
AI-Driven Cybersecurity: What Palo Alto Networks is Doing in Threat Detection and Response


Nir Zuk, Founder and CTO at Palo Alto Networks, joins Daniel Newman and Patrick Moorhead discussing the transformative power of AI in cybersecurity.

Are you confident in your organization’s cyber-resilience strategy? 🤔 Hosts Patrick Moorhead and Daniel Newman sat down with Nir Zuk, Founder and CTO of Palo Alto Networks, at MWC25 for an in-depth discussion on the power of AI to fine-tune enterprise cybersecurity. They share insights on AI’s potential in threat detection, response, and the shaping of future security measures.

Their conversation covers 👇

🔹How AI is reshaping the threat landscape: AI empowers both attackers and defenders, rendering old security methods obsolete and demanding new strategies.

🔹Defense in the age of AI: The need for cybersecurity to shift from prevention to rapid detection and response, leveraging AI to scale and accelerate these efforts.

🔹Going beyond cat-and-mouse: AI-powered behavioral analysis, trained per customer on the normal behavior of users, applications, machines and cloud workloads, flags activity that does not make sense for that infrastructure regardless of how the attacker got in, rather than chasing each new malware variant or exploit.

🔹The future of security expertise: AI will automate mundane tasks, freeing security analysts to focus on higher-level threats and to combine vendor telemetry with enterprise-specific data as machine learning practitioners.

Learn more at Palo Alto Networks.

Transcript

Patrick Moorhead:
The Six Five is On The Road here at Mobile World Congress 2025 in Barcelona. And as you would expect, it’s all about connectivity. It’s all about AI. And of course, we are talking about security.

Daniel Newman:
Yeah, Pat, this is a big show every single year we come here. But you’ve seen the transformation. Yes, a lot of service providers are still here. Lots of talk about mobile and devices at the edge, but we’ve also seen it kind of shift to more enterprise, more. Of course, you said cloud, and then now, I mean, just the theme of the industry has been AI. And I think if we didn’t expect this to be a big show about AI, then we would probably be missing the expectation. And of course, as you said, bringing together AI, we have to be thinking about security.

Patrick Moorhead:
Yeah. Listen, every fundamental shift that we’ve seen in technology and computing that I’ve chronicled over the last 35 years, security postures change. And also we have nation states with incredible budgets and technologies that are pretty much doubling down on stealing all your data and all your money. But with that said, I can’t imagine a better person to talk to. CTO and founder of Palo Alto Networks, Nir Zuk. Welcome to the show.

Nir Zuk:
Thank you for having me.

Patrick Moorhead:
Yes. And I just have to say happy birthday. Happy anniversary. 20th anniversary.

Nir Zuk:
Yeah, just a few days ago.

Patrick Moorhead:
Yeah. That’s incredible. Incredible run.

Daniel Newman:
So, Nir, you sort of heard us in the preamble setting this up. We had a great chance to talk backstage a little bit, talking about kind of how the security has really moved away from traditional endpoint, traditional network. It’s moving to the cloud. And of course, AI is changing everything. Love to get your kind of take on how AI is transforming the cybersecurity space at large.

Nir Zuk:
Of course. So the headline is AI is transforming cybersecurity, both on the attacker side and on the defender side. From the attacker perspective, the use of AI, and generally automation, not just AI, is rendering many traditional defense mechanisms useless. It’s become virtually impossible to detect malware, because the detection of malware is mostly based on knowing something about the malware in advance and then looking for polymorphism of that malware. And today, with AI, they can generate new malware or take an existing one and completely modify it, just like that. So malware detection is virtually impossible. Today, anti-phishing is not working because LLMs can generate phishing that is virtually impossible to detect. And we can go one by one through different attack mechanisms and show how automation, and specifically AI-based automation, is rendering those useless.

