I feel that Palo Alto Networks AutoFocus can improve, especially since most of the OEMs are implementing MDR, Managed Service feature, which is still not available with Palo Alto. The MDR feature is the only aspect that bothers me today, as other OEMs such as Sophos are analyzing Palo Alto and providing recommendations on strengthening that part. Additionally, the earlier complimentary BPA practice assessment has now become chargeable, which means we cannot assess the posturing of our firewall. They are providing a solution, but a separate license is required for the BPA.
While Palo Alto Networks AutoFocus is effective, I always prefer to have a second source of threat intelligence feed to ensure coverage for zero-day vulnerabilities that might be missed. This is more about architecture than a flaw in AutoFocus itself.
There is room for improvement in the pricing model. For additional features, maybe Palo Alto could improve their documentation. It would be helpful to have better documentation for configuring and installing the solution. Currently, the documentation is not very comprehensive, and there isn't much information available. Sometimes it's difficult to understand how to use it.
Senior Staff Security Engineer at a renewables & environment company with 1,001-5,000 employees
Real User
Mar 14, 2021
At times in AutoFocus, when you have a homegrown application or you check another threat intelligence feed, it's not malicious but is still categorized as gray. We need to request a change in the verdict; AutoFocus then deals with it and sends us an update that it is benign for us. It would be better if they used the threat intelligence feeds directly from their side and changed the verdict instead of us requesting it.
Find out what your peers are saying about Palo Alto Networks, Cisco, Recorded Future and others in Threat Intelligence Platforms (TIP). Updated: March 2026.
I would like to have more technical documentation that contains greater detail on the types of threats that are occurring. Examples of things that I would like more technical details about are specific malware and APTs. This solution seems to run slowly, although I haven't used another similar solution that I can use to compare it.
Threat Intelligence Platforms improve an organization's cybersecurity by collecting and analyzing threat data. They offer insights into potential cyber threats, enabling proactive security measures to protect networks. These platforms help organizations manage and analyze threat data from different sources, providing a comprehensive view of potential threats. By integrating seamlessly with existing security systems, TIPs enhance the decision-making process for security teams, enabling them to...
I would like the tool to see more integration with Cortex XDR. There is no real reason to keep them separate.
It must be on-premises as well; it must have a server on-premises. It is a completely cloud-based product at present.