Cortex by Palo Alto Networks—the AI-based continuous security operations platform—extends next-generation security into cloud. This simplifies deployment and reduces infrastructure and operational overhead. You can use the hub to discover, activate, and access Cortex apps. Most Cortex apps rely on the Cortex Data Lake to analyze and report on your network, cloud, and endpoint data.

Recent Cortex News!

Date Highlight
9 August 2021

Cortex Xpanse Documentation is now available!

This cloud-based subscription provides a complete and accurate inventory of an organization’s global internet-facing assets and misconfigurations to continuously discover, evaluate, and mitigate an external attack surface without the need for any installation/agents.  Cortex Xpanse consists of three products - Cortex Xpanse Expander, Cortex Xpanse Behavior, and Cortex Xpanse Link.

  • Cortex Xpanse Expander identifies and attributes an organization's internet-facing assets to identify sanctioned and unsanctioned assets to map the enterprise attack surface.
  • Cortex Xpanse Behavior uses global Internet flow data to surface communications between Internet-connected assets to detect and stop risky or out-of-policy communications that can be exploited for data breaches or ransomware attacks.
  • Cortex Xpanse Link continuously identifies Internet assets, risky services, or misconfigurations in third parties to help secure a supply chain or identify risk during M&A due diligence. Cortex Xpanse bolsters the broader PANW portfolio by integrating with Prisma Cloud to identify unmanaged cloud assets and integrates with Cortex XSOAR to automate remediation of discovered issues.
15 January 2021

You can now search, filter, and export your Cortex Data Lake log data from within the Cortex Data Lake app. As a result, the individual Explore app will be phased out.

Visit the Cortex Data Lake documentation for help interacting with your logs, information about new features, and all future updates.

Cortex Infrastructure


The hub is the home for all apps built on Cortex. Use it as a launch pad to discover, use, and build apps.

Cortex Data Lake

The Cortex Data Lake stores the context-rich enhanced network logs generated by our security products, including our next-generation firewalls, GlobalProtect cloud service, and Traps management service. Cortex apps use the Cortex Data Lake to access, analyze, and report on your network data.

Cloud Identity

Cloud Identity Engine reduces the complexity of deploying a comprehensive identity solution or transitioning from an on-premises LDAP authentication solution to a cloud-based identity provider (IdP).

Apps Built on Cortex

Cortex XDR

Cortex XDR consumes data from the Cortex Data Lake and correlates logs from different network sensors to reveal threat casualties and timelines—it's your mission control for complete visibility into all your network traffic. The Cortex XDR app triggers alerts based on indicators of compromise (including behavioral anomalies) and can send those alerts to the Cortex Data Lake. Cortex XDR provides a single interface from which you can investigate and triage alerts, take remediation actions, and define policies to prevent future attacks.


AutoFocus® is a cloud-based threat intelligence service that enables you to easily identify critical attacks, so that you can triage effectively and take action without requiring additional IT resources. AutoFocus correlates threat data from your network, industry, and global intelligence feeds, and surfaces what’s most important. This includes giving you a direct pipeline to actionable intelligence from Unit 42, the Palo Alto Networks threat research team—AutoFocus lets you know if Unit 42’s newly-discovered adversaries, campaigns, and exploits have targeted your network, or networks like yours.

Cortex XSOAR

Demisto is now Cortex XSOAR! Learn more about the Cortex XSOAR platform and how it can help you automate your security operations.

Security Lifecycle Review (SLR)

Security Lifecycle Review (SLR) reports now include even more threat data. Get visibility into malware that was first detected on the endpoint, threats that are known to be connected to high-profile attacks, targeted campaigns, or malicious actors, and countries most targeted by threats found on your network.

Cortex Xpanse

Cortex Xpanse is an automated Attack Surface Management (ASM) platform that provides a complete and accurate inventory of an organization’s global internet-facing assets and misconfigurations to continuously discover, evaluate, and mitigate an external attack surface, flag risky communications, evaluate supplier risk or assess the security of M&A targets.


Explore the Cortex Data Lake by searching, filtering, and exporting log data. This app offers you critical visibility into your enterprise's network activities by allowing you to easily examine network and endpoint log data.