Security & Attack Surface

security-attack-surface — Round 1 Research Report

Session: 20260321-0115
Domain: Security Posture — GlobalProtect Attack Surface vs NetBird Security Model
Date: 2026-03-21
Tools Used: mcp__claude_ai_Tavily__tavily_search (12 queries), mcp__exa_websearch__web_search_exa (3 queries), WebSearch (0 — Tavily/Exa provided sufficient coverage)


GSISG’s GlobalProtect deployment at vpn.gsisg.com (98.147.1.83) running on a PA-2020 firewall represents a severe and compounding security liability. The PA-2020 reached End-of-Sale on April 30, 2015 and End-of-Service-Life on April 30, 2020 — it has been unsupported for nearly six years. The maximum PAN-OS version it can run is 7.1 (itself EOL since June 30, 2020), meaning it cannot receive patches for any CVE discovered after mid-2020. The device’s TLS configuration (TLS 1.0/1.1 enabled, 3DES ciphers, no forward secrecy, unsafe legacy renegotiation) represents deprecated, exploitable cryptography that violates PCI DSS and modern security standards.

Meanwhile, a massive, ongoing credential-spraying campaign has been targeting GlobalProtect portals since December 2025, with 1.7 million login attempts recorded in a single 16-hour window and continued waves observed through at least February 2026. The PA-2020 at vpn.gsisg.com is a sitting target for this campaign.

NetBird presents a fundamentally different security architecture: no exposed login portal (eliminating credential spraying entirely), WireGuard-based encryption with formally verified cryptography, identity-provider-delegated authentication, optional post-quantum key exchange via Rosenpass, and a minimal CVE history. The security delta between the two solutions is not incremental — it is categorical.


Question 1: GlobalProtect Credential-Spraying Campaign (December 2025+)

Confidence: HIGH | Sources: GreyNoise, BleepingComputer, ELLIO, CybersecurityDive, Ampcus Cyber

Timeline and Scale:

  • Late November 2025: Unusual scanning activity targeting GlobalProtect portals begins (reported by GreyNoise).
  • December 2, 2025: SonicWall API scanning also begins, suggesting broader VPN reconnaissance.
  • December 11, 2025 (Peak): GreyNoise detects 1.7 million login sessions targeting GlobalProtect portals in just 16 hours. Over 10,000 unique source IP addresses participated.
  • December 12, 2025: Campaign pivots sharply to Cisco SSL VPN endpoints.
  • February 23, 2026: ELLIO’s deception network records an 11x spike in scanning activity targeting GlobalProtect portals (/global-protect/login.esp). Over 48 hours, approximately 30,000 sessions from 8,575 unique IPs across three distinct waves, using 78 employee-style usernames and a single password (Password1).
  • March 2026: No direct evidence of cessation. ELLIO notes: “Each wave follows a similar playbook but rotates to fresh hosting infrastructure.” The campaign is assessed as ongoing.

Attribution:

  • Primary hosting infrastructure: 3xK GmbH (Germany) in the December wave.
  • February 2026 wave: GTT Communications (AS3257) as primary carrier.
  • No specific APT attribution. Assessed as professional, automated, infrastructure-backed credential probing at scale.

IOCs:

  • Target path: /global-protect/login.esp
  • Password used across all February 2026 attempts: Password1
  • 78 employee-style usernames used in rotation
  • Over 10,000 unique source IPs (December), 8,575 unique IPs (February)
  • User agent and request structure consistent with scripted tooling

Palo Alto Response:

  • Palo Alto Networks confirmed awareness: “This activity reflects automated credential probing and does not constitute a compromise of our environment or an exploitation of any Palo Alto Networks vulnerability.”
  • Recommendations: strong passwords, MFA, audit appliances, block known malicious IPs.
  • No specific advisory number was issued — Palo Alto classified this as credential abuse, not a product vulnerability.

Impact on GSISG: vpn.gsisg.com has a publicly exposed GlobalProtect portal. If it lacks MFA and rate limiting (likely on PAN-OS 7.1), it is directly exposed to this ongoing campaign.
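A defender's-side illustration of the pattern described above, added here as an example and not taken from GreyNoise, ELLIO or Palo Alto Networks: a small Go detector that parses a constructed, simplified key=value login log (not real PAN-OS syslog) and scores failed requests to the /global-protect/login.esp path by breadth (distinct usernames and source addresses inside a window) rather than depth per source. Breadth with one password is what separates a distributed spray from ordinary brute force, which per-account lockout already handles. All log lines, addresses and thresholds are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Attempt is one parsed portal authentication event.
type Attempt struct {
	TS     time.Time
	Src    string
	User   string
	Path   string
	Failed bool
}

// SampleLog is constructed sample data in a simplified key=value format, not real PAN-OS
// output: one legitimate login, then six different usernames tried from five addresses
// within seconds (the spray), then an unrelated failure half an hour later.
var SampleLog = []string{
	"2026-02-23T09:00:01Z src=203.0.113.10 user=alice path=/global-protect/login.esp result=OK",
	"2026-02-23T09:00:05Z src=198.51.100.21 user=finance.director path=/global-protect/login.esp result=FAIL",
	"2026-02-23T09:00:06Z src=198.51.100.22 user=hr.manager path=/global-protect/login.esp result=FAIL",
	"2026-02-23T09:00:07Z src=198.51.100.23 user=it.admin path=/global-protect/login.esp result=FAIL",
	"2026-02-23T09:00:08Z src=198.51.100.21 user=sales.lead path=/global-protect/login.esp result=FAIL",
	"2026-02-23T09:00:09Z src=198.51.100.24 user=ceo path=/global-protect/login.esp result=FAIL",
	"2026-02-23T09:00:10Z src=198.51.100.25 user=cfo path=/global-protect/login.esp result=FAIL",
	"2026-02-23T09:30:00Z src=203.0.113.10 user=alice path=/global-protect/login.esp result=FAIL",
}

// ParseLine parses one line of the constructed format above.
func ParseLine(line string) (Attempt, error) {
	fields := strings.Fields(line)
	if len(fields) < 5 {
		return Attempt{}, errors.New("too few fields: " + line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Attempt{}, err
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	return Attempt{TS: ts, Src: kv["src"], User: kv["user"], Path: kv["path"], Failed: kv["result"] != "OK"}, nil
}

// Finding summarises failed portal logins inside one time window.
type Finding struct {
	Failures, DistinctIPs, DistinctUsers int
	MaxPerIP                             int // busiest single source; low values with many IPs mean a distributed spray
	Spraying                             bool
}

// Detect flags a password-spraying pattern against loginPath: breadth across usernames
// and source addresses inside window, as opposed to depth against one account (brute force).
func Detect(lines []string, loginPath string, window time.Duration, minUsers, minIPs int) (Finding, error) {
	var failed []Attempt
	for _, l := range lines {
		a, err := ParseLine(l)
		if err != nil {
			return Finding{}, err
		}
		if a.Path == loginPath && a.Failed {
			failed = append(failed, a)
		}
	}
	if len(failed) == 0 {
		return Finding{}, nil
	}
	sort.Slice(failed, func(i, j int) bool { return failed[i].TS.Before(failed[j].TS) })
	perIP, users := map[string]int{}, map[string]bool{}
	var f Finding
	for _, a := range failed {
		if a.TS.Sub(failed[0].TS) > window {
			break // only the first window is scored here; a scheduled job would slide it
		}
		f.Failures++
		perIP[a.Src]++
		users[a.User] = true
	}
	f.DistinctIPs, f.DistinctUsers = len(perIP), len(users)
	for _, n := range perIP {
		if n > f.MaxPerIP {
			f.MaxPerIP = n
		}
	}
	f.Spraying = f.DistinctUsers >= minUsers && f.DistinctIPs >= minIPs
	return f, nil
}

func main() {
	f, err := Detect(SampleLog, "/global-protect/login.esp", 5*time.Minute, 5, 3)
	fmt.Printf("%+v err=%v\n", f, err)
}
```

The thresholds (five usernames, three sources, five minutes) are deliberately low for the sample; against a real portal log the useful signal is the ratio between distinct usernames and attempts per source, which stays high for a spray even when the campaign rotates hosting providers.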


Question 2: Critical CVEs Affecting Palo Alto PA-2020 / PAN-OS

Confidence: HIGH | Sources: NVD, Palo Alto Security Advisories, Rapid7, Tenable, Wiz, watchTowr

CVE-2024-3400 (GlobalProtect Command Injection)

  • Type: Command injection via arbitrary file creation in GlobalProtect feature
  • Impact: Unauthenticated RCE with root privileges
  • Affected versions: PAN-OS 10.2, 11.0, 11.1 only
  • PA-2020 relevance: NOT DIRECTLY AFFECTED — PA-2020 cannot run PAN-OS 10.2+
  • However: The PA-2020 runs PAN-OS 7.1 at most, a codebase so old that it predates this vulnerability but also predates all modern security hardening

CVE-2024-0012 (Management Interface Authentication Bypass)

  • Type: Authentication bypass in PAN-OS management web interface
  • Impact: Unauthenticated attacker gains admin privileges; enables chaining with CVE-2024-9474
  • Affected versions: PAN-OS 10.2, 11.0, 11.1, 11.2
  • PA-2020 relevance: NOT DIRECTLY AFFECTED — requires PAN-OS 10.2+
  • Exploitation: Active in the wild since November 2024 (“Operation Lunar Peek”), 2,000+ instances compromised worldwide, public PoC available (trivial X-PAN-AUTHCHECK: off header bypass)

CVE-2024-9474 (Management Interface Privilege Escalation)

  • Type: Privilege escalation in PAN-OS management web interface
  • Impact: Authenticated admin gains root privileges via PHP session manipulation
  • Affected versions: PAN-OS 10.1, 10.2, 11.0, 11.1, 11.2
  • PA-2020 relevance: NOT DIRECTLY AFFECTED — requires PAN-OS 10.1+
  • Exploitation: Chained with CVE-2024-0012 for unauthenticated RCE

Critical Observation: While these three specific CVEs do not directly affect the PA-2020 (which maxes out at PAN-OS 7.1), this is not a security advantage. PAN-OS 7.1 reached EOL on June 30, 2020, and has received no security updates for nearly 6 years. Any vulnerabilities in PAN-OS 7.1 or earlier are permanently unpatched. The device is running on a version so old it falls outside the scope of modern vulnerability research and disclosure — researchers do not test against it because it is assumed decommissioned.

The PA-2020’s real vulnerability exposure includes:

  • All unpatched vulnerabilities in PAN-OS 7.1 and below
  • TLS/cipher vulnerabilities (Sweet32/3DES, BEAST/TLS 1.0, Lucky13/TLS 1.1)
  • No support for modern TLS 1.3
  • No forward secrecy capability
  • Unsafe legacy TLS renegotiation (CVE-2009-3555)
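To make the list above concrete, here is an added Go example (not code from this report, from Palo Alto Networks or from any scanner) that takes a hand-entered TLS posture, protocol versions and OpenSSL-style cipher names as a scanner would report them, and maps it to the weaknesses listed. The LegacyPosture values reproduce the configuration this report attributes to the PA-2020; they are typed in by hand, not collected from vpn.gsisg.com. HardenedPosture is an assumed target configuration for a replacement listener.

```go
package main

import (
	"fmt"
	"strings"
)

// Posture is the TLS configuration observed on one listener: protocol versions and
// OpenSSL-style cipher names, entered by hand here rather than read from a live scan.
type Posture struct {
	Versions            []string
	Ciphers             []string
	SecureRenegotiation bool // RFC 5746 renegotiation indication supported
}

func has(list []string, want string) bool {
	for _, v := range list {
		if v == want {
			return true
		}
	}
	return false
}

// Assess maps an observed posture to the weaknesses listed in the report; an empty
// result means none of them applies.
func Assess(p Posture) []string {
	var findings []string
	if has(p.Versions, "TLSv1.0") {
		findings = append(findings, "TLS 1.0 enabled (BEAST-class CBC attacks; deprecated, fails PCI DSS)")
	}
	if has(p.Versions, "TLSv1.1") {
		findings = append(findings, "TLS 1.1 enabled (Lucky13-class CBC padding oracles; deprecated)")
	}
	if !has(p.Versions, "TLSv1.3") {
		findings = append(findings, "TLS 1.3 not offered")
	}
	pfs := false
	for _, c := range p.Ciphers {
		if strings.Contains(c, "DES-CBC3") || strings.Contains(c, "3DES") {
			findings = append(findings, "3DES suite offered: "+c+" (Sweet32 birthday attack on 64-bit blocks)")
		}
		// ECDHE/DHE suites use ephemeral keys; TLS 1.3 suites (TLS_ prefix) always do.
		if strings.HasPrefix(c, "ECDHE-") || strings.HasPrefix(c, "DHE-") || strings.HasPrefix(c, "TLS_") {
			pfs = true
		}
	}
	if !pfs {
		findings = append(findings, "no forward-secrecy (ECDHE/DHE) suite offered")
	}
	if !p.SecureRenegotiation {
		findings = append(findings, "unsafe legacy renegotiation (CVE-2009-3555)")
	}
	return findings
}

// LegacyPosture is the configuration the report attributes to the PA-2020, typed in by hand.
var LegacyPosture = Posture{
	Versions: []string{"TLSv1.0", "TLSv1.1", "TLSv1.2"},
	Ciphers:  []string{"DES-CBC3-SHA", "AES128-SHA", "AES256-SHA"},
}

// HardenedPosture is an assumed target configuration for a replacement listener.
var HardenedPosture = Posture{
	Versions:            []string{"TLSv1.2", "TLSv1.3"},
	Ciphers:             []string{"ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_128_GCM_SHA256"},
	SecureRenegotiation: true,
}

func main() {
	for _, f := range Assess(LegacyPosture) {
		fmt.Println("FAIL:", f)
	}
	fmt.Println("hardened listener findings:", len(Assess(HardenedPosture)))
}
```

The point the checker makes visible is that removing the 3DES suite alone fixes only one of the six findings: the protocol versions, the missing ephemeral key exchange and the renegotiation behaviour are properties of the PAN-OS 7.1 TLS stack, not of the cipher list.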

Question 3: PA-2020 End-of-Life / End-of-Support Status

Confidence: VERY HIGH | Sources: Palo Alto Networks official EoL pages, Park Place Technologies, Procurri, Router-Switch

| Milestone | Date |
| --- | --- |
| End-of-Sale (EOS) | April 30, 2015 |
| End-of-Service-Life (EOSL) | April 30, 2020 |
| Maximum PAN-OS Version | PAN-OS 7.1 |
| PAN-OS 7.1 EOL | June 30, 2020 |
| Last PAN-OS 7.1 release | 7.1.26 (April 30, 2020) |
| Recommended replacement | PA-1400 Series |

Key facts:

  • The PA-2020 has been end-of-sale for over 11 years and end-of-support for nearly 6 years.
  • It is NOT listed in the current Palo Alto compatibility matrix (which starts at PA-220).
  • The maximum PAN-OS it can run (7.1) has itself been EOL since June 30, 2020.
  • No security updates of any kind are available. Not through standard support, not through extended support.
  • The device is not eligible for any Palo Alto support contract.

Question 4: WireGuard vs IPsec/SSL Security Model Comparison

Confidence: HIGH | Sources: WireGuard.com, Tailscale, zenarmor, NDSS Symposium papers, IVPN, ExpressVPN, academic papers

| Aspect | WireGuard (NetBird) | GlobalProtect IPsec/SSL |
| --- | --- | --- |
| Symmetric Encryption | ChaCha20-Poly1305 (AEAD) | Configurable: AES-128/256-CBC/GCM, 3DES (PA-2020 uses 3DES) |
| Key Exchange | Curve25519 (ECDH) | Configurable: DH groups, RSA (PA-2020 likely weak groups) |
| Hashing | BLAKE2s, SipHash24 | SHA-1, SHA-256 (configurable) |
| Key Derivation | HKDF | PRF-based (IKE) |
| Forward Secrecy | Built-in (ephemeral keys per handshake) | Optional, configuration-dependent |
| Cipher Negotiation | None — single fixed suite | Full negotiation (attack surface for downgrade) |

| Metric | WireGuard | IPsec (OpenSwan) | OpenVPN/OpenSSL |
| --- | --- | --- | --- |
| Lines of Code | ~4,000 | ~100,000+ | ~100,000+ |
| Cipher Suite Options | 1 (fixed) | Dozens (including legacy) | Dozens |
| Protocol Complexity | Minimal (3 message types) | High (IKE phases, SA negotiation) | High (TLS handshake, channel) |
| Kernel Integration | Linux kernel mainline (since 5.6) | Kernel + userspace (complex) | Userspace only |

WireGuard has undergone extensive formal verification — a rarity among VPN protocols:

  1. Symbolic Verification (Tamarin Prover): Joint work by Jason Donenfeld and Kevin Milner. Verified properties: correctness, strong key agreement & authenticity, key-compromise impersonation resistance, unknown key-share attack resistance, key secrecy, forward secrecy, session uniqueness, identity hiding.
  2. Computational Proof (eCK Model): By Dowling and Paterson — “A Cryptographic Analysis of the WireGuard Protocol.” Proved security in the computational model (stronger than symbolic).
  3. Computational Proof (CryptoVerif): Additional computer-aided computational verification.
  4. Symbolic Verification (ProVerif): Comprehensive analysis by Nadim Kobeissi covering the full Noise framework.
  5. Unified Symbolic Analysis (SAPIC+/TAMARIN/ProVerif): 2024 NDSS paper providing the most complete analysis, confirming agreement, key secrecy, and PFS. Identified a minor anonymity limitation (mac1 field allows responder identity probing — not exploitable for data compromise).
  6. Verified C Implementation of Curve25519: The cryptographic primitive itself has been formally verified.

IPsec has NOT undergone comparable formal verification. Its large codebase and numerous cipher suite combinations make comprehensive formal verification infeasible.

SSL/TLS (as used by GlobalProtect portal): The protocol itself is well-studied, but the PA-2020’s configuration (TLS 1.0/1.1, 3DES, no PFS, unsafe renegotiation) uses deprecated, formally broken configurations.

  • WireGuard: Multiple independent audits. Small codebase makes it auditable by individual researchers.
  • IPsec: Various implementations audited independently (OpenSwan, strongSwan), but the protocol’s complexity means audits are never comprehensive.
  • Note: Leaked NSA presentations suggest IKE (IPsec key exchange) may be exploitable in unknown ways to decrypt IPsec traffic (per IVPN documentation).

Question 5: NetBird Authentication Model & Credential Spraying Prevention

Confidence: HIGH | Sources: NetBird official docs, NetBird knowledge hub, ISO 27001/SOC 2 compliance docs

Why credential spraying is architecturally impossible against NetBird:

  1. No exposed login portal. NetBird has no web-based login page on the public internet. There is no /global-protect/login.esp equivalent. There is no URL an attacker can send credentials to. The management dashboard is accessed through authenticated OIDC flow, not a publicly exposed form.

  2. Authentication is delegated to Identity Providers (IdPs). NetBird uses OpenID Connect (OIDC) protocol. Supported IdPs include:

    • Microsoft Entra ID (Azure AD)
    • Okta
    • Google Workspace
    • JumpCloud
    • Keycloak
    • Any OIDC-compatible provider

    The IdP handles all authentication, including MFA enforcement, rate limiting, account lockout, and brute-force protection. These are mature, hardened authentication systems.

  3. Peer registration requires either:

    • Interactive IdP login (OIDC flow with browser redirect — not scriptable for credential spraying)
    • Setup key (pre-generated, time-limited, usage-limited token — not a username/password)

  4. WireGuard Cryptokey Routing. Each peer authenticates via its WireGuard public key. Incoming connections are accepted ONLY if the peer’s public key is pre-authorized in the management server. There is no “login” — either you have a valid cryptographic identity or the connection is silently dropped.

  5. No listening ports on protected resources. Resources behind NetBird do not expose any ports to the public internet. An attacker cannot even discover that NetBird is in use, let alone attempt authentication.

Technical mechanism: When a new device joins:

  1. User initiates netbird up or uses the GUI
  2. Client generates a WireGuard keypair locally
  3. Client authenticates via OIDC (browser redirect to IdP) or setup key
  4. Management server validates the JWT token from the IdP
  5. Public key is registered and distributed to authorized peers
  6. WireGuard tunnel is established using cryptographic identity only

At no point is there a username/password prompt exposed to the network.


Question 6: NetBird CVE History

Confidence: HIGH | Sources: NVD, CERT Polska, NetBird knowledge hub, NetBird Trust Center

NetBird has a minimal CVE history:

CVE-2025-10678 (Use of Default Credentials)

  • Severity: Medium
  • Description: NetBird VPN, when installed using the vendor’s provided installation script, failed to remove or change the default password of an admin account created by ZITADEL (the default identity provider for self-hosted instances).
  • Impact: Self-hosted instances installed via the provided script retained a default admin credential. Docker-based installations were also affected if the default password was not changed.
  • Fixed in: Version 0.57.0 (October 2025)
  • Scope: Self-hosted deployments only. Cloud-hosted NetBird was not affected.
  • Assessment: A deployment hygiene issue, not a protocol or architectural vulnerability.

CVE-2024-41260 (Static Initialization Vector)

  • Severity: 7.5 HIGH (CISA-ADP assessment)
  • Description: A static initialization vector (IV) in the encrypt function of NetBird management’s service (v0.23.2 to v0.29.1) could allow attackers to obtain sensitive information (email addresses) if they had possession of the audit events database.
  • Impact: Information disclosure of email addresses — requires pre-existing access to the database.
  • Fixed in: Version 0.29.1+
  • Scope: Server-side management service only. Does not affect the WireGuard data plane.
  • Assessment: Requires database access as a prerequisite, significantly limiting practical exploitability.

Threat Actor Misuse of NetBird (Not a CVE)

  • Not a CVE — NetBird was misused by threat actors, not exploited.
  • A spear-phishing campaign targeting financial executives (tracked by Trellix) used NetBird as post-compromise infrastructure. Attackers installed NetBird on compromised machines to establish C2 connectivity.
  • NetBird confirmed: “There was no vulnerability in the NetBird platform exploited during this incident.”
  • A single malicious account registered 197 machines and was subsequently disabled.
  • NetBird responded by blocking the account and implementing additional abuse prevention measures.

Overall Assessment: NetBird has no critical protocol or architectural vulnerabilities in its CVE history. The two CVEs are server-side management issues with limited scope. The WireGuard data plane has never been compromised. NetBird maintains ISO 27001:2022 certification and publishes penetration test reports through its Trust Center (trust.netbird.io).


Question 7: Device Compromise & Revocation Mechanisms

Confidence: HIGH | Sources: NetBird docs, NetBird knowledge hub, ISO 27001/SOC 2 compliance documentation

If a laptop with always-on NetBird VPN is stolen, the following mechanisms exist:

Immediate revocation:

  1. Peer deletion from management dashboard: Admin removes the peer (device) from the NetBird dashboard. The device immediately loses authorization — its WireGuard public key is removed from all peers’ allowed lists. Connection drops within seconds.
  2. IdP-driven revocation: Deactivate the user in the IdP (Okta, Azure AD, Google Workspace, etc.). NetBird’s IdP sync automatically revokes all associated device access. This is the recommended approach for employee departure or device theft.
  3. Setup key revocation: If the device was enrolled via a setup key, revoking or deleting the key prevents re-enrollment.

Automatic and posture-based controls:

  1. Login expiration: NetBird supports configurable peer login expiration. After the expiration period, the peer must re-authenticate with the IdP. A stolen device with an expired session cannot reconnect without valid IdP credentials.
  2. Device posture checks: NetBird integrates with EDR/MDM platforms (CrowdStrike Falcon, Microsoft Intune, SentinelOne Singularity) to verify device compliance. A device flagged as compromised or non-compliant is automatically blocked from network access in real-time.
  3. Geolocation restrictions: Posture checks can restrict access by geographic location, blocking connections from unexpected locations.
  4. OS version enforcement: Posture checks can require minimum OS versions and NetBird client versions.

Limiting the blast radius of a device that is still connected:

  1. Micro-segmentation: Even if a device remains connected, NetBird’s access policies limit what resources it can reach. A stolen developer laptop cannot access production databases if the policy does not permit it.
  2. Group-based isolation: Admins can move a compromised peer to an isolated group with no access policies, effectively quarantining it without deletion.

Comparison to GlobalProtect: GlobalProtect’s revocation requires modifying firewall policies or disabling VPN user accounts. On a PA-2020 running PAN-OS 7.1, granular per-device revocation capabilities are severely limited compared to NetBird’s identity-aware, policy-driven approach.
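The device join flow from Question 5 (keypair generated on the device, IdP token validated by management, public key registered) and the peer-deletion revocation above, as one added Go example using only the standard library. It is not NetBird's code; the IdP, Management and Claims types, the function names, and the issuer and audience strings are assumptions made for the example. A simulated OIDC provider signs an RS256 ID token after the interactive login; the management side pins the algorithm and checks signature, issuer, audience and expiry before binding the device's freshly generated X25519 public key to that identity; every later "is this peer allowed?" check is a key lookup with no credential involved, and deleting the peer removes the key.

```go
package main

import (
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// IdP stands in for Entra ID, Okta or any OIDC provider; it owns an RS256 signing key.
type IdP struct {
	key    *rsa.PrivateKey
	Issuer string
}

func NewIdP(issuer string) (*IdP, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	return &IdP{key: k, Issuer: issuer}, nil
}

// Claims is the subset of ID-token claims that management checks.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// IssueToken mints the JWT the IdP returns after the user's interactive browser login.
func (p *IdP) IssueToken(sub, aud string, exp time.Time) (string, error) {
	body, _ := json.Marshal(Claims{Iss: p.Issuer, Sub: sub, Aud: aud, Exp: exp.Unix()})
	signing := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, h[:])
	if err != nil { return "", err }
	return signing + "." + b64.EncodeToString(sig), nil
}

// Management trusts one IdP key and holds the authorised WireGuard public keys
// (key -> enrolling user). There is no password store anywhere.
type Management struct {
	idpKey   *rsa.PublicKey
	issuer   string
	audience string
	peers    map[string]string
}

func NewManagement(p *IdP, audience string) *Management {
	return &Management{idpKey: &p.key.PublicKey, issuer: p.Issuer, audience: audience, peers: map[string]string{}}
}

// ValidateToken pins the algorithm server-side (no "none", no HMAC downgrade), then
// checks signature, issuer, audience and expiry.
func (m *Management) ValidateToken(tok string, now time.Time) (Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, errors.New("unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(m.idpKey, crypto.SHA256, h[:], sig) != nil {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return Claims{}, errors.New("bad claims")
	}
	if c.Iss != m.issuer || c.Aud != m.audience || now.Unix() >= c.Exp {
		return Claims{}, errors.New("wrong issuer/audience or expired")
	}
	return c, nil
}

// NewWireGuardKey is join step 2: the Curve25519 keypair is made on the device and
// only the base64 public half is ever sent to management.
func NewWireGuardKey() (string, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return "", err }
	return base64.StdEncoding.EncodeToString(priv.PublicKey().Bytes()), nil
}

// RegisterPeer is join steps 3-5: bind the device key to the identity in a valid token.
func (m *Management) RegisterPeer(tok, wgPub string, now time.Time) error {
	c, err := m.ValidateToken(tok, now)
	if err != nil { return err }
	m.peers[wgPub] = c.Sub
	return nil
}

// Authorized is the cryptokey-routing decision on an incoming handshake: an unknown
// public key is dropped, and there is no credential to guess.
func (m *Management) Authorized(wgPub string) bool { _, ok := m.peers[wgPub]; return ok }

// RevokePeer is "delete the peer from the dashboard": the key leaves the allowed set.
func (m *Management) RevokePeer(wgPub string) { delete(m.peers, wgPub) }
```

Two details carry the security argument. The token's own alg header is never trusted to choose the verification method, which closes the classic "alg: none" and RSA-to-HMAC confusion bugs in JWT validators; and nothing in Management ever compares a password, so the only things an outsider can send it are signed tokens from the one trusted IdP or public keys it has never seen.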


Question 8: Rosenpass Post-Quantum Key Exchange

Confidence: HIGH | Sources: NetBird docs, Rosenpass.eu, NetBird knowledge hub, CCC talk, GitHub

Rosenpass is a post-quantum secure key exchange protocol that enhances WireGuard VPNs against quantum computer attacks. It uses two post-quantum key exchange methods:

  • Classic McEliece — code-based cryptography
  • ML-KEM (Kyber) — lattice-based cryptography, selected by NIST as a post-quantum standard

Rosenpass operates as a sidecar to WireGuard: it negotiates a symmetric key using post-quantum algorithms and supplies it to WireGuard as a pre-shared key (PSK). This provides hybrid security — the connection is protected by both WireGuard’s classical Curve25519 exchange AND Rosenpass’s post-quantum exchange. Breaking the connection requires defeating BOTH.

  • Available since: NetBird v0.25.4
  • Implementation: Go implementation of the Rosenpass protocol (from the cunicu project), embedded directly in the NetBird agent
  • PSK rotation: Every 2 minutes, Rosenpass generates and applies a new pre-shared key to each WireGuard connection
  • Activation: netbird up --enable-rosenpass
  • Permissive mode: netbird up --enable-rosenpass --rosenpass-permissive allows mixed networks where some peers lack Rosenpass support
  • Status: Experimental — NetBird explicitly documents this as “an experimental feature, may contain bugs”
  • Platform limitation: Not supported on mobile devices (iOS, Android)
  • Desktop support: Functional on Linux, Windows, macOS
  • Known issues: GitHub issue #2973 reports PSK rotation not updating correctly in some configurations (as of v0.33.0, December 2024)
  • Strict mode default: If enabled, peers without Rosenpass cannot connect (unless permissive mode is used), which enforces full quantum resistance across the network

Rosenpass in NetBird is production-functional for desktop/server use cases but should be considered early production / late experimental. For an organization preparing for post-quantum threats, it provides a viable path with hybrid security (no regression from classical WireGuard security). The core Rosenpass protocol has been formally analyzed and the Rust reference implementation is open-source under Apache 2.0/MIT dual license.


Question 9: Audit Logging and SIEM Integration

Confidence: HIGH | Sources: NetBird docs, NetBird knowledge hub, Datadog integration docs

NetBird provides comprehensive audit event logging enabled by default for every network. Tracked events include:

Peer Management:

  • Peer added, removed, renamed, login expired, SSH enabled/disabled

Access Control:

  • Policy created, updated, deleted
  • Group created, updated, deleted
  • Posture check created, updated, deleted

User Management:

  • User invited, joined, role changed
  • Owner role transferred
  • Dashboard login events

Network Configuration:

  • Route created, updated, deleted
  • DNS settings modified
  • Setup key created, revoked, overused

System Events:

  • Account settings changed
  • Integration created/updated/deleted

Events include timestamps, source IPs, associated user identities, and affected resources.

NetBird supports streaming audit events to third-party SIEM platforms:

| Integration | Method | Status |
| --- | --- | --- |
| Datadog | Datadog Log Collection HTTP API | Production |
| Amazon S3 | Direct S3 bucket delivery | Production |
| Amazon Data Firehose | Kinesis Firehose streaming | Production |
| SentinelOne Data Lake | Native integration | Production |
| Generic HTTP | POST to any HTTP/S endpoint (custom payload templates) | Production (since June 2025) |

The Generic HTTP integration enables connectivity to any SIEM including Splunk, Elasticsearch/OpenSearch, Sumo Logic, or custom systems. It supports:

  • Token and Basic authentication
  • Custom payload templates (JSON templating engine)
  • Real-time event delivery

Limitation: SIEM streaming is only available in the cloud version of NetBird, not self-hosted deployments.

GlobalProtect on PAN-OS 7.1 provides basic syslog output. It lacks the structured event streaming, identity-aware event tagging, and native SIEM integrations that NetBird offers. Modern PAN-OS versions (10.2+) have significantly better logging, but the PA-2020 cannot run them.


Question 10: NetBird Zero Trust vs GlobalProtect Zone-Based Security

Confidence: HIGH | Sources: NetBird docs, Palo Alto product documentation, comparison analyses

| Aspect | GlobalProtect (Zone-Based) | NetBird (Zero Trust) |
| --- | --- | --- |
| Trust Model | Perimeter-based: once authenticated to VPN, user enters a “trusted” zone | Zero Trust: every connection verified independently, no implicit trust |
| Network Model | Centralized hub-and-spoke: all traffic routes through firewall | Decentralized peer-to-peer: direct encrypted tunnels between endpoints |
| Access Granularity | Zone-based policies (inside/outside/DMZ), IP-based rules | Identity-based policies per user/group/device, resource-level granularity |
| Authentication | Username/password to VPN portal (credential spraying target) | IdP-delegated OIDC + WireGuard cryptographic identity (no exposed portal) |
| Lateral Movement | Once in the VPN zone, lateral movement limited only by internal firewall rules | Each resource requires explicit policy; default deny |
| Device Posture | Requires HIP (Host Information Profile) — available on modern PAN-OS only | Native EDR/MDM integration (CrowdStrike, Intune, SentinelOne), OS version checks, geo checks |
| Single Point of Failure | VPN concentrator (firewall) is SPOF | No SPOF: peer-to-peer mesh, multiple relay servers |
| Scalability | Limited by firewall throughput and session capacity | Scales horizontally; traffic does not traverse central infrastructure |

The PA-2020’s zone-based security model is further limited by:

  • PAN-OS 7.1: Lacks modern App-ID signatures, URL filtering databases, and threat prevention content
  • No User-ID agent support for modern IdP integration
  • No HIP checks comparable to NetBird’s device posture
  • No micro-segmentation within VPN zones
  • Session capacity: PA-2020 supports a maximum of 250,000 sessions and 1 Gbps firewall throughput — adequate for a small branch but not a modern security architecture
  • No SSL decryption capability for inspecting encrypted traffic (limited by hardware era)

NetBird implements NIST SP 800-207 Zero Trust Architecture principles:

  1. All data sources and computing services are considered resources — no distinction between “internal” and “external”
  2. All communication is secured regardless of network location — WireGuard encryption on every connection
  3. Access to individual resources is granted on a per-session basis — policies evaluated per connection
  4. Access is determined by dynamic policy — including user identity, device state, behavioral attributes, and environmental conditions
  5. Enterprise monitors and measures integrity and security posture — continuous device posture verification via EDR/MDM integration
  6. Authentication and authorization are dynamic and strictly enforced — IdP-driven with periodic re-authentication
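A worked illustration of principles 3 to 6 above and of the posture, geolocation and micro-segmentation controls in Question 7, added here as an example and not NetBird's policy engine: a default-deny decision function over peers, resources, group-based policies and per-connection posture checks (minimum OS version, allowed countries, EDR compliance). Group names, resources, policies and the sample peers are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Peer is one enrolled device with the posture attributes the report names.
type Peer struct {
	Name, OS, OSVersion, Country string
	Groups                       []string
	EDRCompliant                 bool
}

// Resource is something reachable through the mesh; like peers, it lives in groups.
type Resource struct {
	Name   string
	Groups []string
}

// PostureCheck is evaluated on every access decision, not once at enrollment.
type PostureCheck struct {
	MinOSVersion     map[string]string // OS name -> minimum version
	AllowedCountries []string          // empty means no geo restriction
	RequireEDR       bool
}

// Policy grants peers in any source group access to resources in any destination group,
// subject to its posture check. Nothing is reachable without a policy.
type Policy struct {
	Name                  string
	Sources, Destinations []string
	Posture               PostureCheck
}

func intersects(a, b []string) bool {
	for _, x := range a {
		for _, y := range b {
			if x == y {
				return true
			}
		}
	}
	return false
}

// versionLess compares dotted numeric versions, so "14.2" < "14.10" (a string compare gets this wrong).
func versionLess(a, b string) bool {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) { x, _ = strconv.Atoi(as[i]) }
		if i < len(bs) { y, _ = strconv.Atoi(bs[i]) }
		if x != y {
			return x < y
		}
	}
	return false
}

func (c PostureCheck) passes(p Peer) (bool, string) {
	if floor, ok := c.MinOSVersion[p.OS]; ok && versionLess(p.OSVersion, floor) {
		return false, fmt.Sprintf("%s %s is below minimum %s", p.OS, p.OSVersion, floor)
	}
	if len(c.AllowedCountries) > 0 && !intersects(c.AllowedCountries, []string{p.Country}) {
		return false, "connection from disallowed location " + p.Country
	}
	if c.RequireEDR && !p.EDRCompliant {
		return false, "device reported non-compliant by EDR/MDM"
	}
	return true, ""
}

// Decide is default deny: the peer reaches the resource only if some policy matches both
// ends and that policy's posture check passes right now.
func Decide(p Peer, r Resource, policies []Policy) (bool, string) {
	for _, pol := range policies {
		if !intersects(p.Groups, pol.Sources) || !intersects(r.Groups, pol.Destinations) {
			continue
		}
		if ok, why := pol.Posture.passes(p); !ok {
			return false, pol.Name + ": posture check failed: " + why
		}
		return true, "allowed by policy " + pol.Name
	}
	return false, "no policy grants " + p.Name + " access to " + r.Name
}

// Constructed sample network; the policies are assumptions made for this example.
var (
	Staging  = Resource{Name: "staging-db", Groups: []string{"staging"}}
	ProdDB   = Resource{Name: "prod-db", Groups: []string{"prod"}}
	Policies = []Policy{
		{Name: "dev-to-staging", Sources: []string{"dev"}, Destinations: []string{"staging"},
			Posture: PostureCheck{MinOSVersion: map[string]string{"macos": "14.0"}, RequireEDR: true}},
		{Name: "admin-to-prod", Sources: []string{"admins"}, Destinations: []string{"prod"},
			Posture: PostureCheck{AllowedCountries: []string{"US"}, RequireEDR: true}},
	}
)

func main() {
	alice := Peer{Name: "laptop-alice", Groups: []string{"dev"}, OS: "macos", OSVersion: "14.2", Country: "US", EDRCompliant: true}
	for _, r := range []Resource{Staging, ProdDB} {
		ok, why := Decide(alice, r, Policies)
		fmt.Println(r.Name, ok, why)
	}
}
```

Quarantining a stolen laptop in this model is a group change, not a policy rewrite: a peer whose only group matches no policy source falls through to the default deny for every resource, which is the "isolated group with no access policies" step from Question 7.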

Gaps and Uncertainties

  1. Credential spraying campaign current status (March 2026): The most recent confirmed wave was February 23, 2026 (ELLIO). No evidence of campaign cessation was found. Confidence that it is ongoing: MEDIUM-HIGH (pattern suggests recurring waves with infrastructure rotation).

  2. PA-2020 exact PAN-OS version at vpn.gsisg.com: Research confirms maximum possible version is PAN-OS 7.1, but the actual running version could be older (6.x or even 5.x). This cannot be determined without access to the device. Impact: If running anything below 7.1, the vulnerability exposure is even worse.

  3. Undisclosed PAN-OS 7.1 vulnerabilities: Since PAN-OS 7.1 is EOL and no longer tested by security researchers, there may be undisclosed vulnerabilities that will never be patched. Confidence in completeness of vulnerability assessment: LOW — we can only assess known CVEs.

  4. NetBird self-hosted SIEM streaming: SIEM event streaming is only available in NetBird’s cloud version. If GSISG self-hosts NetBird, they would need to build custom log forwarding. Impact on Question 9: Moderate — self-hosted deployments still have audit logs accessible via API and UI, just no native SIEM push.

  5. Rosenpass mobile support timeline: No public roadmap found for when Rosenpass will support iOS/Android. Impact on Question 8: Minor — post-quantum protection for mobile VPN is not an immediate operational concern.

  6. NSA exploitation of IKE/IPsec: The claim that NSA can exploit IKE to decrypt IPsec traffic comes from Snowden-era disclosures (2013) and is referenced by multiple VPN comparison sources. Confidence: MEDIUM — the specific exploitation method has never been publicly detailed.


Search Queries

Tavily (12 queries):

  1. “GlobalProtect credential spraying campaign 2024 2025 Palo Alto Networks advisory” — 10 results
  2. “CVE-2024-0012 CVE-2024-9474 CVE-2024-3400 Palo Alto PA-2020 PAN-OS vulnerability” — 10 results
  3. “Palo Alto PA-2020 end of life end of support date PAN-OS” — 10 results
  4. “NetBird VPN security architecture authentication model credential spraying prevention” — 10 results
  5. “NetBird CVE vulnerability history security audit” — 10 results
  6. “WireGuard security audit formal verification cipher suite comparison IPsec SSL VPN” — 10 results
  7. “NetBird Rosenpass post-quantum key exchange WireGuard production ready” — 10 results
  8. “NetBird device revocation stolen laptop zero trust access control audit logging SIEM” — 10 results
  9. “CVE-2024-3400 PAN-OS GlobalProtect command injection CVSS 10 affected versions PA-2020” — 5 results
  10. “WireGuard formal verification Tamarin prover symbolic model computational soundness” — 5 results
  11. “NetBird peer revocation device compromise stolen device management dashboard” — 5 results
  12. “GlobalProtect credential spraying campaign March 2026 ongoing still active” — 5 results
Exa (3 queries):

  1. “PA-2020 maximum PAN-OS version supported compatibility matrix” — 5 results
  2. “NetBird event streaming SIEM integration Datadog Splunk Elasticsearch” — 5 results
  3. “GlobalProtect zone-based security vs zero trust network access ZTNA comparison” — 5 results
  1. “GlobalProtect TLS 1.0 TLS 1.1 3DES cipher legacy renegotiation security risk” — 5 results
  2. “NetBird vs traditional VPN comparison no exposed portal no login page architecture” — 5 results