Compete by Solution

GlobalProtect &
Prisma Agent

GP-to-SASE migration compete. ZTNA 2.0 vs. 1.0, competitive battle cards, migration plays, and objection handling for the GlobalProtect → Prisma Agent transition.

Agent Comparison

GlobalProtect vs. Prisma Agent

What changes — and what stays the same — when migrating from GP to PAA. New PAA license entitles both agents simultaneously.

Capability GlobalProtect Prisma Agent
Architecture Portal/Gateway on NGFW or Prisma Access Cloud-managed via Strata Cloud Manager; NGFW also supported
Management Plane PAN-OS portal on NGFW (or Panorama) Cloud-based via Strata Cloud Manager
Endpoint DLP None Built-in
Anti-Tamper Limited Kernel-Level
Remote Troubleshooting Limited Remote Shell
Staged Rollouts Manual/MDM Built-in
ADEM Integration Add-on Native
NGFW Support Native Dual-Mode
Coexistence N/A Side-by-Side

Zero Trust Deep Dive

ZTNA 2.0 vs. ZTNA 1.0

ZTNA 2.0 is PAN's framework for true Zero Trust. Every major competitor operates at ZTNA 1.0 — grant access and go dark. This is the single most important competitive positioning concept.

Pillar ZTNA 1.0 (Competitors) ZTNA 2.0 (Prisma Access)
Least Privilege Access IP/port-based coarse access; malware on allowed ports gets free access Layer 7 App-ID — access at app AND sub-app level, independent of network constructs
Continuous Trust Verification One-time auth; connection trusted forever Trust continuously assessed on posture, behavior — revoked in real-time on anomaly
Continuous Security Inspection Inspect at connection time only Ongoing deep inspection of ALL traffic including allowed connections
Protect All Data Little / no DLP Unified DLP across all apps (private, SaaS, cloud) via single policy engine
Secure All Apps Web apps only; fails on dynamic ports, server-initiated, SaaS Secures cloud-native, legacy, SaaS, dynamic ports, and server-initiated connections

Killer Question for Competitors

"Does your ZTNA solution inspect traffic after access is granted? No? Then it's ZTNA 1.0 — and 100% of breaches happen on allowed activity. You're flying blind once the connection is established." Log4Shell, SolarWinds, and similar supply-chain attacks exploited lateral movement through authorized connections. ZTNA 1.0 would not have stopped these. ZTNA 2.0's continuous inspection catches the anomalous behavior.

Feature Comparison

Competitive Matrix

PAN GP/PAA/Prisma Access vs. Zscaler, Netskope, Cisco, Fortinet, and CrowdStrike across key SASE and ZTNA capabilities.

Capability PAN Prisma SASE Zscaler Netskope Cisco Fortinet CrowdStrike
Gartner SASE MQ 2025 Leader (3X, #1) Visionary Leader Challenger Leader N/A
ZTNA Model ZTNA 2.0 1.0 (Proxy) 1.0 (NPA) 1.0 1.0 MFA Only
Secure Browser Prisma Browser None None None None None
Native SD-WAN Prisma SD-WAN None Limited Separate Native None
Endpoint DLP Endpoint + Network Network Only Network + SaaS Limited Limited Endpoint Only
NGFW Consistency Same Policy No NGFW No NGFW ASA/FTD FortiOS No NGFW
Continuous Post-Connect Inspection Yes (SP3) No No No No No
Agent PAA / GlobalProtect Zscaler Client Connector Netskope Client Cisco Secure Client FortiClient Falcon Sensor

Battle Cards

Competitor Deep Dives

Zscaler — Client Connector (ZIA/ZPA)

Pure-play SSE vendor with ZIA (SWG) and ZPA (ZTNA). #1 on Execution in 2025 Gartner SSE MQ with 500B+ daily transactions and 160+ PoPs. However, Zscaler dropped to Visionary in the 2025 SASE MQ due to lack of native SD-WAN. Their ZTNA (ZPA) follows the "allow and ignore" ZTNA 1.0 model — no continuous deep packet inspection after connection.