So the main change is that we cannot assume anymore that we can keep our adversaries outside of our infrastructure. Another way to look at it is it’s always been true that we need to be successful. Sorry. It’s always been true that if they try enough times, let’s say a thousand times, they’ll be in, because we’re not going to be correct a thousand out of a thousand times at detecting them. It’s extremely difficult. It’s just that traditionally, trying a thousand different attacks has been very, very expensive and was limited to very specific attackers. Today, generating a thousand different attacks is a no-brainer. And therefore stopping them, again being correct a thousand out of a thousand times, has become impossible. So what it does is it makes us shift the defense from “let’s keep them out” to “let’s assume that they’re in, and now let’s go and find them and stop them as quickly as we can.” And that’s where AI comes into play on the defense side.

Patrick Moorhead:
So how does AI help in the detection and the response? And maybe if you can highlight too, because AI has been around for a while, right? There was a big boom in machine learning, I think seven or eight years ago. So this latest crop of AI, how does it help?

Nir Zuk:
So as I said, we are shifting our thinking in cybersecurity to: let’s assume we’ve been breached, the attackers are inside, let’s go and find them and stop them. And there are a few ways to do that, but it turns out that all of them are based on machine learning. So one way is to look for the command and control connections that are almost always required where the attacker is controlling something that’s inside. Turns out that machine learning is the best way to detect those, based on DNS queries, based on URLs and other things like that. And then, more importantly, the traditional role in the enterprise of assuming that the attackers are inside, let’s detect them and stop them, has been the one of the security operations center, which is all human-analyst based. It’s just that the human analyst can only investigate very few events every day, which makes the mean time to detect and the mean time to remediate be measured in weeks. Machine learning is really good at taking what the analysts do and scaling it up from a few events per day to millions and tens of millions and hundreds of millions of events per second. So essentially what we do with machine learning-based AI is take what the human analysts would do when assuming that the attacker is inside and we need to find them and stop them, and we scale it up to a point where it becomes extremely effective, bringing down the mean time to detect and the mean time to respond, remediate, recover, whatever you want the R to be, to a few minutes.

Patrick Moorhead:
Understood.

Daniel Newman:
So the whole security industry is a bit of a, you know, the colloquialism would be a cat and mouse game, like the nation states and the hackers invest big and then companies build solutions to stop them and then they build, and then you build something to compete. AI has changed the, you know, the telemetry, it’s going so much faster. The reaction time. You kind of mentioned they used to wait for something for malware and then they would build something to see it. Now AI can almost auto-generate new malware in real time. How is this, how does this get played out over time as they become more competent in their threats and their attacks? It means Palo Alto and companies in this space have to be even more proactive, more on top of it. Is AI going to enable security companies to sort of win here in some ways, or is it going to always be this game of back and forth between the bad actors and the companies trying to stop them?

Nir Zuk:
So that’s an excellent question. Turns out that the way we use AI, specifically machine learning-based AI, on the defense side ends this cat and mouse game. It ends. And the reason it ends is because, while traditionally we’ve been looking for specific attack methods: they’ll develop malware, we look for the malware; they have new ways of developing malware, we look for the new ways of developing malware; they find vulnerabilities and exploit these vulnerabilities, we find these vulnerabilities and block their exploits, and so on. It’s been this game. With AI on the defense side, especially when you assume that you have been breached and now you’re going to find the attacker and stop them, we don’t look for specific attacks anymore. What we look for is behaviors. So specifically, what we use machine learning for is to study and learn the specific infrastructure of each customer separately. So we learn the behavior of entities: users, applications, machines, workloads in the cloud. We learn the behavior of those for each and every specific infrastructure, each part of the infrastructure, and then we look for things that don’t make sense.

So that means that it doesn’t matter how the attacker got in, it doesn’t matter how they move laterally inside the organization. It doesn’t matter what they’re after and how they’re going to get there and what they’re going to do with it and how they’re going to take it out, if that’s their goal. What we’re looking for is something that, behavior-wise, doesn’t make any sense in the infrastructure. That’s what SOC analysts have always been looking for, through correlation rules and through looking through events. But they couldn’t do it because of the scalability challenges. That’s what we do with machine learning-based AI. We look for behaviors that don’t make sense, and that ends the cat and mouse game. I don’t care how they got in, I don’t care what they do, how they did it. I just want to look for things that don’t make sense in the context of the specific infrastructure I’m watching.

