Palo Alto Networks Bets Its Balance Sheet on an ‘Agentic’ Security Future

A platform built for an AI attack surface that is already speeding up

Palo Alto Networks used its fiscal second-quarter stage not merely to report another period of solid growth, but to sketch out a security landscape being redrawn by artificial intelligence—and to justify two of the most ambitious bets in its history.

Nikesh Arora, the group’s Chairman and CEO, opened by underscoring the urgency. Unit 42, its threat intelligence arm, now sees end‑to‑end attacks occurring four times faster than a year ago. In roughly a quarter of cases, attackers are not only in but have exfiltrated data in less than an hour. Yet, in Palo Alto’s diagnosis, nine out of ten breaches are still preventable; what is missing are coherent visibility and control across a sprawl of point products.

That narrative has been the backbone of the company’s “platformization” strategy for years. In Q2, it translated into approximately 110 net new “platformizations” — customers standardising on multiple Palo Alto platforms — a quarterly record outside the seasonally strong fourth quarter, and a 35% rise in total platformized customers to about 1,550. Among those, net retention stands at 119% with low single‑digit churn, evidence that once organisations commit to the platform, they keep layering on more.

The macro inflection, in Arora’s telling, is that AI is moving from experimentation to embedded workflow. That shift, he argued, changes the security question from “what can models do?” to “who and what can they safely control?” It is a framing that neatly connects Palo Alto’s core franchises—network, endpoint, cloud, and SOC—to the company’s latest moves in identity and observability.

Network security: SASE, the browser, and a post‑quantum drumbeat

The network security business delivered what Arora described as a “standout” quarter. SASE ARR has now pushed past $1.5 billion, growing around 40% year-on-year and, by management’s reckoning, making Palo Alto the fastest-growing SASE provider at scale. Underneath that headline is a quiet rotation: early pandemic-era SASE deployments are being revisited, as customers discover that first-generation offerings no longer match today’s threat and hybrid work complexity.

That reassessment benefits an integrated architecture. Palo Alto now pitches a single SASE fabric spanning hardware and software firewalls, cloud-delivered security, and a secure browser. The latter, born of the Talon acquisition, has become a central control point. Prisma Browser is in use at more than 1,500 customers, including around 10% of the Global 2000, with another 2 million seats sold in Q2 alone, bringing total licences to over 9 million.

Where rivals are only now turning their gaze to the browser layer, Palo Alto is positioning its approach as more fundamental—arguing the browser should act as a native security platform, not a retrofitted endpoint via extensions. In a world where users, data and AI agents intersect increasingly in the browser, control at that edge could prove economically and strategically pivotal.

Alongside SASE, the “hidden gem” of software firewalls continues to compound, with ARR up about 25%, reflecting demand in multi‑cloud environments, particularly as AI workloads distribute across infrastructures. Hardware, a softer spot last year, showed its best performance in several quarters with nearly 10% revenue growth, partly on early uptake of Gen 5 appliances.

There is also a more esoteric front: post‑quantum security. Arora highlighted growing concern over “harvest now, decrypt later” strategies, where adversaries steal encrypted data today in anticipation of quantum decryption tomorrow. Palo Alto recently hosted a quantum summit drawing nearly 5,000 attendees and has built quantum-aware capabilities not just for its own firewalls but, it says, integrating telemetry from ten other vendors into a new quantum-focused subscription. The pending Venafi acquisition, via CyberArk, is expected to extend this into certificate lifecycle management and a broader “next‑generation trust” offering.

Cortex and the AI SOC: XSIAM and AgentiX as automation engines

If the network is about control points, Cortex is about orchestrating them. Here, Palo Alto’s bet on an AI-driven SOC — made years before “copilots” became a staple of security marketing — is beginning to show scale.

XSIAM, its analytics and automation platform, has now surpassed $500 million in ARR, with nearly 150 new customers added in Q2, taking the total above 600. Average ARR per XSIAM customer hovers close to $1 million, underlining that these are architectural decisions rather than marginal tools. More important than the revenue line, management insisted, is what customers are seeing: more than 60% of deployed XSIAM users now record mean time to remediation under 10 minutes, compared with days or weeks previously.

