$PANW KEY READ-THROUGHS FROM PALO ALTO NETWORKS Q3 FY26 EARNINGS CALL
Palo Alto Networks’ Q3 FY26 call created a materially more constructive cross-sector signal for cybersecurity, AI infrastructure, observability, identity security, data-center networking, and selected semiconductor and electrical-infrastructure suppliers. The central message was that AI is not reducing the need for cybersecurity; it is increasing the required depth, speed, and breadth of enterprise security architecture. Management explicitly reframed frontier AI as a structural accelerant of attack velocity, telemetry volume, identity sprawl, network traffic, SOC automation demand, and platform consolidation. The call also contained several important negative read-throughs: point-product security architectures appear increasingly exposed, legacy SIEM and periodic vulnerability-scanning models are being structurally challenged, observability vendors face a new security-led competitor with a cost-disruption angle, SASE pure plays face more credible platform competition from firewall incumbents, and hardware OEMs face rising memory and storage component costs despite improving demand. The most actionable insight is that the AI investment cycle is broadening from compute into security, networking, observability, identity, power infrastructure, and enterprise architecture modernization, with Palo Alto positioning itself as a consolidation platform across several of those pools.
CYBERSECURITY PLATFORMS / BROADER SECURITY SOFTWARE
AI EXPANDS THE TERMINAL VALUE OF CYBERSECURITY RATHER THAN COMPRESSING IT (READ-THROUGH 1)
Affected companies: Palo Alto Networks (PANW: US), CrowdStrike (CRWD: US), Fortinet (FTNT: US), Zscaler (ZS: US), Cloudflare (NET: US), Check Point Software (CHKP: US), SentinelOne (S: US), Okta (OKTA: US), Tenable (TENB: US), Qualys (QLYS: US), Rapid7 (RPD: US)
Directional impact and magnitude: Positive for scaled cybersecurity platforms; high magnitude for Palo Alto Networks, medium-to-high for CrowdStrike, Fortinet, Zscaler, and Cloudflare, medium for the broader public cybersecurity complex. Negative for narrow point-product vendors lacking real-time telemetry, inline enforcement, identity context, or automated response; medium-to-high magnitude for static vulnerability-management and legacy SOC tooling vendors.
Supporting call evidence: Management stated that frontier AI has created “the era of truly cyber-capable systems,” with models capable of “autonomous capability to execute comprehensive attack campaigns from start to finish.” Management also stated: “Mark my words, Mythos has increased the terminal value of the entire cybersecurity industry.” The company cited a Unit 42 simulation of a ransomware campaign from initial entry to data exfiltration in 25 minutes, contrasted with typical enterprise breach detection still requiring days.
Transmission mechanism: The call supports the view that AI increases the velocity and complexity of attacks, raising required spend on real-time prevention, identity control, endpoint security, cloud runtime defense, observability, and SOC automation. The value chain shifts from compliance-oriented security budgets toward mission-critical infrastructure budgets. Scaled platforms benefit because customers need integrated telemetry, automated response, and policy enforcement across multiple control points. Point products are pressured because fragmented data creates latency, false positives, and incomplete context.
Near-term trading catalyst versus long-duration shift: The near-term catalyst is improved sentiment toward the entire cybersecurity group after management pushed back against the market narrative that AI could commoditize security software. The longer-duration shift is a potential upward revision to sustainable growth assumptions for cybersecurity platforms if AI-driven attack velocity forces enterprises to modernize security architecture over multiple years.
FIREWALLS / NETWORK SECURITY / SECURITY APPLIANCES
AI DATA-CENTER TRAFFIC IS REACCELERATING NETWORK SECURITY AND EXTENDING THE LIFE OF FIREWALL APPLIANCES (READ-THROUGH 2)
Affected companies: Palo Alto Networks (PANW: US), Fortinet (FTNT: US), Check Point Software (CHKP: US), Cisco Systems (CSCO: US), F5 (FFIV: US), Arista Networks (ANET: US)
Directional impact and magnitude: Positive high magnitude for Palo Alto Networks. Positive medium magnitude for Fortinet, Check Point, Cisco, F5, and Arista as category beneficiaries of higher data-center traffic and inspection requirements, although Palo Alto’s share-gain language is competitively negative for peers.
