Core Defense connects Neo directly to your firewalls. Powered by Nodal OS, Neo investigates threats, audits policies, and monitors fleet health securely and automatically.
Your next-generation firewall inspects every packet, enforces every policy, and generates telemetry across traffic, threats, identity, and configuration. It is the most instrumented device on your network.
Nodal OS processes this data. It deploys Neo to cross-reference logs, test scenarios, and identify hidden issues.
Six integrated capabilities powered by Nodal OS — from rapid health checks to deep threat investigations.
Neo selects between quick diagnostics and deep threat hunts based on context. It tests multiple scenarios against live data before concluding.
Automated baseline monitoring that runs scheduled health assessments across your fleet. Detects configuration drift, resource anomalies, and silent failures before they become incidents.
Target individual firewalls or compare across your entire fleet. Per-device API integration with automatic routing — ask Neo about any device by name and it handles the rest.
Read-only enforcement, spending caps, circuit breakers, command filtering, human-in-the-loop approval, PII redaction, and authenticated API access. Safety is architecture, not afterthought.
Pull and analyze security policies, profiles, NAT rules, and objects in real time. The agent reads your running configuration and correlates it against active traffic and threat data.
Neo correlates traffic logs, threat events, and policies to identify root causes missed by standard queries.
Ask questions in plain English. No CLI required.
"Run a full health check and evaluate the dataplane."
"I think we've been breached through a security policy. Investigate."
"Compare the health of firewall-a and firewall-b."
"A user authenticated via VPN 15 minutes ago. Check for lateral movement."
"Why aren't there any threat logs?"
"Audit the security profiles on egress rules for misconfigurations."
A five-step process from query to resolution.
Neo auto-selects between Diagnostic mode (rapid health checks) and Investigate mode (deep threat analysis) based on your query.
Neo generates potential explanations and identifies the required evidence for each.
Autonomously chains diagnostic tools against your live firewall via the API. No human intervention. No pre-scripted sequences.
Cross-references shared keys — IPs, timestamps, rule names, profile groups — across independent data sources. The truth is in the intersection.
Delivers structured findings with severity ratings, causal graphs, evidence chains, and actionable remediation steps — grounded in real data.
Seven layers of protection between the AI and your infrastructure.
Neo can only read data, not change your configuration.
Strict cost caps prevent runaway API usage.
Hard limits on reasoning steps prevent infinite loops.
Dangerous commands are stripped before execution. The agent cannot reboot, wipe, or enter configuration mode.
Optional approval gates for sensitive operations. The operator always has the final say.
IP addresses and identifiers are automatically scrubbed from outputs. Sensitive data never leaves the perimeter.
Every request requires an API key before it hits the engine.
During a test against a live firewall, Neo was given a single prompt: "I think we've been breached through a security policy. Investigate."
In five steps, it ran 10 diagnostic tools to trace suspicious UDP traffic to a permissive rule and a bad enforcement profile. It found a gap we hadn't seen before.
The Anti-Spyware profile was set to alert on Critical threats without blocking them. The firewall was detecting threats but not enforcing protection.
Neo tests multiple scenarios against log data to ensure accurate root cause identification.
Core Defense is designed to assist qualified security professionals with analysis, investigation, and operational awareness. All outputs should be reviewed by qualified network or security personnel before being used for production decisions, configuration changes, or customer recommendations.
No. Core Defense operates in read-only mode by default. Neo can observe, query, and analyze your firewall telemetry, but it cannot push configuration changes, commit policies, or execute destructive commands.
Core Defense currently supports Palo Alto Networks firewalls via the PAN-OS XML API. This includes physical appliances (PA-Series), virtual firewalls (VM-Series), and cloud-deployed instances running PAN-OS.
Yes. Core Defense supports multi-firewall fleet management. You can target individual devices by name, compare health across your fleet, or let Neo automatically route queries to the appropriate device.
Contact us for pricing details. Investigations are designed to be cost-efficient, completing in seconds rather than minutes. Pricing scales with usage and fleet size.
No. Core Defense is not a firewall appliance or a replacement for any security platform. It is a reasoning layer powered by Nodal OS that sits on top of your existing firewall infrastructure to speed up investigations.
Core Defense is built for security engineers, SOC analysts, network operators, MSPs, and MSSPs who manage next-generation firewalls and want to resolve incidents faster.
For security teams and MSPs looking to automate their firewall operations.