// Trust & Security Report
Palo Alto Networks, Inc. (formerly Demisto, Inc., acquired 2019)
Cortex XSOAR: Security Orchestration, Automation, and Response (SOAR) platform available as a hosted cloud service and on-premises deployment. Successor product Cortex AgentiX (agentic SOC) announced for 2026.
Certifications held
21
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on docs-cortex.paloaltonetworks.com“SOC 2 Type II certified for production environments. Annual penetration testing performed; SOC 2 and penetration test reports available upon request. SOC 2+ extends the standard control set with HIPAA Security Rule alignment and mapping to GDPR, PCI DSS, and UK NCSC Cloud Security Principles.”
Verify on paloaltonetworks.com“ISO certification(s) demonstrates to customers that Palo Alto Networks has been independently assessed to have appropriate processes in place to help ensure the security and reliability of sensitive customer data. XSOAR Hosted Service documentation confirms ISO 27001 certification for its production environment.”
Verify on paloaltonetworks.com“ISO 27017 provides cloud-specific information security controls supplementing ISO 27001 and ISO 27002. Palo Alto Networks holds this certification.”
Verify on paloaltonetworks.com“ISO 27018 focuses on safeguarding PII in public cloud settings. Palo Alto Networks holds this certification.”
Verify on paloaltonetworks.com“ISO 27701 is an extension to ISO 27001 through its own set of privacy-specific requirements. Palo Alto Networks holds this certification.”
Verify on paloaltonetworks.com“ISO 42001 is an Artificial Intelligence Management System standard published in late 2023; enables organizations to establish AI management frameworks. Palo Alto Networks holds this certification.”
Verify on paloaltonetworks.com“ISO 22301 is a Business Continuity Management System certification. Palo Alto Networks holds this certification.”
Verify on paloaltonetworks.com“ISO 27032 is a cybersecurity framework standard. Palo Alto Networks holds this certification.”
Verify on paloaltonetworks.com“This Privacy Statement applies to personal information collected by Palo Alto Networks while acting in the capacity of a data controller, as that term is defined in the European Union's (EU) General Data Protection Regulation. Customer Data Processing Addendum (DPA) is available. Certified to EU-US Data Privacy Framework, Swiss-US DPF, and UK extension to EU-US DPF.”
Verify on paloaltonetworks.com“Cortex XSOAR is listed among Cortex platform products that achieved FedRAMP High Authorization as of January 30, 2025, representing an uplift from prior Moderate authorization. Cortex XSOAR FedRAMP uses FIPS 140-2 cryptographic modules for protection of data in transit and at rest, with all cipher suites in compliance with NIST SP800-52r2 guidance.”
Verify on paloaltonetworks.com“The Payment Card Industry Data Security Standards (PCI DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Listed on Palo Alto Networks' official certifications page. Product-specific scope for XSOAR not separately enumerated.”
Verify on paloaltonetworks.com“The CSA STAR (Security, Trust, Assurance, and Risk) Certification is a comprehensive security standard for cloud service providers. It evaluates the provider's security controls based on the Cloud Security Alliance's best practices, ensuring transparency, accountability, and trust in cloud environments. Listed on Palo Alto Networks' official certifications page.”
Verify on paloaltonetworks.com“StateRAMP brings SLED customers together to develop standards for cloud security, educate on best practices, and recognize a common method for verifying the cloud security of service providers. Listed on Palo Alto Networks' official certifications page.”
Verify on paloaltonetworks.com“Cortex XSOAR FedRAMP uses FIPS 140-2 cryptographic modules for protection of data in transit and at rest, with all cipher suites in compliance with NIST SP800-52r2 guidance.”
Verify on paloaltonetworks.com“Cloud Computing Compliance Controls Catalog (C5) is a German Government-backed attestation scheme. Listed on Palo Alto Networks' official certifications page.”
Verify on paloaltonetworks.com“The Information Security Registered Assessors Program (IRAP) provides a framework for assessing the implementation and effectiveness of an organization's security controls against the Australian government's security requirements. Listed on Palo Alto Networks' official certifications page.”
Verify on paloaltonetworks.com“Cyber Essentials Plus is a UK government-backed scheme. Listed on Palo Alto Networks' official certifications page.”
Verify on paloaltonetworks.com“The Information System Security Management and Assessment Program (ISMAP) is a Japanese government initiative to evaluate and certify the security of cloud service providers. Listed on Palo Alto Networks' official certifications page.”
Verify on paloaltonetworks.com“Palo Alto Networks is Esquema Nacional de Seguridad (ENS) High certified. The ENS accreditation scheme has been developed by the Ministry of Finance and Public Administration and the CCN (National Cryptologic Centre).”
Verify on paloaltonetworks.com“Palo Alto Networks has been certified to the Global Cross-Border Privacy Rules system.”
Verify on paloaltonetworks.com“Palo Alto Networks has been certified to the Global Privacy Recognition for Processors system.”
