
Prisma Cloud Licensing and Editions Guide


This document provides guidance on the three editions of Prisma™ Cloud
and how workloads are defined for licensing.

Prisma by Palo Alto Networks | Prisma Cloud Licensing and Editions Guide | Datasheet 1
Which Edition Is Right for You?
Table 1: Prisma Cloud Editions—Feature Comparison

Feature                                    | Business Edition | Compute Edition                    | Enterprise Edition
Deployment model                           | SaaS only        | Self-hosted only                   | SaaS only
Coverage                                   | IaaS, PaaS only  | Hosts, containers, serverless only | IaaS, PaaS, hosts, containers, serverless
Asset inventory                            | ●                | ●                                  | ●
Configuration and compliance reporting     | ●                | ●                                  | ●
Network security                           | ○                | ●                                  | ●
User and entity behavior analytics (UEBA)  | ○                | ○                                  | ●
Workload runtime protection                | ○                | ●                                  | ●
Vulnerability management                   | ○                | ●                                  | ●
Automated response                         | ●                | ●                                  | ●
Infrastructure as code (IaC) config scan   | ○                | ○                                  | ●
Image vuln. scan                           | ○                | ●                                  | ●

○ No coverage   ● Comprehensive coverage

Prisma Cloud Licensing Model

Prisma Cloud is licensed based on the number of “workloads” protected across both multi- and hybrid cloud environments. It is available in one-, two-, or three-year subscriptions and is currently sold in flexible increments of 100 workloads.

What Is a Workload?

In general, each resource in a cloud account (Amazon EC2® instance, Relational Database Service [RDS], load balancer, gateway, etc.) is counted as a workload. See the "Cloud Resource-Based Workloads" section of table 2 for licensing details.

How Are Compute Workloads Different?

Prisma Cloud Compute workloads are based on the number of protected workloads (hosts, nodes running containers, or functions) secured by Defenders. This applies to both the Compute capabilities in Enterprise Edition as well as the self-hosted Compute Edition. See the "Compute: Defender-Based Workloads" section of table 2 for licensing details.

Table 2: Prisma Cloud Licensing Breakdown

Cloud Resource-Based Workloads (each instance of the below resource)

AWS: EC2, RDS, RedShift, DynamoDB*, ALB* & ELB (load balancers), NAT gateways
Azure: Virtual machines, SQL databases, Application Gateway*, Load balancer
GCP: Google Compute Engine (GCE), Cloud SQL, Cloud Spanner*, Load balancer*, Cloud NAT*

Business Edition: 1 | Compute Edition: N/A | Enterprise Edition: 1

* Coming soon

Compute: Defender-Based Workloads (each instance of the below resource)

Host Defender: Linux/Windows
This Defender type lets you extend protection on all the hosts in your environment, regardless of their purpose. Defender runs as a system service on Linux machines or Windows service on Windows machines. This is for hosts where Docker engine is not installed. Counted per host.
Business Edition: N/A | Compute Edition: 1 | Enterprise Edition: 1

Container Defender: Linux/Windows
Install Container Defender on any host that runs a container workload. Container Defender protects both your containers and the underlying host. Counted per host. Orchestrator deployments, such as Kubernetes/OpenShift, are also counted per host.
Business Edition: N/A | Compute Edition: 8 | Enterprise Edition: 8

Serverless Defender
Serverless Defenders offer runtime protection for AWS Lambda functions. Serverless Defender can be embedded in your functions or added to them as a layer. Counted by executions of protected serverless functions.
Business Edition: N/A | Compute Edition: 1 = 1M function executions/month | Enterprise Edition: 1 = 1M function executions/month

Container Defender: App-Embedded
Deploy App-Embedded Defender in AWS Fargate, Azure Container Instances (ACI), Pivotal Cloud Foundry (PCF), or any container environment where you don’t have access to the host and can’t deploy the regular Container Defender: Linux/Windows. Container-on-demand services are a typical use case for this Defender. Counted per container they are embedded in.
Business Edition: N/A | Compute Edition: 1 | Enterprise Edition: 1

PCF Blobstore Scanner
PCF Defenders run on your PCF infrastructure and scan the droplets in your blobstores for vulnerabilities. The PCF Defender is delivered as a tile. Not counted in licensing, free of cost.
Business Edition: N/A | Compute Edition: 0 | Enterprise Edition: 0

Prisma Cloud Plugins and Other Features

IDE and SCM Plugins
IaC (AWS CloudFormation templates [CFT], Terraform, Kubernetes App Manifest YAML) config scan.
Business Edition: N/A | Compute Edition: N/A | Enterprise Edition: 0

CI/CD Plugins
IaC (AWS CFT, Terraform, Kubernetes App Manifest YAML) config scan and container image scan for vulnerabilities and compliance.
Business Edition: N/A | Compute Edition: 0** | Enterprise Edition: 0

Registry Scanning
All remote image scanning from registries such as Docker hub, ECR, JFrog Artifactory, private registries, etc.
Business Edition: N/A | Compute Edition: 0 | Enterprise Edition: 0

Serverless Function Scanning
Business Edition: N/A | Compute Edition: 0 | Enterprise Edition: 0

** Container image scan for vulnerabilities and compliance only

Other features, such as Prisma Cloud Compute Cloud Discovery of protected and unprotected resources, are also included in licensing without additional charges.

How Is Licensing Measured During Your Subscription?

Prisma Cloud is licensed based on the average number of billable workloads monitored across cloud environments. Billable workloads are calculated as the average number of workloads monitored each quarter, based on hourly snapshots that roll into daily, weekly, and monthly averages. This prevents overages based on short-term bursts.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. prisma-cloud-licensing-and-editions-guide-ds-040220
