Nir Zuk of Palo Alto Networks joins financial analysts Dave Vellante and John Furrier at RSAC 2025 to explore the changing landscape of cybersecurity. The conversation centers on the evolving role of artificial intelligence and how organizations must adapt their security strategies to combat emerging threats.
Zuk brings a wealth of experience in cybersecurity, having pioneered many advancements at Palo Alto Networks. Joined by theCUBE's Vellante and Furrier, the discussion delves into how AI reshapes security architectures. Zuk emphasizes the need to move beyond traditional security measures that primarily focus on keeping adversaries out and highlights the importance of detecting and mitigating threats once they are inside the system.
Key takeaways from the conversation include Zuk's assertion that fighting AI with AI is imperative and that every company must embrace AI to stay competitive in cybersecurity. According to Zuk, the proliferation of sophisticated attacks necessitates a paradigm shift where organizations must focus on reducing the mean time to detect and remediate threats. This shift underscores the importance of utilizing machine learning and a comprehensive cybersecurity platform strategy, as well as the need for organizations to safeguard AI infrastructure.
Nir Zuk, Palo Alto Networks
Founder and Chief Technology Officer, Palo Alto Networks
Nir Zuk, founder and chief technology officer of Palo Alto Networks, joins theCUBE’s Dave Vellante and John Furrier at the RSAC 2025 Conference to examine how artificial intelligence is transforming cybersecurity. The conversation explores why traditional defense strategies must evolve to keep pace with AI-driven threats.
Zuk explains why organizations need to shift from purely preventive tactics to rapid detection and response. He emphasizes that fighting AI with AI is no longer optional: It’s the new baseline for security resilience.
>> All welcome back to Moscone West. You're watching theCUBE's continuous live coverage of RSAC 2025. I'm Dave Vellante, he's John Furrier, and he is Nir Zuk, who's the founder and CTO of Palo Alto Networks. Good to see you again. Thanks for coming on.
Nir Zuk
>> Thank you for having me again.
Dave Vellante
>> You're welcome. We had a great conversation. I'm sure you've had this many times at Palo Alto Ignite, and you basically were saying to me definitively that everything that we've done in security, the architectures, we have to rethink because of AI. And the premise was that we could handle 99% of the attacks previously with security tools, and that 1% the humans could take care of. But with automation, that all goes away. You have to fight AI with AI. Did I get that right? Is that your premise?
Nir Zuk
>> Almost. Yeah. What I said is that a good security product will be correct 99% of the time, like you said. The question is how much effort does it take to create 100 attacks so that one attack will go through? And it used to be very difficult, and now with the use of AI on the adversary side, not just AI, automation in general, on the adversary side, creating 100 different attacks such that 99 will be stopped and one will be successful has become relatively easy, which means that we need to rethink the way we approach cybersecurity, and not focused just on keeping the adversaries out, but spend more and more on assuming that they're in and now we need to go and find them and stop them because they are in.
Dave Vellante
>> So when I think about the adversary, it's simplified, nation state, organized crime, hackers. There's more of them at the bottom, more sophisticated at the top. Has AI just trickled down that sophistication?
Nir Zuk
>> Not just AI. In general, if you look at what happens in different countries around the world known for having a strong nation state cyber attack organization, and not just... both in the west and in other areas, what we're seeing happening is that some of those cyber attackers, the nation state cyber attackers, when they leave the service, they start private companies to develop cyber attack technology. And officially they're only selling it to other nation states. Practically, we've seen that technology being sold to anyone who's willing to pay. So I don't know if I would distinguish today between nation state attackers and criminals because the criminals do have access to nation state level technology.
Dave Vellante
>> And the other piece of this is essentially, you said every company has to be an AI company. If you're not an AI company, you're not going to be able to compete in cybersecurity.
Nir Zuk
>> Yeah. But that also has implications. Yeah. So what I said is that if you look at, okay, let's assume that the adversaries are inside, we need to go and find them and stop them. Humans can't do that because traditionally humans have been trying to do that in the SOC, in the security operations center. And when you measure how well they do, meaning you measure their mean time to detect, whenever an attack happens, you go back, you look for patient zero, and you see how much time passed and you average that over time, you see that it takes weeks on average from the time the adversaries are in until humans find them. So it's very clear that humans cannot do it. And it turns out that the only way to find them, at least the only way we found that works, is to use machine learning, which is a more stable type of AI, to do that, to find the adversaries and stop them.