The next leg of that story is AgentiX, Palo Alto’s framework for what Arora described as a “workforce of autonomous AI agents”. Unlike traditional tools that remain confined to their own silos, these agents are intended to operate across first- and third-party infrastructure: detecting an issue in XSIAM, then reaching into cloud consoles, identity providers or firewalls to remediate at machine speed. Around 200 XSIAM customers already have early access.

In this vision, XSIAM provides the data and decisioning backbone, while AgentiX supplies the actuators. That combination becomes more potent when fused with a high-scale observability layer—precisely what the Chronosphere acquisition is meant to furnish.

Prisma AIRS and Koi: assembling a universal AI security platform

Beyond using AI internally, Palo Alto is racing to secure AI itself. Over the last two years, the company has stitched together a stack of AI security capabilities; in Q2, management framed these collectively as a “universal AI security platform” designed to protect models, agents, and the runtime environments where they operate.

At its core sits Prisma AIRS, launched only a few quarters ago but now supporting more than 100 customers. From Q1 to Q2, customer count more than tripled, while bookings doubled, and Arora spoke of a nine‑figure pipeline already in view. Prisma AIRS spans model sandboxing, red‑teaming, and runtime defences across AI‑powered applications — an answer, the company says, to enterprises that have moved past pilots and now want guardrails.

The other, more nascent, risk surface is at the endpoint. As AI agents proliferate in the form of MCP servers, browser extensions, plug-ins and ephemeral local code, much of that activity falls outside traditional XDR visibility. Here, Palo Alto has opted for M&A again. It announced its intent to acquire Koi, an Israeli start‑up focused on securing what Arora calls the “agentic endpoint.” Palo Alto itself has been a Koi customer since mid‑2025.

Koi’s technology will be pulled into XDR 2.0, and over time integrated with Prisma AIRS and Prisma Browser. The ambition is comprehensive visibility and governance over AI software and agents that live and operate on endpoints and in browsers—precisely the layer that, in Arora’s words, is currently “an unmanaged attack surface”.

The urgency is reinforced by recent concerns around “open cloud” developers tools and AI assistants, which can quietly introduce privileged code to endpoints. Koi, together with AIRS, is intended to position Palo Alto ahead of what management portrays as the next big endpoint threat cycle.

Chronosphere: observability as the nervous system for autonomous enterprises

Chronosphere, whose acquisition closed near the end of Q2, barely moved the quarter’s revenue needle but already looms large in Palo Alto’s strategic architecture. The observability specialist is generating roughly $200 million in ARR—“well above” expectations, according to Arora—and has signed a multi‑year, nine‑figure expansion with a leading AI model provider, displacing an incumbent in the process.

Chronosphere’s appeal lies in a re‑architected observability stack that can handle the telemetry demands of AI‑native and cloud‑born companies at lower cost than legacy systems. Over 80% of its new logos last year landed with multiple products — metrics, logs and traces — suggesting that even at this stage, customers are adopting it as a platform rather than a point solution.

For Palo Alto, the combination of Chronosphere’s “deep visibility” with AgentiX’s autonomous agents forms the technical basis for what Arora calls a “self‑healing autonomous enterprise.” Observability identifies and contextualises anomalies; agents act. That closed loop, if it can be generalised beyond a handful of marquee AI customers, could shift how security and operations budgets are allocated.

CyberArk and identity: securing humans, machines and AI agents

If observability and AI agents are one new pillar, identity is the other. Palo Alto closed its acquisition of CyberArk early in Q3, adding more than 4,000 employees and—by management’s accounting—about $1.2 billion of next-generation security ARR as of December 2025.

CyberArk arrives with momentum: its most recent quarter produced record net new ARR and 30% subscription ARR growth at scale. Palo Alto is not merely buying that franchise; it is re‑casting identity as the gating layer for a world in which AI agents “log in” at machine speed.

