# Palo Alto Networks Outperforms Against Cobalt Strike Attacks

By [Samaresh Nair](https://www.paloaltonetworks.com/blog/author/samaresh-nair/?ts=markdown "Posts by Samaresh Nair"), Nov 15, 2023

[Next-Generation Firewalls](https://www.paloaltonetworks.com/blog/network-security/category/next-generation-firewalls/?ts=markdown) [Firewall](https://www.paloaltonetworks.com/blog/tag/firewall/?ts=markdown) [network security](https://www.paloaltonetworks.com/blog/tag/network-security/?ts=markdown) [Threats and attacks](https://www.paloaltonetworks.com/blog/tag/threats-and-attacks/?ts=markdown)

Palo Alto Networks is the leading vendor in preventing Cobalt Strike C2 communication. According to the recently published report by SecureIQLab, Palo Alto Networks is the only leader with a block rate of ~99% of tested attacks and the highest Threat Response Efficiency.
Please find the report [here](https://secureiqlab.com/wp-content/uploads/2023/09/Comparative_CobaltStrike_Report_09_06_2023.pdf).

The ever-evolving threat landscape makes it challenging for organizations to be confident in their security posture. Our Unit 42 team has [reported](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42-network-threat-research-report-vol1.pdf) more than a 73% increase in attackers using white hat hacking tools to perform command and control attacks, with "Cobalt Strike" as the leading tool. Cobalt Strike can create highly evasive C2 channels, bypassing traditional security methods of blocking with IPS signatures, URL filtering, etc.

SecureIQ Lab published a [study](https://secureiqlab.com/wp-content/uploads/2023/09/Comparative_CobaltStrike_Report_09_06_2023.pdf) comparing leading security offerings for Next-Generation Firewalls and SASE products, concluding that Palo Alto Networks is the leading vendor in preventing Cobalt Strike C2 communication with the AI/ML-based, cloud-delivered Advanced Threat Prevention service. The report is based on individual studies for [NGFW](https://www.paloaltonetworks.com/resources/research/2022-secure-iq-lab-report) and [SASE](https://www.paloaltonetworks.com/resources/research/2023-secureiqlab-command-and-control-comparative-report) products.

**Cobalt Strike Explained**

Cobalt Strike is a legitimate penetration testing tool intended to be used by white hat hackers to perform penetration tests. With an intuitive UI, even novice threat actors can launch sophisticated command and control attacks such as command line execution, file transfers, keylogging, etc. Malleable C2 profiles allow the operator to encrypt, encode and otherwise obfuscate network traffic in many different ways to mimic benign flows and even other malware communications. These profiles range from well-known default or basic settings to nearly limitless hand-crafted custom profiles.
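As an added illustration of the Malleable C2 profile point (example code written for this page, not code from Palo Alto Networks, SecureIQLab or the report): a static signature keyed on one known request shape misses a re-profiled beacon that imitates a browser fetching a stylesheet, while a simple timing heuristic over the same constructed proxy records still surfaces both beacons and leaves ordinary browsing alone. The heuristic stands in for behaviour-based detection in general and is not the Advanced Threat Prevention models; every host, path, user agent and threshold below is an assumption.

```python
"""Static signature vs. timing heuristic over constructed proxy records."""
import re
from collections import defaultdict
from statistics import mean, pstdev

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"

# Constructed proxy records: (epoch seconds, src, dst, uri, user_agent).
# 10.0.0.5 -> beacon on a "known" profile; 10.0.0.7 -> re-profiled beacon
# that looks like a browser fetching a stylesheet; 10.0.0.9 -> real browsing.
RECORDS = [
    *[(t, "10.0.0.5", "203.0.113.10", f"/submit.php?id={t}", "ConstructedBot/1.0")
      for t in (0, 60, 120, 180, 240, 300, 360)],
    *[(t, "10.0.0.7", "203.0.113.20", "/static/app.css", BROWSER_UA)
      for t in (0, 55, 118, 176, 242, 298, 361)],
    *[(t, "10.0.0.9", "198.51.100.8", p, BROWSER_UA)
      for t, p in ((0, "/"), (3, "/news"), (4, "/static/app.css"), (40, "/about"),
                   (41, "/static/app.css"), (300, "/news/1"), (900, "/"))],
]

# Static rule keyed on the "known profile" request shape (constructed, not a
# real vendor signature). Any re-profiled beacon slips straight past it.
SIG_URI = re.compile(r"^/submit\.php\?id=\d+$")
SIG_UA = "ConstructedBot/1.0"


def signature_hits(records):
    """Return the (src, dst) pairs whose requests match the static rule."""
    return {(src, dst) for _, src, dst, uri, ua in records
            if SIG_URI.match(uri) and ua == SIG_UA}


def beacon_candidates(records, min_count=6, max_cv=0.35):
    """Flag (src, dst) pairs whose request inter-arrival times are regular.

    max_cv bounds the coefficient of variation (stdev / mean) of the gaps, so
    a beacon with moderate jitter still passes while bursty human browsing
    does not. Both thresholds are illustrative assumptions, not tuned values.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in records:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            flagged[pair] = round(cv, 3)
    return flagged


if __name__ == "__main__":
    print("signature hits:", signature_hits(RECORDS))
    print("beacon candidates:", beacon_candidates(RECORDS))
```

Running it shows the signature catching only the known-profile pair, while the timing check flags both beacon pairs and not the browsing host.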
Traditional signatures can be evaded even for known Cobalt Strike profiles. Researchers have also created and shared tools to quickly generate new randomized Cobalt Strike profiles. Beacons using these profiles are highly configurable, small in memory, emit low-volume and asynchronous traffic, and can masquerade as different pieces of software, making them difficult to detect.

Due to its flexibility and ease of use, Cobalt Strike is unfortunately being used for malicious purposes by bad actors. A few cracked versions have recently become readily available, skyrocketing its use for illegitimate purposes. The traditional approach taken by vendors relies on static IPS signatures and on blocking malicious URLs and domains that host the C2 server. Based on the SecureIQLab studies, these techniques fail to address new and evasive variants. A new approach is needed to block Cobalt Strike C2 traffic while avoiding false positives.

**See the Only Leader in Exfiltration of Sensitive Information Over the Command-and-Control Channel**

Traditional IPS signatures cannot distinguish genuine benign traffic from the benign traffic that Cobalt Strike emulates, so they let it through. Palo Alto Networks' [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention) uses ML/AI to detect C2 traffic masquerading as benign application traffic. The Advanced Threat Prevention service detects and blocks over 99% of C2 traffic, whereas other leading security services blocked less than 20% with traditional approaches. The graphic below from SecureIQLab shows that Palo Alto Networks is the only leader that successfully blocks over 99% of attempted C2 channels using Cobalt Strike.
![Palo Alto Networks is the only leader that successfully blocks over 99% of attempted C2 channels using Cobalt Strike.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/11/word-image-308919-1.png)

Figure 1: Palo Alto Networks is the only leader that successfully blocks over 99% of attempted C2 channels using Cobalt Strike.

With cloud-delivered security, a customer can view the logs of an attempted command and control attack, which can be automatically blocked through configurable settings. At the same time, our competitors may allow this traffic. SecureIQ Lab tested the ability of various security solutions to block the command-and-control capabilities of the Cobalt Strike attack suite. The test measured the block rate of each vendor in five attack scenarios: basic attack, random attack, custom attack, nonstandard ports-based attack, HTTPS attack and hostname change attack.

![How security vendors stack up against Cobalt Strike attacks.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/11/word-image-308919-2.png)

Figure 2: How security vendors stack up against Cobalt Strike attacks.

Palo Alto Networks leads all security vendors in preventing Cobalt Strike C2 communication. Cobalt Strike remains the premier post-exploitation adversary emulator that continues to evade conventional next-generation solutions, including signature-based detection. By design, Cobalt Strike is exceptionally malleable and resilient against static detections. An advanced attacker will have no problem creating completely novel Malleable C2 profiles explicitly designed to thwart the static defenses of IPS signatures. Palo Alto Networks' Advanced Threat Prevention's inline deep-learning models and heuristic techniques can prevent Cobalt Strike Beacon and Team Server C2 sessions before a single byte is exfiltrated.

Download the [full report](https://secureiqlab.com/wp-content/uploads/2023/09/Comparative_CobaltStrike_Report_09_06_2023.pdf) to learn more.