>> I was watching a clip of the old Steve Jobs All Things D conference when he was alive, he said, "Apple's the biggest, we're so proud. Apple's the biggest startup. We operate like a startup. We have no committees." Was that seen? People might've seen it. And the key point was, Apple has to act like a startup. You're the founder, if you go back and look at when you founded Palo Alto Networks to kind of where you are now and you're essentially reinventing Palo Alto Networks because of the market conditions, you got to be that startup. What is the internal vision? What are you guys doing now? What's happening? What is actually happening with the product? How do you attack, how do you create this new market opportunity without disrupting existing?
Nir Zuk
>> Correct. So the vision of Palo Alto Networks from the beginning 20 years ago was to over time take more and more cybersecurity functions and deliver them as part of a platform on a best of breed basis. So we started with network security and then we moved to other areas. Like you said, we did that looking at also market conditions. So call it 10 years ago when the cloud started happening, many of our competitors were sure that cloud is not going to happen because they would lose a lot of money if they had to take their physical firewalls and make them virtual and run them in the cloud. So they bet on the cloud not happening. And we said, no, the cloud is going to happen. And yes, today you buy hardware costing millions of dollars to protect your physical data center and a software firewall in the cloud is a few thousand dollars, but we're going to do it anyways because if we don't do it, someone else will do it. And we did it and today we have a very big business protecting cloud.
>> So you had to cannibalize your existing business to bring in the new business.
Nir Zuk
>> Yeah. But over time, it turned out to be well, really good for us. And then we went all in with cloud security in general, not just network security in the cloud, and also we reinvented the SOC, the security operations center with a completely new platform that's been the best selling product in the history of cybersecurity. Okay. Not just ours, cybersecurity. So yeah, we've done it multiple times and I think that the main driver behind it is of course the innovative spirit that we all have, but more importantly, it's very important to identify disruptions early on and always embrace the disruptions. Most companies do not embrace this disruption. When they face the disruption, they fight the disruption and then they disappear over time. Just look at what happened to Nokia, which we all had their cellphones 20 years ago when Apple came out with the iPhone. Instead of embracing a brand new phone, brand new operating system with applications, no keyboard and so on, Nokia tried to fight it.
>> You guys ran.
Nir Zuk
>> And it happens all over the place.
>> You ran at the opportunity.
Nir Zuk
>> We run at the opportunity. Sometimes it hurts our performance in the short term, but we always gain in the long term.
>> And what are you running at now? If you had to kind of say, okay, cloud, people got that. What is the disruption you're going hard at right now?
Nir Zuk
>> So we still have a lot of work with cloud. It's just the beginning and we still have a lot of work with the SOC transformation from humans to AI, and there's a lot of work to do with network security still, with SASE and other things. One area that we announced this week here at RSA that we are focusing more on, and then we also announced an acquisition, is securing AI infrastructure. So a few minutes ago we talked about using AI for security. This is completely different. This is securing AI infrastructure. And the thing about AI infrastructure is that, do you remember the SolarWinds attack five years ago?
>> Yeah, of course. Yeah.
Nir Zuk
>> The reason it was so successful is because SolarWinds is a network monitoring tool, which means that it needs to have access to the entire network. And once you get a hold of the server or the tool, you're in, the firewalls will let you go through wherever you want because that's what it does.
>> It needs to observe.
Nir Zuk
>> Exactly. So AI is shaping to be somewhat the same, just probably on steroids, meaning the vision for AI is that an AI agent eventually will have access to everything that you have, right? One agent will run your entire life, which means that-
>> It needs all the data.
Nir Zuk
>> It means that it will need access to all the data. This is not network access, this is data, which is even worse. So we think that AI is going to cause some serious challenges to organizations, and we decided to tackle it early on with a lot of internal developments, organic development, especially around runtime security and with this acquisition that we announced this week of Protect AI around the non-runtime aspects of AI.