Supporting call evidence: Management said network security delivered its “strongest Q3 in several years” and hardware delivered “the strongest hardware performance in a decade.” Next-generation firewall bookings rose nearly 40% year-over-year. Management cited early access to “AI data center build-outs,” new buyers such as “sovereign infrastructure providers and AI labs,” and the need for “high-throughput hardware” as agentic AI increases machine-to-machine traffic. In Q&A, Arora stated: “As more traffic traverses networks, more inspection is needed. When more inspection is needed, hardware is the cheapest and fastest throughput mechanism to inspect the data.”
Transmission mechanism: AI agents create more east-west traffic, more API calls, more machine-to-machine interactions, and more sensitive data movement across cloud and data-center environments. That increases demand for high-throughput network inspection, firewall capacity, software firewalls, and consistent policy enforcement. Firewall appliances are no longer just perimeter tools; they become inline runtime enforcement points for AI-era traffic inspection. Palo Alto benefits most directly because the company reported nearly 40% growth in next-generation firewall bookings and called out share gains. Fortinet and Check Point benefit from the category reacceleration, but the read-through is partly offset by Palo Alto’s apparent competitive momentum.
Near-term trading catalyst versus long-duration shift: The near-term trading catalyst is positive for firewall-exposed names because Palo Alto validated a better-than-expected hardware and network security spending environment. The longer-duration shift is that AI may extend the useful strategic life of firewalls and inline inspection, undermining the prior market assumption that appliance security would steadily lose relevance to cloud-native and endpoint-first architectures.
SASE / SSE / ZERO TRUST NETWORK ACCESS
PALO ALTO’S “SECOND WAVE OF SASE” SIGNALS INCREASED COMPETITIVE PRESSURE ON SASE PURE PLAYS (READ-THROUGH 3)
Affected companies: Palo Alto Networks (PANW: US), Zscaler (ZS: US), Cloudflare (NET: US), Fortinet (FTNT: US), Cisco Systems (CSCO: US)
Directional impact and magnitude: Positive high magnitude for Palo Alto Networks. Negative medium-to-high magnitude for Zscaler and Cloudflare in enterprise SASE/SSE if Palo Alto’s firewall-installed-base advantage continues to convert into displacement wins. Positive medium for Fortinet and Cisco insofar as buyers increasingly value integrated network and security stacks, but negative where Palo Alto is displacing competitors.
Supporting call evidence: SASE ARR reached $1.6B, up 40% year-over-year. Management said Palo Alto remains the fastest-growing provider in the SASE market and highlighted nearly 50 displacement wins totaling $200M in contract value to date. Arora described Palo Alto as the “second wave of SASE” and argued that customers increasingly want “a comprehensive network stack,” “a single policy across multiple network capabilities,” and the ability to duplicate Palo Alto firewall policies across the entire network stack.
Transmission mechanism: SASE demand is shifting from simple VPN replacement and internet-access security toward integrated network transformation, SD-WAN, browser security, cloud security, software firewalls, and common policy architecture. Palo Alto benefits because it can sell SASE into an installed base that already uses its firewall policy model. Zscaler and Cloudflare face risk that large enterprises prefer consolidated network-security platforms rather than standalone SSE/SASE architectures. Fortinet and Cisco may benefit from the same integrated-stack preference, but Palo Alto’s displacement data indicates competitive share loss risk.
Near-term trading catalyst versus long-duration shift: The near-term catalyst is negative for SASE pure-play sentiment because Palo Alto showed 40% ARR growth and disclosed $200M of displacement TCV. The long-duration shift is that SASE may increasingly be sold as part of a broader network-security platform rather than as a standalone category, which would structurally favor vendors with firewall, SD-WAN, browser, cloud, and policy-management breadth.
SOC / SIEM / SECURITY OPERATIONS
XSIAM’S TRACTION IS A DIRECT NEGATIVE READ-THROUGH FOR LEGACY SIEM AND QUERY-BASED SOC ARCHITECTURES (READ-THROUGH 4)
Affected companies: Palo Alto Networks (PANW: US), Cisco Systems / Splunk (CSCO: US), Elastic (ESTC: US), Rapid7 (RPD: US), IBM (IBM: US), CrowdStrike (CRWD: US)
Directional impact and magnitude: Positive high magnitude for Palo Alto Networks. Negative medium-to-high magnitude for Cisco/Splunk, Elastic, Rapid7, and IBM in legacy SIEM/log analytics use cases. Mixed medium impact for CrowdStrike, which benefits from the same SOC modernization theme but faces Palo Alto competition in security operations automation.
Supporting call evidence: XSIAM entered Q3 with more than $600M in ARR, up 100% year-over-year, across 740 customers. Management said XSIAM is “our primary response to the emerging frontier model threat” and argued that organizations “can no longer rely on legacy query-based architectures or manual dashboards.” Lee Klarich stated that customers cannot operate under a “legacy model of meantime detection of days” when attackers can execute attacks “start to finish in tens of minutes.”
