Cloud-Delivered Security Service (CDSS) March Newsletter


Cloud-Delivered Security Service: The Monthly Newsletter for Security That Never Sleeps

Welcome to the March edition of the Cloud-Delivered Security Service (CDSS) Newsletter

This month brings powerful momentum across CDSS, including new innovations that help organizations eliminate security blind spots and stop threats earlier in the attack lifecycle. As hybrid work expands and attackers move faster than ever, visibility gaps across DNS, web, and network traffic continue to put organizations at risk.

 

In this edition, we highlight how Advanced DNS Security Resolver with Prisma Access Agent extends always-on protection to users wherever they work, along with the latest product updates, insights, and best practices to help you adopt a prevention-first approach and stay ahead of modern threats.

 

What’s New In CDSS 

 

  • New Advanced DNS Security Resolver and Prisma Agent Blog: Discover how Advanced DNS Security Resolver, integrated with Prisma Access Agent, extends always-on DNS protection to users wherever they connect. The blog explores how securing DNS traffic off the corporate tunnel helps eliminate visibility gaps, enforce consistent policy, and stop DNS-based threats in real time. See how you can strengthen protection for your hybrid workforce without adding complexity.

Security Spotlight of the Month

Advanced DNS Security Resolver with Prisma Agent

 

As users move outside the corporate network, DNS traffic can go uninspected, creating blind spots that attackers exploit for phishing, command-and-control, and data exfiltration. Advanced DNS Security Resolver, combined with Prisma Agent, closes this gap by ensuring DNS traffic is continuously protected, even when users are off the corporate tunnel. This extends visibility and control to every user, device, and location, eliminating the inconsistencies that leave organizations exposed.

With always-on DNS protection, every DNS request is inspected in real time to detect and block malicious domains before connections are established. Organizations benefit from consistent policy enforcement, stronger protection against DNS-based threats, and a seamless user experience that does not impact productivity. The result is simpler operations, fewer security gaps, and the confidence that one of the earliest and most targeted attack vectors is fully secured wherever users work.

 

Latest Product Updates Across CDSS Core Subscriptions

FedRAMP Moderate: FedRAMP Moderate authorization for ALL of the CDSS Core Subscriptions is complete. Refer to all Palo Alto Networks FedRAMP Authorized services here. 

 

Advanced URL Filtering

  • Update: Login Required for Category Changes: Starting March 15, 2026, users must log in to submit URL category change requests via Test A Site. This update enhances security and prevents misuse. No login required for Category Lookups. No Account? Create one for free.

Advanced WildFire

  • In-Line Cloud Analysis to effectively defeat metamorphic malware: currently available as Beta for Prisma Access 6.1.1 with Explicit Proxy. It supports scanning of all file types, up to 100 MB, ensuring prevention within seconds.
  • Codegene: The proprietary Codegene database automatically identifies and fingerprints shared malware logic. By identifying "fingerprints" in malicious code logic reused across malware families, the system automatically deploys high-confidence YARA rules.

Advanced Threat Prevention

  • NSS Labs EFW 2025 – Palo Alto Networks has been upgraded to a “Recommended” rating following the results of a Follow-On Enterprise Firewall test.
  • SecureIQ 2025 Command and Control Comparative report – 97.02% Overall Block Rate (Next best 46.59%), 100% Empire Block Rate, 94.04% Cobalt Strike Block Rate.

Advanced DNS Security

  • Two new ADNS detections:
      • Malicious Software Hosting Domains: Malicious software hosting domains are increasingly used to mimic legitimate software providers, tricking users into downloading trojanized applications or compromised files. New detection capabilities identify and block these domains in real time at the DNS layer, helping stop threats before connections are established and reducing the risk of infection, data theft, and lateral movement.
      • Stealthy Redirection to Dangling Domains: Stealthy redirection to dangling domains occurs when expired or unclaimed third-party domains are re-registered by attackers and used to silently redirect users to malicious destinations. New detection capabilities identify and block these high-risk domains in real time at the DNS layer, helping prevent malware delivery and exploitation before a connection is established.
  • Advanced DNS Security Resolver (ADNSR) for Prisma Access Agent: Extends real-time protection to every Windows and macOS endpoint, regardless of location. Armed with ADNSR, Prisma Access Agent can now stop zero-day DNS threats even when the tunnel is disconnected: Blog, Tech Doc1, Tech Doc2

Tips & Best Practices

Tip of the Week: Focus on stopping threats at first contact
Most attacks succeed because they are detected after initial access. Attackers move quickly, often progressing from entry to impact in minutes. Prioritize security controls that inspect traffic inline and stop threats at the earliest point of connection, before malware executes, users click, or data is exfiltrated. This reduces dwell time and limits the blast radius of attacks.

 

What is the best practice?
Modern threats move too quickly for reactive security models. Leading organizations are shifting to a prevention-first approach that stops threats inline across DNS, web, and network layers before they can establish a foothold. With cloud-delivered security services (CDSS), this means applying advanced protections that analyze and block threats in real time across all traffic, ensuring consistent security without added complexity or gaps between tools.

 

Did You Know: Threat Facts & Insights

Did you know… Many ransomware attacks begin with outbound connections to attacker-controlled infrastructure, often using DNS to establish command-and-control before encryption even starts.

To stop this, organizations should inspect and control DNS traffic in real time, blocking malicious domains and suspicious communication before connections are established. This prevents ransomware from reaching command-and-control infrastructure, effectively stopping attacks at their earliest stage.

 

Stay Protected with Cloud-Delivered Security Services

 

Palo Alto Networks Cloud-Delivered Security Services (CDSS) help organizations stay ahead of modern threats with unified, AI-driven protection across DNS, web, network, and device environments. This month’s highlights demonstrate how a prevention-first approach can eliminate blind spots, stop threats at the earliest point of connection, and ensure consistent protection across all users and locations.

To learn more about how CDSS can strengthen your security strategy, including hands-on experience through the CDSS Ultimate Test Drive, contact your Palo Alto Networks representative. Stay tuned for next month’s updates as we continue to deliver innovations that simplify security and improve protection across your environment.