Patrick Moorhead:
So AI, obviously one of these next ground-breaking technologies that is changing everything, including security. And I’m a little bit of a history buff, and historically with new technology people initially feared losing their jobs. But what ended up happening is it actually ended up being a net adder, creating jobs. You talked a little bit about the security analysts. With all this great technology, do we even need security analysts anymore?

Nir Zuk:
The answer is yes, we need security analysts. We need security analysts to develop different skills. And by the way, they’re all happy about it, because it’s not about chasing specific events and malware and exploits and things like that. Their job right now is turning into helping the AI to do what it does, which means that AI is doing all the mundane stuff and analysts are doing the really difficult things that AI cannot do and probably will never be able to, right? So that’s one thing. The second thing is, as a vendor, the kind of machine learning-based AI models that we can provide our customers, and today we provide about 2,000 of them, these were all developed, in our case, by ex-, what you’d call, nation state attackers. So we hire those attackers in different countries and they come and work for us, and they use their attack knowledge to develop machine learning models that will detect the attacks that they know how to perform. But there are still attacks that are specific to each customer industry or each customer-specific case, attacks that can only be detected using not just the data that we collect from the network, from endpoints, from the cloud, from applications and so on, but data that’s relevant for that specific customer industry or specific customer scenario.

So for example, airlines might be collecting information about ticket sales. They might be collecting information from the planes that are flying. Banks might be collecting information that’s related to fraud. Manufacturers might be collecting information that’s related to OT and IoT devices that you don’t see on the network, that you can only see in their control systems. And then analysts that work for each of these specific enterprises need to take the data that’s collected specific to that enterprise, plus the data that’s collected by the cybersecurity vendors, combine them together and run machine learning on that. So they need to become machine learning experts. So certainly the job is changing. It’s probably going to require more people, not less, and people with different skills. So if you’re a security analyst in the SOC and you’re watching this, sign up for an online machine learning course and start learning about that.

Patrick Moorhead:
Interesting. That’s a great take. Unique take by the way.

Daniel Newman:
It’s interesting too, these former nation state bad actors proving that crime does pay, as they get great jobs working with a company.

Nir Zuk:
So I want to say something about that. You’ve mentioned nation state attackers a few times already and I’ve been waiting for the right moment to say what I’m going to say right now.

Patrick Moorhead:
So.

Nir Zuk:
So we are hiring some of these nation state attackers to work on the good side, not that nation state. In some, I consider some nation states. Okay, yeah, yeah. So we hired them only from the good nation states to work for us on the defense side, developing machine learning models to detect the kind of attacks that they know how to perform. But some of these ex-nation state attackers are also moving to the dark side and are building companies that are developing attack toolkits as a service. Some of them supposedly only sell it to other nation states. But if you’ve been following some of these companies from Israel and some of these companies from the US, and I’m sure in other countries it’s even worse, they have not always sold just to government organizations, and this kind of technology is finding its way into the hands of criminal organizations. So I think that the discussion about nation state attacks versus criminally motivated or activism motivated or whatever the motivation is, is moot. Meaning we just cannot distinguish between nation state attackers and traditional attackers or criminal attackers or other motivation-based attackers to the same degree that we could have in the past. The only difference is still the amount of money that they’re willing to invest, but with the amount of money that’s needed going down, I wouldn’t make that distinction anymore.

Daniel Newman:
I appreciate your breakdown.

Patrick Moorhead:
Interesting.

Daniel Newman:
But you know, we started talking about your 20 years, so now, you know, 20 years later, the company is doing very different things and it’s continuing to evolve. Share a little bit of your perspective about how Palo Alto Networks is leading the charge. How are you? Because everything we’ve talked about so far you could sort of say is broadly painted about how companies in this space are addressing it. How’s Palo Alto thinking about and making sure it maintains a leadership position in this AI-driven cybersecurity world?