Transmission mechanism: AI-driven attacks reduce the acceptable time window for detection and response. That shifts SOC budgets away from manual dashboards, query-based investigation, and retrospective log search toward automated, AI-driven platforms capable of ingesting massive telemetry volumes and initiating remediation in minutes. Palo Alto benefits because XSIAM is positioned as the platform that turns telemetry from network, endpoint, cloud, identity, AI, and observability into automated response. Legacy SIEM vendors are at risk if customers view their architectures as too slow, too manual, or too expensive at AI-scale telemetry volumes.
Near-term trading catalyst versus long-duration shift: The near-term catalyst is positive for Palo Alto and negative for legacy SIEM-exposed vendors because XSIAM’s $600M+ ARR and 100% growth provide evidence that the platform is already scaling. The longer-duration shift is a secular re-architecture of the SOC around automated response, telemetry consolidation, and machine-speed remediation.
OBSERVABILITY / LOG MANAGEMENT / DEVOPS INFRASTRUCTURE
CHRONOSPHERE CREATES A NEW SECURITY-LED COMPETITIVE THREAT TO OBSERVABILITY INCUMBENTS (READ-THROUGH 5)
Affected companies: Datadog (DDOG: US), Dynatrace (DT: US), Elastic (ESTC: US), Cisco Systems / Splunk (CSCO: US), Palo Alto Networks (PANW: US)
Directional impact and magnitude: Positive high magnitude for Palo Alto Networks. Negative medium-to-high magnitude for Datadog, Dynatrace, Elastic, and Cisco/Splunk, particularly in AI-native and high-volume telemetry accounts.
Supporting call evidence: Chronosphere ARR surpassed $300M in Q3, up more than 50% from Q2 and nearly doubling since the acquisition announcement. Management disclosed that Palo Alto surpassed $200M in ARR with a leading frontier AI lab using Chronosphere for observability across training and inference clusters, with expected growth next quarter as migration continues. Arora stated that Chronosphere can deliver comparable observability capability at “approximately half the cost of what the industry charges.” Klarich also described future “cross-pollination” between observability data and security use cases.
Transmission mechanism: AI workloads generate extreme telemetry volumes from model training, inference, agents, infrastructure, and application performance. High telemetry volumes intensify observability cost pressure. Chronosphere’s pitch appears to combine lower cost, AI-scale architecture, and security-data adjacency. That creates competitive pressure on observability incumbents whose pricing models may become problematic for AI-native customers. Palo Alto gains both direct observability ARR and indirect security advantage because observability data becomes another sensor for XSIAM and broader platform defense.
Near-term trading catalyst versus long-duration shift: The near-term catalyst is negative for observability pure-play multiples because Palo Alto provided evidence of a large AI-native customer migration and rapid ARR growth. The longer-duration shift is potentially more important: observability and security may converge at the data layer, creating an advantage for platforms that can monetize telemetry across both performance and security use cases.
IDENTITY SECURITY / PAM / MACHINE IDENTITY
AGENTIC AI EXPANDS THE IDENTITY SECURITY TAM BUT SHIFTS THE CENTER OF GRAVITY TOWARD SECURITY PLATFORMS (READ-THROUGH 6)
Affected companies: Palo Alto Networks (PANW: US), Okta (OKTA: US), Microsoft (MSFT: US), CyberArk as part of Palo Alto Networks, IBM (IBM: US)
Directional impact and magnitude: Positive high magnitude for Palo Alto Networks through CyberArk and Idira. Mixed-to-negative medium magnitude for Okta and Microsoft identity franchises: the TAM expands, but Palo Alto is positioning identity as part of a broader security platform rather than a standalone IAM layer.
Supporting call evidence: Management launched Idira as “our next-generation identity platform for the AI-driven enterprise.” Arora stated that the industry previously operated under the “IAM fallacy,” the belief that only privileged administrators needed to be secured. He argued that “every identity, whether human, machine, or software agent, now possesses the potential to access the sensitive systems at machine speed.” CyberArk exceeded internal benchmarks, and joint go-to-market efforts initiated approximately 1,000 cross-organization engagements.
