Palo Alto Networks Is Really Buying Portkey’s Open-Source Chokepoint

Palo Alto Networks is not really buying an announcement here. It is buying a piece of open-source plumbing that already sits between enterprise AI apps and the models they call, which means it can watch, route, and potentially control the traffic every time an AI agent asks to do something.

That matters because Portkey's code and usage are unusually inspectable for a company at the center of the agent stack. Its GitHub repository shows a lightweight gateway proxy anyone can audit, and one Portkey repository says more than 200 enterprises already run 400 billion tokens through that gateway every day. Palo Alto Networks, the cybersecurity giant behind Prisma and Unit 42, separately said Portkey is already processing trillions of tokens per month.

Portkey built its business around an AI gateway, software that gives companies one control point for model traffic that would otherwise scatter across OpenAI, Anthropic, Google, Amazon Bedrock, and other providers. The gateway handles retries when a model API fails, routes requests to different models, and applies guardrails before results come back to the application. In plain English, it is the chokepoint where an enterprise can decide what an agent is allowed to call, what gets logged, and what gets blocked.

That chokepoint is exactly what Palo Alto Networks said it wants. In its announcement, the company said Portkey will become the AI gateway inside Prisma AIRS, its platform for securing enterprise AI systems. Lee Klarich, Palo Alto Networks' chief product officer, said autonomous agents are becoming a new unmanaged attack surface.

The logic is straightforward. If companies are going to let software agents query models, call tools, and move through internal systems on their own, the most valuable place to sit is the layer that sees every request. A gateway can enforce identity rules, inspect prompts and outputs for abuse, limit which models or tools an agent may reach, and preserve an audit trail after the fact. Traditional endpoint and network security products do not naturally see that traffic in the same way.

The uncomfortable part is what this does to Portkey's neutrality. The startup's appeal was not just that it simplified model routing. It was that companies could use one independent layer instead of tying their AI traffic to a specific model vendor or a specific security vendor. Once that layer belongs to Palo Alto Networks, customers have to decide whether they still view it as neutral infrastructure or as one more strategic dependency.

That question matters because Portkey is not a toy project. One Portkey GitHub repository says the gateway powers cost attribution for more than 200 enterprises handling 400 billion tokens a day. Palo Alto's press release makes the same point in broader terms, saying Portkey processes trillions of tokens each month. If those figures are even directionally right, Palo Alto is buying an unusually deep view into live enterprise AI traffic.

Portkey also did not raise much money before getting here. Inc42 reported in February that the company raised a $15 million Series A led by Elevation Capital with Lightspeed participating, bringing total funding to more than $18 million. Tracxn says Portkey has raised $18 million across three rounds. That is a small funding base for a company claiming this level of traffic, which makes the acquisition look less like a mature software exit and more like a fast grab for code, customers, and control of a strategic layer.

The competitive pressure now lands on the rest of the independent gateway market. Cloudflare has an AI Gateway product. LiteLLM offers an open-source proxy that many developers already use to route model calls. OpenRouter aggregates access to multiple models through one interface. Helicone sells observability and caching around model traffic. All of them now have to answer a harder question: what is the independent value proposition when a $70 billion security company owns one of the best-known control points in the category?

This also fits Palo Alto's broader acquisition pattern. The company completed its Protect AI acquisition on July 22, 2025, adding model and data security to Prisma AIRS. Portkey pushes that strategy down into the runtime layer, where agent requests are actually routed and inspected. The combined pitch is obvious enough: secure the models, secure the data, then secure the traffic between them.

What is not obvious yet is whether Portkey's open-source community will keep trusting an upstream controlled by Palo Alto, how quickly Prisma AIRS will absorb the product, and whether customers that chose Portkey to avoid vendor lock-in now start looking for a new escape hatch. The code is still auditable on GitHub. The ownership is what changed.