Platform — Secure Access

Prisma SASE 3.0
Secure Access for the AI Era

The industry's most complete SASE platform — converging network security, SD-WAN, secure browser, and AI-powered DLP into a single cloud-delivered service.

Architecture

SASE Components

Five integrated capabilities delivered from a unified cloud platform.

Prisma Access
ZTNA · SWG · CASB · FWaaS
Zero Trust Network Access, Secure Web Gateway, Cloud Access Security Broker, and Firewall-as-a-Service in one cloud-delivered service. Protects all users, all apps, everywhere.
Prisma SD-WAN
CloudGenix
Autonomous SD-WAN that connects branches, data centers, and cloud environments with optimal performance, full-mesh connectivity, and integrated security.
Access Browser 2.0
Talon · 1,500+ Customers
Enterprise-grade secure browser with 9M+ licenses deployed. Extends DLP, threat protection, and SaaS access controls into the browser layer — wherever work happens.
ADEM
AIOps Root Cause Analysis
Autonomous Digital Experience Management with AI-powered root cause analysis. Identifies and resolves connectivity and performance issues before users notice.
App Acceleration
AI-Powered · Up to 5x
AI-powered application acceleration delivering up to 5x improvement in SaaS app performance. Unique to Palo — Zscaler has no equivalent capability.

Deep Dives

Component Deep Dives

Click any component to explore architecture details, key metrics, and what's new.

~6,000

SASE Customers

36%

ARR Growth YoY

3x

Gartner MQ Leader

150+

Global Locations

ZTNA 2.0 Architecture

Purpose-built cloud-native platform with Single-Pass Parallel Processing (SP3) — inspects App-ID, User-ID, Content-ID, and WildFire in a single pass. Enabling additional security features does not add latency. Multicloud backbone across Google Cloud, AWS, and Oracle Cloud with true multi-tenancy.

ZTNA 1.0 (Legacy)

Coarse IP/port access, allow-and-ignore trust, limited app coverage, multiple consoles

ZTNA 2.0 (Prisma Access)

App-ID Layer 7 granularity, continuous trust verification, deep DLP inspection, all apps covered, single pane

What's New in SASE 3.0
  • AI-Powered Data Security — LLM classification with 20x accuracy improvement over traditional DLP
  • App Acceleration (Zycada) — up to 5x faster SaaS performance via AI-driven prefetching
  • ADEM with AIOps — AI-driven root cause analysis with automated ITSM remediation
  • Enterprise DLP + Prisma Browser Integration (Dec 2025) — dynamic sync of 1,000+ classifiers

Competitive edge: Only vendor named Leader in all three Gartner Magic Quadrants — SASE Platforms, SSE, and SD-WAN. Highest Ability to Execute axis. 40% of new SASE customers are net-new to Palo Alto Networks.

Acquired as CloudGenix for $420M in 2020. Prisma SD-WAN provides application-defined networking with AI-powered path selection, connecting branches, data centers, and multi-cloud environments on a unified platform managed through Strata Cloud Manager.

ION Device Family

ION 1000

Small branch / retail / remote workers

ION 9000

Large enterprise / campus / high throughput

Virtual ION

Software-defined for cloud deployments

AI-Powered Capabilities
  • AIOps Command Center — AI dashboard for WAN performance, automated root cause analysis, closed-loop remediation
  • SD-WAN Copilot (Feb 2025) — AI assistant combining SD-WAN data with best-practice guidance, automated support case creation
  • Dynamic Path Selection — ML-driven real-time optimization across private/public VPN, Direct Internet, with automated asymmetry correction
Native SASE Integration

Direct onboarding of SD-WAN sites to Prisma Access without CloudBlade (Feb 2025). Both managed via Strata Cloud Manager — single pane of glass. Branch offices and mobile users share identical security profiles (Antivirus, Anti-Spyware, URL Filtering, DNS Security). NGFW + SD-WAN integration at data centers (Aug 2025) combines PAN-OS security with SD-WAN on a single platform. CDSS Branch Security (Oct 2025) adds on-box protection for intra-branch policy enforcement.