Historically, CyberArk has been strongest in privileged access management (PAM) at the high end of the market. Lee Klarich, Chief Product and Technology Officer, suggested the category itself is in the midst of a transformation towards “modern PAM”: just‑in‑time controls, zero standing privileges and more user‑friendly workflows. Those shifts both harden security and reduce the friction that has long limited adoption beyond the most security‑sensitive enterprises.

The roadmap now runs through three layers:

• Humans: Broadening CyberArk’s reach from privileged users to a fuller human identity stack, potentially integrated directly into the Prisma Browser where users concretely work.
• Machines: Using CyberArk’s machine identity and Venafi’s certificate lifecycle management to automate what are today human‑intensive, failure‑prone tasks. Palo Alto is already building a subscription that combines firewall telemetry with Venafi’s capabilities to discover and remediate certificate and cryptographic weaknesses, including in a post‑quantum context.
• AI agents: Treating agentic identities as a hybrid of machine and privileged user, requiring new policy models and enforcement hooks. Here, integration with Prisma AIRS — which already has deep ties into AI infrastructure — is expected to be central.

The controlling thesis is stark: when agents become operational entities in their own right, “logging in becomes a primary attack vector.” By owning both identity verification (“who”) and control point enforcement (“what”), Palo Alto aims to be, in Arora’s words, “the only company that can verify the who and secure the what simultaneously.” Management is explicit that the long‑term goal is to become the largest player in identity security.

Financial contours: growth, leverage and a heavier capital structure

Beneath the strategic narrative, Q2’s numbers showed the familiar pattern of steady growth and expanding profitability, albeit now layered with significantly more balance-sheet risk.

Next‑generation security ARR rose 33% year-on-year to $6.33 billion. Stripping out the roughly $200 million from Chronosphere, organic NGS ARR growth was 28%, with net new ARR up 11%. The engine remains SASE, software firewalls and XSIAM, supported increasingly by early contributions from Prisma AIRS.

Total revenue expanded 15% to $2.59 billion, with services up slightly above 13% and product up 22%. Software form factors now constitute 45% of product revenue over the trailing twelve months, up from 38% a year ago. That shift, together with better hardware demand, is altering the gross margin mix: product gross margin rose 150 basis points year-on-year to 78.2%, but dipped 180 basis points sequentially as hardware volumes ticked up. Services gross margin fell 100 basis points to 75.6% amid a positive mix shift towards SASE, which remains in its scale‑up phase.

Regionally, growth was broad-based: the Americas rose 14%, EMEA 17%, and JPAC 17%. Remaining performance obligation reached $16.0 billion, up 23%, with current RPO at $7.1 billion, up 18%. Chronosphere contributed around $150 million to the total RPO, though its usage-based economics mean ARR and recognised revenue are more revealing indicators.

Operating discipline remains a key part of the story. Non‑GAAP operating margin hit 30.3%, up 190 basis points year-on-year, marking the third consecutive quarter above 30%. Non‑GAAP EPS was $1.03, again above guidance, and adjusted free cash flow for the trailing 12 months was $3.75 billion, a 37.9% margin. Management reiterated its ambition to reach a 40% free cash flow margin by fiscal 2028 and $20 billion of NGS ARR by 2030.

The balance sheet, however, is changing shape. Palo Alto ended Q2 with $7.9 billion in cash and equivalents after paying $2.6 billion in cash for Chronosphere. The CyberArk close in Q3 adds another $2.3 billion outlay, taking the combined cash spend on these two deals to $4.9 billion. On top of this, Palo Alto has guaranteed CyberArk’s 2030 convertible notes and, because the acquisition triggered a make‑whole fundamental change, must offer to repurchase them.

Dilution is also material: 112 million shares were issued for CyberArk. For Q3, management expects 812–817 million fully diluted shares, and 768–773 million for the full fiscal year, reflecting timing of the acquisition and buyback dynamics.

Guidance: a bigger base, more moving parts

The fiscal 2026 outlook now folds in both CyberArk and Chronosphere, as well as a definitional shift: CyberArk’s previously bookings-based ARR metric has been conformed to Palo Alto’s revenue-based NGS ARR definition, resulting in a 2%–3% lower reported figure than CyberArk’s own metric would have implied.

