palo alto - StockEarnings

Palo Alto Q3 Earnings Reveal The Next Cybersecurity Crisis

For centuries, the biggest challenge facing every growing organization was surprisingly simple: the larger the workforce became, the harder it became to know who was doing what. 

That’s why Palo Alto Networks Inc (NASDAQ: PANW) fiscal Q3 2026 earnings left me thinking about something far bigger than firewalls or ransomware.

The company reported third-quarter earnings per share of $0.80 on revenue of $2.29 billion, beating Wall Street expectations on both measures. Those numbers were strong enough on their own, yet the figure that kept pulling me back is the NGS ARR. Next-Generation Security ARR climbed 34% to $5.06 billion while Remaining Performance Obligations reached $13.5 billion, up 19%.

In short, customers are committing dollars far faster than Palo Alto is recognizing revenue. And whenever future commitments accelerate ahead of current business activity, I stop asking what customers bought and start asking what they think is coming.

A Different Kind Of Threat

Most cybersecurity spending follows a predictable pattern. A new threat emerges, businesses react, budgets increase, and security vendors benefit. That framework explains much of the industry’s history, but it doesn’t fully account for what I’m seeing in Palo Alto’s results.

Revenue increased 15% year-over-year. Non-GAAP net income climbed to $577.8 million. Operating cash flow reached $578 million. Adjusted free cash flow exceeded $500 million. Gross margins remained among the strongest in enterprise software. In other words, this wasn’t a quarter held together by hype. Growth, profitability, margins, and cash generation were all moving in the right direction.

Yet management continues investing aggressively in products that seem designed for problems most enterprises have barely encountered.

The company completed its acquisition of Portkey, an AI gateway platform. It launched Prisma AIRS 3.0 to secure agentic AI. It introduced Idira to address next-generation identity management. It unveiled a secure browser built for AI-powered work environments. It rolled out Next-Generation Trust Security.

Individually, each announcement looks like another cybersecurity product. But together, they point toward a very specific concern: oversight.

The Next Cybersecurity Crisis May Begin With Permission

The first wave of enterprise AI largely focused on productivity, with most AI systems acting like assistants sitting beside workers. That world is already changing. The next generation of AI won’t just answer questions. It will access systems, retrieve data, execute workflows, communicate with applications, interact with customers, approve routine actions, and increasingly operate with a degree of autonomy that traditional software never possessed.

Now imagine what happens when thousands of those systems exist inside a large enterprise.

Who approved an action? Who granted access? Which system made a decision? Which model touched sensitive customer information? Who is accountable when something goes wrong?

Now look at the products Palo Alto keeps building, and a pattern emerges. Portkey focuses on observing and managing AI interactions. Identity products determine what receives access and under what conditions. Prisma AIRS governs AI applications and agent behavior. Secure Browser aims to control how AI-powered work is conducted within an organization.

You don’t build all those products because you’re worried about yesterday’s cybersecurity challenges. You build them because you’re preparing for tomorrow’s.

Forget Revenue. Focus On ARR Instead

This is where the ARR growth becomes so important.

Revenue tells us what customers need today. ARR tells us what customers believe they’ll need tomorrow.

That’s why the 34% growth in Next-Generation Security ARR may be the most revealing figure in the entire report. Customers are making long-term commitments before many of these AI governance problems become widespread.

The market tends to focus on visible threats because visible threats create headlines. A ransomware attack makes headlines. A data breach makes headlines. A phishing campaign makes headlines.

The challenge Palo Alto appears to be preparing for is quieter.

Every AI model, AI agent, machine identity, browser session, workflow automation, cloud application, and connected system adds another layer of decision-making inside an enterprise. The number of actions taking place grows exponentially, while the number of people capable of overseeing them does not.

Historically, companies solved growth problems by hiring managers. Every additional layer of scale required additional layers of oversight.

The AI era may be creating a similar problem, except this time the workforce isn’t growing. The number of digital actors operating inside organizations is.

No wonder investors remain enthusiastic about Palo Alto despite the stock’s massive run over the past three months. 

After bottoming near $145 in March, shares have more than doubled and now trade around $297, comfortably above the 20-day, 50-day, and 200-day moving averages, a sign that both short-term momentum and long-term trend remain firmly aligned. 

Even after earnings, buyers showed little interest in locking in long-term profits. Volume surged to more than 20 million shares as the stock pushed to fresh highs near $300, suggesting institutions were still accumulating rather than distributing shares. 

Momentum indicators may look stretched after such a sharp move, which explains some hesitation around the psychologically important $300 level. Yet the chart tells a simple story: investors continue treating Palo Alto as a premium AI and cybersecurity name, even as expectations grow increasingly demanding.


A Cybersecurity Company In Transition

Investors often describe Palo Alto as one of the highest-quality cybersecurity businesses, and the financial results support that view. What interests me is what management appears to be building toward.

The acquisitions, product launches, and customer commitments all suggest a future where the challenge is no longer stopping unauthorized access, but maintaining visibility and control after access has already been granted.

That’s a very different problem.

And if I’m right, the next cybersecurity crisis won’t begin with a hacker breaking into a system.

It will begin when organizations discover they have given thousands of AI systems the authority to make decisions, yet lack the oversight required to understand those decisions at scale.

