New URL Filtering Category: Browser-Runtime-Attack
We intend to introduce a new category called “Browser-Runtime-Attack” under Advanced URL Filtering.
ACTION REQUIRED: An action may be required. The “Browser-Runtime-Attack” category action is currently set to ALERT only for the default profile. If you have multiple URL Filtering security profiles, you may need to update the default action to the recommended ALERT.
How is the Browser-Runtime-Attack category defined?
The Browser-Runtime-Attack category identifies URLs that have been analyzed and detected as malicious by Advanced Web Protection through real-time inspection as the page renders in the browser.
Why introduce this category?
To protect users from a new class of highly evasive post-load, in-browser attacks that assemble dynamically during browser execution, Palo Alto Networks introduced Advanced Web Protection, a capability available to Prisma Browser that brings real-time, in-browser inspection to web security.
When Advanced Web Protection detects these runtime threats, the detection is shared with Advanced URL Filtering under the new "Browser-Runtime-Attack" category to help protect the broader install base. This category provides clear visibility into detections that originate from Advanced Web Protection real-time, in-browser inspection, helping customers understand how the threat was discovered.
What is the recommended action for the Browser-Runtime-Attack category?
The recommended action for this category is Alert.
Is this a single-category or a multi-category classification?
The Browser-Runtime-Attack category is a multi-category classification. It is used together with an existing malicious category, such as phishing, malware, grayware, command-and-control, and others.
The existing malicious categories describe what type of threat it is, while "Browser-Runtime-Attack" shows how the threat was detected during browser execution.
How can we identify this category in the URL filtering log?
In URL Filtering logs, the "Browser-Runtime-Attack" category will appear in the URL Category List field alongside other applicable categories.
For example: malware,browser-runtime-attack
This allows administrators to clearly identify detections that originated from real-time, in-browser inspection.
Can customers submit a change request (CR) for this category?
No. The "Browser-Runtime-Attack" category does not support change requests (CRs). However, customers can still submit change requests against the associated malicious category (such as phishing or malware) for the same URL, following the standard URL Filtering change request process.
When will the Browser-Runtime-Attack category appear in Content Updates?
The "Browser-Runtime-Attack" category is scheduled to appear in Content Updates on January 30, 2026. At this time, the category will be visible under URL filtering profiles but will not yet be functional.
When will the Browser-Runtime-Attack category be functional?
The "Browser-Runtime-Attack" category is scheduled to become functional on March 28, 2026.
Will the Browser-Runtime-Attack category be visible across all PAN-OS versions?
Yes, the Browser-Runtime-Attack category will be visible on all supported PAN-OS software versions.
Additional Information
For more information on best practices when managing URL Filtering categories, check out these resources:
Complete List of PAN-DB URL Filtering Categories
For more information on Advanced Web Protection, check out these resources:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
| Subject | Likes |
|---|---|
| 3 Likes | |
| 2 Likes | |
| 1 Like | |
| 1 Like | |
| 1 Like |
