// Trust & Security Report
Palo Alto Networks, Inc.
Cortex: AI-driven security operations platform including XDR (endpoint/XDR), XSIAM (AI-powered SOC and next-gen SIEM), XSOAR (security orchestration and automation), Xpanse (attack surface management), Cortex Cloud (CNAPP), Advanced Email Security, and AgentiX (agentic AI security workforce)
Certifications held
31
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on paloaltonetworks.com“SOC 2+ represents an additional level of certification against an expanded control set, including control alignment against the HIPAA Security Rule, and additionally maps product controls to key controls for GDPR, PCI DSS, and UK NCSC Cloud Security Principles.”
Verify on paloaltonetworks.com“ISO certification(s) demonstrates to customers that Palo Alto Networks has been independently assessed to have appropriate processes in place to help ensure the security and reliability of sensitive customer data. Certified standards include ISO 27001 (Information Security Management System).”
Verify on paloaltonetworks.com“Palo Alto Networks holds ISO 27017 certification, which provides guidance on the information security aspects of cloud computing, recommending cloud-specific information security controls and implementation guidance specific to cloud service providers.”
Verify on paloaltonetworks.com“Palo Alto Networks holds ISO 27018 certification, a code of practice focusing on protection of personal data in the cloud, providing implementation guidance on controls applicable to public cloud PII.”
Verify on paloaltonetworks.com“Palo Alto Networks holds ISO 27701 certification, which specifies requirements for establishing a privacy information management system (PIMS) as an extension to ISO 27001.”
Verify on paloaltonetworks.com“Palo Alto Networks holds ISO 42001 certification — the first international management system standard for artificial intelligence. MSECB certificate PDF hosted at paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/legal/technical-certifications/iso-42001.pdf. Confirmed on ISO certifications page listing ISO 42001 among held certs.”
Verify on paloaltonetworks.com“Palo Alto Networks holds ISO 22301 certification for Business Continuity Management System, supporting its Operational Resilience Program.”
Verify on paloaltonetworks.com“The Payment Card Industry Data Security Standards (PCI DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. [Listed as held on Palo Alto Networks certifications page. SOC 2+ also maps controls to PCI DSS.]”
Verify on paloaltonetworks.com“Cortex has achieved FedRAMP High Authorization, marking a significant milestone for government security operations. As the first and only AI-driven SOC platform to secure FedRAMP High Authorization, Cortex empowers federal agencies with industry-leading capabilities. (Authorized January 30, 2025; covers Cortex XDR, XSIAM, XSOAR, Xpanse.)”
Verify on paloaltonetworks.com“Palo Alto Networks delivers the most comprehensive suite of AI-powered cybersecurity solutions authorized for use in federal networks at the Moderate and High Impact level, with 20+ FedRAMP Authorized solutions across network, cloud and security operations.”
Verify on paloaltonetworks.com“StateRAMP brings SLED customers together to develop standards for cloud security, educate on best practices, and recognize a common method for verifying the cloud security of service providers. [Listed as held on Palo Alto Networks certifications page.]”
Verify on paloaltonetworks.com“The CSA STAR (Security, Trust, Assurance, and Risk) Certification is a comprehensive security standard for cloud service providers. It evaluates the provider's security controls based on the Cloud Security Alliance's best practices, ensuring transparency, accountability, and trust in cloud environments. [Listed as held on Palo Alto Networks certifications page.]”
Verify on paloaltonetworks.com“SOC 2+ includes control alignment against the HIPAA Security Rule. Cortex XSIAM meets FedRAMP High, HIPAA, and ISO requirements from day one, with 35+ security and compliance certifications and prebuilt templates to keep you audit-ready. Note: HIPAA is a regulatory posture, not a standalone certification; explicit BAA availability not confirmed in public documentation.”
Verify on paloaltonetworks.com“The Data Processing Addendum reflects Palo Alto Networks' pledge to privacy, security, and responsibility for our global customers. Standard Contractual Clauses available for EEA transfers; GDPR user rights (access, portability, rectification, erasure, restriction) documented. SOC 2+ maps controls to GDPR key controls.”
Verify on paloaltonetworks.com“Cloud Computing Compliance Controls Catalog (C5) is a German Government-backed attestation scheme to help organizations demonstrate operational security against common cyber-attacks when using cloud services. [Listed as held on Palo Alto Networks certifications page.]”
