Unit 42 is the global threat intelligence team at Palo Alto Networks® and a recognized authority on cyberthreats, frequently sought out by enterprises and government agencies around the world. Our analysts are experts in hunting and collecting unknown threats as well as completely reverse-engineering malware using code analysis. With this expertise, we deliver high-quality, in-depth research that provides insight into tools, techniques, and procedures threat actors execute to compromise organizations. Our goal is to provide context wherever possible, explaining the nuts and bolts of attacks as well as who’s executing them and why so that defenders globally can gain visibility into threats to better defend their businesses against them.

Our Mission

Our mission is to research and document the details of adversaries’ playbooks and quickly share them with systems, people and organizations that can use them to prevent successful cyberattacks.

How Unit 42 Works

Our team follows a traditional intelligence cycle, starting with direction from our leadership in the form of Critical Intelligence Requirements, or CIRs. These help our analysts determine what data is necessary to answer specific questions about threats to Palo Alto Networks and our customers. Unit 42 collects that data from internal and external sources and runs it through a detailed threat analysis process that includes not only automated systems to correlate incoming data but also expert human analysis to interpret the data, identify patterns, formulate hypotheses and evaluate them against our entire data set. By doing this, our team can put threats into context and help others determine how to best defend against future attacks. Unit 42 is also backed by the Palo Alto Networks Engineering and Critical Response teams, offering years of experience detecting and preventing attacks.

Unit 42 Adversary Playbooks

Adversary Playbooks are discrete products that contain actionable intelligence on one or more adversaries, describing campaign stop and start dates, tactics, techniques, and procedures (plays) as defined by the international MITRE ATT&CK standard. When adversaries run these plays on victim networks, they leave indicators of compromise in their wake that network defenders can use to detect adversaries attacking their networks. Defenders can use these plays and the subsequent indicators of compromise to develop prevention and detection controls designed for specific adversaries.
Playbooks enable the network defender community to change the intelligence paradigm with automation. Instead of crossing the last mile manually, with humans analyzing the data and developing prevention and detection controls, we can cross it automatically: the intelligence is organized so that machines can read it and deploy prevention and detection controls for each adversary without manual intervention. See our Adversary Playbooks.

Work with Unit 42

We invite you to visit the Palo Alto Networks Careers page, which lists any open positions in Unit 42.