Zscaler Internet Access (ZIA) Zscaler Private Access (ZPA) Zscaler Client Connector ZDX (Digital Experience) ZPA Launchpad

Where PAN Wins

  • SASE, not just SSE: Zscaler is a Visionary in the 2025 Gartner SASE MQ because they lack real SD-WAN. PAN is a 3X SASE Leader with native Prisma SD-WAN. If the customer needs branch connectivity, Zscaler sends them to a third-party vendor.
  • ZTNA 2.0 vs. 1.0: ZPA is a ZTNA 1.0 solution — "allow and ignore." Once access is granted, traffic is implicitly trusted with no deep inspection. Prisma Access continues inspecting every byte after connection via SP3.
  • Full L7 vs. Proxy: PAN's Single-Pass Parallel Processing (SP3) inspects App-ID, threats, and DLP simultaneously with minimal latency. Zscaler's proxy only sees web traffic, not custom protocols.
  • Natively integrated secure browser: Only PAN has a natively integrated enterprise browser (Prisma Access Browser) for BYOD. Zscaler has no equivalent — they rely on third-party RBI.
  • NGFW-to-cloud policy consistency: If the customer has PAN NGFWs on-prem, the same policies extend identically to cloud users. Zscaler customers maintain separate ZIA/ZPA + on-prem policies — zero policy fragmentation with PAN.

Where They're Strong

  • SSE market position: #1 on Ability to Execute in 2025 Gartner SSE MQ; 4X SSE Leader, 10X SWG Leader. Massive Fortune 500 installed base (40%).
  • Pure proxy architecture: Outbound-only, no inbound listeners — theoretically smaller attack surface for SSE-only deployments.
  • Scale: 500B transactions/day across 160+ PoPs. Proven at massive scale with extensive SaaS optimization.
  • TLS inspection claims: Claims 100% SSL inspection with no performance degradation via multitenant proxy architecture.
  • ZDX (Digital Experience Monitoring): Deep DEM integration with ZIA/ZPA sessions, strong ISP and SaaS latency visibility.

Landmines to Set

  • "Where is Zscaler in the SASE MQ?" — Point out Zscaler is Visionary (not Leader) in the 2025 SASE MQ due to their SD-WAN gap. They need a separate SD-WAN vendor, creating policy fragmentation.
  • "Does ZPA inspect traffic after access is granted?" — The answer is no. ZPA grants access then goes dark. 100% of breaches happen on allowed activity.
  • "How do you handle BYOD without an agent?" — Zscaler has no natively integrated enterprise browser. Force them to describe their agentless solution vs. Prisma Access Browser.
  • "How many separate consoles do you log into?" — ZIA and ZPA historically have separate management consoles with separate policies — operational friction.
  • "What about server-initiated connections?" — ZPA architecture makes server-to-client traffic (patch management, helpdesk tools) difficult without complex B2B configuration.

Traps They Set

  • "PAN uses firewalls and VPNs with exposed IPs that can be exploited" — Counter: Prisma Access is a cloud-delivered SASE platform, not a VPN. Prisma Agent connects to 100+ global PoPs with a dedicated data plane per customer — no exposed IP addresses, no noisy neighbor problems. This is the same architecture as Zscaler, but with deeper inspection.
  • "Zscaler is the SSE leader" — Counter: "We agree Zscaler leads in SSE. But SSE is only half of SASE. In the 2025 SASE MQ, Zscaler is a Visionary, not a Leader. If you want secure branches, MPLS migration, and remote users with one platform and one policy, only PAN delivers that."

Key Objections

Zscaler is the best at SSE — they're bigger in SSE.

Response: Zscaler leads in SSE — we don't dispute that. But SSE is only half of SASE. In the 2025 Gartner SASE MQ, Zscaler is a Visionary, not a Leader, because they have no real SD-WAN. If you want to secure your branches, your MPLS migration, and your remote users with one platform and one policy, only PAN delivers that. Zscaler will send you to a third-party SD-WAN vendor and you're back to managing two separate security policies.

Zscaler has more PoPs and better scale.

Response: Zscaler claims 160+ PoPs, but PAN's Prisma Access has 100+ PoPs across 87 countries on an AWS+GCP hyperscaler backbone with a dedicated data plane per customer. Zscaler's multitenant proxy means your traffic shares infrastructure with other customers. PAN gives you tenant isolation at the data plane — no noisy neighbor issues and consistent performance.

