Listen to this Post

Introduction:
The modern cyberattack is no longer a single, isolated event. It is a systematic, multi-stage process that adversaries meticulously execute to achieve their objectives — from initial reconnaissance to final data exfiltration. In today’s AI-driven threat landscape, where attacks can move from initial access to exfiltration in as little as 72 minutes, organizations can no longer afford to rely on siloed, point-in-time security solutions. Palo Alto Networks Cloud-Delivered Security Services (CDSS) address this challenge through a unified, Precision AI®-powered platform that provides prevention across the entire attack lifecycle, stopping threats at every stage before they can cause harm.
Learning Objectives:
- Understand the five-stage attack lifecycle and how Palo Alto Networks CDSS provides targeted prevention at each phase
- Learn to configure and operationalize Advanced URL Filtering, Advanced WildFire, Advanced Threat Prevention, Advanced DNS Security, and AI Access Security
- Gain hands-on knowledge of CLI commands, API integrations, and best practices for deploying CDSS in enterprise environments
- Initial Access — Advanced URL Filtering: Stopping Phishing and Malicious Links Before They Reach Users
The attack begins with initial access — often through a phishing email, a compromised website, or a malicious link. Advanced URL Filtering (AURL) serves as the first line of defense, blocking phishing and malicious web-based attacks in real time before a user can interact with them.
Unlike traditional URL filtering solutions that rely solely on static databases, AURL combines the renowned PAN-DB malicious URL database with the industry’s first real-time web protection engine. When a user requests a web page, the firewall queries PAN-DB for the site’s risk category. If the URL displays risky or malicious characteristics, the web payload data is submitted to Advanced URL Filtering in the cloud for real-time analysis using machine learning (ML) and deep learning models. These models are continuously updated automatically, without requiring administrator intervention.
Step-by-Step Guide — Configuring Advanced URL Filtering:
- Verify Licensing: Ensure your Advanced URL Filtering license is active.
- Access URL Filtering Profile: Navigate to Objects > Security Profiles > URL Filtering and select Add or modify an existing profile.
- Configure Categories: Define site access for URL categories (allow, block, alert, or continue).
- Enable Inline ML: Select Inline ML to enable real-time machine learning-based categorization.
- Set Real-Time Detection: Configure the real-time-detection (cloud inline categorization) action to alert for active profiles.
- Attach to Security Policy: Apply the URL Filtering profile to your Security Policy rules that allow internet access.
CLI Configuration Example:
<blockquote> configure Create a custom URL category set url-category custom "Blocked-Malicious" url "malicious-site.com" Create a URL filtering profile with the custom category set profile-url-filtering "Block-Phishing" action "Blocked-Malicious" block Commit the changes commit
- Execution — Advanced WildFire: Detecting and Blocking Malicious Files in Real Time
Once the attacker gains initial access, the next stage is execution — delivering and running malicious files. Advanced WildFire (AWF) is the industry’s largest cloud-based malware prevention engine, protecting organizations from highly evasive threats using patented machine learning detection engines.
Advanced WildFire employs a multi-layered approach. First, static analysis with machine learning initially determines if known samples or variants are malicious. For unknown files, Advanced WildFire Inline Cloud Analysis holds files from downloading while performing real-time cloud-based analysis. The cloud-based ML detection engines analyze PE (portable executable) files traversing the network to detect and prevent unknown malware in real time. This includes detecting never-before-seen malware (zero-day threats) and blocking it from entering the network environment.
Step-by-Step Guide — Enabling Advanced WildFire:
- Verify License: Ensure you have an active Advanced WildFire license.
- Configure WildFire Analysis Profile: Navigate to Objects > Security Profiles > WildFire Analysis.
- Enable Inline ML: Select the WildFire Inline Machine Learning models and apply an Action Setting for each model.
- Enable Inline Cloud Analysis: In the WildFire Analysis profile, enable Inline Cloud Analysis for real-time PE file inspection.
- Set Forwarding: Configure automatic forwarding of unknown files to the Advanced WildFire cloud.
- Attach to Security Policy: Apply the WildFire Analysis profile to your Security Policy rules.
CLI Configuration Example:
<blockquote> configure Configure WildFire cloud intelligence forwarding set deviceconfig setting wildfire cloud-intelligence enabled yes Set the WildFire cloud server URL set deviceconfig setting wildfire cloud-server wildfire.paloaltonetworks.com Commit the changes commit
Manual File Submission via WildFire Portal:
Administrators can manually submit files for analysis using the Advanced WildFire portal. Submitted samples receive a verdict of benign, grayware, malicious, or phishing, along with a detailed analysis report.
