Palo Alto Networks acquires Koi for agentic AI security; unveils Managed XSIAM amid fast breaches

New defences for an AI-era threat landscape

Palo Alto Networks moves to plug a newly identified AI security gap with a definitive agreement to acquire Koi, a specialist in "Agentic Endpoint Security," the company announces on Feb. 17. The deal targets risks created by autonomous AI agents and developer tools that act as powerful insiders with broad permissions and deep access to sensitive data, bypassing traditional file‑based controls. Palo Alto frames the acquisition as a way to restore centralized oversight across distributed automation by surfacing agent identities, actions, permissions and model artifacts so security teams can enforce least‑privilege policies and prevent weaponization of trusted automation.

The acquisition is positioned to augment Palo Alto’s Prisma AIRS™ AI security platform and to strengthen Cortex XDR® endpoint protections once integrated, executives say. Koi’s capabilities are described as addressing behavior changes driven by extensions, plugins, scripts and model artifacts operating outside centralized oversight — elements that conventional endpoint detection misses. By bringing these signals into Prisma AIRS and Cortex XDR, Palo Alto aims to broaden visibility across the AI attack surface and give customers policy and enforcement tools tailored to agentic workflows.

Company technologists argue the move is part of a broader push to reduce attack velocity rather than merely detect threats post‑breach. Lee Klarich, chief product and technology officer, says agentic tools act like “ultimate insiders” and that Agentic Endpoint Security is the next frontier of enterprise risk reduction. Palo Alto stresses that the integration will enable enterprises to deploy agentic automation with confidence by combining telemetry, policy controls and automated remediation at the endpoint and across cloud-native workflows.

Managed SOC push: MSIAM 2.0 aims to outpace attacks

On the same day Palo Alto introduces a managed offering, Unit 42 unveils Managed XSIAM 2.0 (MSIAM), a 24/7 managed SOC built on the AI‑driven Cortex XSIAM platform that pairs continuous expert hunting with a 250‑hour Breach Response Guarantee. The service is designed to boost SOC maturity on day one, integrate third‑party EDR and existing tools, and bridge the gap between machine‑speed attacks and human response while addressing industry talent shortages.

Unit 42 report: AI and identity compress breach timelines

Palo Alto’s Unit 42 2026 Global Incident Response Report finds attackers using AI and automation to compress the time from initial access to data exfiltration to as little as 72 minutes in the fastest cases, a roughly fourfold acceleration year‑over‑year. The report links 90% of breaches to misconfigurations or security gaps, notes identity is involved in 89% of investigations and warns that third‑party SaaS supply‑chain attacks have risen sharply, recommending unified platforms, elimination of implicit trust and AI‑enabled detection to contain high‑velocity incidents.