// Trust & Security Report

    Palo Alto Networks, Inc. logo

    Palo Alto Networks, Inc.

    Cortex: AI-driven security operations platform including XDR (endpoint/XDR), XSIAM (AI-powered SOC and next-gen SIEM), XSOAR (security orchestration and automation), Xpanse (attack surface management), Cortex Cloud (CNAPP), Advanced Email Security, and AgentiX (agentic AI security workforce)

    Certifications held

    31

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2+ (Type 2)
    HELD

    SOC 2+ represents an additional level of certification against an expanded control set, including control alignment against the HIPAA Security Rule, and additionally maps product controls to key controls for GDPR, PCI DSS, and UK NCSC Cloud Security Principles.

    Verify on paloaltonetworks.com
    ISO 27001
    HELD

    ISO certification(s) demonstrates to customers that Palo Alto Networks has been independently assessed to have appropriate processes in place to help ensure the security and reliability of sensitive customer data. Certified standards include ISO 27001 (Information Security Management System).

    Verify on paloaltonetworks.com
    ISO 27017
    HELD

    Palo Alto Networks holds ISO 27017 certification, which provides guidance on the information security aspects of cloud computing, recommending cloud-specific information security controls and implementation guidance specific to cloud service providers.

    Verify on paloaltonetworks.com
    ISO 27018
    HELD

    Palo Alto Networks holds ISO 27018 certification, a code of practice focusing on protection of personal data in the cloud, providing implementation guidance on controls applicable to public cloud PII.

    Verify on paloaltonetworks.com
    ISO 27701
    HELD

    Palo Alto Networks holds ISO 27701 certification, which specifies requirements for establishing a privacy information management system (PIMS) as an extension to ISO 27001.

    Verify on paloaltonetworks.com
    ISO 42001 (AI Management System)
    HELD

    Palo Alto Networks holds ISO 42001 certification — the first international management system standard for artificial intelligence. MSECB certificate PDF hosted at paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/legal/technical-certifications/iso-42001.pdf. Confirmed on ISO certifications page listing ISO 42001 among held certs.

    Verify on paloaltonetworks.com
    ISO 22301 (Business Continuity)
    HELD

    Palo Alto Networks holds ISO 22301 certification for Business Continuity Management System, supporting its Operational Resilience Program.

    Verify on paloaltonetworks.com
    PCI DSS
    HELD

    The Payment Card Industry Data Security Standards (PCI DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. [Listed as held on Palo Alto Networks certifications page. SOC 2+ also maps controls to PCI DSS.]

    Verify on paloaltonetworks.com
    FedRAMP High (Cortex platform)
    HELD

    Cortex has achieved FedRAMP High Authorization, marking a significant milestone for government security operations. As the first and only AI-driven SOC platform to secure FedRAMP High Authorization, Cortex empowers federal agencies with industry-leading capabilities. (Authorized January 30, 2025; covers Cortex XDR, XSIAM, XSOAR, Xpanse.)

    Verify on paloaltonetworks.com
    FedRAMP Moderate
    HELD

    Palo Alto Networks delivers the most comprehensive suite of AI-powered cybersecurity solutions authorized for use in federal networks at the Moderate and High Impact level, with 20+ FedRAMP Authorized solutions across network, cloud and security operations.

    Verify on paloaltonetworks.com
    StateRAMP
    HELD

    StateRAMP brings SLED customers together to develop standards for cloud security, educate on best practices, and recognize a common method for verifying the cloud security of service providers. [Listed as held on Palo Alto Networks certifications page.]

    Verify on paloaltonetworks.com
    CSA STAR
    HELD

    The CSA STAR (Security, Trust, Assurance, and Risk) Certification is a comprehensive security standard for cloud service providers. It evaluates the provider's security controls based on the Cloud Security Alliance's best practices, ensuring transparency, accountability, and trust in cloud environments. [Listed as held on Palo Alto Networks certifications page.]

    Verify on paloaltonetworks.com
    HIPAA (regulatory compliance posture)
    HELD

    SOC 2+ includes control alignment against the HIPAA Security Rule. Cortex XSIAM meets FedRAMP High, HIPAA, and ISO requirements from day one, with 35+ security and compliance certifications and prebuilt templates to keep you audit-ready. Note: HIPAA is a regulatory posture, not a standalone certification; explicit BAA availability not confirmed in public documentation.

    Verify on paloaltonetworks.com
    GDPR (regulatory compliance posture)
    HELD

    The Data Processing Addendum reflects Palo Alto Networks' pledge to privacy, security, and responsibility for our global customers. Standard Contractual Clauses available for EEA transfers; GDPR user rights (access, portability, rectification, erasure, restriction) documented. SOC 2+ maps controls to GDPR key controls.

    Verify on paloaltonetworks.com
    Germany C5
    HELD

    Cloud Computing Compliance Controls Catalog (C5) is a German Government-backed attestation scheme to help organizations demonstrate operational security against common cyber-attacks when using cloud services. [Listed as held on Palo Alto Networks certifications page.]