- Command & Control — Advanced Threat Prevention: Disrupting Attacker Communications
After successful execution, malware typically establishes Command & Control (C2) communication to receive instructions from the attacker. Advanced Threat Prevention (ATP) stops C2 traffic by analyzing traffic patterns rather than relying on static signatures.
ATP is an advanced intrusion prevention system (IPS) that detects and blocks malware, vulnerability exploits, and C2 across all ports and protocols. With Inline Cloud Analysis enabled, suspicious traffic is sent to globally distributed, cloud-hosted machine learning and deep learning models for additional in-depth inspection. The firewall intelligently holds the last byte of traffic until the cloud-based analysis is complete, with verdicts returned at lightning speed — enabling real-time inspection without impacting end-user experience.
ATP identifies and stops highly evasive C2 traffic, including those using DNS tunneling or custom-built protocols. It also supports detection of unknown C2 threats developed using frameworks like Sliver C2.
Step-by-Step Guide — Enabling Advanced Threat Prevention:
- Verify License: Ensure you have an active Advanced Threat Prevention license.
- Enable Inline Cloud Analysis: Navigate to Objects > Security Profiles > Anti-Spyware and enable Inline Cloud Analysis.
- Configure Threat Prevention: Go to Device > Setup > Content-ID > Threat Prevention Inline Cloud Analysis to configure proxy settings if needed.
- Create Threat Prevention Profile: Navigate to Objects > Security Profiles > Threat Prevention and configure antivirus, antispyware, and vulnerability protection settings.
- Attach to Security Policy: Apply the Threat Prevention profile to your Security Policy rules.
CLI Configuration Example:
<blockquote> configure Enable Threat Prevention set deviceconfig setting threat-prevention enabled yes Configure Inline Cloud Analysis for Anti-Spyware set profile-spyware "Default" inline-cloud-analysis yes Commit the changes commit
- Lateral Movement — Advanced DNS Security: Blocking Malicious DNS Activity
Lateral movement occurs when attackers use compromised devices to move across the network, often leveraging DNS for command-and-control communication, tunneling, and data exfiltration. Advanced DNS Security (ADNS) provides real-time, AI-powered analysis to protect against sophisticated threats at the DNS layer.
Unlike standard DNS Security, which primarily checks if a requested domain is known to be malicious, Advanced DNS Security inspects the full content of DNS responses to identify signs of tampering, manipulation, and architectural weaknesses. It detects hijacking attempts where an adversary modifies a DNS response to redirect users to fraudulent sites, even if the domain name itself is legitimate. ADNS also identifies DNS tunneling — where malware hides data exfiltration within standard DNS queries — and can detect and categorize hijacked and misconfigured domains in real time.
Step-by-Step Guide — Enabling Advanced DNS Security:
- Verify Licenses: Ensure you have an active Advanced DNS Security license and either Advanced Threat Prevention or Threat Prevention license.
- Update Content Release: Update the content release version to 8832 or later.
- Verify Connectivity: Use the CLI to verify firewall connectivity to the DNS Security service at
dns.service.paloaltonetworks.com. - Create or Modify Anti-Spyware Profile: Navigate to Objects > Security Profiles > Anti-Spyware and enable Advanced DNS Security queries.
- Configure DNS Security Profile: Navigate to Manage > Configuration > NGFW and Prisma Access > Security Services > DNS Security and create or modify a DNS Security profile.
- Attach to Security Policy: Apply the Anti-Spyware profile with ADNS enabled to your Security Policy rules.
CLI Configuration Example:
<blockquote> configure Verify DNS Security connectivity test dns-security connectivity Configure DNS Security settings set deviceconfig setting content-id dns-security enabled yes Commit the changes commit
Advanced DNS Security Resolver and Prisma Agent:
For always-on protection, organizations can deploy the Advanced DNS Security Resolver via the Prisma Agent. This extends protection beyond traditional network boundaries and directly to users, even when they disconnect from the main VPN tunnel. When a user disconnects, DNS traffic is automatically routed to the Palo Alto Networks Advanced DNS Security Resolver, ensuring the same protections are delivered regardless of location.
- Data Exfiltration — AI Access Security: Protecting Sensitive Data Across GenAI and SaaS Apps
The final stage of the attack lifecycle is data exfiltration — the unauthorized transfer of sensitive data. With the proliferation of Generative AI (GenAI) applications, organizations face new risks: employees inadvertently exposing sensitive or proprietary data in prompts and malicious content in responses.
AI Access Security provides comprehensive visibility, granular control, and data protection for both sanctioned and shadow AI applications. It includes an extensive dictionary of over 500 GenAI apps and 60+ attributes to accurately discover and monitor GenAI usage. Security administrators can create fine-grained access control policies to prevent exfiltration of sensitive data to GenAI apps while simultaneously blocking access when necessary.
