by real threat actors, allowing defenders to evaluate detection and response per objective, not per tool.
* **Threat intelligence** becomes more actionable when indicators are enriched with tactic tags. Knowing a hash belongs to a tool used during Persistence changes how it's triaged and blocked.

Tactics turn data into decisions. They give every behavior a role and every signal a purpose.

### Building Intelligence Around the Adversary's Objectives

Tactical awareness transforms security from event-driven to adversary-driven. Instead of reacting to symptoms, teams operate with insight into attacker intent. That insight informs everything from [SIEM](https://www.paloaltonetworks.com/cyberpedia/what-is-siem?ts=markdown) rule tuning to tabletop exercises and executive reporting.

When organizations track their detection coverage by tactic, they understand their exposure by adversary objective.

![Sample attack chain of tactics common to Muddled Libra incidents, as identified by Unit 42](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-mitre-attack/sample-attack-chain-of-tactics.png "Sample attack chain of tactics common to Muddled Libra incidents, as identified by Unit 42")

***Figure 2**: Sample attack chain of tactics common to Muddled Libra incidents, as identified by Unit 42*

## MITRE ATT\&CK Techniques

In the MITRE ATT\&CK framework, techniques describe how adversaries achieve tactical objectives. Each technique represents a specific method used to carry out a phase of the attack. Techniques are nested under the tactics they serve. For example, under the Execution tactic, Command and Scripting Interpreter (T1059) represents an adversary's use of scripting environments to run payloads on a system.

Every technique is documented with examples, detection guidance, and potential mitigations. Many techniques also include sub-techniques, which provide more granular insight into variations on the method. Sub-techniques help organizations tune defenses precisely and build detections that account for diverse implementations of the same adversarial intent.

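
An added example (not from the original page or from MITRE) of why the technique versus sub-technique distinction matters for coverage: it parses the IDs tagged on detection rules and reports which priority sub-techniques are matched exactly, which are only reached by a parent-level tag, and which have no rule at all. The rule names, the priority list, and the choice to count parent-level tags separately are assumptions made for illustration.

```python
import re

# ATT&CK IDs: "T" + 4 digits, with an optional ".NNN" sub-technique suffix.
TECHNIQUE_ID = re.compile(r"^T(\d{4})(?:\.(\d{3}))?$")

# Constructed priority list, built from technique IDs that appear on this page.
PRIORITY = [
    "T1566.001",  # Spearphishing Attachment
    "T1059.001",  # PowerShell
    "T1059.004",  # Bash
    "T1053.005",  # Scheduled Task
    "T1078.004",  # Valid Accounts -- Cloud Accounts
    "T1003.001",  # LSASS Memory
    "T1486",      # Data Encrypted for Impact
]

# Constructed detection-rule inventory (hypothetical rule names and tags).
SAMPLE_RULES = {
    "ps-encoded-command": ["T1059.001"],
    "script-host-spawned-by-office": ["T1059"],  # tagged at parent level only
    "scheduled-task-created": ["T1053.005"],
    "lsass-handle-open": ["T1003.001"],
    "legacy-phish-rule": ["t1566.1"],            # malformed tag
}


def parse_technique_id(raw):
    """Return (parent, sub_or_None) for a well-formed ID, else raise ValueError."""
    match = TECHNIQUE_ID.match(raw.strip().upper())
    if match is None:
        raise ValueError(f"not an ATT&CK technique ID: {raw!r}")
    parent = "T" + match.group(1)
    sub = f"{parent}.{match.group(2)}" if match.group(2) else None
    return parent, sub


def coverage_report(rules, priority):
    """Classify each priority technique by how the rule inventory reaches it."""
    tagged, invalid = set(), []
    for name, tags in rules.items():
        for tag in tags:
            try:
                parent, sub = parse_technique_id(tag)
            except ValueError:
                invalid.append((name, tag))  # surface bad tags, do not count them
                continue
            tagged.add(sub or parent)

    report = {"covered": [], "parent_only": [], "uncovered": [],
              "invalid_tags": invalid}
    for tid in priority:
        parent, sub = parse_technique_id(tid)
        if (sub or parent) in tagged:
            report["covered"].append(tid)        # a rule names this exact ID
        elif sub and parent in tagged:
            report["parent_only"].append(tid)    # only the parent is tagged
        else:
            report["uncovered"].append(tid)
    exact = len(report["covered"])
    report["percent_covered"] = round(100 * exact / len(priority), 1) if priority else 0.0
    return report


if __name__ == "__main__":
    for key, value in coverage_report(SAMPLE_RULES, PRIORITY).items():
        print(f"{key}: {value}")
```

The `parent_only` bucket is the one to review by hand: a rule tagged only with the parent technique may or may not fire on a given sub-technique.
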
### Operationalizing Technique-Level Intelligence

Techniques are the building blocks of behavior-based detection. By mapping alerts or observed activity to techniques, defenders can shift from indicator-driven analysis to adversary-informed investigation.

A single technique may manifest in many ways. Valid Accounts (T1078), used under multiple tactics like Initial Access or Persistence, can appear as a successful login from an unusual geography, a token refresh from a known user agent, or a new session for a service account. Mapping all these back to the same technique enables broader detection coverage without relying on static [IoCs](https://www.paloaltonetworks.com/cyberpedia/indicators-of-compromise-iocs?ts=markdown).

### Technique Prioritization Based on Threat Landscape

Not all techniques carry equal weight. Prioritization depends on factors like industry threat profile, existing visibility gaps, and adversary alignment. Organizations often use:

* Historical incident data to map which techniques were used in past compromises
* Threat intelligence reports that attribute techniques to known threat actors
* Control coverage assessments that highlight where detection or prevention is weak
* MITRE's own D3FEND and CAPEC models to connect techniques to countermeasures and exploit patterns

Mapping internal telemetry against high-priority techniques gives teams a focused, threat-informed view of their exposure.

### Linking Techniques to Real Threat Actor Behavior

Each technique page in ATT\&CK includes references to groups that have used the method, such as APT29's use of Spearphishing Attachment (T1566.001) or FIN7's use of Scheduled Task/Job (T1053). The connection between tactics, techniques, and actors allows defenders to build threat models based on real campaigns rather than hypothetical attack chains.

When organizations map incidents to techniques and correlate them with actor profiles, they gain the ability to predict what actions are likely next in an attack and to prioritize defenses accordingly.

MITRE ATT\&CK techniques turn logs into narratives. They enable defenders to understand not just that something happened, but why it happened, how it was done, and what's likely to follow. That behavioral clarity is what makes the framework operationally valuable at every layer of the security stack.

![Framework use cases](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-mitre-attack/framework-use-cases.png "Framework use cases")

***Figure 3**: Framework use cases*

## MITRE ATT\&CK Use Cases

### Detection Engineering

The MITRE ATT\&CK framework enables security teams to design detections around behavior, not tools. By mapping detections to specific techniques, analysts can write rules that detect adversarial activity regardless of the toolset. Taking this approach future-proofs detection logic, allowing SOCs to catch unknown variants of known behaviors.

Techniques also guide coverage assessments. Teams can identify which techniques are already detected and which lack visibility, helping them prioritize sensor deployment, log enrichment, or new detection rules based on tactical risk.

### Threat Hunting

Hunting teams use MITRE ATT\&CK to focus hypotheses. Instead of relying on broad anomaly detection, hunters align their queries to high-priority techniques observed in relevant campaigns. A team may explore variations of Lateral Tool Transfer (T1570) or Remote System Discovery (T1018) to find activity suggesting an adversary is moving laterally.

Because each technique includes example procedures, data sources, and detection recommendations, ATT\&CK provides a starting point for crafting hunts with operational focus.

### Threat Intelligence Mapping

ATT\&CK creates a shared language for expressing adversary behavior. Cyber threat intelligence teams enrich reports by tagging tactics and techniques used by threat groups. Instead of vague references to "malicious PowerShell," intelligence products specify T1059.001, tying observed behavior directly to MITRE ATT\&CK's standardized taxonomy.

This structure allows faster triage. When a new report mentions a technique your organization already detects, you can validate coverage immediately. When it surfaces a gap, you can respond with targeted action.

### Red Teaming and Purple Teaming

ATT\&CK helps red teams emulate adversaries more accurately. Rather than relying on generic scripts, they build campaigns aligned to known actors using the same techniques, mapped across tactics. A red team simulating APT29, for example, might execute [Spearphishing](https://www.paloaltonetworks.com/cyberpedia/what-is-spear-phishing?ts=markdown) Attachment (T1566.001) for access and Scheduled Task/Job (T1053) for persistence.

Purple teams use the same mapping to validate controls. They track detection efficacy by technique and identify which alerts were blocked, missed, or misclassified. MITRE ATT\&CK becomes the blueprint for adversary simulation and response validation.

### Security Gap Assessment

Organizations use the MITRE ATT\&CK framework to conduct defensive coverage audits. By mapping existing detections and telemetry to ATT\&CK techniques, they can visualize which behaviors are detected, which are monitored passively, and which are blind spots.

These assessments often drive decisions around logging scope, EDR coverage, SIEM correlation, and budget allocation. Tools like MITRE ATT\&CK Navigator allow organizations to visualize these gaps and overlay them with threat actor profiles, helping prioritize based on both capability and likelihood.

### Executive Reporting and Risk Communication

Because MITRE ATT\&CK abstracts behaviors into tactics and techniques, it offers a language that connects technical detail to executive-level risk. Security leaders can report on how their organization detects Credential Access or Exfiltration rather than listing raw event counts.

This alignment helps CISOs communicate detection maturity, justify investment, and benchmark capability over time. ATT\&CK provides the structure to translate detection engineering into operational and strategic insight.

When ATT\&CK is embedded across detection, response, intelligence, and reporting, it becomes more than a framework. It becomes the shared operating system for threat-informed defense.

## Using the MITRE ATT\&CK Framework during a Live Attack

### Behavior Over Time: Mapping an Intrusion to ATT\&CK

The real value of the MITRE ATT\&CK framework emerges during an active intrusion. Security teams are equipped to interpret adversary behavior in sequence and map each move to a tactic and technique. Mapping turns fragmented telemetry into a structured timeline of intent, progress, and exposure.

The example below walks through a simplified but realistic attack scenario, showing how ATT\&CK techniques surface across the intrusion lifecycle. Each step illustrates how defenders use the framework to identify, contextualize, and counter specific adversary actions.

### ATT\&CK in Action: Step-by-Step Intrusion Mapping

#### Initial Access

A phishing email arrives with a malicious Excel file containing embedded macros.

Mapped to: T1566.001: Spearphishing Attachment

#### Execution

Once opened, the file executes an obfuscated PowerShell payload.

Mapped to: T1059.001: PowerShell

#### Persistence

The payload establishes long-term access by registering a scheduled task.

Mapped to: T1053.005: Scheduled Task

#### Privilege Escalation

The attacker impersonates a local admin token to bypass user restrictions.

Mapped to: T1134.001: Token Impersonation/Theft

#### Defense Evasion

Windows event logs are cleared, and tamper protection on the EDR agent is disabled.

Mapped to: T1070.001: Clear Windows Event Logs

Mapped to: T1562.001: Disable or Modify Tools

#### Credential Access

Memory scraping tools target the LSASS process to harvest credentials.

Mapped to: T1003.001: LSASS Memory

#### Lateral Movement

The attacker uses RDP and stolen credentials to move to a finance department workstation.

Mapped to: T1021.001: Remote Desktop Protocol

#### Collection

Documents tagged "invoice," "ACH," and "wire" are aggregated and zipped.

Mapped to: T1560.001: Archive Collected Data: Local Archiving

#### Exfiltration

Files are transferred over an HTTPS session to attacker-controlled infrastructure.

Mapped to: T1048.002: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

#### Impact

Ransomware is deployed as a final-stage distraction and coercion mechanism.

Mapped to: T1486: Data Encrypted for Impact

### Team-Specific Engagement Across the Framework

While the attack unfolds, different teams engage with MITRE ATT\&CK through different lenses:

* **SOC analysts** triage alerts by tactic, accelerating escalation when alerts transition from Execution to Lateral Movement.
* **Detection engineers** correlate behaviors across users and hosts, improving coverage of linked techniques like Credential Dumping and Remote System Discovery.
* **Threat hunters** develop hypotheses based on common technique chains seen in similar actor profiles.
* **Incident responders** reconstruct the intrusion path by mapping observed telemetry to tactics and sub-techniques.
* **Executives** receive incident briefings anchored in standardized, adversary-centric language, reducing guesswork and elevating clarity.

The MITRE ATT\&CK framework isn't just a postmortem taxonomy. It's a live system for understanding where an adversary is in their campaign, how they're operating, and where your defenses must adapt next. It moves teams from event collection to adversary alignment. In a live incident, that shift is the difference between chasing alerts and stopping attacks.

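
The walkthrough above as code, in an added example that is not part of the original page: it orders technique-tagged alerts into a timeline, tracks the furthest tactic reached so an analyst knows when to escalate, and lists the walkthrough steps that raised no alert. The alerts, host names, and timestamps are constructed, and treating the tactic order of Table 1 as a measure of attacker progress is a simplifying assumption.

```python
from datetime import datetime

# Enterprise tactics in the order they appear in Table 1 on this page.
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
]

# Technique -> tactic, exactly as mapped in the walkthrough above.
WALKTHROUGH = {
    "T1566.001": "Initial Access",
    "T1059.001": "Execution",
    "T1053.005": "Persistence",
    "T1134.001": "Privilege Escalation",
    "T1070.001": "Defense Evasion",
    "T1562.001": "Defense Evasion",
    "T1003.001": "Credential Access",
    "T1021.001": "Lateral Movement",
    "T1560.001": "Collection",
    "T1048.002": "Exfiltration",
    "T1486": "Impact",
}

# Constructed sample alerts (hypothetical hosts and times), out of order on purpose.
SAMPLE_ALERTS = [
    {"time": "2025-01-14T10:15:00", "host": "fin-022", "technique": "T1021.001"},
    {"time": "2025-01-14T09:03:00", "host": "ws-114", "technique": "T1059.001"},
    {"time": "2025-01-14T09:05:00", "host": "ws-114", "technique": None},
    {"time": "2025-01-14T09:41:00", "host": "ws-114", "technique": "T1003.001"},
    {"time": "2025-01-14T09:02:00", "host": "ws-114", "technique": "T1566.001"},
    {"time": "2025-01-14T10:50:00", "host": "fin-022", "technique": "T1560.001"},
    {"time": "2025-01-14T09:10:00", "host": "ws-114", "technique": "T1053.005"},
]


def build_timeline(alerts):
    """Return (timeline, unmapped): tagged alerts sorted by time, and the rest."""
    timeline, unmapped = [], []
    for alert in alerts:
        tactic = WALKTHROUGH.get(alert.get("technique"))
        if tactic is None:
            unmapped.append(alert)  # keep for manual triage, never drop silently
            continue
        when = datetime.fromisoformat(alert["time"])
        timeline.append({**alert, "time": when, "tactic": tactic})
    timeline.sort(key=lambda a: a["time"])
    return timeline, unmapped


def stage_progress(timeline):
    """List (time, tactic) each time a later tactic than any before is observed."""
    progress, furthest = [], -1
    for alert in timeline:
        index = TACTIC_ORDER.index(alert["tactic"])
        if index > furthest:
            furthest = index
            progress.append((alert["time"], alert["tactic"]))
    return progress


def escalation_time(timeline, threshold="Lateral Movement"):
    """First moment the furthest observed tactic is at or past the threshold."""
    limit = TACTIC_ORDER.index(threshold)
    for when, tactic in stage_progress(timeline):
        if TACTIC_ORDER.index(tactic) >= limit:
            return when
    return None


def unseen_steps(timeline):
    """Walkthrough techniques that raised no alert: candidate blind spots."""
    seen = {alert["technique"] for alert in timeline}
    return [technique for technique in WALKTHROUGH if technique not in seen]


if __name__ == "__main__":
    timeline, unmapped = build_timeline(SAMPLE_ALERTS)
    for when, tactic in stage_progress(timeline):
        print(when.isoformat(), tactic)
    print("escalate at:", escalation_time(timeline))
    print("no alert for:", unseen_steps(timeline))
    print("untagged alerts:", len(unmapped))
```

In the constructed data both Defense Evasion techniques are among the unseen steps, which is the pattern to expect when logs are cleared and the EDR agent is tampered with: the gap in the timeline is itself a finding.
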
## Comparing MITRE ATT\&CK and the Cyber Kill Chain

The Cyber Kill Chain and MITRE ATT\&CK both model adversary behavior, but they serve different functions and reflect different levels of operational granularity. The Kill Chain, developed by Lockheed Martin, offers a high-level view of attacker progression from initial reconnaissance to execution of objectives. MITRE ATT\&CK operates at a much deeper layer, mapping the specific techniques adversaries use within and across those stages.

The Cyber Kill Chain's seven stages --- Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives --- are linear. It's a useful narrative structure, especially for early-stage incident response and high-level education.

MITRE ATT\&CK, in contrast, isn't linear. It's tactic-driven and maps techniques across overlapping or repeating objectives like Persistence, Credential Access, or Exfiltration. Its inherent flexibility better reflects real-world intrusion complexity.

### Granularity and Operational Value

Where the Kill Chain describes what phase an attacker is in, ATT\&CK describes how that activity is being executed. For example, the Kill Chain might identify the Installation phase. ATT\&CK would detail whether the adversary used T1053: Scheduled Task or T1547.001: Registry Run Keys to persist.

MITRE ATT\&CK also tracks sub-techniques, allowing defenders to tune detections for specific procedures within a broader tactic. This level of detail enables more precise detection logic, more effective threat hunting, and more accurate simulation during red and purple team operations.

The Kill Chain is more static. It doesn't adapt as easily to multicloud, hybrid, or identity-centric attacks, where lateral movement and privilege escalation don't follow predictable paths. ATT\&CK's matrix structure, by contrast, accommodates dynamic attacker behavior across systems and platforms.

### Use Case Alignment The Kill Chain is ideal for communicating high-level attack flow in executive briefings or early-stage planning. It helps organizations establish a general understanding of adversary progression and supports the design of layered defenses that block attacks at each stage. ATT\&CK is tactical and technical. It's used by SOC teams, threat hunters, and detection engineers to build and evaluate defenses around specific behaviors. It supports control validation, logging strategy, threat modeling, and response prioritization. Many mature organizations use both. They use Kill Chain to explain and frame, and ATT\&CK to operationalize and act. Together, they offer strategic alignment and technical precision. When precision matters, though, MITRE ATT\&CK carries the weight. ## Advancing Organizational Maturity with ATT\&CK Most security programs encounter the MITRE ATT\&CK framework early, often during detection tuning or threat intelligence tagging. Its value, however, emerges when ATT\&CK moves from reference to backbone. Mature organizations treat it as more than a matrix of adversary behavior. They use it to align detection strategy, measure defensive performance, and drive coordinated response across teams. ATT\&CK adoption often begins with coverage analysis and detection engineering. From there, it progresses to threat-informed defense, simulation planning, and metrics-driven decision-making. Organizations that mature their use of ATT\&CK develop a continuous feedback loop between adversary behavior, control visibility, and operational readiness. ### Tailoring ATT\&CK to the Environment No two environments have the same threat surface. MITRE ATT\&CK offers flexibility across platforms --- Windows, Linux, macOS, cloud, SaaS, [containers](https://www.paloaltonetworks.com/cyberpedia/what-is-a-container?ts=markdown), mobile, and ICS --- but operationalizing that coverage requires mapping it to your architecture and telemetry. 
Identity infrastructure, for example, is rich with ATT\&CK-relevant techniques but often under-monitored. Techniques like T1078.004: Valid Accounts -- Cloud Accounts or T1556.006: Modify Authentication Process -- Cloud IAM demand cloud-native detection coverage that traditional tools miss. Organizations using [SaaS](https://www.paloaltonetworks.com/cyberpedia/what-is-saas?ts=markdown) platforms like Microsoft 365 or Google Workspace often overlook tactics such as Persistence and Collection, assuming those environments are inherently secure. ATT\&CK exposes gaps by anchoring detection efforts in adversary behaviors rather than vendor guarantees. Visibility across the matrix should be platform-aware. A mature program understands which tactics are relevant to each domain and prioritizes accordingly. ### Scaling ATT\&CK Use Across Teams Security teams gain the most from MITRE ATT\&CK when it becomes a shared operating model across functions. That means: * Detection engineers using technique IDs to standardize and version-control rules * Threat intel analysts tagging actor behavior to ATT\&CK to support prioritization * Incident responders tracing intrusions across tactics to reconstruct kill chains * Red teams building scenarios aligned to real adversary tradecraft * Blue teams measuring response times against high-risk techniques The convergence builds institutional memory. ATT\&CK creates a common vocabulary that connects detection logic with strategic threat models and live operational decisions. ### Benchmarking and Metrics for ATT\&CK Adoption Mature organizations measure with ATT\&CK. Coverage heat maps become part of board reporting. Simulation outcomes are tied to specific techniques. Detection logic is tested not just for alert generation but for adversary interruption at each tactical stage. 
Key maturity indicators include:

* Percent of high-priority techniques mapped to active detections
* Detection-to-response time per tactic
* Frequency of ATT\&CK-aligned red and purple team exercises
* Breadth of MITRE ATT\&CK technique references in IR case retrospectives

By tying operational metrics to adversary behavior, organizations can calibrate investment, reduce alert noise, and focus on the techniques that actually matter in their threat landscape.

## Toward a Behavioral Framework for Securing AI

As adversaries adopt artificial intelligence and target machine learning systems, the need for a structured, behavioral understanding of AI-specific threats becomes urgent. [MITRE's Sensible Regulatory Framework for AI Security](https://www.paloaltonetworks.com/cyberpedia/mitre-sensible-regulatory-framework-atlas-matrix?ts=markdown) represents a forward-looking counterpart to the ATT\&CK Framework, grounded in the same philosophy: that effective defense begins with clearly defined, observable threat behaviors.

While ATT\&CK maps how human adversaries act post-compromise, the AI framework anticipates how threat actors may exploit the unique properties of learning systems. Both frameworks aim to give defenders a shared vocabulary and a strategic lens. In time, as AI becomes more deeply integrated into enterprise infrastructure and attacker playbooks, the principles underpinning MITRE ATT\&CK will likely shape how organizations detect, mitigate, and govern AI threats at scale.

## MITRE ATT\&CK Framework FAQs

### What is the MITRE D3FEND framework?

MITRE D3FEND is a complementary knowledge base to ATT\&CK, focused on defensive techniques. While ATT\&CK catalogs how adversaries operate, D3FEND maps countermeasures, such as hardening, detection, and deception techniques, to specific MITRE ATT\&CK techniques.
It helps defenders evaluate whether their controls mitigate or detect known adversary behaviors, creating a more structured link between offensive behaviors and defensive architecture.

### What is a sub-technique in MITRE ATT\&CK?

A sub-technique is a more detailed, specific implementation of a broader ATT\&CK technique. For example, T1059: Command and Scripting Interpreter includes sub-techniques like PowerShell (T1059.001) and Bash (T1059.004). Sub-techniques allow defenders to tailor detections and mitigations to the exact procedure used, enabling finer-grained analytics and a deeper understanding of adversary tradecraft.

### What is ATT\&CK Navigator?

ATT\&CK Navigator is a web-based tool developed by MITRE that allows security teams to visually explore and annotate the ATT\&CK matrices. It enables users to map detections, threat actor techniques, and coverage across tactics. Teams often use Navigator to track control coverage, plan red teaming exercises, and prioritize gaps based on adversary behavior.

### What is an ATT\&CK technique ID?

An ATT\&CK technique ID is a unique identifier assigned to every technique and sub-technique in the framework. These IDs, such as T1021 or T1059.003, ensure consistency in detection engineering, intelligence reporting, and red team planning. Referencing IDs standardizes communication across tools, teams, and reports.

### What is MITRE Engage?

MITRE Engage is a framework focused on adversary engagement and cyber deception. Unlike ATT\&CK, which documents adversary behavior, Engage provides structured guidance for using deception --- such as honeypots, misdirection, and adversary interaction --- to disrupt and observe intrusions. It aligns closely with ATT\&CK tactics to guide proactive defense beyond detection and response.

### What is the difference between MITRE ATT\&CK and CVE?

MITRE ATT\&CK catalogs adversary behavior post-compromise, focusing on tactics and techniques.
CVE (Common Vulnerabilities and Exposures), also maintained by MITRE, is a standardized list of known software vulnerabilities. CVE is about exploitable flaws in code. ATT\&CK is about what an attacker does once they have access. Together, they describe both how attackers get in and how they operate once inside.

### What is PRE-ATT\&CK?

PRE-ATT\&CK was a matrix designed to capture adversary behavior before gaining initial access --- such as reconnaissance and target selection. In 2020, MITRE deprecated PRE-ATT\&CK and merged relevant behaviors into the Enterprise matrix to better reflect continuous, multiphase intrusions. Many of its concepts now appear under tactics like Reconnaissance and Resource Development.