>
    Strata Copilot
    SaaS Security License Types
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. SaaS Security License Types
    Download PDF
    SaaS Security

    SaaS Security License Types

    Table of Contents

    SaaS Security License Types

    Learn about the user-based and volume-based license models that Palo Alto Networks offers for SaaS Security.
    Where Can I Use This?What Do I Need?
    Data Security, SaaS Security Posture Management, and Behavior Threats:
    • Strata Cloud Manager
    SaaS Security Inline:
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    One of the following SaaS Security licenses:
    • Data Security license, and a NGFW or Prisma Access license
    • SaaS Security Inline license
    • SaaS Security Posture Management license
    Or any of the following licenses that include one of the SaaS Security licenses:
    • CASB-X
    • CASB-PA

    Data Security Licenses

    • Data Security All Apps—The All Apps user-based license grants one user the right to use Data Security to secure sanctioned SaaS apps. You purchase this license in one-year or three-year terms, and it unlocks the following features:
      The Data Security All Apps license does not cover Public Storage apps (AWS S3, Azure Storage, and Google Cloud Storage), which require a separate Add-on License.
      Learn more about Enterprise Data Loss Prevention (E-DLP) if you have purchased Enterprise DLP or opted in for a trial. For Enterprise DLP licensing, see:
      • Automatic discoveryEnterprise DLP automatically scans cloud resources for over 20 SaaS apps using predefined data patterns, classifies all documents using machine learning, and checks the hash on all Microsoft Office documents, PDF, and portable executable files against Advanced WildFire rules—without requiring you to create any policy rules.
        Monitoring—You can review user activity logs to monitor and investigate actions that your end users take on data and assets stored in your apps, including risky or suspicious user or administrator behavior. You can track events such as file and folder downloads and uploads, failed login attempts, and how users share or collaborate on assets in your SaaS apps.
      • Advanced data classification—When you configure data classification labels for the files in your third-party apps, you can control data sharing and prevent data exfiltration.
      • Policy enforcement—Policies let you monitor and enforce responsible use of assets and protect them from malware, malware propagation, and data leaks.
      • Malware detectionAdvanced WildFire detects and protects against malware propagation by scanning files using Advanced WildFire and identifying known threats based on file hash (a unique fingerprint that results from running the file through a cryptographic hash function).
      • Machine learningEnterprise DLP uses supervised machine learning algorithms to sort sensitive documents into Financial, Legal, and Healthcare categories for document classification to guard against exposures, data loss, and data exfiltration. To improve detection rates for the sensitive data in your organization, you can define machine learning data pattern match criteria to identify sensitive information in your cloud apps and protect it from exposure.
    • Data Security SupportData Security licenses include a premium support entitlement. You don't need to activate it separately.

    Add-on Licenses

    • SaaS Security InlineSaaS Security Inline works with Strata Logging Service to discover all the SaaS apps on your network. SaaS Security Inline discovers up to thousands of Shadow IT apps, along with their users and usage details. SaaS Security Inline also enforces SaaS policy rule recommendations across your existing Palo Alto Networks NGFW or Prisma Access tenants.
    • Public Cloud Storage—This volume-based license gives you bucket and blob visibility and control for your Public Storage apps (AWS S3, Azure Storage, and Google Cloud Storage) on Data Security. You purchase this license in one-year or three-year terms. You can identify and remove public buckets and blobs from inadvertent exposure or use. You can also prevent the propagation of malware and data exfiltration with advanced machine learning and Enterprise DLP, and view an audit trail for stored buckets and blobs to detect anomalies.

    SaaS Security Inline Licenses

    SaaS Security Inline works with Strata Logging Service to discover all SaaS apps on your network and enforce SaaS policy rule recommendations across your Palo Alto Networks NGFW or Prisma Access tenants. You can purchase SaaS Security Inline through bundles that combine it with other SaaS Security services, or as a standalone add-on for specific enforcement points.
    The following license options give you access to SaaS Security Inline. To determine the best option for your environment, contact your Palo Alto Networks sales representative.
    • CASB-X—A cross-platform bundle for Prisma Access and hardware next-generation firewalls. This bundle includes SaaS Security Inline for Prisma Access and NGFW. VM-Series software firewalls require additional Flex credits.
    • CASB-PA—A Prisma Access add-on bundle that includes SaaS Security Inline along with inline Enterprise DLP, Data Security, and SaaS Security Posture Management.
    • Prisma Access Enterprise Edition—The Prisma Access Enterprise Edition includes SaaS Security Inline.
    • SaaS Security Inline for Prisma Access—A standalone add-on license for Prisma Access base SKUs that covers both Mobile Users and Remote Networks. You must have Strata Logging Service to use this license. The minimum quantity for this license is 200 users.
    • SaaS Security Inline for NGFW—A per-NGFW subscription license for NGFW. You purchase this license for each firewall that processes egress traffic. You must have Strata Logging Service and register all products in the same Customer Support Portal account to use SaaS Security Inline features.
    • SaaS Security Inline for VM-Series (Flex)—You enable SaaS Security Inline on VM-Series software firewalls through software NGFW credits at 20% of the credits required per NGFW.
    • Enterprise License Agreement (ELA)—You can add SaaS Security Inline to an Enterprise License Agreement as an add-on subscription.

    SaaS Security Posture Management (SSPM) Licenses

    • SSPM —The SSPM user-based license grants one user the right to use SSPM to secure sanctioned SaaS apps. SSPM helps you detect and remediate misconfigured settings in sanctioned SaaS apps through continuous monitoring. SSPM detects misconfigurations by comparing SaaS app settings against built-in best practices, categorizes them by severity to help you prioritize risks, and suggests remediation actions. You can purchase SSPM as a standalone license on tenants that support tenant server groups (TSGs).
    • Palo Alto Networks includes SSPM as part of the following solutions:
      • Next-Generation CASB for Prisma Access and NGFW (CASB-X) for cross-platform license.
      • CASB on Prisma Access add-on for single tenant or multitenant.

    Behavior Threats Licenses

    • Behavior Threats —The Behavior Threats feature of SaaS Security helps you identify potential threats to your organization from compromised accounts, malicious insiders, and data breaches. Specifically, Behavior Threats examines how your organization’s users are interacting with sanctioned SaaS apps to identify suspicious user activities that might indicate attempts to steal or corrupt data.
    • The following licenses include Behavior Threats:
      • Next-Generation CASB for Prisma Access and NGFW (CASB-X) for cross-platform license.
      • CASB on Prisma Access add-on for single tenant or multitenant.
      • Data Security license.

    © 2026 Palo Alto Networks, Inc. All rights reserved.