Verify on paloaltonetworks.com“The Information Security Registered Assessors Program (IRAP) provides a framework for assessing the implementation and effectiveness of an organization's security controls against the Australian government's security requirements. [Listed as held on Palo Alto Networks certifications page.]”
Verify on paloaltonetworks.com“The Information System Security Management and Assessment Program (ISMAP) is a Japanese government initiative to evaluate and certify the security of cloud service providers. [Listed as held on Palo Alto Networks certifications page.]”
Verify on paloaltonetworks.com“The Trusted Information Security Assessment Exchange (TISAX) assessment is a European automotive industry-standard information security assessment catalog. [Listed as held on Palo Alto Networks certifications page.]”
Verify on paloaltonetworks.com“Common Criteria for Information Technology Security Evaluation is an international standard (ISO-IEC 15408) providing assurance that specification, implementation, and evaluation of security measures has been conducted in a rigorous, standardized, and repeatable manner. [Listed as held on Palo Alto Networks certifications page.]”
Verify on paloaltonetworks.com“The Federal Information Processing Standard (FIPS) 140 is a U.S. Government standard defining security requirements for cryptographic modules protecting sensitive information. [Listed as held on Palo Alto Networks certifications page.]”
Verify on paloaltonetworks.com“Palo Alto Networks is Esquema Nacional de Seguridad (ENS) High certified. The ENS accreditation scheme has been developed by the Ministry of Finance and Public Administration and the CCN (National Cryptologic Centre).”
Verify on paloaltonetworks.com“Cyber Essentials Plus is a UK government-backed, industry-supported scheme to help organizations protect themselves against common online threats. [Listed as held on Palo Alto Networks certifications page.]”
Verify on paloaltonetworks.com“The Canadian Centre for Cyber Security (CCCS) Protected B Medium Integrity Medium Availability (PBMM) assessment signifies an organization's adherence to stringent cybersecurity standards for protecting sensitive government information. [Listed as held on Palo Alto Networks certifications page.]”
Verify on paloaltonetworks.com“Unit 42 is one of few top-tier incident responders assured at the Enhanced level of the NCSC assured Cyber Incident Response (CIR) scheme, which gives clients confidence in providers that meet its rigorous standards for high quality cyber incident response.”
Verify on paloaltonetworks.com“Palo Alto Networks has been awarded the CIS Controls Accreditation which confirms the ability to provide CIS Critical Security Controls implementation, auditing, and/or assessment with the assurance that we have met the consistent and rigorous standards of CREST certification.”
Verify on paloaltonetworks.com“Palo Alto Networks has been certified to the Global Cross-Border Privacy Rules system.”
Verify on paloaltonetworks.com“Palo Alto Networks has been certified to the Global Privacy Recognition for Processors system.”
Verify on paloaltonetworks.com“The Top Level Certification from ANSSI (National Agency for Information Systems Security) is a French Government certification for information security products recognized by the French administration and operators of vital importance. [Listed as held on Palo Alto Networks certifications page.]”
Verify on paloaltonetworks.com“The Department of Defense Information Network Approved Products List (DODIN APL) includes products that have completed cybersecurity and interoperability requirements for sale to the U.S. Department of Defense. [Listed as held on Palo Alto Networks certifications page.]”
Verify on paloaltonetworks.com“The Commercial Solutions for Classified (CSfC) Program has been established by the U.S. National Security Agency (NSA). It enables organizations to transmit classified information using commercially available technology. [Listed as held on Palo Alto Networks certifications page.]”
Verify on paloaltonetworks.com“The Agenzia per la Cybersicurezza Nazionale (ACN) certification system is a key part of Italy's cybersecurity framework, designed to ensure the security and reliability of IT products and services used by the public administration and critical national infrastructure. [Listed as held on Palo Alto Networks certifications page.]”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Multi-region: US, EU, and additional regions. Data transfer impact assessments cover US, India, Singapore, Costa Rica, Colombia, Australia, and Mexico. EEA transfers are protected via Standard Contractual Clauses and Transatlantic Data Privacy Framework. Regional cloud deployment options are available with subprocessor locations publicly documented.
XSOAR GenAI/RAG documentation explicitly states 'Private, customer data not used in training a commercial LLM model.' Palo Alto Networks publishes AI Transparency Datasheets for 15+ Cortex and Prisma products explaining 'how they use data and the steps we take to ensure fair, responsible results.' The company holds ISO 42001 (AI Management System) and publishes Responsible AI Principles and Responsible AI Framework whitepapers. The broader Cortex platform AI training policy is not consolidated in a single public policy page; enterprise contracts are the definitive source for contractual commitments on this topic.