>> You guys get in early, deep, early.
Nir Zuk
>> We have to.
>> Yeah, I totally agree.
Dave Vellante
>> And your premise is you have to have complete control of the entire platform to succeed. If you don't, if you're plugging in Lego blocks like some say, it's not as effective. Explain why.
Nir Zuk
>> So our premise is that more and more of cybersecurity is becoming based on data, as opposed to rules or signatures and other things we used to do in the past. More and more of cybersecurity is becoming based on data, mostly machine learning using data. And machine learning and data is very hard to make work in a multivendor environment. It's very hard for two vendors, and in this case it'll be 3000 vendors, you probably walked the floor.
>> Yeah, you see them all there.
Nir Zuk
>> To sit down and all agree on exactly which data is going to be collected and how it's going to be collected and so on. I think that's what it means is that cybersecurity will need to become more of a platform and the data portion of it will need to come from a small select number of vendors within one ecosystem.
Dave Vellante
>> Wouldn't it be a viable strategy? Okay, so you've got the chops to basically build an architecture, but wouldn't it be a viable strategy for the company to say, okay, I do really well in this space. I'm not an identity player, I'm going to go partner with them, plug them in. Maybe I have a SASE partner, I'm going to plug them in. We will agree on those standards, and then we're going to take up a chunk of the market. Why is that not viable?
Nir Zuk
>> So identities will be different because what the data we need from identity is provided by all identity providers, and also we support some of these identity vendors like Microsoft and Okta and others, and we make them part of the ecosystem. Regarding SASE for example, it's very difficult. It's very difficult because what we need from an access solution like SASE or a network solution, we need all HTTP headers in both directions. We'll need all DNS traffic, all the HTTP traffic, all database access and so on, and they just don't have it. They're not sitting in the right place in the infrastructure to have it. And even if they have it, take a look at this scenario, a new attack is spreading out, none of the existing machine learning models is able to catch it. I have really hardworking research team sitting down developing a new machine learning model that I want to deploy tomorrow morning to all my customers. That machine learning model needs a new piece of data that's not being collected today. What do I do? I call 3000 vendors and tell them tomorrow morning, "I need your product to collect this data because I have these customers using your products." It's not going to happen. The only thing that's going to happen is my data collection team will reprogram our network endpoint cloud and so on solutions to collect that data tomorrow morning. And we talked before about this example of I don't think we'll ever get to a point where you're going to be able to buy a car from one manufacturer. The different sensors, LIDAR, sonar, visual and so on from other manufacturers, the self-driving software from yet another manufacturer and integrate it yourself with best of breed. You're going to buy a package and you're not going to be able to choose which components go into that package.
>> Nir, this is a great conversation because you're bringing up kind of homogenic and heterogenic challenges.
It might be good to say something's homogeneous if it's got a hard top on top of it.
Nir Zuk
>> AI is going to force a homogeneous world, or world made of homogeneous platforms.
>> Heterogeneous world of homogeneous packages.
Nir Zuk
>> Yes.
>> Because this is an operating system. If you guys are going down the platform route, you got highly cohesive elements decoupled nicely in a platform, but now the ecosystem needs to connect in. So how do you guys look at that integration? Because all the customers have everything now, all the 7000 customers.
Nir Zuk
>> They are replacing everything. If you look at Palo Alto Networks, if you look at ourselves, if you look at the large deals that we announced in previous quarters, it's very clear that the world is moving towards big platforms, mainly driven by the need to supply the right data to AI.
>> With AI and open source communities and the homogeneous platforms, where is the heterogeneous interoperability or where does it exist? What does that look like?
Nir Zuk
>> Okay, I think we're talking about two different AIs. I think you're talking about LLM based AI, like ChatGPT. I'm not talking about that. I'm talking about machine learning based AI, which needs very specific data.
