# Introducing the New Cortex Shellcode AI Protection: A Precision AI-Driven Module

By [Cortex Research Team](https://www.paloaltonetworks.com/blog/author/cortex-research-team/?ts=markdown), Jul 03, 2024

Research By: Yinnon Meshi, Lior Rochberger, Eran Tamari, and Daniel Frank

## **Executive Summary**

When dealing with sophisticated and evasive cyberattacks, one of the more challenging aspects for defenders is detecting and preventing the execution of shellcode. [Shellcode](https://en.wikipedia.org/wiki/Shellcode) is a common yet elusive component that is being utilized by threat actors, due to its stealthy nature.

To address the detection and prevention of shellcode, Palo Alto Networks developed a novel AI-based module, specifically designed to tackle the evolving landscape of shellcode threats. By implementing advanced machine learning techniques, our new AI-based module now offers Palo Alto Networks Cortex customers enhanced shellcode prevention capabilities protecting against new and unseen variations of shellcode.

In this write-up, we will dive into the realm of shellcode and examine how our AI-driven approach is once again raising the bar when it comes to threat detection and prevention.

## **What is Shellcode?**

Shellcode is a headerless arbitrary sequence of bytes, representing assembly instructions that are commonly loaded in memory without being backed by a file on disk. In Windows, shellcode is naturally not loaded by the Windows loader, which requires it to run as position independent code and resolve its own APIs.

Threat actors often tend to weaponize shellcode in various post-exploitation phases, using either known exploitation frameworks and payloads like Metasploit's [Meterpreter](https://www.offsec.com/metasploit-unleashed/about-meterpreter/), or using completely new and custom shellcode payloads.
Post-exploitation shellcode commands are delivered by malicious loaders and injectors that commonly allocate memory and trigger execution.

In the past, shellcode was used only to obtain a remote shell, hence the name "Shell-Code". Nowadays, shellcode is used to perform a wide range of tasks, from creating a remote shell and communicating with a remote server, to loading additional resources and binaries.

The capability implemented in this module focuses on post-exploitation shellcode detection, which is normally used to execute additional payloads after the attacker obtains code execution privilege on the compromised endpoint.

## **Challenges in Shellcode AI-Based Prevention**

Due to its elusive nature, shellcode presents different and significant detection challenges. Some of the noteworthy challenges include:

* **Execution within legitimate processes:** The execution of shellcode payloads within the memory space of legitimate processes makes it difficult to distinguish from benign operations. Additionally, the inherent unreadability of machine code and the requirement for full memory context can further complicate analysis.
* **Legitimate software behavior:** Traditional detection methods often depend on identifying behavioral triggers such as executable memory allocation and page protection modifications, which are commonly seen in legitimate software and may be harder to distinguish from malicious activity.
* **Shellcode evasion techniques:** Attackers continually evolve, utilizing techniques like direct syscalls to evade defenses. Common attack frameworks such as [Metasploit](https://www.metasploit.com/) and [CobaltStrike](https://www.cobaltstrike.com/) can create custom shellcode commands that avoid traditional and known detection patterns.

## **Developing our AI-Based Module For Cortex**

The development of this module required us to use a new and innovative approach.
We started from an extensive analysis of numerous malicious files, and then we constructed a dataset of the most difficult-to-detect shellcode buffers we encountered during the analysis.

During the development of our AI-based module, our approach faced several key aspects that needed to be addressed:

* **Standalone precision:** Achieving a high precision rate was crucial to match the performance of manually crafted detection logic. The module had to accurately identify shellcode without relying on external validation or additional analysis layers.
* **Flexibility:** We needed the capability to fix problems accurately, while preserving and enhancing detection capabilities, without compromising existing shellcode coverage. This meant designing a highly maintainable module that can be adapted and easily updated to address new threats, as well as improve detection over time.
* **"Laziness" of machine learning (ML) models:** ML models often aim to generalize detection, but this can also cause several dominant features to overshadow the remaining "weaker" features. This can hinder the model from learning complex combinations of features. Ensuring the model recognized subtle and nuanced patterns in the data was essential for effective shellcode detection.

## **Implemented Solution**

To effectively address the challenges of detecting and preventing shellcode attacks, we developed a robust solution that leverages advanced machine learning and deep system visibility. Our approach combines cutting-edge techniques with the unique capabilities of the Cortex platform to identify and neutralize shellcode threats in real-time. By utilizing the power of AI, we can analyze intricate patterns and behaviors that traditional methods might miss. This section will detail how our innovative module functions, providing a comprehensive look at the technologies and methodologies that drive our enhanced protection capabilities.

To implement an effective solution, we utilized the Cortex platform's kernel-mode system call interception, which provides deep visibility into system operations. This capability allows us to detect low-level malicious activities inspected from the kernel.

Running in the context of the Cortex kernel-mode system call interception capabilities, our proprietary ML module can detect and prevent sophisticated malware that employs advanced evasion techniques, such as [direct syscalls](https://www.paloaltonetworks.com/blog/security-operations/a-deep-dive-into-malicious-direct-syscall-detection/) and custom shellcode obfuscation.

This approach not only improves coverage by identifying patterns and behaviors that traditional rule-based memory scanners often miss or will most likely be unable to detect, but also reduces false positives and preserves precision, while ensuring that legitimate processes are not incorrectly flagged as threats. Finally, our machine learning models continuously adapt to recognize new and unseen shellcode variations, providing a dynamic and robust defense mechanism.

To address the aforementioned issues we faced, we developed a novel ML framework composed of four distinct algorithms tailored specifically for this module. This framework combines several approaches:

* Supervised learning leveraging [decision trees](https://en.wikipedia.org/wiki/Decision_tree).
* [Weak supervision](https://en.wikipedia.org/wiki/Weak_supervision).
* A proprietary ML algorithm that maximizes diversity.

Key features of this framework include:

* **Robustness:** Given the high sample complexity and limited feature reasoning (e.g., lack of metadata such as headers), achieving extremely high precision by simply adding more benign data was not feasible. To tackle this, we developed an algorithm based on a variation of decision trees specifically designed to dramatically reduce the risk of false positives without relying on additional benign data.
* **False positives prevention layer:** To further mitigate the risk of false positives, we added an algorithmic layer based on weak supervision. This layer is constructed to reduce the risk of false positives, while preserving the previous model's recall. It uses both labeled and unlabeled data, since unlabeled data is usually more readily available.
* **Multi-view analysis:** Our decision tree algorithm was further enhanced to target each malicious sample from multiple angles. This multi-view approach assumes that each angle can uncover different attack vectors in the wild. By extracting as much information as possible from each sample, we increased our chances of detecting sophisticated malicious shellcode that is harder to find.

By combining these methods together into a single framework, we provide our customers an extended protection against sophisticated malicious shellcode. This integrated approach ensures that our AI-based module offers both precise and robust detection, adding a critical layer in cybersecurity defenses.

## **Shellcode AI-Based Detection in the Wild: Three Distinct Use Cases**

The following examples exhibit real-life attacks that were caught in our telemetry by the newly developed AI Shellcode module.

### First Use Case - XMRig Miner Shellcode

Miners are a good example of an evolving threat that is here to stay, and it often employs sophisticated techniques to increase infection rates and persistence. Notably, the authors of miners can utilize shellcode to execute their payloads in memory, in an attempt to avoid detection by traditional file-based antivirus solutions.

When we ran the new AI Shellcode module on our telemetry, it soon caught an ongoing campaign spreading an XMRig-based miner, masquerading as cracked versions of different security software.
The campaign, which started at the end of 2023 and continued to the middle of 2024, spread a loader of an XMRig Miner that utilized shellcode injection in order to execute the miner in memory.

The attack breaks down into the following stages. In the first stage of the attack:

* The loader, named Cimnkuokmgw.exe, unpacks itself in memory, and drops a copy of itself named updater.exe.
* It then sets its persistence component by writing a scheduled task for its freshly created registry autorun key. This completes the first stage of the attack.

This activity can be seen in Figure 1 below.

![Figure 1. First stage execution of the XMRig miner, as detected by Cortex set to detect-only mode, for research purposes.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-324272-1.png)

In the second stage of the attack, updater.exe is executed and creates a file called gcvywecf.tmp, which is the XMRig miner payload itself. The miner then injects into two separate instances of conhost.exe:

* The first instance is responsible for creating a mutex (qafmvnuzwchno), and for creating a log file (g.log) that saves on disk the output of the following WMI query's result: wmic PATH Win32_VideoController GET Name, VideoProcessor.
* The second instance is responsible for creating another mutex (bnpjjtgqmfaqhphd), and for dropping the vulnerable driver Winring0x64.sys (named WR64.sys), including creating a service to enable its loading. It then triggers the XMRig payload (gcvywecf.tmp) which performs the main mining activity, including communicating with the mining pool.

Figure 2 below depicts the second stage of the attack.

![Figure 2. Second stage execution of the XMRig miner, as shown in Cortex set to detect-only mode, for research purposes.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-324272-2.png)

The shellcode detection of the current use-case was generated automatically using our ML models. A snippet of shellcode extracted from a larger buffer in memory is shown in Figure 3 below.

![Figure 3. A snippet of the XMRig shellcode](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-324272-3.jpeg)

When analyzing the shellcode, a human malware analyst may notice that the malicious code is searching for the MZ and PE headers, indicative of Windows executable files. However, building a naive detection system based solely on these patterns would result in numerous false positives in a production environment.

Our ML model goes beyond these obvious indicators. It incorporates additional, seemingly unrelated conditions that might not make immediate sense to a human analyst. By analyzing complex patterns and correlations within the data, the model generates highly accurate prevention rules. This advanced approach ensures the effective detection of shellcode with minimal false positives.

![Figure 4. End user notification for the prevention of the initial loader](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-324272-4.png)

### Second Use Case - Quasar RAT Leveraging Shellcode

Quasar RAT is an open source .NET malware that is used by a variety of threat actors. Over the past few years, the malware was [reported](https://tuxcare.com/blog/hackers-drops-coinminer-quasar-rat-using-emotet-botnet/) being distributed using different methods, including via other malware and exploitation of vulnerable and unpatched internet-facing servers and applications.

In May 2024, we investigated a Quasar RAT infection, whose infection vector was the exploitation of vulnerable SQL servers.
In this case, the attacker used PowerShell to download different components including binaries, scripts and configuration files from a known Quasar RAT command and control (C2) server. The certificate of this C2 can be seen in Figure 5 below.

![Figure 5. Quasar RAT’s certificate used for the command and control server](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-324272-5.png)

The payloads that were delivered in this campaign were saved in the compromised environment under the path C:\Users\Public and then executed. All of the payloads were configured to use the same Quasar RAT's server as their C2. The execution chain of these payloads is depicted in Figure 6.

![Figure 6. Exploitation of sqlsrvr.exe, as shown in Cortex set to detect-only mode, for research purposes.](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-324272-6.png)

Among the different payloads that we observed, one sample exhibited a suspicious behavior that looked like the execution of a shellcode. The malware, named p.exe, connected to its C2 and downloaded an additional file named 1.bin, which was indeed encrypted shellcode. After the file was downloaded to the environment, p.exe read it together with another file, url.txt (potentially a configuration file), that was downloaded previously by the attacker from the same C2.

The shellcode was then loaded into memory and dropped an additional payload, [PetitPotato](https://github.com/wh0amitz/PetitPotato), a local privilege escalation tool.

The SQL process altered the protection of a memory page using the VirtualProtect API, prompting Cortex to assess a potential shellcode buffer.
Despite the absence of obvious red flags and the fact that the buffer did not resemble any known shellcode framework, the Cortex Shellcode AI module effectively detected and prevented the shellcode, as depicted in Figure 7 below.

![Figure 7. Prevention of p.exe, as shown by Cortex](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-324272-7.png)

![Figure 8. Quasar RAT shellcode that could pass as benign](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-324272-8.png)

### Third Use Case - Low-Detection Rate CobaltStrike

[CobaltStrike](https://attack.mitre.org/software/S0154/) is a sophisticated threat emulation software that was initially created for red teaming and adversary simulation, but like many other cybersecurity tools, it has fallen into the wrong hands. Cybercriminals and nation state threat actors leverage CobaltStrike for its robust post-exploitation capabilities, such as a dedicated C2 and pivoting and lateral movement within compromised networks.

Another notable feature of CobaltStrike is its ability to generate shellcode payloads, which can be extensively customized. This customization allows attackers to craft unique payloads that evade traditional security defenses.

However, the Cortex Shellcode AI module addresses this customization feature by leveraging advanced machine learning algorithms to detect and block even the most subtle and low-detected samples. By analyzing patterns and behaviors rather than relying solely on signature-based detection, our solution can detect and prevent threats posed by customized CobaltStrike payloads.

The sample's low-detection rates in VirusTotal can be seen in Figure 9.

![Figure 9. Low-detection rate CobaltStrike](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-324272-9.png)

Set to prevent mode, Cortex prevented the execution of the low-detected CobaltStrike, as shown in Figure 10 below.

![Figure 10. End user notification for the prevention of CobaltStrike](https://www.paloaltonetworks.com/blog/wp-content/uploads/2024/07/word-image-324272-10.png)

## **Conclusion**

The Cortex Shellcode AI module, a [Palo Alto Networks Precision AI™](https://www.paloaltonetworks.com/precision-ai-security) technology, represents a significant advancement in the detection and prevention aspects of cybersecurity by combining novel machine learning algorithms with kernel-mode system call interception to detect and prevent elusive shellcode attacks. This cutting-edge approach enhances detection coverage and adapts to emerging threats by providing robust protection against even the most advanced and custom shellcode payloads.

By integrating multiple algorithms and leveraging a multi-view approach, the Cortex research team has developed a comprehensive solution that addresses the complexities of modern cyberthreats, raising the bar in endpoint security.
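
The behaviours listed in the XMRig use case above can also be hunted as a correlated chain rather than by file name, which keeps benign look-alikes (a hardware monitor installing WinRing0, an administrator running the same WMI query) out of the alerts. The following is an added example, not Cortex's detection logic or code from the original post; the event schema, pids, paths, the `HwMonitorTool.exe` and `setup.exe` processes, and the choice of `updater.exe` as the injecting process are assumptions made for illustration.

```python
from collections import defaultdict


def ev(pid, ppid, image, action, target="", **extra):
    """Build one telemetry record in the hypothetical schema used here."""
    return dict(pid=pid, ppid=ppid, image=image, action=action, target=target, **extra)


# Constructed sample telemetry. File names and the WMI query come from the
# write-up; pids, paths, the benign processes and the injector are assumptions.
EVENTS = [
    ev(100, 900, "Cimnkuokmgw.exe", "file_write", r"C:\placeholder\updater.exe", copy_of_self=True),
    ev(100, 900, "Cimnkuokmgw.exe", "persistence", "scheduled task / autorun key"),
    ev(200, 100, "updater.exe", "file_write", r"C:\placeholder\gcvywecf.tmp"),
    ev(200, 100, "updater.exe", "inject", target_pid=300),
    ev(200, 100, "updater.exe", "inject", target_pid=301),
    ev(300, 50, "conhost.exe", "process_start",
       "wmic PATH Win32_VideoController GET Name, VideoProcessor"),
    ev(301, 50, "conhost.exe", "file_write", r"C:\placeholder\WR64.sys"),
    ev(301, 50, "conhost.exe", "service_create", "kernel driver WR64.sys"),
    # Benign look-alikes that share single behaviours with the chain.
    ev(500, 900, "cmd.exe", "process_start", "wmic PATH Win32_VideoController GET Name"),
    ev(600, 900, "HwMonitorTool.exe", "file_write", r"C:\placeholder\WinRing0x64.sys"),
    ev(600, 900, "HwMonitorTool.exe", "service_create", "kernel driver WinRing0x64.sys"),
    ev(700, 900, "setup.exe", "file_write", r"C:\placeholder\install.tmp"),
    ev(700, 900, "setup.exe", "persistence", "autorun key"),
]


def classify(e):
    """Map one event to a behaviour label, or None if it is not of interest."""
    img, act, tgt = e["image"].lower(), e["action"], e["target"].lower()
    if act == "file_write" and e.get("copy_of_self"):
        return "self_copy"
    if act == "persistence":
        return "persistence"
    if act == "file_write" and tgt.endswith(".tmp"):
        return "tmp_payload_drop"          # weak signal, only useful in a chain
    if act == "inject":
        return "remote_injection"          # refined once the target image is known
    if img == "conhost.exe":
        # The console host has no business installing drivers or querying GPUs.
        if act == "service_create" or (act == "file_write" and tgt.endswith(".sys")):
            return "conhost_driver_install"
        if act == "process_start" and "win32_videocontroller" in tgt:
            return "conhost_gpu_wmi_query"
    return None


def correlate(events, min_behaviours=3):
    """Group behaviours per process chain and alert on chains that abuse conhost.exe.

    A chain follows parent links, except that an injected process is attached
    to its injector. Pid reuse is ignored (assumption for this small sample).
    """
    image_of = {e["pid"]: e["image"].lower() for e in events}
    link = {e["pid"]: e["ppid"] for e in events}
    for e in events:
        if e["action"] == "inject":
            link[e["target_pid"]] = e["pid"]

    def root(pid):
        seen = set()
        while link.get(pid) in image_of and pid not in seen:
            seen.add(pid)
            pid = link[pid]
        return pid

    chains = defaultdict(set)
    for e in events:
        label = classify(e)
        if label == "remote_injection":
            hit = image_of.get(e["target_pid"]) == "conhost.exe"
            label = "conhost_injected" if hit else None
        if label:
            chains[root(e["pid"])].add(label)

    alerts = {}
    for r, labels in chains.items():
        # Require breadth plus at least one conhost-specific behaviour.
        if len(labels) >= min_behaviours and any(l.startswith("conhost_") for l in labels):
            alerts[image_of[r]] = sorted(labels)
    return alerts


if __name__ == "__main__":
    for image, labels in correlate(EVENTS).items():
        print(image, "->", ", ".join(labels))
```

Dropping the two injection events breaks the link between the loader and the conhost.exe instances, so no chain reaches the threshold; that dependency on cross-process visibility is the reason single-event rules are not enough here.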