3M+

Licenses Sold

11x

YoY Growth (Q3 FY25)

1,000+

DLP Classifiers

40%

More Threats Blocked

Built on the Talon Cyber Security acquisition (~$625M, Nov 2023). The browser is now the primary enterprise interface — 85%+ of enterprise activity flows through it. Prisma Browser extends Zero Trust and SASE protection directly into the browser, closing the "last mile" visibility gap that exists even when SASE is deployed. Further enhanced by the Koi Security acquisition (~$400M, Feb 2026) for agentic endpoint and extension security.

Security Capabilities

Data Protection

  • • LLM-augmented DLP (20x accuracy)
  • • Block clipboard, screenshots, printing
  • • Watermarking & file encryption
  • • Camera/microphone controls
  • • GenAI prompt auditing (GDPR, PCI, EU AI Act)

Threat Prevention

  • • AI phishing detection (CV + NLP)
  • • Extension governance (install/runtime/update)
  • • Behavioral scoring & keylogger detection
  • • QUIC, ECH, large file inspection
  • • 30.9B+ attacks blocked daily (Precision AI)
Three-Layer Architecture

Managed + Agent

Full SASE via GlobalProtect tunnel

Managed + Browser

Adds last-mile in-tab controls

Unmanaged + Browser

No agent needed — BYOD/contractor

Customer proof: SecurityScorecard achieved 100K+ user events visible in 7 days with >90% of endpoints secured in 30 days. A leading cybersecurity company saw 95% reduction in data leakage instances with 20,000 endpoints onboarded in 2 months.

By the Numbers

SASE at Scale

$1.5B
Annual Recurring Revenue
~40%
Year-over-Year Growth
1,500+
Browser Customers
9M+
Browser Licenses
5x
App Performance Boost

What's New

SASE 3.0 Features

AI-native capabilities that redefine secure access for the modern enterprise.

AI-Powered DLP
LLM classification engine with automatic data labeling. Detects and protects sensitive data with AI precision.
Browser DLP
Extends DLP policies directly into the secure browser, covering copy/paste, upload/download, and screen capture.
End-User Coaching
Real-time in-browser coaching to educate users about risky actions and enforce data handling policies.
Data Security Dashboard
Unified dashboard providing visibility into data security posture across all SASE-protected channels.
ML Behavioral Detection
Machine learning models that detect anomalous user and entity behavior patterns in real time.

Evolution

SASE Evolution

From first-gen SASE to the AI-native platform of today.

SASE 1.0
Foundation
  • Prisma Access launched — cloud-delivered ZTNA + SWG
  • CloudGenix SD-WAN acquisition and integration
  • First unified SASE offering from a major vendor
SASE 2.0
Expansion
  • Talon (Access Browser) acquisition and integration
  • ADEM for autonomous digital experience management
  • Advanced CASB and inline DLP
  • Multicloud backbone (AWS + GCP)
SASE 3.0 Current
AI Era
  • AI-powered DLP with LLM classification
  • Access Browser 2.0 with browser DLP
  • End-user coaching and Data Security Dashboard
  • ML behavioral detection
  • App Acceleration — up to 5x SaaS performance
  • SaaS performance SLAs (unique in market)

Pre-Sales

Scoping Checklist

Key data points to collect before any SASE engagement.

User Count — Total users requiring remote/hybrid access (by location and type)
Locations — Number and distribution of office locations, remote workers, and regions
Current VPN / Proxy — Existing VPN and web proxy solutions, pain points, and contract dates
SaaS Applications — Critical SaaS apps (M365, Google, Salesforce, etc.) and performance requirements
Bandwidth Needs — Per-site and aggregate bandwidth requirements for all traffic types
Branch Count — Number of branch offices requiring SD-WAN connectivity and local internet breakout

Conversations

Discovery Questions

Questions to open SASE conversations and surface network transformation opportunities.

01 How are you securing remote and hybrid workers today — legacy VPN, proxy, or a cloud-based approach?
02 What is your experience with SaaS application performance for remote users? Are you meeting productivity expectations?
03 How are you handling data loss prevention for users accessing sensitive data from unmanaged devices or personal browsers?
04 Are you backhauling branch traffic to a central data center, or have you moved to direct internet access?
05 How many separate point products are you using for remote access, web security, CASB, and SD-WAN today?
06 Have you considered a secure enterprise browser to extend protection into unmanaged and BYOD environments?