Outpost fundamentals and planning

Cortex XDR 5.x Documentation

Product: Cortex XDR
License: XDR + Cloud
Creation date: 2025-07-13
Last date published: 2026-06-04
Category: Administrator Guide
Abstract

An outpost enables you to have security scans performed on infrastructure in a cloud account owned by you. Learn about outpost fundamentals and what to consider when planning your outpost.

Notice

Requires the Cortex Cloud Posture Management or Cortex Cloud Runtime Management add-on.

This topic explains the basic fundamentals for planning and deploying outpost infrastructure.

Important

While outposts provide maximum control over the scanning environment, cloud scan mode is the recommended default for most organizations.

When to choose outpost scan

Cloud scan offers lower operational overhead and faster onboarding, and Palo Alto Networks assumes the associated cloud compute costs.

Outpost scan mode should typically be reserved for specific architectural requirements or strict data residency constraints.

If you determine you do need outpost scanning, consider the following differences between the scan modes, which might impact your decision.

The following comparison lists, for each aspect, how the two modes differ.

Trust model

  Cloud Scan (Recommended): Configure a managed outpost when there is sufficient trust between you and Cortex Cloud. Cortex accesses your environment more extensively and with less mediation.

  Outpost Scan: Choose to deploy and manage your own outpost if:

    • You operate in a highly regulated market with a healthy “mistrust” of vendors.

    • You must comply with certain regulations for which Cortex is not compliant “out of the box.”

  In these cases, you might prefer to keep your data within your own network boundary.

Cost

  Cloud Scan (Recommended): Most of the cloud resources involved are charged to Palo Alto Networks instead of to you, so scan costs are reduced.

  Outpost Scan: This mode requires additional cloud provider permissions and may incur additional cloud costs.

Management overhead

  Cloud Scan (Recommended): Cortex-managed outposts require zero management from you.

  Outpost Scan: Outposts incur some additional maintenance overhead. This includes securing the outpost, managing the necessary IAM roles and permissions, upgrading versions, and adjusting cloud provider quotas to meet workload demands. Actively manage your capacity and quotas to meet the workload requirements.

DSPM data access

  Cloud Scan (Recommended): For DSPM, your actual data is accessible to Palo Alto Networks—not just metadata. Rest assured, your data is deleted after scanners have completed. Zero trust security is used to secure your data in Palo Alto Networks-owned accounts.

  Outpost Scan: For DSPM, only metadata is accessible to Palo Alto Networks—not your actual data.

DSPM on SaaS

  Cloud Scan (Recommended): DSPM on SaaS (such as for Snowflake and Office 365) is currently supported only for cloud scan.

  Outpost Scan: DSPM on SaaS (such as for Snowflake and Office 365) is not supported for outpost scan.

Outpost security concepts and component handling

This section presents outpost-related concepts and a high-level overview of how outposts perform scanning on your resources and data without putting them at risk. For a deeper understanding, contact your Palo Alto Networks representative.

Trust model: Cortex XDR interacts with your environment via dedicated IAM roles within the outpost. This establishes a secure trust relationship that adheres to the principle of least privilege.

Data security and residency: Outposts use a regionally symmetric architecture, processing data locally within the same cloud region and provider where it resides. Only metadata is ever sent back to Cortex XDR.

Scan operations: Scanning is performed by task-specific, ephemeral VMs built from hardened and continuously patched images. These instances are automatically terminated and all temporary resources are purged immediately after a scan completes.

Secure orchestration storage (such as buckets): Scanner VMs operate in isolated private subnets without direct internet or Cortex XDR access. They communicate exclusively through encrypted, cloud-native storage used for operational data and scan results—never raw customer data.

Temporary processing storage (such as artifact buckets): For specific scans where direct data sharing is restricted, data is temporarily placed in encrypted regional storage for analysis. Cortex XDR has no read permissions on this storage, and all data is deleted immediately after the job finishes.

Scanner isolation: Each scanner VM is purpose-built with a strictly defined set of permissions and network access tailored to its specific job. This ensures complete compartmentalization between different scan types.

Data encryption: Security is enforced through universal encryption at rest and in transit. Advanced egress filtering locks down external traffic to verified destinations, and secrets are managed via your own cloud-native secret management service.
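As an added illustration of the isolation properties listed above (this is example code written for this page, not Cortex XDR code, and it does not describe how the outpost is actually built), the following Python preflight check evaluates constructed AWS-style route-table, security-group and bucket records for a scanner subnet: it reports any route to an internet or NAT gateway, any egress rule to a destination outside an assumed allowlist of gateway-endpoint prefix lists, and any orchestration or artifact bucket without default encryption at rest. The prefix-list identifiers, bucket names and CIDRs are constructed sample values, and the record layout follows the shape the EC2 and S3 describe APIs return.

```python
"""Preflight check of a scanner subnet against the isolation model described
in the concepts table: no direct internet route, egress only to allowlisted
cloud-native storage and secrets endpoints, encrypted buckets.

Added example, not Cortex XDR code. All identifiers below are constructed."""

# Assumption: gateway-endpoint prefix lists for the orchestration bucket and
# the secrets service are the only destinations a scanner VM may reach.
ALLOWED_EGRESS_PREFIX_LISTS = {"pl-0orchestration", "pl-0secrets"}


def check_route_table(route_table: dict) -> list[str]:
    """Flag routes that give the subnet a path to the internet.

    A scanner subnet should carry only the local VPC route and routes to
    gateway endpoints. An internet gateway is a direct path out and a NAT
    gateway an indirect one, so both are reported."""
    findings = []
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock", route.get("DestinationPrefixListId", "?"))
        target = route.get("GatewayId") or route.get("NatGatewayId") or ""
        if target.startswith("igw-"):
            findings.append(f"route {dest} -> {target}: direct internet route")
        elif target.startswith("nat-"):
            findings.append(f"route {dest} -> {target}: NAT egress path")
    return findings


def check_egress_rules(security_group: dict) -> list[str]:
    """Flag egress rules to anything other than the allowlisted prefix lists."""
    findings = []
    for perm in security_group.get("IpPermissionsEgress", []):
        for ip_range in perm.get("IpRanges", []):
            findings.append(f"egress to CIDR {ip_range['CidrIp']} is not allowlisted")
        for ipv6_range in perm.get("Ipv6Ranges", []):
            findings.append(f"egress to CIDR {ipv6_range['CidrIpv6']} is not allowlisted")
        for pl in perm.get("PrefixListIds", []):
            if pl["PrefixListId"] not in ALLOWED_EGRESS_PREFIX_LISTS:
                findings.append(f"egress to prefix list {pl['PrefixListId']} is not allowlisted")
    return findings


def check_bucket_encryption(bucket: dict) -> list[str]:
    """Flag orchestration/artifact buckets without a default encryption rule."""
    rules = bucket.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return [f"bucket {bucket['Name']} has no default encryption"]
    return []


def assess_scanner_subnet(route_table: dict, security_group: dict, buckets: list) -> list[str]:
    """Run all checks; an empty list means the subnet matches the isolation model."""
    findings = check_route_table(route_table) + check_egress_rules(security_group)
    for bucket in buckets:
        findings += check_bucket_encryption(bucket)
    return findings


# Constructed sample: a scanner subnet that matches the model ...
COMPLIANT_RT = {"Routes": [
    {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
    {"DestinationPrefixListId": "pl-0orchestration", "GatewayId": "vpce-0aaa"},
]}
COMPLIANT_SG = {"IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "PrefixListIds": [{"PrefixListId": "pl-0orchestration"},
                       {"PrefixListId": "pl-0secrets"}]},
]}
COMPLIANT_BUCKETS = [{
    "Name": "example-orchestration",
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
}]

# ... and one that has drifted: a default route to an internet gateway, an
# open egress rule, and an artifact bucket with no encryption configuration.
DRIFTED_RT = {"Routes": COMPLIANT_RT["Routes"] + [
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb"}]}
DRIFTED_SG = {"IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
DRIFTED_BUCKETS = [{"Name": "example-artifacts"}]

if __name__ == "__main__":
    for label, args in (("compliant", (COMPLIANT_RT, COMPLIANT_SG, COMPLIANT_BUCKETS)),
                        ("drifted", (DRIFTED_RT, DRIFTED_SG, DRIFTED_BUCKETS))):
        findings = assess_scanner_subnet(*args)
        print(f"{label}: {'OK' if not findings else findings}")
```

The same three checks map onto live data by feeding the output of the corresponding describe calls into the functions; the point is that each isolation property in the table is something you can verify in your own account rather than take on trust.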

Outpost planning

Before creating outposts, we recommend that you become familiar with how outposts work and plan accordingly. Points to consider include:

  • The outpost must be deployed in a dedicated account. Make sure that account is free of other resources.

  • Each cloud account (AWS account, Azure subscription, GCP project) can host only one outpost.

  • An individual outpost instance is strictly bound to a single Cortex XDR tenant and cannot be used to scan resources belonging to a different tenant or organization.

  • Using an outpost requires additional cloud provider permissions and may incur additional cloud costs.

  • Familiarize yourself with the permissions required and the resources that will be added to the outpost account during creation.

For exact implementation details, contact your Palo Alto Networks representative.

About outpost creation

After planning, you can create and configure your outpost in the following ways:

  • Before onboarding your Cortex XDR with the cloud service provider (CSP) onboarding wizard, create an outpost by navigating to Settings > Data Sources & Integrations > Outposts.

  • Alternatively, while onboarding your Cortex XDR with the CSP onboarding wizard, the wizard prompts you to choose a scan mode: Cloud scan or Outpost scan. When you choose Outpost scan, you can create your outpost at that point. To start the CSP onboarding wizard, navigate to Settings > Data Sources & Integrations > Add New.

Notes:

  • Before you create your outpost, verify that your internet connection is active. An active internet connection is necessary for the notification to be sent to Cortex XDR to create the new outpost.

  • (Azure) Due to limitations in Terraform, the Azure subscription name cannot contain blanks. Take this into account while onboarding.

For details, see Create an outpost.

What's next?

  • Create your outpost

  • View and manage existing outposts by navigating to Settings > Data Sources & Integrations > Outposts