Step-by-Step Guide — Configuring AI Access Security:
- Verify License: Ensure you have an active AI Access Security license, CASB-PA license, or CASB-X license.
- Access AI Access Security Dashboard: In Strata Cloud Manager, navigate to Insights > AI Access to discover risks posed by GenAI apps.
- Configure Security Policy Rules: Create custom Security Policy rules to control the use of GenAI apps and prevent exfiltration of sensitive data.
- Enable Enterprise DLP: Configure Enterprise Data Loss Prevention (DLP) for inline inspection of data at rest.
- Apply GenAI Best Practice Snippet: Enable the Gen-AI-Best-Practice snippet to quickly implement recommended Security policy rules.
Policy Configuration Example:
Create a security policy rule to block unsanctioned GenAI apps <blockquote> configure set rulebase security rules "Block-Unsanctioned-GenAI" from "trust" to "untrust" set rulebase security rules "Block-Unsanctioned-GenAI" source "any" destination "any" set rulebase security rules "Block-Unsanctioned-GenAI" application "genai-unsanctioned" set rulebase security rules "Block-Unsanctioned-GenAI" action deny set rulebase security rules "Block-Unsanctioned-GenAI" log-start yes set rulebase security rules "Block-Unsanctioned-GenAI" log-end yes commit
CDSS APIs: Extending Threat Intelligence to Your Security Ecosystem
Palo Alto Networks provides RESTful APIs for CDSS, enabling customers to access threat intelligence and analysis data programmatically. The Threat Vault API provides access to threat signature metadata and published release note contents. Advanced Threat Prevention subscription holders can additionally access cloud reports and related PCAP data analyzed by inline deep learning and machine learning models. The DNS Security API (currently in BETA) allows retrieval of DNS domain details, including categorization information.
API Call Example Using cURL:
Retrieve threat information using Threat Vault API curl -H 'X-API-KEY: your_api_key_here' \ 'https://api.threatvault.paloaltonetworks.com/service/v1/threats?id=30001'
What Undercode Say:
- Prevention is proactive, not reactive: CDSS shifts security from reactive firefighting to proactive, lifecycle-based prevention. Organizations must stop treating security as a checklist of isolated products and instead adopt a unified architecture where intelligence is shared seamlessly across all services.
-
AI-powered defense is non-1egotiable: With the complete collapse of the zero-day clock — where vulnerabilities can be discovered and exploited in minutes — traditional signature-based defenses are obsolete. CDSS, powered by Precision AI®, combines machine learning, deep learning, and generative AI to deliver real-time protection against known and unknown threats.
-
Unified visibility drives faster remediation: Disconnected tools create a “silo tax” — the critical window of time required for detection. CDSS provides a unified view of the entire attack continuum, enabling security teams to identify and neutralize threats faster. With Threat Insights and AI agents in Strata Cloud Manager, organizations can transform dashboards from visualization tools into active workspaces for autonomous threat contextualization and remediation.
-
Scale and intelligence matter: CDSS analyzes up to 5.43 billion new events daily, detects nearly 8.95 million never-before-seen attacks, and blocks up to 30.9 billion threats inline. This scale, combined with shared threat intelligence from more than 70,000 customers globally, enables industry-leading prevention accuracy.
Prediction:
-
+1 The adoption of AI-powered, lifecycle-based prevention platforms like CDSS will become the industry standard within the next 3–5 years, as organizations recognize that point solutions cannot keep pace with autonomous AI attackers.
-
+1 Precision AI® and inline deep learning will continue to evolve, enabling even faster detection and prevention of zero-day threats — potentially reducing the attack-to-prevention window from minutes to milliseconds.
-
-1 Organizations that fail to adopt unified, AI-powered security architectures will face increasingly severe breach consequences, as attackers leverage autonomous tools to discover and exploit vulnerabilities at machine speed.
-
-1 The proliferation of GenAI applications will create new data exfiltration vectors that traditional DLP solutions cannot address, forcing organizations to rapidly adopt AI Access Security or risk sensitive data exposure.
-
+1 The integration of AI agents for autonomous threat contextualization and remediation will dramatically reduce mean time to detection (MTTD) and mean time to response (MTTR), shifting security teams from manual triage to strategic oversight.
-
+1 CDSS APIs will enable deeper integration with SIEM and SOAR platforms, allowing organizations to build custom security workflows that leverage Palo Alto Networks threat intelligence for faster, more informed decision-making.
▶️ Related Video (74% Match):
https://www.youtube.com/watch?v=DzE0cDzFQ80
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Dhari Alobaidi – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