>> For example, fraud and cybersecurity detection, which is very different than what the LLM folks are doing because what the LLM folks are doing is they're collecting data that's generally available to anyone. They take data from the internet, whatever, Wikipedia, blogs, other sources of data, and they create a model around it, which also makes it relatively easy for a new entrant like DeepSeek to enter, collect the same data and do it. So this is an attribute of LLM, and LLM will be an open system and it's going to be a race to the bottom as to who's the cheapest one. With machine learning, it's a little bit different. With machine learning, the data that you use is very specific, so you need to be responsible both for generating and collecting the data. This is not general data from the internet. So you have to be responsible for generating and collecting the data. In the case of cybersecurity on the network side, on the endpoint side and so on. In the case of self-driving cars, you need to collect the data from laser and sonar and so on. And then you need the actual software, the machine learning itself that uses the data. And these are going to be closed systems.
>> They have to be because they have to work.
Nir Zuk
>> They have to be because they have to work.
Dave Vellante
>> You reinvented yourself a couple of times, I think you've shared, you rewrite the architecture or you develop it. So you do a lot of organic development, you do a lot of M&A. How do you ensure, what's your architectural discipline to make sure that when you bring together all those pieces, it's not just a bunch of pieces cobbled together, that it's truly integrated? Can you explain and double-click on the architectural ethos that you have to ensure that?
Nir Zuk
>> Yeah, so I said we have a platform. We used to have three platforms. We brought it down to two. We still have work to do, and we combine two platforms together, the cloud and the SOC platform, and everything we do has to go into that platform, meaning everything we do has to be not a separate product, but a new service, a new function, running on top of the same platform using the same data. So that's the approach. Now, organically that's easy to do because you start from zero, you start from scratch, you just build it into the platform. When we acquire companies, so first, as part of the due diligence, we make sure that whatever it is that we acquire can be fitted into one of these platforms relatively easily. And second, we make it our top priority. So usually we even take it out of the market, or at least we stopped development for some time and we use the engineers of the acquired company to integrate their software into one of the platforms, and then we bring it back to the market or continue selling it only as part of the platform, not standalone. And this is a discipline that we've been following since our first acquisition more than 10 years ago, and we continue with that to date with 30-something acquisitions, I think.
Dave Vellante
>> In the history of the industry, you've seen some companies that are pretty good at that. Others, I mean, I would say, I don't know about currently, but ServiceNow used to be pretty good at it. They may still be, I just don't know. IBM I would say not so good at it. Oracle with Fusion pretty good at it. We were talking about EMC before are not good at it. So you're saying this is a very disciplined approach that you force as the technical leader of the company?
Nir Zuk
>> Yeah. In cybersecurity, it's always been horrible. If you remember the days of McAfee and Symantec, where you were running really 10 separate agents on each endpoint coming with 10 different acquisitions, different UIs, different everything from different vendors.
>> It's like Swiss cheese.
Nir Zuk
>> We decided to take the opposite approach and make sure everything is integrated and we don't sell standalone solutions.
>> I think your bet that, what I'm hearing you saying, the cloud example is a great example. The people who go, "No, cloud's never going to make it." They're in denial. You guys saw it. I think what you said earlier about the one out of 99 times, that's the market force. So a company has a choice. Do you want to bet against that?
Nir Zuk
>> Exactly.
>> And you're saying, "We'll take that bet. Palo Alto will secure you."
Nir Zuk
>> Yeah.
>> That's your pitch.
Nir Zuk
>> Yeah. So-
>> No your pitch, but Palo Alto's pitch.
Nir Zuk
>> It is the pitch.
>> Yeah.
Nir Zuk
>> I say it a little bit differently. What I tell customers is forget about the statistics. Adversaries will get into your organization. I claim that it's relatively easy, it's one in 100 attacks. It's easy to create 100 attacks. You say it happens once every few months. Okay.
>> They're in.
Nir Zuk
>> They're in. The question is, okay, what do you do about it? I think that focusing on bringing down your mean time to detect and mean time to remediate is a very simple way to test yourself as a customer, as an organization, as to whether you're doing a good job or not. They're very easy to measure. You always find or almost always find patient zero, measure the time.
>> Let them all in. Start killing when they get in. That's the philosophy.
Nir Zuk
>> Measure it. If you are at a few minutes, you don't need anything. If you're not at a few minutes, come talk to us. Maybe we have competitors that do that too. Find a solution that can bring down your mean time to detect to a few minutes, and a mean time.