Transmission mechanism: Agentic AI creates many new non-human identities with access to tools, data, code repositories, infrastructure, and enterprise workflows. That expands the need for privileged access controls, machine identity governance, certificate management, and real-time access enforcement. Palo Alto benefits because CyberArk gives it a strategic identity-security pillar that can be integrated into network security, Cortex, Prisma AIRS, and SOC automation. Okta and Microsoft benefit from a broader identity TAM, but face risk that security buyers increasingly view identity not as a standalone authentication layer, but as an embedded control surface within integrated cyber platforms.
Near-term trading catalyst versus long-duration shift: The near-term catalyst is positive for Palo Alto because CyberArk integration appears ahead of plan and has not disrupted top-line momentum. The longer-duration shift is that identity security may become inseparable from AI-agent governance, privileged access, runtime authorization, and security telemetry, making standalone IAM less defensible unless tightly integrated with security operations and policy enforcement.
ENDPOINT SECURITY / EDR / AI DEVELOPER WORKSTATIONS
AGENTIC ENDPOINT SECURITY IS EMERGING AS A NEW BATTLEGROUND, VALIDATING ENDPOINT TAM BUT RAISING FEATURE-GAP RISK FOR INCUMBENTS (READ-THROUGH 7)
Affected companies: CrowdStrike (CRWD: US), SentinelOne (S: US), Microsoft (MSFT: US), Palo Alto Networks (PANW: US)
Directional impact and magnitude: Positive medium-to-high for endpoint TAM overall. Positive medium for Palo Alto Networks through Koi and platform adjacency. Mixed for CrowdStrike, SentinelOne, and Microsoft: positive category expansion, but negative competitive risk if agentic endpoint controls require new architecture rather than incremental EDR features.
Supporting call evidence: Management said the acquisition of Koi has already generated interest from more than 150 customers. Klarich said “the endpoint really changed” because AI and vibe-coding tools bring “skills and hooks and scripts and MCP servers and all sorts of other stuff” onto the endpoint. He stated that this creates “a whole new endpoint ecosystem on top of the one that already existed” and “requires specialized functionality,” not “just adding a couple features.”
Transmission mechanism: AI coding tools, local agents, MCP servers, scripts, plug-ins, and workflow automation expand the endpoint attack surface. Existing EDR products monitor process behavior, malware, and exploit activity, but agentic workflows introduce new risk around code execution, tool permissions, credential access, and autonomous actions. Endpoint vendors benefit from renewed customer urgency, but those without specialized controls for agentic development environments may face competitive displacement or roadmap pressure. Palo Alto can use Koi as a wedge into a new endpoint control plane tied to Prisma AIRS, XSIAM, and identity.
Near-term trading catalyst versus long-duration shift: The near-term catalyst is limited because Koi was immaterial to Q3 results, but the 150-customer interest signal is notable. The longer-duration shift is more important: endpoint security may move from traditional EDR toward governance of autonomous agents, coding assistants, local toolchains, scripts, and machine identities.
CLOUD SECURITY / CNAPP / VULNERABILITY MANAGEMENT
STATIC POSTURE MANAGEMENT AND PERIODIC SCANNING LOOK STRUCTURALLY IMPAIRED AS ATTACK WINDOWS COMPRESS (READ-THROUGH 8)
Affected companies: Tenable (TENB: US), Qualys (QLYS: US), Rapid7 (RPD: US), Palo Alto Networks (PANW: US), CrowdStrike (CRWD: US)
Directional impact and magnitude: Negative medium-to-high for Tenable, Qualys, and Rapid7 where revenue is tied to periodic vulnerability scanning, VM, or legacy exposure management. Positive medium for Palo Alto and CrowdStrike where cloud and endpoint platforms can integrate real-time detection, runtime defense, and automated remediation.
Supporting call evidence: Management stated that “traditional periodic scanning is insufficient when attack timelines are measured in minutes.” Palo Alto said it proactively transitioned its cloud portfolio “from static posture to real-time detection through Cortex Cloud” and expects most Prisma customers to migrate to Cortex Cloud by the end of the fiscal year. Arora also said frontier models can identify and weaponize vulnerabilities in “mere minutes,” versus processes that previously required months of manual effort.
Transmission mechanism: If attackers can exploit vulnerabilities within minutes, periodic scanning loses strategic relevance unless connected to real-time enforcement, runtime protection, prioritization, and remediation. VM and CSPM budgets may migrate toward continuous exposure management, CNAPP, runtime cloud protection, and SOC-integrated workflows. Tenable, Qualys, and Rapid7 face risk if customers view scan-centric architectures as too slow or disconnected from enforcement. Palo Alto benefits if Cortex Cloud turns Prisma customers into a real-time cloud detection and response base, although management acknowledged that the migration is still incomplete.
