Sales Enablement

Conversation Guides
What to Say and When

Real-world scenarios, discovery questions, objection handling, and value propositions for every solution area. Written by sellers, for sellers.

Each guide covers the buyer's situation, discovery questions, what they really mean, and how to handle objections.

The Buyer's Situation

The customer is running aging firewalls — PA-5200s approaching end-of-support, or worse, competitor firewalls with port-based rules they've never fully migrated. Their security team spends hours managing rule sets across Panorama and manual change windows. They're hearing about SASE and wondering if firewalls even matter anymore. Meanwhile, their encrypted traffic percentage is above 90% and they can't inspect most of it without killing performance.

Their CIO wants to simplify. The CISO wants better visibility. The network team just wants to stop fighting fires every patch Tuesday. The budget conversation will inevitably circle back to "can we do more with less?" — and the answer is yes, but only if you frame it as a platform conversation, not a box refresh.

If there's an OT/manufacturing component, they're also worried about operational technology threats and may have no segmentation between IT and OT networks. The K2-Series and IoT Security subscription are your foot in the door.

Discovery Questions

Qualifying

  • What's your current firewall vendor and model? When does support expire?
  • How many firewalls across how many locations? Any plans to consolidate data centers?
  • Are you managing via Panorama, Strata Cloud Manager, or something else?

Technical Deep-Dive

  • What percentage of your traffic is encrypted? Are you doing TLS decryption today, and if so, at what scale?
  • How are you handling east-west segmentation in the data center? Is it micro-segmentation or zone-based?
  • Do you have OT or IoT environments that need visibility? What's the segmentation story between IT and OT?
  • How do you handle HA and failover today? Have you had any unplanned outages from firewall issues?

Business Case

  • If you could cut your firewall management overhead by 50%, what would your team do with that time?
  • How does your renewal cycle align with budget? Are you in a position to consolidate multiple security subscriptions into a platform deal?
  • What would a breach-level firewall bypass cost your business in downtime and remediation?

What They Say vs What They Mean

They say:

"We're thinking about moving to SASE and eliminating firewalls."

They mean:

They heard a Zscaler pitch and think firewalls are dead. They haven't thought about campus, data center, or OT — where SASE doesn't apply.

Respond:

"SASE is perfect for remote users — we agree. But what about your data center, campus, OT environment, and on-prem apps? Those still need network security. The platform play is SASE for users + Strata for infrastructure, managed from one console (SCM)."

They say:

"Our Fortinet firewalls are cheaper and work fine."

They mean:

The network team picked FortiGate on price. They may not be aware of the App-ID throughput gap or the missing security subscription depth.

Respond:

"Compare all-services-enabled throughput, not sticker price. Then look at what you're missing: advanced URL filtering, DNS Security, IoT Security, and WildFire sandboxing. When you add those to FortiGate as separate modules, the price gap shrinks — and you get deeper security with Strata."

They say:

"We don't want to rip and replace — it's too disruptive."

They mean:

They've been burned by a bad migration before. They need a phased approach with low risk.

Respond:

"Nobody wants big-bang migration. SCM supports gradual rollouts with per-admin config push/revert. We can start with new locations or the data center refresh, prove value, and extend to existing sites on your timeline. Many customers run dual-vendor for 6-12 months during transition."

They say:

"Panorama is complicated — we don't want more management overhead."

They mean:

Their Panorama deployment was set up years ago and hasn't been optimized. They associate PAN with management complexity.

Respond:

"That's exactly why Strata Cloud Manager exists — it's the next-generation management platform. Inline configuration checks, compliance center, global search, and a Panorama migration engine that moves your config with CVE-driven planning. It's a generational leap from Panorama."

They say:

"We need quantum-ready security."

They mean:

The CISO read a board report about quantum threats and wants to check a box. They may not have a specific technical requirement yet.

Respond:

"The PA-7500 and PA-5500 are quantum-ready with post-quantum encrypted traffic visibility built into the FE400 ASIC. You don't need a separate product or upgrade path — it's in the hardware today. Start building your crypto inventory now so you're ready when post-quantum migration mandates hit."

Objection Handling

"PAN firewalls are too expensive."

Response: Compare total platform cost, not box cost. A PA-5445 replaces the PA-5260 at 2.5x performance — that's fewer boxes for the same throughput. Add SCM management savings, reduced FTE overhead, and the security subscription consolidation. Customers doing platformization deals save 20-40% on total security spend.

"We need something for small branches — PAN is overkill."

Response: The new PA-500 series is purpose-built for enterprise branches with up to 24 high-speed ports, 330W PoE, and ZTP on SCM. Same App-ID, same security subscriptions, same management as your data center firewalls. No separate branch security stack needed. Plus the PA-415-5G handles cellular-connected sites.

"We're moving everything to the cloud — why invest in hardware?"

Response: VM-Series and CN-Series run in every major cloud and Kubernetes environment. But most enterprises are hybrid for years to come. The platform value is that VM-Series in the cloud, PA-hardware at the DC, and Prisma SASE for users all share the same policies, same management, and feed telemetry into XSIAM. That's the platform advantage.

"We just did a FortiGate refresh last year."

Response: Don't fight the installed base. Lead with SASE for remote users, XSIAM for the SOC, or Cortex Cloud for cloud workloads — areas where Fortinet has gaps. Once the customer sees the platform integration value, the next firewall refresh naturally gravitates to Strata for unified management.

Value Propositions

1 One Management Plane for Everything

Strata Cloud Manager unifies NGFW + SASE management with inline compliance checks, CVE-driven migration, and ZTP for new deployments. One team manages all network security from one console.

Proof: SCM handles per-admin config push/revert and includes a Panorama migration engine — reducing change window risk.

2 Performance Without Compromise

PA-7500 delivers 1.5+ Tbps App-ID throughput with 400M+ concurrent L7 sessions. All security services run simultaneously without the "enable this, lose that" tradeoff of competitors.

Proof: FE400 ASIC is purpose-built for security processing — unlike competitors who use off-the-shelf chips with software-defined security layers.

3 Platform Gateway to Bigger Deals

Strata is often the entry point for platformization. Existing NGFW customers add SASE, XSIAM, and Cortex Cloud because the telemetry from their firewalls already feeds the platform. Average customer reduces from 15+ vendors to 3-5.

Proof: 1,550+ platformization deals with 119% net retention rate. $50M+ automotive deal led with SASE + XSIAM combination.

The Buyer's Situation

The customer is mid-journey on remote/hybrid work security. They may have deployed a VPN concentrator during COVID and never upgraded, or they picked Zscaler's ZIA for web filtering and now realize they need more — private app access, DLP, SD-WAN, and a secure browser for BYOD/contractors. The CISO is tired of point solutions that don't talk to each other.

Budget is usually held by the CIO or VP of Infrastructure, not the CISO. The conversation often starts as "VPN replacement" but the real opportunity is full SASE — and the platform deal that comes with it. If they're a Zscaler shop, they've likely hit pain around SD-WAN integration, browser-based DLP gaps, and SaaS app performance.

The most common buying trigger: a failed Zscaler POC for something beyond web filtering, or a board mandate to enable secure BYOD for a contractor workforce that's growing faster than the full-time headcount.

Discovery Questions

Qualifying

  • How many remote/hybrid users do you have? What about contractors and BYOD?
  • What's your current VPN solution? How many concurrent connections does it handle?
  • Are you using Zscaler, Netskope, or another SSE today? What's your contract timeline?

Technical Deep-Dive

  • How many branch locations need SD-WAN? What's your current WAN architecture (MPLS, broadband, hybrid)?
  • What's your DLP strategy? Are you protecting data in SaaS apps, browsers, and email — or just web traffic?
  • How do you secure BYOD and contractor access today? Is there a managed browser component?
  • What SaaS apps are business-critical? Have users complained about performance through your current proxy?

Business Case

  • How much are you spending annually on VPN, SWG, CASB, and DLP as separate products?
  • Have you calculated the productivity loss from SaaS app slowdowns through your current security proxy?
  • What's the cost of a data leak through an unmanaged contractor's browser?

What They Say vs What They Mean

They say:

"We already have Zscaler and it's working."

They mean:

The ZIA deployment for web filtering is working. They haven't evaluated ZPA at scale, don't have browser-based DLP, and are using a separate SD-WAN vendor.

Respond:

"Great — web filtering is table stakes. But SASE is bigger than SWG. How are you handling SD-WAN, secure browser for BYOD, SaaS acceleration, and AI-powered DLP that classifies data in real time? Prisma SASE 3.0 does all of that in one platform with $1.5B+ ARR proving enterprise-scale delivery."

They say:

"We need SD-WAN but our network team doesn't want to change the security stack."

They mean:

The network team controls SD-WAN budget and the security team controls SSE budget. They're not aligned.

Respond:

"That's actually the beauty of Prisma SASE — it bridges that gap. Prisma SD-WAN handles the network team's requirements (WAN optimization, path selection, HA), while Prisma Access handles security (ZTNA, DLP, CASB). Both teams get what they need from one vendor, one contract."

They say:

"Our users complain that the security proxy slows everything down."

They mean:

They're routing all traffic through a proxy architecture that adds latency. They need direct-to-app connectivity with inline security.

Respond:

"That's the proxy tax. Prisma SASE includes AI-powered App Acceleration that delivers up to 5x performance improvement for SaaS apps. We also offer SaaS performance SLAs on our multicloud backbone (AWS+GCP) — something Zscaler won't give you. Users get faster apps AND better security."

They say:

"We have too many contractors on BYOD — we can't manage all those devices."

They mean:

They need agentless access for unmanaged devices. A managed browser is the answer.

Respond:

"Prisma Access Browser 2.0 solves this — 9M+ licenses deployed, 1,500+ customers. Contractors access your apps through a secure browser that enforces DLP, prevents copy/paste of sensitive data, and gives you full visibility — without installing an agent on their device."

They say:

"We're looking at Netskope for CASB."

They mean:

Someone recommended a point-solution CASB. They haven't considered that CASB is a feature within SASE, not a standalone product.

Respond:

"CASB is one feature within Prisma SASE — included at no extra charge alongside SWG, ZTNA, FWaaS, DLP, and secure browser. Buying CASB as a separate product from a separate vendor means another console, another agent, another integration. Prisma SASE consolidates all of it."

Objection Handling

"Zscaler is the SASE leader — why would we switch?"

Response: Both are Gartner Leaders. The difference: PAN delivers complete SASE (SSE + native SD-WAN + secure browser + app acceleration). Zscaler delivers SSE and partners for everything else. At $1.5B+ ARR with ~40% growth, Prisma SASE is proving that enterprises want the full stack from one vendor.

"SASE is too complex — we just want VPN replacement."

Response: Start with VPN replacement via Prisma Access ZTNA — it deploys in weeks, not months. But design the architecture for full SASE so you can add SD-WAN, DLP, and browser capabilities without rearchitecting. Future-proof the decision even if phase one is just ZTNA.

"Our current VPN is good enough."

Response: VPN gives all-or-nothing access to the network. ZTNA gives per-app access based on identity, device posture, and context. The first time a compromised contractor device gets lateral movement through your VPN, "good enough" becomes a board-level conversation. ZTNA eliminates that risk.

Value Propositions

1 Complete SASE — Not Just SSE

Prisma SASE 3.0 = Prisma Access (ZTNA, SWG, CASB, FWaaS) + Prisma SD-WAN + Prisma Access Browser 2.0 + App Acceleration + AI-powered DLP. One vendor, one console, one agent.

Proof: $1.5B+ ARR with ~40% YoY growth. 9M+ browser licenses. 1,500+ browser customers. 2M seats added in Q2 alone.

2 Performance That Users Actually Notice

AI-powered App Acceleration delivers up to 5x performance for SaaS apps. SaaS performance SLAs backed by a multicloud backbone (AWS+GCP). Users get faster apps through security, not despite it.

Proof: Dedicated data plane with SaaS SLAs — competitors use shared proxy infrastructure with no performance guarantees.

3 The BYOD/Contractor Solution

Prisma Access Browser 2.0 secures unmanaged devices without agents. DLP enforcement, session recording, copy/paste controls — all through the browser. Solves the #1 CISO headache for contractor access.

Proof: 9M+ licenses and 1,500+ customers — this isn't a beta feature. Major enterprises use it for contractor workforces, M&A integration, and BYOD programs.

The Buyer's Situation

The SOC is drowning. They're running Splunk (expensive, complex), QRadar (being sunset by IBM), or Sentinel (death by data volume cost). Analysts face 500+ alerts/day, 4-5 different consoles for investigation, and an MTTR measured in hours or days. The CISO just told the board they need to modernize — but the SOC manager is terrified of migrating off a SIEM the team has spent years customizing.

The real opportunity isn't "replace your SIEM" — it's "transform your SOC." The buyer who needs XSIAM usually has all of these symptoms: high analyst turnover, too many tools, alert fatigue, manual playbooks in SOAR that nobody maintains, and a nagging feeling that they're missing attacks because they can't correlate across domains.

XSIAM deals average ~$1M ARR. These are strategic, multi-stakeholder deals that require CISO sponsorship, SOC manager buy-in, and a strong business case around analyst productivity and MTTR improvement. Lead with outcomes, not features.

Discovery Questions

Qualifying

  • What SIEM are you running today? When does the contract renew?
  • How many analysts are in your SOC? What's your analyst turnover rate?
  • What's your current daily log volume (GB/day)? How much of that is actually used in investigations?

Technical Deep-Dive

  • How many data sources feed your SIEM? Are network, endpoint, cloud, and identity telemetry all correlated?
  • How many consoles does an analyst use during a typical investigation? (The answer is usually 4-6.)
  • Do you have SOAR automation today? What percentage of alerts get automated response vs manual triage?
  • What's your mean time to detect and mean time to respond? Are you measuring these consistently?

Business Case

  • What's your all-in SOC cost — SIEM licensing, SOAR licensing, XDR licensing, analyst salaries, and managed services?
  • If you could automate 80% of tier-1 alert triage, how many analyst hours would that free up per week?
  • What's the business cost of your current MTTR? If an attacker has 24-48 hours of dwell time, what's the exposure?

What They Say vs What They Mean

They say:

"We just renewed Splunk — we can't look at this right now."

They mean:

They're locked into a contract but not happy. They want to know what's possible without committing today.

Respond:

"Perfect timing to plan. Run XSIAM in parallel for new use cases — cloud security monitoring, UEBA, or a specific threat domain. Build the business case during your Splunk contract so you're ready to make the switch at renewal with data, not assumptions."

They say:

"We're concerned about migrating our custom Splunk content."

They mean:

They've invested years building SPL queries, dashboards, and alerts. Migration anxiety is real and legitimate.

Respond:

"PAN has migrated hundreds of Splunk environments. The pro-serv team has SPL-to-XQL translation playbooks, and XSIAM 3.4 includes natural language querying — so your analysts can describe what they want in plain English and the AI generates the XQL. The learning curve is dramatically shorter than you'd expect."

They say:

"AI in security is just hype — our analysts don't trust it."

They mean:

They've seen AI-washing from vendors. They need concrete evidence of AI delivering measurable outcomes, not marketing slides.

Respond:

"Fair skepticism. Here's the proof: 60%+ of XSIAM customers achieve MTTR under 10 minutes. That's not a marketing number — it's a measurable outcome of AI-driven alert grouping, automated investigation, and AgentiX autonomous remediation. Ask for a POC and measure your own MTTR improvement."

They say:

"We get Sentinel free with E5 — why would we pay for XSIAM?"

They mean:

The Microsoft team has anchored them on "free." They haven't calculated actual costs at real data volumes.

Respond:

"Pull your Sentinel bill. E5 includes ~5 MB/user/day for M365 logs only. Every firewall log, cloud trail, third-party feed, and endpoint telemetry source is additional per-GB cost. At enterprise data volumes, Sentinel often costs more than XSIAM — and XSIAM includes SOAR, XDR, ASM, and ITDR that Sentinel charges separately for."

They say:

"We're looking at CrowdStrike NG SIEM since we already run Falcon."

They mean:

The endpoint team is pushing their vendor's SIEM. They haven't evaluated it as a full SOC platform.

Respond:

"Keep Falcon for EDR — XSIAM ingests it natively. But LogScale was built as a log search engine, not a SOC platform. Can it correlate network + cloud + identity telemetry in one workflow? Can it run SOAR playbooks? Does it include ASM and ITDR? XSIAM does all of that in one console because it was built as a SOC platform from day one."

Objection Handling

"XSIAM is too expensive at ~$1M ARR."

Response: Calculate your all-in SOC cost: SIEM license ($300-500K), SOAR license ($100-200K), XDR/EDR ($200-400K), ASM ($100K+), plus 8-12 analysts at $120K+ each. XSIAM replaces 3-4 tools AND improves analyst productivity by 80%+. The ROI comes from tool consolidation AND doing more with fewer (or the same) analysts.

"We don't want to be locked into one vendor for everything."

Response: XSIAM ingests telemetry from any source — CrowdStrike, Microsoft, Okta, AWS, Google Cloud, you name it. You're not locked in; you're consolidating the SOC platform while keeping best-of-breed data sources. The integration is actually better than multi-vendor SIEM deployments because the correlation engine is native, not connector-based.

"Our team knows Splunk SPL — they won't learn a new query language."

Response: Two things: First, XSIAM 3.4 introduces natural language querying — analysts describe what they want in English and AI generates the XQL. Second, most tier-1 and tier-2 analysts rarely write raw queries anyway — XSIAM's AI-driven investigation surfaces the answers automatically. The power users who write XQL will find it faster to learn than they expect — it took the average Splunk migration customer 2-3 weeks.

"We're evaluating multiple SIEMs — why should we choose XSIAM?"

Response: Stop evaluating SIEMs — evaluate SOC platforms. A SIEM is 2005 technology. XSIAM is SIEM + SOAR + XDR + ASM + ITDR + AI in one product. If you evaluate it as a SIEM, you'll miss 80% of the value. Ask every vendor: can your product autonomously investigate and remediate a cross-domain incident in under 10 minutes? Only XSIAM can say yes with 600+ customers proving it.

Value Propositions

1 One Platform Replaces 3-4 SOC Tools

XSIAM = SIEM + SOAR + XDR + ASM + ITDR. One console, one data lake, one AI engine. Analysts go from 4-6 tools to one. Investigation time drops from hours to minutes.

Proof: $0.5B+ ARR, 600+ customers, 60%+ achieve <10 min MTTR. "One of the fastest-growing products in cybersecurity" — Nikesh Arora.

2 AI That Actually Works

AgentiX autonomous agents investigate and remediate incidents without human intervention. XSIAM 3.4 adds natural language querying, immersive AI analyst UX, and the Automation Engineer Agent that converts plain English into automation scripts.

Proof: Not AI-washing. Measurable outcomes: MTTR <10 min, 80%+ alert auto-triage, Cortex MCP Server for native AI agent interoperability.

3 Data Lake Economics

XSIAM 3.4 introduces a cost-effective Cortex Data Lake tier for compliance and long-term retention. No more choosing between data retention and budget — keep everything, search in real time, and only pay premium rates for active investigation data.

Proof: Replaces the Splunk "hot/warm/cold" tier complexity with a simple, predictable model. Federated Search in XDL queries AWS/GCP/Azure data without movement.

The Buyer's Situation

The customer is multi-cloud (usually AWS primary with Azure or GCP secondary) and their cloud security is a patchwork: CSPM from one vendor, container security from another, workload protection from a third. They might have Wiz for agentless CSPM and love the speed, but realize they have gaps in runtime protection, CDR, and code security.

The Cloud Architect drives the technical evaluation but the CISO controls the budget. The tension: cloud teams want developer-friendly, fast-to-deploy tools (Wiz). Security teams want comprehensive coverage that ties into the SOC. PAN's Cortex Cloud 2.0 bridges both — but you need to address the "Wiz is already here" conversation.

Discovery Questions

Qualifying

  • Which clouds are you running production workloads on? What's the split?
  • Do you have a CNAPP or cloud security tool today? When does it renew?
  • How many cloud accounts, subscriptions, or projects are you managing?

Technical Deep-Dive

  • Are you running Kubernetes in production? How many clusters and which distributions (EKS, GKE, AKS, OpenShift)?
  • How do you handle cloud detection and response today? When there's a cloud security incident, how does it reach the SOC?
  • Is your cloud security approach agent-based, agentless, or both? Are there gaps in runtime protection?
  • How mature is your code-to-cloud pipeline? Do you have shift-left security (SAST, SCA, IaC scanning) integrated into CI/CD?

Business Case

  • How many cloud security tools are you running? What's the total cost including analyst time?
  • When was your last cloud-related security incident? How long did it take to detect and respond?
  • What compliance frameworks apply to your cloud workloads (SOC 2, PCI, HIPAA, FedRAMP)?

What They Say vs What They Mean

They say:

"We already have Wiz — our cloud team loves it."

They mean:

The cloud team deployed Wiz for agentless CSPM. They don't have runtime protection, CDR, or ASPM — and the SOC isn't getting cloud alerts.

Respond:

"Don't fight the cloud team. Position Cortex Cloud as the runtime protection and CDR layer that connects to your SOC (XSIAM). Wiz finds misconfigurations; Cortex Cloud blocks exploits in real time and feeds incidents into your existing investigation workflows."

They say:

"We don't want agents in our cloud workloads."

They mean:

Performance concerns or DevOps pushback. They need to understand the agent-vs-agentless tradeoff.

Respond:

"Cortex Cloud 2.0 has a performance-optimized agent that uses 50% fewer resources than before — and it's optional. Use agentless for posture assessment and the agent for runtime protection where it matters. Both feed into the same console. You choose the level of protection per workload."

They say:

"Our cloud-native tools (GuardDuty, Security Hub) are sufficient."

They mean:

The cloud team is using native tools because they're free. They haven't experienced multi-cloud blind spots.

Respond:

"Native tools are great — for one cloud. The moment you have workloads in AWS and Azure, GuardDuty and Defender for Cloud don't talk to each other. Cortex Cloud provides equal-depth coverage across all three clouds with a unified risk view. And it connects to your SOC — which no native cloud tool does natively."

They say:

"We need to secure our AI workloads in the cloud."

They mean:

They're deploying LLMs and AI services in cloud and need to protect model pipelines, training data, and inference endpoints.

Respond:

"This is where Cortex Cloud + Prisma AIRS combine. Cortex Cloud secures the cloud infrastructure running your AI workloads. AIRS secures the AI models themselves — red teaming, runtime protection, posture management. Together they cover the full AI security stack from infrastructure to inference."

They say:

"There are too many findings — we can't prioritize."

They mean:

Their CSPM generates thousands of alerts. They need prioritization that considers real-world exploitability.

Respond:

"That's exactly what SmartScore solves. It prioritizes findings by real-world exposure — not just 'this is a critical CVE' but 'this critical CVE is on an internet-facing workload with network access to your database.' SmartGrouping consolidates related signals into cases so your team handles 10 cases instead of 1,000 alerts."

Objection Handling

"Wiz is cheaper and deploys faster."

Response: For agentless posture, yes — Wiz deploys quickly. But you'll need additional tools for runtime protection, CDR, and code security. Cortex Cloud 2.0 does all of that in one platform with autonomous AI agents for remediation. Calculate the total cost of Wiz + runtime tool + CDR tool vs Cortex Cloud as one solution.

"We need something that doesn't slow down our DevOps pipeline."

Response: Cortex Cloud's ASPM module integrates into CI/CD natively with one-click remediation playbooks. Developers get PR-level feedback, not separate-console alerts. The Application Security Command Center gives security teams visibility without being a bottleneck in the pipeline.

"Google just bought Wiz — shouldn't we go with the bigger player?"

Response: Google bought Wiz for GCP. Now ask: how does a Google-owned security tool protect your AWS and Azure workloads? History shows cloud providers optimize for their own platform. PAN has no cloud allegiance — we protect equally across all three clouds.

Value Propositions

1 Unified CNAPP + CDR

Cortex Cloud 2.0 merges cloud posture, workload protection, code security, and cloud detection & response in one platform. SmartScore and SmartGrouping mean your team handles actionable cases, not a flood of alerts.

Proof: Autonomous AI agents (AgentiX-powered) enable one-click remediation playbooks. Cloud Security Command Center provides unified visibility.

2 SOC Integration That Competitors Can't Match

When Cortex Cloud detects a cloud threat, it flows directly into XSIAM for cross-domain investigation. A cloud compromise that involves network lateral movement and identity escalation is one case in XSIAM — not three separate alerts in three tools.

Proof: Wiz, Lacework, and other CNAPP vendors send alerts to your SIEM but don't own the investigation workflow. PAN does — end to end.

3 Agent + Agentless Flexibility

Choose agentless for posture and the performance-optimized agent (50% lighter) for runtime protection. No forced tradeoff. Both feed into the same console, same SmartScore, same cases.

Proof: XSIAM Enterprise Plus tier includes XDR Cloud per Host + cloud detection + Kubernetes/OpenShift support for full stack coverage.

The Buyer's Situation

Every enterprise is deploying AI — LLMs, copilots, AI agents, custom models. The CISO was told after the fact and is now scrambling to understand the attack surface. They've heard about prompt injection, data exfiltration via AI, and model poisoning but don't have tooling to monitor or protect any of it. This is greenfield — nobody has a mature AI security posture.

The buyer is usually the CISO or a VP of Security working with the AI/ML engineering team. Budget is often net-new (not taken from existing security budget) because AI security didn't exist as a category 18 months ago. The conversation should focus on risk visibility first, then protection.

Discovery Questions

Qualifying

  • How many AI/ML models are in production today? How many are in development?
  • Are you using third-party AI services (OpenAI, Azure OpenAI, Bedrock) or self-hosted models?
  • Has your security team been involved in AI deployment decisions, or is it developer-led?

Technical Deep-Dive

  • What's your visibility into AI model inventories? Do you know every model in production, including shadow AI?
  • How are you protecting against prompt injection, data leakage, and hallucination risks in your LLM applications?
  • Are you deploying AI agents that can take actions (API calls, data access)? How do you govern agent identity?
  • Have you done any red teaming of your AI models? What vulnerabilities were found?

Business Case

  • What's the business exposure if an AI model leaks sensitive training data or makes a harmful decision?
  • Do EU AI Act or ISO 42001 compliance requirements apply to your AI deployments?
  • What's the board's AI risk appetite? Have they asked the CISO for an AI security assessment?

What They Say vs What They Mean

They say:

"We're not ready for AI security yet — we're just getting started with AI."

They mean:

Shadow AI is already in production. They just don't know about it.

Respond:

"That's the perfect time to start. AIRS AI Posture Management gives you visibility into your entire AI ecosystem — including shadow AI your developers have deployed without security review. Start with discovery, then layer on protection as your AI footprint grows."

They say:

"Our cloud provider handles AI security."

They mean:

They're using Azure OpenAI or Bedrock and assume the provider secures the model layer. They haven't thought about application-level attacks.

Respond:

"Cloud providers secure the infrastructure. They don't protect against prompt injection, data exfiltration via model responses, or AI agent identity impersonation. That's the application layer — and that's where AIRS AI Runtime Security and AI Agent Security operate."

They say:

"We just need a WAF with AI rules."

They mean:

They're thinking about AI security as a perimeter problem. They need to understand the AI-specific attack surface.

Respond:

"A WAF protects web apps. AI threats are fundamentally different — prompt injection bypasses WAF rules, model poisoning happens in the training pipeline, and AI agent tool misuse happens at the application logic layer. AIRS is purpose-built for AI threats across 25+ threat categories and 35+ model file types."

Objection Handling

"AI security is too early-market — we'll wait."

Response: The EU AI Act is already in effect. ISO 42001 compliance is being required in procurement. Your AI deployments are being targeted today — not next year. Start with AI Posture Management for visibility and AI Red Teaming to find vulnerabilities before attackers do. You don't need to boil the ocean — start with assessment.

"We don't have budget for this."

Response: AI security often comes from new budget, not existing security budget. Frame it as "enabling safe AI adoption" — a business initiative, not just security. The Protect AI integration ($650-700M acquisition) and partnerships with Google Cloud, IBM, and ServiceNow demonstrate that the market is forming now. Early movers get budget; late movers get blame after an incident.

Value Propositions

1 Complete AI Security Stack

AIRS covers the entire AI lifecycle: Model Security (35+ file types), Red Teaming (automated pen testing), Posture Management (AI ecosystem visibility), Runtime Security (LLM app protection), and Agent Security (identity, memory, tool governance).

Proof: No competitor offers all five layers. Protect AI integration adds the industry's largest model threat database.

2 Platform Integration

AIRS feeds into Cortex Cloud for cloud-hosted AI workloads and XSIAM for SOC-level incident response. AI security isn't a silo — it's part of the unified platform.

Proof: Integrations with Google Cloud, IBM, and ServiceNow. Koi Security acquisition (pending, ~$400M) will extend agentic endpoint security.

3 Compliance Ready

XSIAM 3.4 includes EU AI Act and ISO/IEC 42001:2023 compliance standards. AIRS provides the technical controls that map to these regulatory requirements. Be ahead of mandates, not chasing them.

Proof: CISO Priority #2 for 2026 is "Securing own AI deployments" — this is board-level visibility that creates budget.

The Buyer's Situation

Identity is the new perimeter, and the customer knows it. They're probably running Microsoft Entra ID for basic identity, maybe CyberArk for PAM on a narrow set of admin accounts, and have zero governance over machine identities, service accounts, or the new wave of AI agent identities. The 80:1 machine-to-human identity ratio means their biggest attack surface is one they can barely see.

The $25B CyberArk acquisition (closed Feb 2026) makes this a fundamentally new conversation. PAN now owns the identity pillar — not as an add-on, but as a core platform capability covering human, machine, and agentic AI identities. This is the most significant platform expansion since XSIAM.

The buyer is usually the CISO or VP of Security, with procurement heavily involved because identity touches every user. Budget may be split between IAM (IT) and PAM (security). Unifying these under the PAN platform is the strategic play.

Discovery Questions

Qualifying

  • What's your current PAM solution? Does it cover just admin accounts or all privileged access?
  • How are you managing machine identities — service accounts, API keys, certificates?
  • Are you deploying AI agents that need their own identity governance?

Technical Deep-Dive

  • How many service accounts and machine identities exist in your environment? Can you inventory them today?
  • What's your approach to just-in-time privileged access? Do admins have standing privileges?
  • How do you detect identity-based attacks — credential stuffing, lateral movement, privilege escalation?
  • Are your PAM tools integrated with your SIEM/SOC, or are identity alerts handled separately?

Business Case

  • What percentage of your security incidents involve compromised credentials? (Industry average: 60%+)
  • How does identity governance factor into your compliance requirements (SOX, PCI, HIPAA)?
  • If you could bring PAM, identity governance, and ITDR under one platform with your network and SOC security, what would that do to your vendor count and integration complexity?

What They Say vs What They Mean

They say:

"We already have CyberArk."

They mean:

They have CyberArk PAM for admin accounts. They may not be using full identity governance, secrets management, or machine identity capabilities.

Respond:

"Great — CyberArk is now part of PAN. This means your existing CyberArk investment becomes part of the platform. The integration with Cortex and Strata is underway — identity telemetry feeding into XSIAM, identity-aware network policies in Strata, and unified governance across human, machine, and AI identities. Your CyberArk investment just got more valuable."

They say:

"Microsoft Entra handles our identity needs."

They mean:

Entra ID handles authentication, and they may use Entra PIM for Azure and Microsoft 365 roles. They likely don't have PAM for the rest of the estate, secrets management, or machine identity governance.

Respond:

"Entra ID is an identity provider: it authenticates users, and with PIM and ID Governance it covers privileged roles and access reviews inside the Microsoft estate. CyberArk/PAN provides privileged access management across on-prem, multi-cloud and non-Microsoft systems, plus identity governance, secrets management, and machine identity security that Entra doesn't cover. They're complementary, not competitive. The gap is in what happens after authentication: governing what identities can do, everywhere they can do it."

They say:

"Machine identities aren't a priority for us."

They mean:

They haven't quantified the risk. They probably don't know how many machine identities exist.

Respond:

"There are 80 machine identities for every human identity in most enterprises. Service accounts with standing privileges are a prime target for lateral movement, because a stolen secret gives the attacker admin rights with no MFA in the way. When was the last time someone rotated your Kubernetes service account credentials or expired those API keys from three years ago? That's the gap CyberArk fills."
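The questions in that response are ones a customer can answer in an afternoon if they have an inventory. The script below is an added example written for this guide (it is not CyberArk or PAN product code) that shows what the first pass at answering them looks like: it runs over a constructed inventory of human and machine identities and flags credentials that have not been rotated within the policy window, keys that are idle or have never authenticated, and accounts holding standing privilege. The `Identity` fields, the sample names and dates, and the 90-day rotation and 60-day idle thresholds are all assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Identity:
    name: str
    kind: str                  # "human", "service_account", "k8s_sa" or "api_key"
    created: date
    last_rotated: date         # last time the credential or secret was changed
    last_used: Optional[date]  # None if no authentication has ever been observed
    standing_privilege: bool   # holds admin rights permanently rather than just-in-time


# Constructed sample inventory: names, dates and privileges are made up for this example.
TODAY = date(2026, 3, 1)
INVENTORY = [
    Identity("alice", "human", date(2022, 5, 1), date(2026, 1, 15), date(2026, 2, 28), False),
    Identity("svc-backup", "service_account", date(2021, 3, 10), date(2021, 3, 10), date(2026, 2, 27), True),
    Identity("ci-deploy-key", "api_key", date(2023, 1, 20), date(2023, 1, 20), date(2025, 6, 1), False),
    Identity("payments/default-sa", "k8s_sa", date(2024, 8, 5), date(2024, 8, 5), None, True),
    Identity("svc-monitoring", "service_account", date(2025, 11, 1), date(2026, 2, 1), date(2026, 2, 28), False),
]

MACHINE_KINDS = {"service_account", "k8s_sa", "api_key"}


def audit_machine_identities(inventory, today=TODAY, max_rotation_days=90, max_idle_days=60):
    """Return {identity name: [reason codes]} for machine identities that need attention.

    Thresholds are assumed policy values for the example, not vendor defaults.
    """
    findings: Dict[str, List[str]] = {}
    for ident in inventory:
        if ident.kind not in MACHINE_KINDS:
            continue  # human accounts are governed by a different policy
        reasons = []
        if (today - ident.last_rotated).days > max_rotation_days:
            reasons.append("stale_credential")
        if ident.last_used is None:
            reasons.append("never_used")       # provisioned but never authenticated: likely orphaned
        elif (today - ident.last_used).days > max_idle_days:
            reasons.append("idle")             # still valid, nobody is watching it
        if ident.standing_privilege:
            reasons.append("standing_privilege")
        if reasons:
            findings[ident.name] = reasons
    return findings


def machine_to_human_ratio(inventory):
    """Machine identities per human identity; the guide's 80:1 figure is this number at scale."""
    humans = sum(1 for i in inventory if i.kind == "human")
    machines = sum(1 for i in inventory if i.kind in MACHINE_KINDS)
    return machines / humans if humans else float("inf")


def prioritize(findings):
    """Order findings so standing-privilege identities with the most issues come first."""
    return sorted(findings.items(),
                  key=lambda kv: ("standing_privilege" not in kv[1], -len(kv[1]), kv[0]))


if __name__ == "__main__":
    for name, reasons in prioritize(audit_machine_identities(INVENTORY)):
        print(f"{name:24s} {', '.join(reasons)}")
    print(f"machine:human ratio = {machine_to_human_ratio(INVENTORY):.1f}:1")
```

On the sample data the Kubernetes service account surfaces first: never used, never rotated, and holding standing privilege, which is exactly the orphaned-but-powerful credential an attacker looks for. Feeding a real export (a cloud IAM credential report, a vault's secret metadata, or `kubectl get secrets` output) into the same shape is the discovery step the response above asks the customer about.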

They say:

"The acquisition just closed — integration will take years."

They mean:

Valid concern. They want to know what's available today vs roadmap.

Respond:

"CyberArk's products are mature and production-ready today — they have the most comprehensive PAM platform in the market. Integration with Cortex and Strata is actively underway, with identity telemetry in XSIAM being the first milestone. Buy CyberArk for what it does today; the platform integration is upside."

They say:

"What about AI agent identities? That seems like science fiction."

They mean:

They're curious but don't have concrete use cases yet. This is a forward-looking conversation.

Respond:

"AI agents are already in production — in customer service, DevOps automation, and security operations. Each agent needs an identity, permissions, and audit trail. CyberArk covers agentic AI identity governance alongside human and machine identities. This is CISO Priority #3 for 2026 — identity governance across all identity types."

Objection Handling

"We're not ready for a full identity platform."

Response: Start with PAM for your most critical admin accounts. Then expand to machine identity governance. Then add ITDR integration with XSIAM. CyberArk supports a crawl-walk-run approach. The acquisition means you're investing in a platform that grows with you — not a point solution you'll outgrow.

"Identity should be separate from our security platform."

Response: 60%+ of breaches involve compromised credentials. If your identity platform doesn't talk to your SOC, how do you detect credential theft in real time? The PAN platform integrates identity signals into XSIAM for automated detection and response — that's the whole point of platformization.
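To make "detect credential theft in real time" concrete for the customer, here is an added example written for this guide (not XSIAM, ITDR or CyberArk code) of the kind of identity-aware detection logic a SOC platform runs once it has authentication telemetry: three rules evaluated over constructed auth log lines. The log format, the field names, the 5-user/5-minute and 3-host/10-minute thresholds, and the sample IPs and hostnames are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not from any real system). One source sprays five users,
# lands on "erin", and erin then authenticates to three internal hosts in quick succession.
SAMPLE_LOG = """\
2026-03-01T09:00:01Z auth user=alice src=203.0.113.7 host=vpn-gw result=FAIL
2026-03-01T09:00:04Z auth user=bob src=203.0.113.7 host=vpn-gw result=FAIL
2026-03-01T09:00:08Z auth user=carol src=203.0.113.7 host=vpn-gw result=FAIL
2026-03-01T09:00:13Z auth user=dave src=203.0.113.7 host=vpn-gw result=FAIL
2026-03-01T09:00:20Z auth user=erin src=203.0.113.7 host=vpn-gw result=FAIL
2026-03-01T09:00:25Z auth user=erin src=203.0.113.7 host=vpn-gw result=SUCCESS
2026-03-01T09:05:10Z auth user=erin src=10.0.0.5 host=fs01 result=SUCCESS
2026-03-01T09:06:02Z auth user=erin src=10.0.0.5 host=db01 result=SUCCESS
2026-03-01T09:07:30Z auth user=erin src=10.0.0.5 host=dc01 result=SUCCESS
2026-03-01T09:30:00Z auth user=alice src=198.51.100.4 host=vpn-gw result=SUCCESS
2026-03-01T09:31:12Z auth user=bob src=198.51.100.9 host=vpn-gw result=FAIL
2026-03-01T09:31:40Z auth user=bob src=198.51.100.9 host=vpn-gw result=SUCCESS
"""

# Assumed log format for the example; a real pipeline would map vendor fields to this shape.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse(log):
    """Parse log lines into event dicts sorted by time; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def _sliding_window_alerts(events, key_field, entity_field, window, threshold, rule):
    """Alert once per key the first time `threshold` distinct entities appear within `window`."""
    recent = defaultdict(list)   # key -> [(ts, entity)] still inside the window
    alerted, alerts = set(), []
    for e in events:
        key = e[key_field]
        cutoff = e["ts"] - window
        bucket = [(ts, ent) for ts, ent in recent[key] if ts >= cutoff]
        bucket.append((e["ts"], e[entity_field]))
        recent[key] = bucket
        distinct = {ent for _, ent in bucket}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": rule, "key": key, "entities": distinct,
                           "first_seen": bucket[0][0], "last_seen": e["ts"]})
    return alerts


def detect_credential_stuffing(events, window=timedelta(minutes=5), threshold=5):
    """One source IP failing against many distinct users in a short window."""
    fails = [e for e in events if e["result"] == "FAIL"]
    return _sliding_window_alerts(fails, "src", "user", window, threshold, "credential_stuffing")


def detect_lateral_movement(events, window=timedelta(minutes=10), threshold=3):
    """One account succeeding on many distinct hosts in a short window."""
    ok = [e for e in events if e["result"] == "SUCCESS"]
    return _sliding_window_alerts(ok, "user", "host", window, threshold, "lateral_movement")


def detect_success_after_stuffing(events, stuffing_alerts, grace=timedelta(minutes=15)):
    """A success from a source that was just stuffing: the account it landed on is likely compromised."""
    hits = []
    for a in stuffing_alerts:
        for e in events:
            if (e["result"] == "SUCCESS" and e["src"] == a["key"]
                    and a["last_seen"] <= e["ts"] <= a["last_seen"] + grace):
                hits.append({"rule": "success_after_stuffing", "user": e["user"],
                             "src": e["src"], "ts": e["ts"]})
    return hits


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    stuffing = detect_credential_stuffing(evts)
    for a in stuffing + detect_lateral_movement(evts) + detect_success_after_stuffing(evts, stuffing):
        print(a)
```

The point for the conversation: the first two rules need only raw auth events, but the third, which is the one that tells the analyst which account to lock, needs the stuffing alert and the later success correlated in one place. If PAM or the IdP keeps its logs in a silo, that correlation never happens in real time.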

"$25B is a lot — is PAN going to support CyberArk long-term?"

Response: At $25B this is one of the largest cybersecurity acquisitions ever. Nikesh Arora called identity the "4th core pillar" of the platform. CyberArk's team, products, and R&D are fully supported. This isn't a tuck-in acquisition that gets deprecated; it's a strategic pillar investment.

Value Propositions

1 The 4th Core Pillar

Identity joins Network, Cloud, and SecOps as a core PAN platform pillar. CyberArk covers human identities (PAM, governance), machine identities (secrets, certificates), and agentic AI identities — all under one platform.

Proof: $25B acquisition, one of the largest in cybersecurity history. Closed Feb 11, 2026. TASE dual-listing under "CYBR."

2 SOC-Integrated Identity Threat Detection

CyberArk identity telemetry flowing into XSIAM creates the industry's first SOC platform with native identity context. Detect credential theft, privilege escalation, and lateral movement as part of the unified investigation workflow.

Proof: XSIAM already includes ITDR as an add-on module. CyberArk integration deepens this to the identity source itself.

3 80:1 Machine Identity Coverage

80 machine identities for every human. CyberArk manages the entire identity lifecycle — from service accounts and API keys to Kubernetes secrets and certificates. PAM isn't just for admin accounts anymore.

Proof: CyberArk is the market leader in PAM, now with the platform reach of PAN's 6,000+ enterprise customers.