>> So you can optimize your engineering on that principle.
Nir Zuk
>> We have a big part of our engineering optimized at this.
>> Because you're focusing on the problem you're solving for, which is detect and remediate them there and also the other factors you provide with the data.
Nir Zuk
>> Correct. So a lot of our focus is there. Cybersecurity has three pillars to it. The first one is visibility. So we take care of visibility across network, cloud and SOC. The second one is hygiene. Most of cybersecurity is actually around hygiene, network hygiene, data hygiene and access and so on. There's some part of cybersecurity is about cybersecurity, is about detecting bad things and stopping them. The focus there is, as you said, bring down the mean time to detect and mean time-
>> And know your data collection. All that hygiene is data collection, governance or no or?
Nir Zuk
>> Hygiene needs some data collection. It's a side effect of hygiene. Hygiene is mostly policy.
Dave Vellante
>> You were saying before how it's happening, you were saying it to John, just consolidation, it's happening. Platformization is the term you use. Other than Microsoft, you guys often say no cybersecurity vendor has more than single digit market share. So you're seeing the consolidation happen. The broader industry's still not there, but that means a lot of upside for you. At what point should we as observers think that, okay, Palo Alto's market share has, let's say it hits 15%. Okay, is that a fair indication? Does it have to be higher than that? Maybe you don't care, but at what point are we going to be able to see as an industry that this platformization approach is actually broadly taking place?
Nir Zuk
>> So I think the indication that platforms are taking place might be less about market share and it's going to be more around the number of vendors in the industry and their size.
Dave Vellante
>> Because you're consolidating the number of vendors and how big each vendor is.
Nir Zuk
>> Yeah, I think that, look, it happens in every industry. You mentioned some industries before where you used to have many different vendors, and then we went down to-
Dave Vellante
>> Disk drives....
Nir Zuk
>> one CRM, one ERP solution.
>> There's two, there used to be 80.
Nir Zuk
>> There used to be many database vendors, now there are very few and so on. So cybersecurity is not there, but if you look at the Microsoft and Palo Alto Networks relative to other vendors in the industry, you can see the beginning of it and you can see how we might be marching towards a more-
>> Dominant position.
Nir Zuk
>> A more sane market, more traditional market where you have very, very few large vendors and the rest are relatively much smaller.
Dave Vellante
>> I have an answer for this question, but I want to hear you as well, how do you respond to people saying, "Well, I'm nervous because now my blast radius is in Palo Alto's hands, they've got to be perfection."
Nir Zuk
>> Two answers. First, you can say the same thing about salesforce.com and about SAP or whatever other solutions you choose. And second, you don't have a choice. AI, machine learning based AI is forcing you to consolidate. There's just no other choice. If you want humans to continue looking for attacks and stopping them, do whatever you want.
>> Good luck with that.
Nir Zuk
>> If you want machine learning based AI to do that, sorry, you need a platform.
>> You're an awesome guest. We're out of time. Tell us the story about how you named the company.
Nir Zuk
>> Palo Alto Networks. So 20 years ago when I started the company, I used to live in Palo Alto, and the lawyers really needed a name to go and register the company in Delaware. And back then it was very difficult to find domain names. So I logged in and I saw PaloAltoNetworks, PaloAltoSecurity and PaloAltoSystems.com were available, registered them and said, "Okay, we'll change it later. Use that." Engineers, need, get it done, click the button.
It actually turns out that using a name like Palo Alto Networks, I had a friend back then that was with a company called Shasta Networks, and they were the same. When you go to customers outside of the US and say, "We are Palo Alto Networks," in the beginning they're like, "Oh, we heard about you." I'm like, "You didn't hear about us, you heard about Palo Alto. You don't really know what Palo Alto is."
>> Stanford's there.
Nir Zuk
>> It's a small town in California, but fine. You heard about us. We're big. Buy the product. So it really works well in the beginning.
Dave Vellante
>> Nir Zuk, thanks so much for your time.
>> Great to see you. Thanks, great comments.
Dave Vellante
>> All right, and John Furrier, this is Dave Vellante. Keep it right there, RSAC 2025. We'll be right back, right after this short break. You're watching theCUBE.