Core Defense

Your firewall sees every packet.
Neo reasons about every event.

Core Defense connects Neo directly to your firewalls. Powered by Nodal OS, Neo investigates threats, audits policies, and monitors fleet health securely and automatically.

60+ Diagnostic Capabilities
<60s Investigation Time
7 Safety Layers
neo-agent — investigation
Investigate: "Check for breach via security policy"
[CLASSIFY] Mode: Investigate — Threat Hunt
[TURN 1] Analyzing security rulebase...
[TURN 2] Scanning application cache for evasion...
[TURN 3] Threat signatures detected — action: allow
[TURN 4] Tracing enforcement profile chain...
[FINDING] Anti-Spyware profile: alert-only on Critical
[VERDICT] Misconfiguration confirmed — enforcement gap
✓ Investigation complete. 10 tools. 5 turns. Real finding.

Two systems. One defense.

PAN-OS: The Sensing Layer

Your next-generation firewall inspects every packet, enforces every policy, and generates telemetry across traffic, threats, identity, and configuration. It is the most instrumented device on your network.

+
Nodal OS: The Reasoning Layer

Nodal OS processes this data. It deploys Neo to cross-reference logs, test scenarios, and identify hidden issues.

Purpose-built for firewall operations.

Six integrated capabilities powered by Nodal OS — from rapid health checks to deep threat investigations.

Autonomous Investigation

Neo selects between quick diagnostics and deep threat hunts based on context. It tests multiple scenarios against live data before concluding.

Defense Deck

Automated baseline monitoring that runs scheduled health assessments across your fleet. Detects configuration drift, resource anomalies, and silent failures before they become incidents.

Fleet Management

Target individual firewalls or compare across your entire fleet. Per-device API integration with automatic routing — ask Neo about any device by name and it handles the rest.

7-Layer Safety Stack

Read-only enforcement, spending caps, circuit breakers, command filtering, human-in-the-loop approval, PII redaction, and authenticated API access. Safety is architecture, not afterthought.

Live Configuration Inspection

Pull and analyze security policies, profiles, NAT rules, and objects in real time. The agent reads your running configuration and correlates it against active traffic and threat data.

Cross-Correlation Engine

Neo correlates traffic logs, threat events, and policies to identify root causes missed by standard queries.

Ask your firewall anything.

Ask questions in plain English. No CLI required.

"Run a full health check and evaluate the dataplane."

"I think we've been breached through a security policy. Investigate."

"Compare the health of firewall-a and firewall-b."

"A user authenticated via VPN 15 minutes ago. Check for lateral movement."

"Why aren't there any threat logs?"

"Audit the security profiles on egress rules for misconfigurations."

How the agent thinks.

A five-step process from query to resolution.

01

Classify

Neo auto-selects between Diagnostic mode (rapid health checks) and Investigate mode (deep threat analysis) based on your query.

02

Hypothesize

Neo generates potential explanations and identifies the required evidence for each.

03

Execute

Autonomously chains diagnostic tools against your live firewall via the API. No human intervention. No pre-scripted sequences.

04

Correlate

Cross-references shared keys — IPs, timestamps, rule names, profile groups — across independent data sources. The truth is in the intersection.

05

Report

Delivers structured findings with severity ratings, causal graphs, evidence chains, and actionable remediation steps — grounded in real data.

Safety is architecture, not afterthought.

Seven layers of protection between the AI and your infrastructure.

01

Read-Only Enforcement

Neo can only read data, not change your configuration.

02

Spending Controls

Strict cost caps prevent runaway API usage.

03

Circuit Breaker

Hard limits on reasoning steps prevent infinite loops.

04

Command Filtering

Dangerous commands are stripped before execution. The agent cannot reboot, wipe, or enter configuration mode.

05

Human-in-the-Loop

Optional approval gates for sensitive operations. The operator always has the final say.

06

PII Redaction

IP addresses and identifiers are automatically scrubbed from outputs. Sensitive data never leaves the perimeter.

07

Authenticated Access

Every request requires an API key before it hits the engine.

Case Study

In testing, Neo discovered a real misconfiguration in under 60 seconds.

During a test against a live firewall, Neo was given a single prompt: "I think we've been breached through a security policy. Investigate."

In five steps, it ran 10 diagnostic tools to trace suspicious UDP traffic to a permissive rule and a bad enforcement profile. It found a gap we hadn't seen before.

The Anti-Spyware profile was set to alert on Critical threats without blocking them. The firewall was detecting threats but not enforcing protection.

Key Insight

Neo tests multiple scenarios against log data to ensure accurate root cause identification.

Read the Full Analysis
Autonomous Investigation Trace
Suspicious Host UDP/443 Evasion Traffic
Turn 1 — Policy Inspection
Security Rule application: ANY
Turn 3 — Profile Tracing
Profile Group Attached but misconfigured
Turn 5 — Root Cause
Enforcement Gap Action: ALERT (not block)

Operator-assist, not autopilot.

Core Defense is designed to assist qualified security professionals with analysis, investigation, and operational awareness. All outputs should be reviewed by qualified network or security personnel before being used for production decisions, configuration changes, or customer recommendations.

Frequently asked questions

No. Core Defense operates in read-only mode by default. Neo can observe, query, and analyze your firewall telemetry, but it cannot push configuration changes, commit policies, or execute destructive commands.

Core Defense currently supports Palo Alto Networks firewalls via the PAN-OS XML API. This includes physical appliances (PA-Series), virtual firewalls (VM-Series), and cloud-deployed instances running PAN-OS.

Yes. Core Defense supports multi-firewall fleet management. You can target individual devices by name, compare health across your fleet, or let Neo automatically route queries to the appropriate device.

Contact us for pricing details. Investigations are designed to be cost-efficient, completing in seconds rather than minutes. Pricing scales with usage and fleet size.

No. Core Defense is not a firewall appliance or a replacement for any security platform. It is a reasoning layer powered by Nodal OS that sits on top of your existing firewall infrastructure to speed up investigations.

Core Defense is built for security engineers, SOC analysts, network operators, MSPs, and MSSPs who manage next-generation firewalls and want to resolve incidents faster.

Request access.

For security teams and MSPs looking to automate their firewall operations.

Early access to the platform
Priority onboarding support
Direct feedback channel