// Security controls
Encryption in transit
TLS (enterprise standard implied; specifics documented in Statement of Applicability available under NDA via Trust Center request desk)
paloaltonetworks.comEncryption at rest
Confirmed via SOC 2+ and ISO 27001 controls coverage; detailed cryptographic specifications available under NDA. FIPS 140 certified cryptographic modules.
paloaltonetworks.comVulnerability management
Security Assurance and Vulnerability Disclosure Policy in place; active security advisories published via PSIRT portal; penetration test results available under NDA via Trust Center service desk
paloaltonetworks.comOperational resilience
Operational Resilience Program integrates 'industry-leading protocols to protect data integrity and enable enhanced continuity of operations across global infrastructure.' ISO 22301 (Business Continuity) certified.
paloaltonetworks.comSupply chain security
Documented supply chain integrity program aligned with government-promoted best practices for ICT ecosystem resilience
paloaltonetworks.comSecurity reporting and transparency
Trust 360 Program: 'security, compliance, and privacy controls in place to safeguard customers' most sensitive data.' SOA and penetration test reports available under NDA on request. Compliance reports available via service desk.
paloaltonetworks.comTechnical and organizational measures
Documentation outlines 'technical and organizational security measures to minimize the risk of incidental loss, destruction, alteration, unauthorized disclosure, unauthorized access, or unlawful destruction of data.'
paloaltonetworks.com// Products & data scope
data: Endpoint telemetry (process, file, network events), threat intelligence, identity data; integrates network and cloud telemetry
FedRAMP High authorized; 100% detection in MITRE ATT&CK Evaluations; Gartner Magic Quadrant EPP leader
data: Unified security telemetry from endpoint, network, cloud, identity, email; all data ingested into Extended Data Lake (XDL)
FedRAMP High authorized (Jan 2025); HIPAA, FedRAMP High, and ISO requirements met; 35+ compliance prebuilt templates
data: Incident data, threat intelligence feeds, third-party integration data; 1,300+ prebuilt playbooks
FedRAMP authorized; GenAI RAG feature explicitly states customer data is not used to train commercial LLMs
data: Internet-facing asset inventory and metadata; passive scan data across all 65,000 ports; no customer-sensitive content stored
FedRAMP authorized; industry-leading ASM with 100% asset coverage claim
data: Cloud workload telemetry, application code scan results, IaC configurations, runtime security data
FedRAMP High and Moderate authorized (launched Feb 2025); vendor claims first and only FedRAMP High authorized CNAPP
data: Email content, headers, and attachments processed for threat detection; LLM-driven analytics applied
AI/LLM-driven phishing and advanced threat detection; AI Transparency Datasheet published
data: Security operations workflows, AI agent actions and audit logs; newest platform product
Governed by Responsible AI Principles and ISO 42001 framework; described as 'industry's most secure platform to build, deploy, and govern the AI agent workforce'
// What to watch
- AI training posture: explicit 'customer data not used for training commercial LLMs' statement found only in Cortex XSOAR GenAI/RAG documentation; no single authoritative public policy page covers all Cortex products. ISO 42001 certification and published Responsible AI Principles substantially mitigate this risk.
- SOC 2+ exact report period and precise in-scope product list are not publicly disclosed; available only under NDA via Trust Center request desk.
- HIPAA: compliance posture confirmed via SOC 2+ HIPAA Security Rule alignment and XSIAM product claims; explicit Business Associate Agreement (BAA) availability not confirmed in public documentation. Enterprise contracts typically include BAA.
- ISO 42001 certificate PDF is hosted at paloaltonetworks.com but binary encoding prevented text extraction; confirmation of this cert relied on ISO certifications trust center subpage listing.
- Certifications page lists all certs at the company level (Palo Alto Networks, Inc.) without specifying which apply to each Cortex sub-product. FedRAMP authorizations explicitly name Cortex products; other certs may vary by product scope.
// At a glance
Pricing model
Enterprise subscription (SaaS); per-product licensing with endpoint counts and data volume tiers; no public per-seat pricing; contact sales or demo required
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Palo Alto Networks, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
paloaltonetworks.com