Netskope — Netskope Client (Netskope One)

SSE/SASE platform built on the NewEdge global backbone. #1 for Completeness of Vision in 2025 Gartner SSE MQ (3X) and a 2025 SASE MQ Leader. Strong inline DLP depth and SaaS API integrations, but weaker on network-layer threat prevention and no NGFW product line for on-prem consistency.

Netskope One Netskope Private Access (NPA) Netskope Client NewEdge Backbone SSPM

Where PAN Wins

  • Security depth: PAN has the most comprehensive threat prevention stack (WildFire, ATP, DNS Security, Advanced URL Filtering) — built from the same engine as the world's most-deployed NGFW. Netskope's threat capabilities are comparatively lighter, relying more on third-party feeds.
  • Platform breadth: PAN covers NGFW + SASE + SD-WAN + Endpoint (Cortex XDR) + Browser. Netskope is SSE-centric with no NGFW consistency for on-prem enforcement points.
  • ZTNA 2.0: Prisma Access provides continuous traffic inspection post-connection. NPA (Netskope Private Access) still follows an access-grant-and-trust pattern — no continuous deep inspection.
  • Prisma Access Browser: For BYOD and unmanaged device scenarios, PAN's natively integrated browser has no Netskope equivalent.

Where They're Strong

  • DLP leadership: Industry-leading inline DLP depth and granularity; #1 for Completeness of Vision in SSE MQ (3X).
  • Cloud-native architecture: Built ground-up for cloud with deep SaaS API integrations and strong SaaS Security Posture Management (SSPM).
  • Intelligent steering: Netskope Client is praised for flexible per-app split tunnel configurations.
  • SASE MQ Leader: Named a Leader in the 2025 Gartner SASE MQ alongside PAN and Fortinet.

Landmines to Set

  • "What does Netskope do for on-prem security?" — They have no NGFW product line. Organizations maintaining any on-prem enforcement need a separate vendor — creating policy fragmentation.
  • "How does NPA handle legacy protocols and server-initiated connections?" — NPA is newer vs. Prisma Access; lacks support for complex legacy protocols.
  • "What's your SD-WAN story for branch connectivity?" — Netskope has limited SD-WAN compared to PAN's native Prisma SD-WAN.

Traps They Set

  • "Netskope has better DLP" — Counter: Netskope's inline DLP is strong for SaaS and web. But PAN's Enterprise DLP covers network, endpoint (USB/printer control via PAA), SaaS, and cloud with a single policy. PAN also has the Prisma Access Browser for browser-level DLP enforcement. Compare apples to apples — full-stack DLP coverage, not just inline web DLP.
  • "Netskope is cloud-native, PAN is a firewall company" — Counter: Prisma Access runs on the same hyperscaler backbone (AWS+GCP) as any cloud-native vendor, with SP3 architecture processing all security in a single pass. The NGFW heritage is an advantage — it means deeper security inspection, not a liability.

Key Objections

Netskope's DLP is better than PAN's.

Response: Netskope's inline DLP is excellent for SaaS and web traffic. But PAN's Enterprise DLP covers network, endpoint (USB/printer control via Prisma Agent), SaaS, and cloud — all from a single policy engine with 1,000+ built-in classifiers, OCR, ML/NLP, EDM, and IDM. Plus the Prisma Access Browser provides browser-level DLP for BYOD. It's the difference between DLP for one channel vs. DLP everywhere.

Cisco — Secure Client (formerly AnyConnect)

AnyConnect is the #1 installed VPN client globally. Cisco's SASE story stitches together Umbrella (SWG/CASB), Duo (MFA), ISE (posture), and Secure Client (agent) — multiple acquisitions assembled, not built as a platform. Cisco is a Challenger in the 2025 Gartner SASE MQ with execution gaps in unified SASE delivery.

Cisco Secure Client Cisco Secure Connect Cisco Umbrella Cisco Duo Cisco ISE Viptela SD-WAN

Where PAN Wins

  • Unified SASE vs. multi-product: PAN Prisma SASE is a single platform from a single vendor. Cisco's SASE requires orchestrating Umbrella + Duo + Secure Client + SD-WAN — each with separate contracts, consoles, and support paths.
  • Analyst recognition: PAN is the #1 SASE Leader (highest Ability to Execute) in the 2025 Gartner SASE MQ. Cisco is a Challenger — Gartner sees execution gaps.
  • ZTNA 2.0 vs. legacy VPN: Cisco Secure Client with AnyConnect roots is still fundamentally a VPN replacement with limited ZTNA depth. PAN provides genuine ZTNA 2.0 with continuous post-connection inspection.
  • No secure browser: Cisco has no natively integrated enterprise browser for BYOD. PAN has Prisma Access Browser.

