# Tracking Down Malicious Communication with Advanced XDR Detection Tactics

By [Gal Bitensky](https://www.paloaltonetworks.com/blog/author/gal-bitensky/?ts=markdown "Posts by Gal Bitensky") and [Yoav Zemah](https://www.paloaltonetworks.com/blog/author/yoav-zemah/?ts=markdown "Posts by Yoav Zemah")

Nov 05, 2025, 10 minutes
# Executive Summary

In this article we outline a comprehensive approach to detecting covert malicious communication as part of Palo Alto Networks' Precision AI® advanced capabilities, specifically focusing on command and control (C2) and data exfiltration. We provide a rare glimpse into our thought process, implementing a "divide and conquer" strategy for classification. This strategy leverages diverse data sources like [endpoint detection and response (EDR)](https://www.paloaltonetworks.com/cyberpedia/what-is-endpoint-detection-and-response-edr) and [network detection and response (NDR)](https://www.paloaltonetworks.com/cyberpedia/what-is-endpoint-detection-and-response-edr) for a holistic extended detection and response (XDR) view.

A case study gives readers insight into how initial stealth tactics, like mimicking legitimate software and using valid domains, ultimately generate anomalies that advanced security controls can detect, such as missing digital signatures and unusual communication patterns.

# Defining The Problem

Effective cybersecurity, even when it involves advanced AI-infused models, begins with a clear understanding of the threats we aim to counter.
To ensure comprehensive coverage for [C2](https://www.paloaltonetworks.com/cyberpedia/command-and-control-explained) communication and data exfiltration, we must first define the problems that we intend to solve.

![Threat actor's infrastructure](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/11/word-image-347936-1.png)

Threat actor's infrastructure

We decided to scope our research to these concepts:

* **C2 Communication:** A covert, bi-directional communication channel established between a compromised system and an attacker-controlled command and control server *after* initial malware installation or system compromise has occurred.
* **Data Exfiltration:** A specific subset of malicious communication: the unauthorized, unidirectional transfer of sensitive data from a compromised network or system to an external destination. This export of data represents a significant breach of confidentiality and can lead to severe consequences for organizations, including financial losses, reputational damage, and regulatory penalties.

Modern endpoints are extremely complex, with countless processes communicating with each other and across networks, so classifying "bad" vs. "good" communications is an extremely difficult task. By properly scoping what we will tackle, we can tailor our security solutions to detect, prevent, and respond effectively to the distinct, yet often interconnected, stages of a cyberattack lifecycle. This allows us to develop more robust and targeted defenses, ultimately providing superior protection to our customers against the evolving threat landscape.

# Methodically Defeating C2 Infrastructure

### Divide and Conquer

Now that we've defined the problem, we need to plan how we validate and improve our coverage. Given how immense the world of C2 and data exfiltration is, the most effective way of doing so is to solve clear sub-problems.
In order to do so, we classified various genres of malicious clients and servers, which in turn allowed us to pick appropriate features for each "C2 flavor". For instance, the methodologies we use to detect the abuse of living off the land binaries (LOLBINs) for C2 purposes differ significantly from those we use to identify a novel, recently compiled binary. Similarly, data exfiltration to a legitimate cloud storage service presents a different detection challenge compared to uploading data to an IP address hosted on an internet service provider (ISP) that is known to be suspicious. Each scenario necessitates a tailored approach to feature selection and detection logic.

The volume and diversity of data make it increasingly difficult to decide which features to include in, and which to exclude from, our detection logic. At Cortex, we integrate a multitude of data sources, combining classic EDR and NDR data. This combined approach provides a more holistic and accurate view of potential threats than traditional security products.

Having defined the scope of the problem and the types of entities we are likely to encounter, we then cataloged every feature that could prove useful in this context. Ranging from a binary's signature status and the rarity of its signer to the intricate TLS fingerprints of both client and server communications, this comprehensive list of features helps us capture a broad spectrum of threat actors' techniques.

### Detection Strategies

As part of our classification process, we matched each identified feature to its appropriate use case, for example:

* A binary compiled by a sophisticated threat actor is unlikely to have a commonly used binary signing certificate, even if it is signed. This makes the rarity of the signer an excellent feature for detecting bespoke malware.
* A C2 server set up by a threat actor and associated with a newly registered domain might seem like a surprising technique in the current threat landscape, but as it turns out, this tactic provides readily accessible, "low-hanging fruit" features that we can leverage to detect anomalous hosts and their malicious activities.

The following table summarizes some of the features we've matched to a use case in our research:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/11/word-image-347936-2.png)

# A Case Study - Generic Detection of a Clever Malvertising Campaign

Using our newly crafted detection strategies, we tracked down multiple advanced malicious campaigns. We are sharing one of these cases, which demonstrates how our meticulous process proved itself against a threat actor leveraging creative tactics.

## Malvertising Infection Vector

Since early August 2025 we have identified multiple malvertising campaigns that target users who search for the GitHub desktop client. In the case that we study here, the threat actor combined [dangling commits](https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/#post-138681-_5bj9rp99k4ek) with a more traditional malvertising campaign.

![Malvertising campaign attack chain](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/11/word-image-347936-3.png)

Malvertising campaign attack chain

The campaign was designed to work as follows:

1. The threat actor creates a disposable GitHub user.
2. The user forks the target repository.
3. A malicious commit is added to the user's downstream fork.
4. The threat actor crafts a URL that includes the downstream commit hash with the upstream original repository address.
5. The threat actor pushes the crafted link to the malicious commit in a malvertising campaign, abusing the trusted upstream repository.
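One way a defender can vet a link of this shape before trusting it, written as an added example that is not from the post or from Cortex: parse the `owner/repo/tree/<sha>` URL, then walk the upstream repository's commit graph from its ref heads and flag a commit that no upstream branch or tag reaches (a dangling fork commit). The commit graph and ref heads here are constructed (placeholder hashes, with the post's commit hash given a constructed parent); in practice they would come from `git ls-remote` and a fetch of the upstream repository.

```python
import re
from collections import deque

# Shape of the malvertised URL from the post: the upstream owner/repo followed by a 40-hex commit.
TREE_URL = re.compile(
    r"^https://github\.com/(?P<owner>[^/]+)/(?P<repo>[^/]+)/tree/(?P<sha>[0-9a-f]{40})"
)


def parse_tree_url(url: str):
    """Return (owner, repo, sha) for a /tree/<sha> URL, or None when the URL has another shape."""
    m = TREE_URL.match(url)
    if not m:
        return None
    return m.group("owner"), m.group("repo"), m.group("sha")


def reachable_from_refs(parents: dict, ref_heads: set) -> set:
    """Every commit reachable by walking parent links from the upstream repository's ref heads.
    `parents` maps a commit sha to the list of its parent shas (a constructed DAG here)."""
    seen, todo = set(), deque(ref_heads)
    while todo:
        sha = todo.popleft()
        if sha in seen:
            continue
        seen.add(sha)
        todo.extend(parents.get(sha, []))
    return seen


def is_dangling(sha: str, parents: dict, ref_heads: set) -> bool:
    """A commit served under the upstream URL that no upstream branch or tag reaches was
    pushed to a fork: the 'dangling commit' the post describes."""
    return sha not in reachable_from_refs(parents, ref_heads)


# Constructed commit graph (placeholder hashes, not real GitHub objects): an upstream history
# a -> b with `b` as the head of the only upstream ref, plus the fork commit named in the post,
# whose parent is assumed here to be `b`.
UPSTREAM_REFS = {"b" * 40}
PARENTS = {
    "a" * 40: [],
    "b" * 40: ["a" * 40],
    "636f5d478fa774635da5b25ecb842822ab444009": ["b" * 40],
}


def classify_url(url: str, parents: dict = PARENTS, ref_heads: set = UPSTREAM_REFS) -> str:
    """Classify a GitHub link as not-a-tree-url, upstream-commit, or dangling-commit:<owner>/<repo>."""
    parsed = parse_tree_url(url)
    if parsed is None:
        return "not-a-tree-url"
    owner, repo, sha = parsed
    if is_dangling(sha, parents, ref_heads):
        return f"dangling-commit:{owner}/{repo}"
    return "upstream-commit"


if __name__ == "__main__":
    link = "https://github.com/desktop/desktop/tree/636f5d478fa774635da5b25ecb842822ab444009#download-github-desktop"
    print(classify_url(link))  # dangling-commit:desktop/desktop
```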
We identified several malicious commits, including one in which the GitHub user @hTarehu forked the official GitHub desktop client repository and added a malicious commit to the downstream repository on August 4, 2025. The sole change was to the README.md file, in which the threat actor embedded a section containing links to a malicious binary. Next, the threat actor crafted the following link:

`hxxps://github[.]com/desktop/desktop/tree/636f5d478fa774635da5b25ecb842822ab444009#download-github-desktop`

Next, the actor promoted this link with a sponsored ad, presenting the malicious URL as an official verified website, in an effort to infect users who search for and attempt to download the GitHub desktop client.

## Stealth - At What Cost?

The ingenuity of the threat actor's infection vector inadvertently generated unexpected anomalies. A crucial aspect of their deception involved leveraging a widely used and seemingly innocuous application, GitHub's official desktop client, as a cover for their malicious activities. Further adding to the impression of legitimacy, the malicious payload was distributed from what appeared to be the verified official repository of this application. Moreover, the domain name promoted throughout their malvertising campaign was entirely legitimate, further cementing the illusion of authenticity for unsuspecting victims.

However, these very tactics were a double-edged sword. Although highly effective as a social engineering scheme to lure victims into downloading the malicious software, this approach ultimately became a point of vulnerability: advanced security controls detect it by identifying the discrepancies between the initial stage of the malware and a typical, legitimate client downloaded from the authentic repository.
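The discrepancies this case exposes (no valid signature or a rare signer, a download host other than GitHub, a Mark-of-the-Web referrer matching the crafted repository URL, and destinations the genuine client never contacted) as features extracted from EDR and NDR records, written as an added example that is not the post's or Cortex's code. The event schema, the expected download hosts, the signer-prevalence and domain-age cutoffs, and both sample records (with `.invalid` placeholder domains) are constructed assumptions; the referrer regex is the one from the post's XQL query.

```python
import re
from datetime import date

# Referrer pattern from the post's XQL query (refanged): the GitHub Desktop repo with a 40-hex commit.
FAKE_CLIENT_REFERRER = re.compile(
    r"https://github\.com/desktop/desktop/tree/?[0-9a-f]{40}\?tab=readme-ov-file"
)
# Hosts a genuine GitHub Desktop download is expected to come from (assumption for this example).
EXPECTED_DOWNLOAD_HOSTS = {"github.com", "objects.githubusercontent.com", "central.github.com"}
RARE_SIGNER_THRESHOLD = 10   # a signer seen on fewer endpoints than this counts as rare (assumed cutoff)
YOUNG_DOMAIN_DAYS = 30       # registration younger than this counts as "newly registered" (assumed cutoff)


def parse_zone_identifier(text: str) -> dict:
    """Parse the Mark-of-the-Web (Zone.Identifier ADS) key=value lines browsers write next to downloads."""
    fields = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def host_of(url: str) -> str:
    m = re.match(r"^[a-z]+://([^/:?#]+)", url)
    return m.group(1).lower() if m else ""


def extract_features(event: dict, signer_prevalence: dict, baseline_hosts: set, today: date) -> dict:
    """One feature per question the post's strategy asks: who signed it, where it came from, who it talks to."""
    motw = parse_zone_identifier(event["web_mark"])
    referrer = motw.get("ReferrerUrl", "")
    host_url = motw.get("HostUrl", "")
    signed = event["signer"] is not None
    return {
        "unsigned": not signed,
        "rare_signer": signed and signer_prevalence.get(event["signer"], 0) < RARE_SIGNER_THRESHOLD,
        "fake_client_referrer": FAKE_CLIENT_REFERRER.search(referrer) is not None,
        "download_not_from_github": host_of(host_url) not in EXPECTED_DOWNLOAD_HOSTS,
        # Destinations the genuine client was never seen contacting (EDR process joined with NDR flows).
        "new_destinations": sorted(d for d in event["dest_domains"] if d not in baseline_hosts),
        "young_domains": sorted(d for d, reg in event["domain_registered"].items()
                                if (today - reg).days < YOUNG_DOMAIN_DAYS),
    }


def verdict(f: dict) -> str:
    """Require several independent discrepancies so that one odd signal alone does not alert."""
    hits = [f["unsigned"] or f["rare_signer"], f["fake_client_referrer"],
            f["download_not_from_github"], bool(f["new_destinations"]), bool(f["young_domains"])]
    return "suspicious" if sum(hits) >= 3 else "benign"


# Constructed sample data (not from the post): hosts the genuine client contacts, signer prevalence,
# and two process events with their Zone.Identifier contents.
BASELINE_HOSTS = {"github.com", "api.github.com", "central.github.com"}
SIGNER_PREVALENCE = {"GitHub, Inc.": 50000}
FAKE_CLIENT_EVENT = {
    "image": r"C:\Users\victim\Downloads\GitHubDesktopSetup.exe",
    "signer": None,
    "web_mark": ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://github.com/desktop/desktop/tree/"
                 "636f5d478fa774635da5b25ecb842822ab444009?tab=readme-ov-file&gclid={redacted}\r\n"
                 "HostUrl=https://downloads.example.invalid/GitHubDesktopSetup.exe\r\n"),
    "dest_domains": ["stage.example.invalid"],
    "domain_registered": {"stage.example.invalid": date(2025, 8, 1)},
}
GENUINE_CLIENT_EVENT = {
    "image": r"C:\Users\victim\Downloads\GitHubDesktopSetup-x64.exe",
    "signer": "GitHub, Inc.",
    "web_mark": ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://desktop.github.com/\r\n"
                 "HostUrl=https://central.github.com/deployments/desktop/desktop/latest/GitHubDesktopSetup-x64.exe\r\n"),
    "dest_domains": ["api.github.com", "central.github.com"],
    "domain_registered": {"api.github.com": date(2008, 1, 1), "central.github.com": date(2008, 1, 1)},
}


def analyze(event: dict, today: date = date(2025, 8, 10)) -> dict:
    """Run the feature extraction against the constructed baseline and attach the verdict."""
    feats = extract_features(event, SIGNER_PREVALENCE, BASELINE_HOSTS, today)
    feats["verdict"] = verdict(feats)
    return feats


if __name__ == "__main__":
    for name, ev in (("fake", FAKE_CLIENT_EVENT), ("genuine", GENUINE_CLIENT_EVENT)):
        print(name, analyze(ev))
```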
An example of such a feature is the absence of a valid digital signature on the downloaded executable, a fundamental characteristic of legitimate software. Furthermore, the download itself did not originate directly from GitHub, the purported source, but rather from a third-party site, a highly suspicious deviation for an official client download.

After the fake client was downloaded and run, it proceeded to establish communication with additional staging servers. These servers, unlike those associated with the legitimate GitHub desktop client, were entirely new and previously unobserved. This behavior raises additional red flags for sophisticated security monitoring systems. The communication patterns and destinations were highly atypical for the genuine application, providing additional evidence of the malicious nature of the downloaded software. This anomalous network activity is a key indicator for detection systems focused on identifying command and control communications.

This attack is easily detected using our divide-and-conquer strategy. We identified a binary compiled by the attacker, disguised as a legitimate client, communicating with a C2 server self-hosted by the attacker and never contacted before by the benign client. The features that we analyzed have proven to be a valuable resource, as they reveal numerous discrepancies that we use to flag this attack.

![The execution of the fake GitHub client and related malicious activity](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/11/word-image-347936-4.png)

The execution of the fake GitHub client and related malicious activity

# Conclusion

Our journey started with rigorously defining C2 communication and data exfiltration, and systematically categorizing malicious entities and their associated features. This in turn allowed us to get the most out of our Precision AI models, creating a robust framework for detecting covert communication.
This approach, demonstrated in our detailed case study on a clever malvertising campaign, highlights the effectiveness of integrating diverse data sources like EDR and NDR. Our continuous adaptation to evolving threat actor tactics, coupled with thorough validation of detection strategies, ensures that our security solutions provide comprehensive and superior protection against sophisticated cyberattacks.

# Appendix

## C2 and Exfiltration Detectors

* [Rare binary connected to a rare cloud resource](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Rare-binary-connected-to-a-rare-cloud-resource)
* [Rare binary connected to a rare external host](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Rare-binary-connected-to-a-rare-external-host)
* [Windows LOLBIN executable connected to a rare external host](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Windows-LOLBIN-executable-connected-to-a-rare-external-host)
* [Scripting engine connected to a rare external host](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Scripting-engine-connected-to-a-rare-external-host)
* [A compromised process accessed a rare external host](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/A-compromised-process-accessed-a-rare-external-host)
* [A commonly abused process connected to a rare external host](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/A-commonly-abused-process-connected-to-a-rare-external-host)
* [A commonly abused process connected to a rare cloud resource](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/A-commonly-abused-process-connected-to-a-rare-cloud-resource)
* [A process connected to rare external host](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/A-process-connected-to-rare-external-host)
* [A process connected to a rare cloud resource](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/A-process-connected-to-a-rare-cloud-resource)
* [Rare process created an SSH session to an uncommon cloud resource](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Rare-process-created-an-SSH-session-to-an-uncommon-cloud-resource)
* [Rare process created an SSH session to an uncommon external host](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Rare-process-created-an-SSH-session-to-an-uncommon-external-host)
* [Rare communication over email ports to external email server by unsigned process](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Rare-communication-over-email-ports-to-external-email-server-by-unsigned-process)

## XQL - Malicious GitHub Client

```xql
// Description: Querying Potential Fake GitHub Client Cases
dataset = xdr_data
| filter event_type = PROCESS and action_process_file_web_mark != null
| alter ReferrerUrl = action_process_file_web_mark -> ReferrerUrl
| filter ReferrerUrl ~= "https:\/\/github.com\/desktop\/desktop\/tree\/?[0-9a-f]{40}\?tab=readme-ov-file"
| fields agent_hostname, actor_effective_username, actor_process_image_path, ReferrerUrl
| dedup ReferrerUrl
```

## Indicators of Compromise - Malicious GitHub Client

### Known malicious commits

* 636f5d478fa774635da5b25ecb842822ab444009 (associated with @hTarehu)
* 629f3ab77b0c6840618029d39869d078f8a5a694
* 3b3e14cec9f2c7f9567bb1a50ece12d4eb337305
* a48188b0d5bdc3e8728cb37619cc51f7392b086f

### Malvertised link format
`hxxps://github[.]com/desktop/desktop/tree/636f5d478fa774635da5b25ecb842822ab444009?tab=readme-ov-file&gad_source=1&gad_campaignid={redacted}&gclid={redacted}#download-github-desktop`

### Associated user

@hTarehu (vilenakoroleva000@rambler.ru)