    Verify on paloaltonetworks.com
    IRAP (Australia)
    HELD

    The Information Security Registered Assessors Program (IRAP) provides a framework for assessing the implementation and effectiveness of an organization's security controls against the Australian government's security requirements. [Listed as held on Palo Alto Networks certifications page.]

    Verify on paloaltonetworks.com
    ISMAP (Japan)
    HELD

    The Information System Security Management and Assessment Program (ISMAP) is a Japanese government initiative to evaluate and certify the security of cloud service providers. [Listed as held on Palo Alto Networks certifications page.]

    Verify on paloaltonetworks.com
    TISAX
    HELD

    The Trusted Information Security Assessment Exchange (TISAX) assessment is a European automotive industry-standard information security assessment catalog. [Listed as held on Palo Alto Networks certifications page.]

    Verify on paloaltonetworks.com
    Common Criteria (ISO/IEC 15408)
    HELD

    Common Criteria for Information Technology Security Evaluation is an international standard (ISO-IEC 15408) providing assurance that specification, implementation, and evaluation of security measures has been conducted in a rigorous, standardized, and repeatable manner. [Listed as held on Palo Alto Networks certifications page.]

    Verify on paloaltonetworks.com
    FIPS 140
    HELD

    The Federal Information Processing Standard (FIPS) 140 is a U.S. Government standard defining security requirements for cryptographic modules protecting sensitive information. [Listed as held on Palo Alto Networks certifications page.]

    Verify on paloaltonetworks.com
    ENS High (Spain)
    HELD

    Palo Alto Networks is Esquema Nacional de Seguridad (ENS) High certified. The ENS accreditation scheme has been developed by the Ministry of Finance and Public Administration and the CCN (National Cryptologic Centre).

    Verify on paloaltonetworks.com
    Cyber Essentials Plus (UK)
    HELD

    Cyber Essentials Plus is a UK government-backed, industry-supported scheme to help organizations protect themselves against common online threats. [Listed as held on Palo Alto Networks certifications page.]

    Verify on paloaltonetworks.com
    PBMM (Canada Protected B)
    HELD

    The Canadian Centre for Cyber Security (CCCS) Protected B Medium Integrity Medium Availability (PBMM) assessment signifies an organization's adherence to stringent cybersecurity standards for protecting sensitive government information. [Listed as held on Palo Alto Networks certifications page.]

    Verify on paloaltonetworks.com
    NCSC CIR Enhanced Level (UK, Unit 42)
    HELD

    Unit 42 is one of few top-tier incident responders assured at the Enhanced level of the NCSC assured Cyber Incident Response (CIR) scheme, which gives clients confidence in providers that meet its rigorous standards for high quality cyber incident response.

    Verify on paloaltonetworks.com
    CIS Controls Accreditation
    HELD

    Palo Alto Networks has been awarded the CIS Controls Accreditation which confirms the ability to provide CIS Critical Security Controls implementation, auditing, and/or assessment with the assurance that we have met the consistent and rigorous standards of CREST certification.

    Verify on paloaltonetworks.com
    Global Cross-Border Privacy Rules (GCBPR)
    HELD

    Palo Alto Networks has been certified to the Global Cross-Border Privacy Rules system.

    Verify on paloaltonetworks.com
    Global Privacy Recognition for Processors (PRFP)
    HELD

    Palo Alto Networks has been certified to the Global Privacy Recognition for Processors system.

    Verify on paloaltonetworks.com
    ANSSI CSPN Top-Level Certification (France)
    HELD

    The Top Level Certification from ANSSI (National Agency for Information Systems Security) is a French Government certification for information security products recognized by the French administration and operators of vital importance. [Listed as held on Palo Alto Networks certifications page.]

    Verify on paloaltonetworks.com
    DODIN APL (U.S. DoD)
    HELD

    The Department of Defense Information Network Approved Products List (DODIN APL) includes products that have completed cybersecurity and interoperability requirements for sale to the U.S. Department of Defense. [Listed as held on Palo Alto Networks certifications page.]

    Verify on paloaltonetworks.com
    CSfC (NSA Commercial Solutions for Classified)
    HELD

    The Commercial Solutions for Classified (CSfC) Program has been established by the U.S. National Security Agency (NSA). It enables organizations to transmit classified information using commercially available technology. [Listed as held on Palo Alto Networks certifications page.]

    Verify on paloaltonetworks.com
    ACN (Italy)
    HELD

    The Agenzia per la Cybersicurezza Nazionale (ACN) certification system is a key part of Italy's cybersecurity framework, designed to ensure the security and reliability of IT products and services used by the public administration and critical national infrastructure. [Listed as held on Palo Alto Networks certifications page.]

    Verify on paloaltonetworks.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Multi-region: US, EU, and additional regions. Data transfer impact assessments cover US, India, Singapore, Costa Rica, Colombia, Australia, and Mexico. EEA transfers are protected via Standard Contractual Clauses and Transatlantic Data Privacy Framework. Regional cloud deployment options are available with subprocessor locations publicly documented.