Where They're Strong

  • Ubiquitous install base: AnyConnect/Secure Client is the #1 installed VPN client globally. Near-universal enterprise familiarity creates significant switching friction.
  • Cisco ecosystem lock-in: Deep integration across ASA/FTD firewalls, ISE, Duo, and Umbrella for customers already in the Cisco stack.
  • Duo MFA: Market-leading MFA with native integration into Secure Client. Strong identity story.
  • Enterprise account presence: Massive enterprise account teams and support infrastructure.

Landmines to Set

  • "How many separate consoles does your security team log into?" — Umbrella, Duo admin, ISE, Secure Connect, Viptela SD-WAN vManage — expose the management fragmentation.
  • "Where is Cisco in the SASE MQ?" — Challenger, not a Leader. Gartner sees execution gaps in their unified SASE story.
  • "Does Cisco Secure Client do continuous post-connect inspection?" — No. It's a VPN replacement with ZTNA 1.0, not continuous zero trust.

Traps They Set

  • "We're already a Cisco shop — it's simpler to stay" — Counter: Cisco has an installed base, but their SASE story stitches together Umbrella (acquired), Duo (acquired), Viptela SD-WAN (acquired) — each with separate management. PAN Prisma SASE was built as a platform, not assembled through acquisitions. You can keep Cisco for networking while using PAN for security.
  • "Cisco Duo gives us MFA built-in" — Counter: PAN supports SAML, RADIUS, LDAP, OTP, certificate-based, and smart card auth natively. Cloud Identity Engine provides centralized identity federation. Duo is strong for MFA but doesn't address the broader SASE, DLP, or continuous inspection requirements.

Key Objections

We're a Cisco shop — we'll use Secure Client.

Response: Cisco has an installed base, but look at where they are in the SASE MQ — Challenger. That means Gartner sees execution gaps. Their SASE story stitches together Umbrella (acquired), Duo (acquired), Viptela SD-WAN (acquired) — each with separate management. PAN Prisma SASE was built as a platform. And Cisco Secure Client doesn't have ZTNA 2.0, no continuous inspection, and no native secure browser for BYOD. If your SASE journey requires MPLS migration, secure BYOD, and Zero Trust enforcement without user bypass — you'll outgrow Cisco Secure Connect fast.

Fortinet — FortiClient (FortiSASE)

FortiClient is Fortinet's endpoint security + VPN/ZTNA agent, tightly integrated with FortiOS. FortiSASE is their cloud-delivered SSE/SASE offering. A 2025 SASE MQ Leader, strong on cost and SD-WAN, but with weaker L7 app detection ("L4 with some L7") and basic ZTNA 1.0 — grant access and ignore.

FortiClient FortiSASE FortiGate NGFW FortiManager FortiGuard Labs

Where PAN Wins

  • App-ID depth: PAN's App-ID is the industry's most granular L7 application identification with hundreds of sub-app identifications. FortiGate is widely described as "L4 with some L7" — inferior application granularity for policy enforcement.
  • ZTNA 2.0 vs. ZTNA 1.0: Fortinet ZTNA is a basic access broker — grant and ignore. PAN continuously verifies trust and inspects traffic post-connection.
  • Security track record: Fortinet has had repeated critical NGFW CVEs with slow patch response timelines. PAN's security patching and Unit 42 threat research provide a cleaner track record.
  • Cloud-native vs. adapted: Prisma Access is architected cloud-native on AWS+GCP. FortiSASE is FortiOS adapted to cloud — architectural differences matter at scale.

Where They're Strong

  • Cost / SMB positioning: Generally less expensive; SD-WAN included natively in every FortiGate with no extra license. Compelling for cost-sensitive deployments.
  • Native OS integration: FortiOS as single codebase across NGFW, SD-WAN, ZTNA, switching, and Wi-Fi — tight integration within the Fortinet stack.
  • 2025 SASE MQ Leader: Fortinet is a Leader in the 2025 Gartner SASE MQ — strong execution at scale.
  • Routing capability: FortiGate widely praised for advanced routing and SD-WAN features.

