Palo Alto Networks has the most complex pricing portfolio in enterprise security — three business units, three pricing models, and a "platform deal" that bundles them all. This guide breaks down what you're actually paying for across Strata, Prisma, and Cortex, and the negotiation tactics that drive real savings.
As covered in our cybersecurity software licensing guide, Palo Alto Networks has built the broadest security portfolio in the industry through a combination of organic development and acquisitions. The company organises its products into three divisions — Strata (network security), Prisma (cloud security and SASE), and Cortex (AI-powered security operations) — each with distinct pricing models and sales teams.
The strategic implication for buyers is significant: you're effectively dealing with three separate vendors who happen to share a brand. The cross-divisional "platform deal" that Palo Alto's account executives pitch is real, but evaluating whether the bundle discount justifies purchasing all three simultaneously — rather than best-of-breed selection — requires careful unit economics analysis for each division independently.
Palo Alto's fiscal year ends July 31. The best negotiation windows are Q3 (February–April) and Q4 (May–July), with July being the peak quarter-end pressure point. Unlike CrowdStrike and SentinelOne whose fiscal years end in January, Palo Alto's summer fiscal year-end is less widely exploited by buyers — making it a particularly valuable timing advantage for those who know it.
Palo Alto's Strata division covers next-generation firewalls (physical, virtual, and cloud-delivered). The base hardware or virtual firewall is licensed by model/throughput capacity. Subscription services layered on top include Threat Prevention, URL Filtering, DNS Security, WildFire (cloud malware analysis), and GlobalProtect (VPN/ZTNA). Support and maintenance contracts are sold separately.
Want independent help negotiating better terms? We rank the top advisory firms across 14 vendor categories — free matching, no commitment.
| Strata Component | Pricing Model | Indicative Annual Cost | Notes |
|---|---|---|---|
| PA-Series NGFW (hardware) | One-time + subscription | $5K–$200K+ hardware | Throughput-tiered from PA-400 to PA-7000 series |
| VM-Series (virtual) | Per vCPU tier | $3K–$50K/year | 4 to 64 vCPU models available |
| CN-Series (container) | Per cluster | $8K–$25K/year | Kubernetes network security |
| Threat Prevention | % of hardware cost/year | 15–20% of hardware | IPS, anti-malware, C&C prevention |
| URL Filtering | Per device/year | $500–$8K/device/year | PAN-DB or third-party URL databases |
| WildFire | Per device/year | $300–$5K/device/year | Cloud sandbox for unknown file analysis |
| DNS Security | Per device/year | $200–$3K/device/year | Malicious domain blocking |
| Panorama (management) | Per device managed | $500–$3K/device/year | Centralised firewall management |
The most common mistake in Palo Alto NGFW procurement is budgeting only for the hardware or virtual firewall cost. Subscription services (Threat Prevention, URL Filtering, WildFire, DNS Security) typically add 50–80% to the hardware cost annually. A PA-3220 appliance at $15,000 hardware cost will typically cost $8,000–$12,000 per year in subscriptions. Over a 5-year lifecycle, subscriptions often exceed the original hardware investment.
The "Prisma" brand covers two completely different products: Prisma Access (SASE/cloud-delivered network security) and Prisma Cloud (cloud security posture management and workload protection). They are often conflated in Palo Alto sales presentations, which creates confusion in procurement evaluations.
Prisma Access is Palo Alto's SASE (Secure Access Service Edge) platform, delivering Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA) as a cloud service. It competes directly with Zscaler and Netskope. Pricing is per-seat (user) with three main tiers: Prisma Access Business, Prisma Access Enterprise, and Prisma Access Platform (including ZTNA 2.0 capabilities).
| Prisma Access Tier | Indicative Price/User/Year | Key Inclusions |
|---|---|---|
| Business | $100–150 | SWG, CASB, basic ZTNA, SD-WAN |
| Enterprise | $150–220 | Business + Advanced CASB, DLP, Identity-Based Access |
| Platform | $200–300 | Enterprise + ZTNA 2.0, AIOps, autonomous digital experience |
Prisma Cloud secures cloud infrastructure across AWS, Azure, and GCP. It uses a credit-based model (Palo Alto Cloud Security Units — PCSUs) that allows organisations to allocate coverage across different modules. The actual cost depends heavily on the number of cloud workloads, containers, and cloud resources being monitored.