> Show 1 unconfirmed / not-held certifications
source: paloaltonetworks.comNo vendor receives official HIPAA certification from the U.S. government. SOC 2+ report includes HIPAA Security Rule alignment and mapping. BAA is reported to be available for eligible Palo Alto Networks services; XSOAR-specific BAA coverage requires direct sales engagement to confirm. No public listing of XSOAR as an explicitly HIPAA-covered service found.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Cloud: US-hosted on AWS by default. Data transfer impact assessments are published for US, India, Singapore, Costa Rica, Colombia, Australia, and Mexico. Specific regional deployment options are available per contract. FedRAMP environments use US-only data residency.
GenAI features within XSOAR use Retrieval Augmented Generation (RAG) and are designed so that customer private data is not used to train commercial LLM models. Cortex AgentiX (2026 XSOAR successor) was described as trained on 1.2 billion playbooks; whether any real customer playbooks were included in this training dataset is not publicly confirmed. On-premises deployment option is available for organizations that require complete data control. No explicit opt-out mechanism is publicly documented for the cloud-hosted service.
// Security controls
Encryption in transit
TLS for all communications between Cortex XSOAR components and third-party tools. FedRAMP variant uses FIPS 140-2 compliant cipher suites per NIST SP800-52r2.
docs-cortex.paloaltonetworks.comEncryption at rest
AWS EBS volume encryption using dedicated per-customer Customer Master Keys (CMKs) via AWS KMS. Integration credentials and authentication data (passwords, API keys) stored encrypted. Keys rotated annually; manual rotation available if a vulnerability is discovered.
docs-cortex.paloaltonetworks.comPenetration testing
Annual penetration testing performed; reports available under NDA upon request through the Trust Center security report request service.
docs-cortex.paloaltonetworks.comAccess controls
Default access restricted to customer users and authorized Palo Alto Networks personnel. Support team access granted only when a support case is opened. Active Directory, SSO, and other advanced authentication methods supported.
docs-cortex.paloaltonetworks.comNetwork security
Inbound traffic limited to port 443. Web interface access can be restricted to specific CIDRs (up to 100 custom rules). DDoS protection via AWS load balancer. Static outbound IP available for internal device connections.
docs-cortex.paloaltonetworks.comVulnerability management
Security Assurance and Vulnerability Disclosure Policy published. Security Advisories provide timely information on product vulnerabilities. Trust 360 Program provides a consolidated view of security, compliance, and privacy controls.
paloaltonetworks.com// Products & data scope
data: Security incident data, threat intelligence, integration credentials, alert data, playbook automation outputs. Production environment is SOC 2 Type II and ISO 27001 certified. Development instances are explicitly NOT SOC 2 compliant.
900+ prebuilt integration packs. Visual code-free playbook editor. Multi-tenant deployment available for MSSPs. FedRAMP High authorized as of January 2025.
data: Customer-controlled deployment. All data remains within customer infrastructure. No cloud data exposure.
Customer manages all compliance and security controls independently. Recommended for strict data residency or air-gapped environments.
data: AI-driven autonomous SOC agent. Stated to be trained on 1.2 billion playbooks; customer-data training scope not publicly confirmed.
Announced as successor to Cortex XSOAR. Standalone version expected in early 2026. AI training posture requires clarification before use in regulated environments.
// What to watch
- CERT-SCOPE: Most certifications are held at the Palo Alto Networks, Inc. corporate level. Cortex XSOAR Hosted Service explicitly confirms SOC 2 Type II and ISO 27001 in product documentation. FedRAMP High is confirmed specifically for Cortex XSOAR as of January 2025. Other org-level certs (PCI DSS, CSA STAR, ISO 27017/18/27701 etc.) should be treated as organizational in scope unless confirmed per-product.
- HIPAA-AMBIGUITY: No standalone HIPAA certification exists for any vendor. SOC 2+ report maps controls to the HIPAA Security Rule. BAA is available for eligible services but XSOAR-specific BAA coverage requires direct confirmation from Palo Alto Networks sales or legal.
- AI-TRAINING-UNCONFIRMED: Cortex AgentiX (2026 XSOAR successor) is described as trained on 1.2 billion playbooks. Whether real customer playbooks contributed to this training dataset is not publicly confirmed. Customers in regulated industries should obtain written confirmation before migrating to AgentiX.
- DEV-INSTANCE-NOT-IN-SCOPE: The XSOAR Hosted Service documentation explicitly states that development instances are not SOC 2 compliant. Only production environments carry SOC 2 Type II and ISO 27001 coverage.
- LEGACY-NAME: The catalog slug references 'Demisto,' the name of the company acquired by Palo Alto Networks in 2019. The current legal entity is Palo Alto Networks, Inc. and the current product name is Cortex XSOAR. Identity is certain; 'Demisto' is a legacy naming artifact.
// At a glance
Pricing model
Enterprise licensing via Palo Alto Networks sales team. No public pricing listed. Contact sales for quote.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Palo Alto Networks, Inc. (formerly Demisto, Inc., acquired 2019)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
paloaltonetworks.com