For Q3 2026, management guided to:

• NGS ARR of $7.94–$7.96 billion, up 56%, including $1.47 billion from M&A.
• RPO of $17.85–$17.95 billion, up 32%–33%, with $1.6 billion from M&A.
• Revenue of $2.941–$2.945 billion, up 28%–29%, including $340 million from M&A.
• Non‑GAAP EPS of $0.78–$0.80.

For the full fiscal year 2026, expectations are:

• NGS ARR of $8.52–$8.62 billion, up 53%–54%, including $1.52 billion from M&A.
• RPO of $20.2–$20.3 billion, up around 28%, including $1.6 billion from M&A.
• Revenue of $11.28–$11.31 billion, up 22%–23%, including $760 million from M&A.
• Operating margin of 28.5%–29%.
• Non‑GAAP EPS of $3.65–$3.70.
• Adjusted free cash flow margin of 37%.

Within that, product revenue is projected to grow about 25% in Q3 and in the low‑20s for the year, with CyberArk’s term and perpetual licence components hitting the product line, while Chronosphere’s revenue is entirely within services.

There are also supply chain nuances. Dipak Golechha, CFO, noted “marginal” pressure from higher memory and storage costs in product cost of goods, but argued that the company’s growing software mix, scale, and prior experience navigating COVID-era constraints should blunt the impact. Pricing actions later in the fiscal year are intended to offset much of the cost inflation and have been baked into guidance.

Execution risk: integrating identity and observability at speed

For investors, the strategic logic of this M&A‑fuelled platform expansion is straightforward: AI is rapidly changing how software is built and run; security must migrate to where agents act, identities are asserted, and systems self‑heal. Palo Alto wants to be the fabric tying those pieces together.

The risk lies in execution. Chronosphere and CyberArk are not tiny tuck-ins; they are, in headcount and ARR terms, substantial enterprises with their own cultures and cadences. Bringing more than 4,000 identity specialists and roughly 250 observability engineers into Palo Alto’s operating model, while keeping existing growth engines humming, is non‑trivial.

Management’s answer is process. Arora emphasised that both deals have been months in preparation. At CyberArk, he said, every employee was assigned a role and OKRs for the combined entity and informed within 48 hours of close. Cross‑functional integration workstreams across IT, finance, HR, product and go‑to‑market have been set up with clear governance.

On the field side, the company has already mapped overlapping pipelines and aligned incentives to encourage joint selling. Early signs, Arora suggested, are promising, with CyberArk reps surfacing Palo Alto opportunities and vice versa even as systems integration lags.

Chronosphere, by contrast, will initially be run with a lighter touch: its go‑to‑market will continue to hunt “whale” observability deals, with Palo Alto providing selective air cover on key accounts while engineering teams focus on wiring AgentiX into Chronosphere’s stack and, longer term, building out more turnkey enterprise features to displace incumbents and DIY deployments.

Behind the operational choreography is a more philosophical bet. Arora drew a careful distinction between Palo Alto’s data and that of typical enterprise applications. The latter tend to encode structured business processes; security data, by contrast, is live telemetry from control points, refined by blocking some 30 billion attacks a day and processing 15 petabytes of telemetry in its AI SOC. In his framing, “precision AI” is not a copilot bolted onto a product set, but models trained on this proprietary activity and embedded at the moment of decision.

Whether large language models become existential threats to SIEM‑like systems was a question the CEO brushed aside. Today’s LLMs, he argued, are immensely useful in classification and summarisation, but their 5% error rate is disqualifying in a domain where defenders must be right all of the time and attackers right only once. More to the point, Palo Alto’s products sit at the edges that create novel, domain‑specific telemetry; that, he contends, is not something generic LLMs can magic away.

For now, the numbers still bear out the thesis that AI is more tailwind than threat. The true test will be whether, as enterprise AI usage finally catches up with the massive capex in AI data centres, Palo Alto’s enlarged platform — spanning identity, observability, AI agents and the traditional control points — can convert that wave into measurable acceleration, without stumbling on the sheer complexity of what it has just set out to integrate.