Prisma Cloud competes with Wiz (which has disrupted the CSPM market with simpler, agent-less pricing), Microsoft Defender for Cloud, and Lacework. Wiz's competitive pressure has created significant pricing flexibility in Prisma Cloud renewals — organisations that run a Wiz evaluation before Prisma renewal consistently report 20–35% improvement in PCSU pricing.
Cortex is Palo Alto's AI-driven security operations division. The main products are Cortex XDR (extended detection and response — competitor to CrowdStrike Falcon and SentinelOne), Cortex XSOAR (security orchestration and automation — SOAR platform), and Cortex XSIAM (AI-driven security operations platform that combines XDR, SOAR, and SIEM).
Get the IT Negotiation Playbook — free
Used by 4,200+ IT directors and procurement leads. Oracle, Microsoft, SAP, Cloud — all covered.
Cortex XDR is licensed per-endpoint per-year, similar to CrowdStrike. Cortex XSIAM is Palo Alto's AI SOC platform — a significant investment intended to replace Splunk SIEM, XSOAR, and EDR with a single integrated platform. XSIAM pricing is typically $15–25 per endpoint per year for the full platform, positioning it as comparable in per-unit cost to CrowdStrike Falcon when the SIEM replacement value is factored in.
| Cortex Product | Pricing Model | Indicative Cost | Competes With |
|---|---|---|---|
| Cortex XDR Prevent | Per endpoint/year | $8–14 | CrowdStrike Prevent, SentinelOne Core |
| Cortex XDR Pro | Per endpoint/year | $18–28 | CrowdStrike Insight, SentinelOne Complete |
| Cortex XSIAM | Per endpoint/year | $25–45 | CrowdStrike Falcon + Splunk SIEM combined |
| Cortex XSOAR | Per user or flat fee | $150K–$500K+/year | Splunk SOAR, ServiceNow Security Ops |
| Cortex Xpanse | Per asset | $8–18/asset/year | Tenable, Qualys external attack surface |
Palo Alto's account teams are incentivised to sell cross-divisional platform deals that bundle Strata, Prisma, and Cortex products at an enterprise-wide discount. These deals — typically structured as 2–3 year commitments with annual minimum spend thresholds — can deliver 20–30% discount compared to buying each division independently.
The fundamental question for any platform deal is whether you'll actually use all three divisions at the volume required. Many enterprises find they have strong Strata (NGFW) requirements, partial Prisma requirements, and limited Cortex footprint — making the platform deal economics questionable when compared to best-of-breed selection for underweight areas.
Before accepting a Palo Alto platform deal: (1) Model each division independently at standalone pricing with achievable discounts. (2) Calculate the total cost of the platform bundle including division-specific discounts. (3) Identify which platform bundle elements you'll deploy within 12 months vs 24 months. (4) Model the cost of best-of-breed alternatives for each division (Fortinet/Check Point for NGFW, Zscaler for SASE, CrowdStrike for XDR). (5) Only accept the platform deal if the aggregate bundle discount exceeds what you'd achieve through competitive procurement for each division.
Palo Alto's negotiation leverage is significantly reduced when credible competitive alternatives are present in each division. The following competitive dynamics are particularly useful in commercial negotiations:
Managing a complex Palo Alto Networks portfolio?
Our vetted advisors help enterprises optimise Palo Alto Networks licensing across Strata, Prisma, and Cortex — typically achieving 20–35% savings through competitive evaluation and platform deal analysis.