| Criterion | PA firewall (PAN-OS, IPsec/SSL VPN) | WireGuard mesh |
|---|---|---|
| Hardware status | EOSL since April 2020 (6 years unsupported) | Software-only, always current |
| Attack surface | Login portal on public internet (actively targeted) | No exposed portal — credential spraying is architecturally impossible |
| Encryption | IPsec/SSL with TLS 1.0/1.1, 3DES, no PFS | WireGuard (ChaCha20-Poly1305, Curve25519), formally verified |
| Code audit | IPsec: no formal verification | WireGuard: formally verified (Tamarin, CryptoVerif, ProVerif, eCK) |
| Codebase size | IPsec: ~100,000+ lines | WireGuard: ~4,000 lines |
| Authentication | Firewall-local credentials / LDAP | Microsoft Entra ID SSO + MFA via OIDC |
| Traffic routing | All traffic through PA firewall (bottleneck) | Peer-to-peer mesh (no central bottleneck) |
| CVE history | PAN-OS 7.1: multiple unpatched CVEs, no new patches possible | 2 CVEs total (both server-side, non-critical) |
| Credential spraying risk | HIGH — exposed login endpoint, active campaign | NONE — no login endpoint exists |
| Post-quantum | No | Rosenpass (experimental, desktop/server) |
| Device compromise response | Manual credential revocation | Instant peer deletion + IdP-driven revocation + configurable session expiry |
| User offboarding | Manual — must revoke PA credentials | JWT session expires within configured period (recommend 24h) |