Landmines to Set

  • "Ask Fortinet to demonstrate L7 application identification at the sub-app level — how many sub-app actions can FortiGate enforce policy on vs. PAN's App-ID?"
  • "Does FortiClient ZTNA do continuous deep inspection after access is granted, or does it grant access and go dark?"
  • "Ask about FortiSASE's PoP footprint and cloud-native scalability vs. PAN's 100+ PoPs across 87 countries on hyperscaler backbone."

Traps They Set

  • "Fortinet is cheaper and good enough" — Counter: FortiClient customers often need separate DLP, CASB, and posture tools. PAN bundles all of that. FortiSASE still requires a separate DLP tool, CASB tool, and endpoint DLP. TCO evaporates when you factor in security outcomes and operational overhead.
  • "FortiOS is a single codebase" — Counter: A single codebase is good for integration but doesn't address the fundamental architecture gaps — FortiSASE is FortiOS adapted to cloud, not cloud-native. And "FortiDamager" management inconsistency is a well-known pain point among practitioners.

Key Objections

Fortinet is cheaper and good enough.

Response: FortiClient and FortiSASE are good for simple deployments. But consider: FortiGate is widely called "L4 with some L7" — Palo Alto's App-ID is genuinely L7 with hundreds of sub-app identifications. Fortinet ZTNA is access-grant and ignore. And Fortinet has had repeated critical CVEs with slow patch response. For organizations where security posture matters, the cost difference evaporates when you factor in security outcomes, operational overhead, and the fact that FortiSASE still requires separate DLP, CASB, and Endpoint DLP tools. PAN bundles all of that.

CrowdStrike — Falcon ZTNA / Falcon Identity Protection

Primarily an endpoint security (EDR/XDR) platform with ZTNA capabilities built through Falcon Identity Protection — MFA enforcement, conditional access, identity threat detection. CrowdStrike does not have a traditional VPN, SASE platform, SWG, CASB, FWaaS, or SD-WAN. Different category — often confused with ZTNA in "zero trust" conversations.

Falcon Sensor Falcon Identity Protection Charlotte AI Falcon XDR

Where PAN Wins

  • Different categories entirely: CrowdStrike competes with Cortex XDR for endpoint/EDR, not with Prisma Agent for ZTNA/SASE. Don't let customers conflate them in "zero trust" discussions.
  • SASE is not CrowdStrike: CrowdStrike has no SWG, no CASB, no SD-WAN, and no remote access infrastructure. They have no answer for "how do users securely connect to corporate apps?"
  • Data protection gap: CrowdStrike's DLP is endpoint-only with no network-based data protection. PAN's Enterprise DLP covers network, endpoint, SaaS, and cloud simultaneously.
  • Network-layer blind spots: Falcon's ZTNA is identity-centric only — no network traffic inspection, no app-layer policy, no continuous deep packet inspection.

Where They're Strong

  • Endpoint security leadership: 6X consecutive Gartner EPP MQ Leader. Widely considered best-in-class EDR/XDR. Single lightweight Falcon agent.
  • AI-native platform: Charlotte AI for detection triage, investigation, and agentic response workflows.
  • Identity threat detection speed: 85% faster identity attack detection with adaptive MFA and risk-based access.
  • Operational simplicity: Single console, single agent — praised for ease of management in the endpoint domain.

Landmines to Set

  • "Ask CrowdStrike: how do users securely connect to corporate applications from home? What's your remote access story?" — They don't have one. Falcon doesn't replace VPN or provide SASE.
  • "CrowdStrike's DLP is endpoint-only. How do you enforce data protection for SaaS apps, cloud resources, and network traffic?" — They can't.

Traps They Set

  • "CrowdStrike does Zero Trust too" — Counter: CrowdStrike is excellent at endpoint security and identity-based MFA — that's their lane. But they have no SWG, no CASB, no SD-WAN, and no remote access infrastructure. CrowdStrike and PAN are complementary — many enterprises run both. If you're looking for ZTNA, secure BYOD, SaaS visibility, and remote access, that's Prisma Access. EDR is a separate evaluation.

Key Objections

CrowdStrike does Zero Trust too.

