The $7.75 Billion Bet on the Invisible Attack Surface: ServiceNow Acquires Armis as AI Supercharges Cyber Threats

On December 23, 2025, ServiceNow announced its largest acquisition to date: a $7.75 billion all-cash deal for Armis, the cyber exposure management and security company that specializes in protecting the devices most organizations don’t even know exist. The transaction represents more than an enterprise software company buying a cybersecurity startup—it signals recognition that artificial intelligence has fundamentally transformed both the threat landscape and the defensive requirements protecting modern enterprises.

“In this AI world, especially with the agents, you’re going to need to protect these enterprises [because] every intrusion is a multimillion-dollar problem,” ServiceNow CEO Bill McDermott told CNBC following the announcement. The deal, expected to close in the second half of 2026, will more than triple ServiceNow’s market opportunity for security and risk solutions, bringing together ServiceNow’s workflow automation platform with Armis’s real-time visibility across IT, operational technology (OT), medical devices, and IoT environments.

The acquisition caps a year of unprecedented cybersecurity consolidation that has seen Google acquire Wiz for $32 billion and Palo Alto Networks buy CyberArk for $25 billion. Together, these three deals alone represent $64.75 billion in cybersecurity M&A—a dramatic statement about both the value and urgency companies place on security in an era when AI-powered attacks are scaling faster than traditional defenses can adapt.

The AI Threat Multiplier: How Attacks Are Evolving

The Exponential Escalation

The threat landscape ServiceNow and Armis aim to address has undergone explosive transformation driven by artificial intelligence. Recent threat intelligence data reveals the scale:

Attack Volume Surge:

• AI-powered cyberattacks increased 72 percent year-over-year, with global incidents rising from 10,870 in 2024 to 16,200 in 2025
• 87 percent of organizations worldwide experienced AI-driven cyberattacks in 2025, up from 52 percent in early 2024
• Organizations face an average of 1,938 cyber attacks per week in 2025, marking a 5 percent increase from 2024
• Automated scanning reached 36,000 attempts per second, a 16.7 percent year-over-year increase driven by AI and automation
• Approximately 2,200 cyberattacks occur globally each day

Phishing Evolution:

• Phishing attacks surged 1,265 percent since the advent of ChatGPT in 2022
• 202 percent increase in phishing email messages in the second half of 2024 alone
• 67.4 percent of all phishing attacks in 2024 utilized some form of AI
• 75 percent of cyberattacks began with a phishing email in 2024
• 68 percent of cyber threat analysts report AI-generated phishing attempts are harder to detect in 2025 than any previous year

Deepfake and Social Engineering:

• 85 percent of organizations reported some form of deepfake attack in 2025
• Deepfake incidents grew 19 percent in Q1 2025 compared to all of 2024
• In 2024, a multinational firm lost $25.6 million to deepfake scammers who impersonated executives on a video conference call
• 47 percent of organizations have experienced deepfake attacks as of 2025
• 53 percent of financial professionals have personally encountered deepfake-based fraud attempts

Financial Impact:

• Global average security breach cost: $4.9 million, marking a 10 percent increase since 2024
• Phishing-related breaches now average $4.88 million per incident
• 64 percent of U.S. companies faced Business Email Compromise scams in 2024, with average losses around $150,000 each
• USAID predicts global cybercrime costs will climb to $24 trillion by 2027
• 85 percent of cybersecurity professionals attribute the increase in cyberattacks to generative AI used by bad actors

How AI Changes Attack Dynamics

AI fundamentally alters attack methodologies across multiple dimensions:

Adaptive Malware: Unlike traditional malware following static patterns, AI-powered malware adapts to environments, analyzes security measures, and adjusts tactics to bypass defenses. Polymorphic malware that rewrites itself using AI evasion logic now represents 76.4 percent of all phishing campaigns and 22 percent of advanced persistent threats.

BlackMatter ransomware exemplifies this evolution, using AI-driven encryption strategies and live analysis of victim defenses to evade traditional endpoint detection and response systems. Some advanced strains generate new, unique versions of themselves every 15 seconds during attacks.

Automated Personalization: AI analyzes vast amounts of data—social media activity, network behavior, organizational hierarchies—to craft highly personalized attacks much harder to recognize than generic phishing. AI-generated phishing emails might reference familiar contacts, recent purchases, or adopt the writing style of trusted colleagues with 60 percent success rates comparable to human-crafted attacks.

Malicious large language models like WormGPT, FraudGPT, Fox8, and DarkBERT help threat actors create malware, malicious code, and sophisticated campaigns. Spammers save 95 percent on campaign costs using LLMs, dramatically amplifying attack scale.

Voice and Video Manipulation: AI-powered voice cloning and deepfake video enable scammers to impersonate executives with startling realism. In April 2024, a LastPass employee was targeted by an AI voice-cloning scam impersonating CEO Karim Toubba. The Hong Kong multinational deepfake case demonstrated how convincing these attacks have become—every person on the video call except the victim was AI-generated, yet the visual and auditory “proof” convinced the employee to authorize $25.6 million in transfers.

Speed and Scale: What once took hackers days or weeks to orchestrate, AI now executes in real time. Credential stuffing bots trained via reinforcement learning bypassed CAPTCHA and multi-factor authentication protections in 48 percent of tests in 2025. AI enables simultaneous, large-scale attacks across thousands of targets with minimal human intervention.

Zero-Day Exploitation: 41 percent of zero-day vulnerabilities in 2025 were discovered through AI-assisted reverse engineering by attackers. AI accelerates vulnerability discovery and exploit development, shrinking the window between vulnerability disclosure and weaponization.

