I feel that Palo Alto Networks AutoFocus can improve, especially since most of the OEMs are implementing MDR, Managed Service feature, which is still not available with Palo Alto. The MDR feature is the only aspect that bothers me today, as other OEMs such as Sophos are analyzing Palo Alto and providing recommendations on strengthening that part. Additionally, the earlier complimentary BPA practice assessment has now become chargeable, which means we cannot assess the posturing of our firewall. They are providing a solution, but a separate license is required for the BPA.
While Palo Alto Networks AutoFocus is effective, I always prefer to have a second source of threat intelligence feed to ensure coverage for zero-day vulnerabilities that might be missed. This is more about architecture than a flaw in AutoFocus itself.
There is room for improvement in the pricing model. For additional features, maybe Palo Alto could improve their documentation. It would be helpful to have better documentation for configuring and installing the solution. Currently, the documentation is not very comprehensive, and there isn't much information available. Sometimes it's difficult to understand how to use it.
Senior Staff Security Engineer at a renewables & environment company with 1,001-5,000 employees
Real User
Mar 14, 2021
At times in AutoFocus, when you have a homegrown application or you check another threat intelligence feed, it's not malicious but is still categorized as gray. We need to request a change in the verdict; AutoFocus then deals with it and sends us an update that it is benign for us. It would be better if they used the threat intelligence feeds directly from their side and changed the verdict instead of us requesting it.
I would like to have more technical documentation that contains greater detail on the types of threats that are occurring. Examples of things that I would like more technical details about are specific malware and APTs. This solution seems to run slowly, although I haven't used another similar solution that I can use to compare it.
Threat Intelligence Platforms offer organizations tools to identify, assess, and manage cyber threats efficiently. They integrate with existing security systems, enhancing threat detection and response capabilities to ensure robust cybersecurity defenses. These platforms aggregate and analyze threats from numerous sources, providing valuable insights into potential vulnerabilities and attack vectors. They are essential for organizations looking to streamline their cybersecurity efforts by...
I would like the tool to see more integration with Cortex XDR. There is no real reason to keep them separate.
It must be on-premises as well; it must have a server on-premises. It is a completely cloud-based product at present.