Near-term trading catalyst versus long-duration shift: The near-term catalyst is negative for static VM/CSPM sentiment because Palo Alto explicitly called out the inadequacy of periodic scanning. The long-duration shift is a budget reallocation from visibility-only tools to integrated platforms that can detect, prioritize, and remediate at machine speed.
AI SECURITY / AI GATEWAYS / MODEL RUNTIME DEFENSE
PRISMA AIRS VALIDATES A NEW AI SECURITY BUDGET, BUT THE MARKET IS LIKELY TO CONSOLIDATE INTO BROADER PLATFORMS (READ-THROUGH 9)
Affected companies: Palo Alto Networks (PANW: US), Cloudflare (NET: US), Zscaler (ZS: US), CrowdStrike (CRWD: US), Microsoft (MSFT: US)
Directional impact and magnitude: Positive high magnitude for Palo Alto Networks. Positive medium for Cloudflare, Zscaler, CrowdStrike, and Microsoft as AI security budgets develop. Negative medium for vendors that can only provide isolated AI gateway or model-scanning functionality without identity, runtime, network, SOC, and observability integration.
Supporting call evidence: Prisma AIRS reached more than 300 customers in Q3, tripling from approximately 100 at the end of Q2. Management said Prisma AIRS has “clear visibility towards $100 million in ARR within the next couple of quarters” and called it “the fastest-growing product in our history.” A global consulting leader signed a deal for more than $20M, selecting Prisma AIRS to secure a fleet of AI apps and agents running more than 2T tokens per month on Palo Alto’s platform. The Portkey acquisition was described as adding an AI gateway capable of processing trillions of tokens monthly and applying real-time policy to agent-to-agent interactions.
Transmission mechanism: Enterprises are moving AI applications and agents into production, creating budget demand for AI model scanning, red teaming, prompt and data controls, runtime policy enforcement, token monitoring, agent identity governance, and AI gateway inspection. Palo Alto benefits because Prisma AIRS is presented as an end-to-end AI security platform rather than a narrow point product. Cloudflare, Zscaler, CrowdStrike, and Microsoft can participate in AI security budgets, but the call suggests buyers may prefer platforms that integrate AI gateways with identity, network traffic inspection, endpoint control, cloud runtime protection, and SOC response.
Near-term trading catalyst versus long-duration shift: The near-term catalyst is positive for Palo Alto because the customer count tripled sequentially and management provided visibility to $100M ARR. The longer-duration shift is that AI security may become a required enterprise platform layer, but standalone AI-security tools may be vulnerable to consolidation into larger security stacks.
HYPERSCALERS / CLOUD INFRASTRUCTURE
ENTERPRISE AI SECURITY WORKLOADS ARE REINFORCING HYPERSCALER CENTRALITY, NOT DRIVING A RETURN TO ON-PREM (READ-THROUGH 10)
Affected companies: Microsoft (MSFT: US), Amazon (AMZN: US), Alphabet (GOOGL: US), Oracle (ORCL: US), Palo Alto Networks (PANW: US)
Directional impact and magnitude: Positive medium for hyperscalers. Positive high for Palo Alto’s cloud-native virtual firewall and AI-security overlay. The magnitude is medium for hyperscalers because security is a second-order demand signal relative to total cloud consumption, but the strategic signal is important.
Supporting call evidence: Arora stated: “AI is not an on-prem event. It’s typically a cloud event hyperscaler.” He added that Palo Alto had built native virtual machine capability in many hyperscalers and that “native firewalls sitting in those hyperscalers allow us to inspect traffic, not just regular cloud traffic, but also AI traffic.”
Transmission mechanism: As AI models, artifacts, agents, and data pipelines are hosted in public cloud, enterprises require security controls embedded directly in hyperscaler environments. This increases stickiness and consumption for Microsoft Azure, AWS, Google Cloud, and Oracle Cloud, while creating demand for third-party security overlays that can inspect cloud-native AI traffic. Palo Alto benefits because native virtual firewalls and Prisma AIRS can be deployed where AI workloads reside. Hyperscalers benefit because the AI security stack reinforces cloud as the default execution environment.
Near-term trading catalyst versus long-duration shift: The near-term trading catalyst is modest because the hyperscaler revenue base is large and the call does not quantify cloud consumption. The longer-duration shift is more meaningful: enterprise AI security architecture appears cloud-native by default, reinforcing hyperscaler strategic relevance and increasing cloud security attach opportunities.