New Features - Prisma AIRS - April 2026

AI Red Teaming includes a dedicated trace header in every outbound request, enabling teams to distinguish AI Red Teaming traffic from the rest of the production traffic. To facilitate rapid identification by Engineering and security operations center (SOC) teams, all outbound requests (such as target profiling, target validation, and scans) include the x-airs-red-teaming-trace-id header, which contains a unique, randomized UUID.

This update enhances log attribution by using the UUID for direct correlation with internal system logs. As a result, the trace ID provides a way to improve troubleshooting efficiency. Moreover, by enabling teams to quickly filter out scan requests with attack prompts, this enhancement reduces alert fatigue and ensures that security teams remain focused on genuine external threats.

Furthermore, the trace header can help in streamlining the auditing process. It enables organizations to isolate all AI Red Teaming traffic through a single, simple query. This capability is a useful approach for accelerating compliance reporting and conducting comprehensive post-scan analyses. By providing clear visibility, this update ensures that AI Red Teaming Exercises provide maximum value without creating unnecessary noise within the production environment. You can consider leveraging this header to enable precise, stable identification of red teaming traffic, independent of IP addresses. This can also be utilized for adding rich context to observability and analytics, supporting policy control, and for making monitoring more accurate and scalable.

When you need to assess the security posture of your Microsoft Copilot Studio agents, AI Red Teaming now provides native, out-of-the-box integration that eliminates the manual configuration overhead previously required for agent security testing. This feature enables you to directly connect to your Copilot Studio deployments allowing you to immediately begin vulnerability assessments without the need to manually configure API endpoints, headers, or request-response schemas.

You can use this capability when you need to validate the security of Copilot-based workflows deployed across your organization, particularly when those agents have access to sensitive internal tools or Power Automate flows. The native integration is especially valuable if you are a security engineer responsible for evaluating tool-calling safety and preventing unauthorized execution of business-critical automation, or if you are an application security manager who needs to understand the real business impact of potential Copilot breaches. By selecting Microsoft Copilot Studio as your target type under the Agent category, you gain immediate access to automated agentic profiling that discovers your Copilot's system goals and integrated tools, then applies tailored AI Red Teaming attacks designed specifically for the unique vulnerabilities present in multi-agent architectures.

You should consider using this feature when you want to significantly reduce the time from agent discovery to first security scan, particularly if your organization relies heavily on the Microsoft ecosystem for AI agent deployment. This approach ensures that your security assessments accurately reflect the sophisticated attack vectors that could be exploited in production Copilot deployments, giving you confidence that your AI agents are hardened against both common and advanced threats before they impact your business operations.

The Multi-Lingual Support feature in the AI Red Teaming scanning evaluates your AI applications in multiple global languages while maintaining an English-based management interface. This capability addresses a critical security gap where large language models may exhibit inconsistent safety alignment across different languages, potentially refusing harmful requests in English while complying with identical requests in other languages such as German, French, Spanish, Russian, Portuguese, or Simplified Chinese.

You can use Multi-Lingual Support to validate the security posture of your AI applications before deploying them to international markets. When you configure an AI Red Teaming assessment, you select your target language from the available options, and the system delivers adversarial prompts in that language while capturing the model's responses in the same script. This allows you to identify vulnerabilities that only surface when your model processes non-English inputs, such as a model that refuses to generate phishing content in English but complies when prompted in another language. The feature provides you with individual reports that display both the attack prompts and model responses in their native language and script, ensuring you can review the exact interaction as it occurred. At the same time, executive summaries and insights remain in English, giving your global security teams a unified view of risk across all regional deployments from a single centralized dashboard.

You should consider using this feature if you operate AI applications that serve global users or if you need to meet compliance requirements for specific regional markets. The capability is particularly valuable when you need to assess how your models behave in local contexts with culturally relevant attack scenarios, going beyond simple translation to incorporate regional industry context and competitive intelligence into the testing methodology. By identifying cross-lingual vulnerabilities during your security assessment phase, you can prevent exploitation in production environments and ensure consistent safety alignment across all languages your applications support. Whether you are a security engineer validating localized applications or a global CISO reviewing risk assessments across international assets, this feature enables you to maintain comprehensive security oversight while benefiting from operational consistency through the unified English interface.

This feature provides comprehensive visibility into the versioning of your Network Channels clients. When you deploy Network Channels for connecting your AI Red Teaming operations to private network resources, you can now track and monitor the specific version of each client instance directly from the AI Red Teaming web interface. This enhancement addresses an important usability gap where you previously had no way to determine which client versions were running without manually logging into each host machine or reviewing local log files.

By implementing this version-tracking mechanism, you gain the ability to identify outdated clients at a glance through the Network Channel management interface. This functionality compares your installed client versions against the latest available version, and provides you with an option to perform an upgrade for leveraging the latest Network Channel capabilities such as custom SSL and proxy support. Moreover, for organizations running multiple client instances across different Network Channels for high availability purposes, the Channel Details page displays granular information including the client hostname, IP address, connection duration, and the specific version for each of the connected client.

API Rate Limiting for AI Runtime Security's Scan API controls the volume and frequency of API requests made by individual tenants. This mechanism enforces per-tenant limits on both the number of requests and the volume of tokens processed, ensuring equitable resource distribution and service stability in your environment. Without rate limiting, a single tenant could consume excessive API capacity, degrading service quality for other tenants sharing the same infrastructure. This feature mitigates that risk by enforcing limits derived from your tenant's subscription, preventing "noisy neighbor" issues and ensuring fair resource allocation.

Note: Per-tenant limits have an allocated cap on requests-per-second (RPS) and tokens-per-minute consumed by the AI Runtime API. By default, for each tenant, rate limits of 150 RPS and 15 million tokens per minute are enforced. Contact your Palo Alto Networks account team to request additional allocated throughput.

Note: To ensure service stability, requests that arrive in short bursts may be throttled even if the overall rate limit has not been reached. Palo Alto Networks recommends distributing requests evenly over time for best results.

WebSockets connection method support enables you to directly test and scan AI applications that rely on WebSocket protocols for real-time, streaming, and full-duplex communication. This feature extends Prisma AIRS automated AI Red Teaming capabilities beyond traditional REST APIs to cover modern AI systems such as real-time voice assistants, financial trading agents, and high-velocity chatbots that demand low-latency.

With this feature, you can now add WebSocket-based targets directly within the AI Red Teaming using the Add Target workflow. The feature supports all existing authentication methods and works seamlessly with publicly accessible endpoints or private network endpoints that have allowed IP addresses. You no longer need to create custom wrapper or middleware to translate REST calls into WebSocket messages, which eliminates the friction of integrating these modern AI services into your product. The feature supports streaming, but only for OpenAI-compliant formats.

You should consider using this feature when your organization deploys AI applications that communicate exclusively or primarily through WebSocket protocols and you need to validate their security posture using automated AI Red Teaming. This is particularly valuable for security engineers who must ensure the safety of real-time streaming applications and for DevSecOps teams looking to integrate comprehensive AI security testing for non-RESTful services. By eliminating the blind spot that WebSocket-only endpoints previously represented, you can achieve a more complete view of your organization's AI risk posture across all communication protocols.

WebSocket is a Beta feature. Please reach out to your Palo Alto Networks Account managers for any assistance.