    XSOAR GenAI/RAG documentation explicitly states 'Private, customer data not used in training a commercial LLM model.' Palo Alto Networks publishes AI Transparency Datasheets for 15+ Cortex and Prisma products explaining 'how they use data and the steps we take to ensure fair, responsible results.' The company holds ISO 42001 (AI Management System) and publishes Responsible AI Principles and Responsible AI Framework whitepapers. The broader Cortex platform AI training policy is not consolidated in a single public policy page; enterprise contracts are the definitive source for contractual commitments on this topic.

    // Security controls

    Encryption in transit

    TLS (enterprise standard implied; specifics documented in Statement of Applicability available under NDA via Trust Center request desk)

    paloaltonetworks.com

    Encryption at rest

    Confirmed via SOC 2+ and ISO 27001 controls coverage; detailed cryptographic specifications available under NDA. FIPS 140 certified cryptographic modules.

    paloaltonetworks.com

    Vulnerability management

    Security Assurance and Vulnerability Disclosure Policy in place; active security advisories published via PSIRT portal; penetration test results available under NDA via Trust Center service desk

    paloaltonetworks.com

    Operational resilience

    Operational Resilience Program integrates 'industry-leading protocols to protect data integrity and enable enhanced continuity of operations across global infrastructure.' ISO 22301 (Business Continuity) certified.

    paloaltonetworks.com

    Supply chain security

    Documented supply chain integrity program aligned with government-promoted best practices for ICT ecosystem resilience

    paloaltonetworks.com

    Security reporting and transparency

    Trust 360 Program: 'security, compliance, and privacy controls in place to safeguard customers' most sensitive data.' SOA and penetration test reports available under NDA on request. Compliance reports available via service desk.

    paloaltonetworks.com

    Technical and organizational measures

    Documentation outlines 'technical and organizational security measures to minimize the risk of incidental loss, destruction, alteration, unauthorized disclosure, unauthorized access, or unlawful destruction of data.'

    paloaltonetworks.com

    // Products & data scope

    Cortex XDREndpoint Protection / Extended Detection and Response

    data: Endpoint telemetry (process, file, network events), threat intelligence, identity data; integrates network and cloud telemetry

    FedRAMP High authorized; 100% detection in MITRE ATT&CK Evaluations; Gartner Magic Quadrant EPP leader

    Cortex XSIAMAI-driven SOC Platform / Next-Gen SIEM

    data: Unified security telemetry from endpoint, network, cloud, identity, email; all data ingested into Extended Data Lake (XDL)

    FedRAMP High authorized (Jan 2025); HIPAA, FedRAMP High, and ISO requirements met; 35+ compliance prebuilt templates

    Cortex XSOARSecurity Orchestration, Automation and Response (SOAR)

    data: Incident data, threat intelligence feeds, third-party integration data; 1,300+ prebuilt playbooks

    FedRAMP authorized; GenAI RAG feature explicitly states customer data is not used to train commercial LLMs

    Cortex XpanseAttack Surface Management (ASM)

    data: Internet-facing asset inventory and metadata; passive scan data across all 65,000 ports; no customer-sensitive content stored

    FedRAMP authorized; industry-leading ASM with 100% asset coverage claim

    Cortex CloudCloud-Native Application Protection Platform (CNAPP)

    data: Cloud workload telemetry, application code scan results, IaC configurations, runtime security data

    FedRAMP High and Moderate authorized (launched Feb 2025); vendor claims first and only FedRAMP High authorized CNAPP

    Cortex Advanced Email SecurityEmail Security

    data: Email content, headers, and attachments processed for threat detection; LLM-driven analytics applied

    AI/LLM-driven phishing and advanced threat detection; AI Transparency Datasheet published

    Cortex AgentiXAgentic AI Security Workforce Platform

    data: Security operations workflows, AI agent actions and audit logs; newest platform product

    Governed by Responsible AI Principles and ISO 42001 framework; described as 'industry's most secure platform to build, deploy, and govern the AI agent workforce'

    // What to watch

    • AI training posture: explicit 'customer data not used for training commercial LLMs' statement found only in Cortex XSOAR GenAI/RAG documentation; no single authoritative public policy page covers all Cortex products. ISO 42001 certification and published Responsible AI Principles substantially mitigate this risk.
    • SOC 2+ exact report period and precise in-scope product list are not publicly disclosed; available only under NDA via Trust Center request desk.
    • HIPAA: compliance posture confirmed via SOC 2+ HIPAA Security Rule alignment and XSIAM product claims; explicit Business Associate Agreement (BAA) availability not confirmed in public documentation. Enterprise contracts typically include BAA.
    • ISO 42001 certificate PDF is hosted at paloaltonetworks.com but binary encoding prevented text extraction; confirmation of this cert relied on ISO certifications trust center subpage listing.
    • Certifications page lists all certs at the company level (Palo Alto Networks, Inc.) without specifying which apply to each Cortex sub-product. FedRAMP authorizations explicitly name Cortex products; other certs may vary by product scope.

    // At a glance

    Pricing model

    Enterprise subscription (SaaS); per-product licensing with endpoint counts and data volume tiers; no public per-seat pricing; contact sales or demo required

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Palo Alto Networks, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    paloaltonetworks.com

    > Browse all vendor trust reports