Nir Zuk:
Of course. So first, I wouldn’t say that Palo Alto Networks has changed its mission over the last 20 years. I started the company 20 years ago with the mission of, over time, taking more and more cybersecurity functions and delivering them on a best-of-breed basis as part of a platform. Right. The cybersecurity market is very fragmented.

Patrick Moorhead:
Sure.

Nir Zuk:
I was there in the early days. So 30 years ago I started with a small startup in Israel called Check Point, and I built a lot of the products there, and that was really the first cybersecurity company. Maybe there were a few endpoint security companies before that, but that was the real first cybersecurity company. It’s just that the company took the wrong turn when they decided to focus just on basic network security and let other sub-markets evolve. Right. There was identity and access management with SecurID in the mid-90s, and IDS/IPS with ISS in the mid-90s, and URL filtering with SurfControl and others, and so on. It shouldn’t have been like that. It should have been a normal market where one vendor is able to do all the different things. So I started Palo Alto Networks 10 years later, in February of 2005, to change that back to where it should be: a platform that’s doing everything that cybersecurity needs on a best-of-breed basis, but it takes time. So we started with network security, we took over the network security market, and then we continued to other spaces, namely endpoint security, cloud security, SOC, to a point where today we’re by far the largest cybersecurity vendor in the world. And we’re continuing to do that, and we’re seeing more and more cybersecurity functions being delivered as part of this platform. So that’s one thing about Palo Alto Networks. Now, in the world of AI, and not just for cybersecurity, in the world of AI generally, the competition between different vendors is based on how much data you have. And the quality of the data.

Look, I’ve been using machine learning since the early 90s, okay? It’s not new. Yeah, GPT is a little bit newer, but still, everybody knows the algorithms. They’re open source. Now the difference between the vendors is a little bit, the models are important. But the biggest part of what differentiates different vendors in the space is the quantity and quality of the data that you have. And that makes the larger vendors disproportionately much more competitive than the smaller ones. The dynamic is, okay, you’re the largest vendor, you have all the data in the world and you have high-quality data because you control the network security collection and the endpoint collection and the cloud collection and so on. So you have the best AI because you have the best data. And then you compete against the smaller vendors and they’re not in that position. So you win, which means you have more data and more high-quality data. And it’s a snowball. And you see it in every other industry. The reason everybody’s using Google and not Bing is not because the Google algorithms are better than the search algorithms that Bing has. It’s because they have 10 times more data. Right. They’ve been doing it for longer, and they know that when you do a search, they know which search result you like: it’s the one you never come back from. So they have more data and their search is more accurate, and then you use it more and then the search becomes more accurate, and so on. And the same is true for any AI-based company in the space. The largest vendors are in a position where it’s very, very hard to unseat them. And it’s going to be a world of large vendors.

Daniel Newman:
Yeah, I want to say thank you so much for spending some time. Very, very interesting conversation. We’re going to have to mark that last sort of part right there, the big prediction on it. I mean, I think we agree philosophically that the largest vendors across the technology space have continued to only further in a day. Breaking in like an OpenAI has been incredibly hard and required immense amounts of capital to be able to remember.

Nir Zuk:
With OpenAI, the data is publicly available. They scraped it all. With cybersecurity and with search and with things like that, it’s proprietary data. You cannot just go out and buy the last 20 years of data collection from anyone.

Daniel Newman:
Right, right, absolutely. And even in their case, though, the amount of money it’s required to even be playing, while they still burn billions of dollars a year. It’s been very impressive to watch your journey. Congratulations. I’d love to have you back on sometime soon. We look forward to watching. We’ll see you again soon. Have a great MWC.

Nir Zuk:
Thank you for having me.

Daniel Newman:
Thank you, everybody, for being part of this Six Five On The Road. We’re here at Mobile World Congress 2025 in Barcelona, Spain. It is humming in here. There’s a lot going on. That was a great conversation on all things cybersecurity. And wow, a lot of change in this space. Powered by AI, but really powered by a future where data, and all the value, quality and quantity of high-value data, will make the difference. For this episode, for this show, for Patrick and myself, time to say goodbye. See you all later.