Response: CrowdStrike is excellent at endpoint security and identity-based MFA — that's their lane. But CrowdStrike has no SWG, no CASB, no SD-WAN, and no remote access infrastructure. They literally have no answer for "how do users securely connect to corporate apps?" CrowdStrike and Palo Alto are complementary — many enterprises run both. If you're looking for Zero Trust network access, secure BYOD, SaaS visibility, and remote access, that's Prisma Access. If you're looking for EDR, that's a separate evaluation.

Migration Play

GP → SASE Migration Phases

The GP-to-SASE migration is not "rip and replace" — it's a platform expansion. The new PAA license covers both agents, giving a natural upgrade path. Position as: "You've already invested in GlobalProtect. Now extend those security policies to every user, every device, every location."

Cloud-Delivered Security (Prisma Access SSE)

  • Replace on-premise internet breakout with Prisma Access cloud gateways
  • Move GP client to connect to Prisma Access instead of on-prem NGFW
  • No more hair-pinning internet traffic through the datacenter — 5X faster app performance
  • Security policies automatically follow users regardless of location
  • Existing HIP checks, App-ID rules, DLP policies migrate to cloud

SD-WAN Branch Transformation

  • Replace MPLS / legacy WAN with Prisma SD-WAN
  • Connect branches directly to Prisma Access for cloud and internet
  • Use service connections back to datacenter for private apps
  • Eliminate branch firewalls — consolidate into SASE platform
  • Zero Touch Provisioning (ZTP) for branch onboarding

BYOD / Unmanaged Devices (Prisma Browser)

  • Deploy Prisma Access Browser for contractors and BYOD users
  • Eliminate agent requirement for web-based and private app access
  • Browser-level DLP: copy/paste, print, screenshot, upload/download controls
  • Advanced WildFire inline — 77M+ files analyzed in-browser
  • Full SASE controls without touching the device's OS

Full PAA Migration

  • Upgrade from GlobalProtect client to Prisma Agent
  • Gain: Endpoint DLP (USB/printer/network share control)
  • Gain: Tamper-resistance — users cannot disable/bypass agent
  • Gain: Remote troubleshooting without contacting end users
  • Gain: Built-in staged rollouts with rollback functionality
  • Cloud-managed via SCM instead of PAN-OS portal

Migration Enablers

🔄 Coexistence: GP and PAA can be installed simultaneously. Admin switches between them via PACli — zero disruption testing.
🔑 LDAP auth continuity: PAA supports LDAP via GP portal for seamless auth migration. No reskilling.
📋 Shared licensing: New PAA SKU entitles both agents. No licensing disruption at renewal.
📐 Policy reuse: Existing NGFW App-ID/User-ID policies directly apply in Prisma Access.

Selling Tips

Lead with ZTNA 2.0: Every competitor is ZTNA 1.0. "Does your ZTNA inspect after access is granted?" is the single most powerful question. 100% of breaches happen on allowed activity — ZTNA 1.0 can't stop them.
"You already trust PAN": For existing NGFW customers, position the migration as extension, not replacement. Same App-ID rules, same User-ID policies, same security profiles — now cloud-delivered. Zero reskilling.
Tamper-proof is the GP upgrade killer: Users routinely disable GlobalProtect to bypass corporate controls. Prisma Agent is tamper-resistant by design. "Your existing GP users can disconnect themselves. PAA users cannot."
GP EOL creates urgency: GP 6.3 goes EOL June 2026; GP 6.2 goes EOL December 2026. No GP 6.4 announced. The new PAA SKU already entitles both agents — there's no cost barrier to evaluating PAA today.
BYOD with Prisma Browser is unique: No competitor has a natively integrated enterprise browser in SASE. Deploy a browser profile via MDM or email link, instantly protect BYOD. No agent, no OS enrollment.
Zscaler = Visionary in SASE: Zscaler leads SSE, but dropped to Visionary in SASE MQ. If the customer needs branches + remote users + BYOD under one policy, Zscaler can't deliver that without third-party SD-WAN.
3X SASE Leader is the proof point: Only vendor named Leader in all three Gartner MQs — SSE, SASE Platforms, and SD-WAN. Plus Forrester ZT Leader with highest Current Offering score (Q3 2025). Use analyst data in every conversation.
99.999% uptime SLA + SaaS perf SLAs: PAN offers industry-leading availability SLA and is the only vendor with SaaS performance SLAs for O365, Salesforce, etc. 30.9B threats stopped per day. Lead with operational confidence.