The Invisible Attack Surface: Why Armis Matters

The OT/IoT Security Gap

Armis specializes in a cybersecurity domain that most organizations struggle to even see, let alone secure: unmanaged devices across operational technology, Internet of Things, and medical equipment. These are assets that cannot easily run traditional security software but increasingly connect to corporate networks.

The Expanding Universe: The global OT security market is projected to grow from $23.47 billion in 2025 to $50.29 billion by 2030 at a 16.5 percent CAGR. The IoT security market follows similar trajectories, with solutions retaining a 58 percent market share in 2024. Several factors drive this explosive growth:

• 51 percent of organizations report the number of IoT devices they manage will rise in 2025 compared to 2024
• Global ICS/OT exposure rose 12 percent in 2024, with more than 180,000 devices visible each month, expected to approach 200,000 in 2025
• Manufacturing, energy, healthcare, and critical infrastructure increasingly rely on connected devices for operations
• IT-OT convergence means operational networks once isolated now connect to corporate clouds for predictive maintenance and analytics

The Visibility Problem: Despite growing exposure, organizations lack basic visibility into these assets:

• 52 percent of companies have already experienced cyberattacks through OT or IoT devices
• Only 26 percent of companies consider their cybersecurity maturity in product and project development “adequate”
• Many companies focus on protecting payment systems (42 percent), corporate networks (39 percent), and customer data (36 percent) while underestimating OT/IoT risks
• Over 2,000 new software vulnerabilities are identified each month, and companies failing to update are asking not if but when they’ll be attacked

Attack Surface Characteristics: OT/IoT environments present unique security challenges:

• Medical devices in hospitals
• Industrial control systems in factories
• Smart building technology in offices
• Connected vehicles
• Critical infrastructure like power grids and water treatment facilities
• Operational equipment running outdated firmware with default credentials

Brute-forcing default SSH and Telnet credentials remains the top technique cybercriminals use to gain access to IoT devices. Once inside, attackers use shell commands to explore environments, achieve persistence, replace SSH keys, and move laterally through networks.

Armis’s Approach: Asset Intelligence and Cyber Exposure Management

Armis addresses these challenges through comprehensive cyber exposure management:

Real-Time Discovery and Classification: Armis provides real-time discovery and classification of managed and unmanaged assets, creating a continuously updated map of enterprise environments. The platform identifies devices across IT, OT, cloud, and IoT environments without requiring agents installed on devices themselves.

Protocol Coverage: Supporting over 300 OT/IoT protocols, Armis enables organizations to discover and manage devices across all Purdue levels. This extensive protocol support is particularly critical in sectors like healthcare, manufacturing, and critical infrastructure where diverse equipment from multiple vendors operates across heterogeneous networks.

Threat Detection and Vulnerability Prioritization: Beyond visibility, Armis provides actionable intelligence on vulnerabilities, threats, and risks. The platform assesses which assets are most critical, which vulnerabilities pose the greatest exposure, and what remediation actions to prioritize. This contextual risk assessment addresses a fundamental problem: with thousands of vulnerabilities identified monthly, security teams need guidance on what to fix first.

Cyber-Physical Security: Armis bridges digital compromise and real-world disruption. A cyberattack on industrial control systems isn’t just data theft—it could shut down manufacturing lines, disrupt power grids, or compromise medical equipment treating patients. Armis’s focus on cyber-physical security reflects recognition that OT/IoT breaches have consequences extending beyond information systems into physical operations.

Market Position and Recognition

Armis has achieved significant market penetration and industry recognition:

Customer Base:

• Trusted by Global 2000 enterprises
• Over 35 percent of Fortune 100 companies
• Seven of the Fortune 10
• Public-sector organizations and government agencies globally
• Approximately 950 employees (as of deal announcement)

Financial Performance:

• Surpassed $340 million in annual recurring revenue (ARR)
• Year-over-year ARR growth exceeding 50 percent (up from $300 million in August 2025)
• Raised $435 million in November 2025 at a $6.1 billion valuation
• Founded in 2015 by co-founder and CEO Yevgeny Dibrov

Industry Recognition:

• Named a Leader in the 2025 Gartner Magic Quadrant for Cyber-Physical Systems Protection Platforms
• Inc. Best in Business honoree for Innovation
• Recognized for innovation and platform leadership across enterprise IT, OT, cloud, and IoT environments

Co-founder Dibrov had stated Armis was looking to go public in 2026 or 2027, with a main objective to surpass $1 billion in ARR. The ServiceNow acquisition provides an alternative path to scale, leveraging ServiceNow’s massive customer base and distribution capabilities.

ServiceNow’s 2025 Acquisition Spree: Building the “AI Control Tower”

The Armis Deal in Context

The $7.75 billion Armis acquisition represents ServiceNow’s largest deal ever, but it’s the culmination of an aggressive 2025 acquisition strategy:

Major 2025 Acquisitions:

• Moveworks (March 2025): $2.85 billion for AI agent platform and enterprise search
• Veza (December 2025): Approximately $1 billion for identity security and governance
• Logik.ai: $506 million for configuration and pricing solutions
• Armis (December 2025): $7.75 billion for cyber exposure management

With Armis signed, ServiceNow has inked at least seven acquisitions in 2025. Total known spending exceeds $11 billion in a single year—a dramatic escalation from the company’s historical acquisition pace.

Strategic Rationale: CEO Bill McDermott frames this as building an “AI control tower for business reinvention.” The acquisitions create a coherent stack:

1. Workflow Foundation: ServiceNow’s core platform with 75 billion workflows running annually
2. AI Assistant Layer: Moveworks provides intuitive front-end AI assistant and enterprise search
3. Identity & Access: Veza governs permissions for AI agents at scale
4. Asset & Exposure: Armis delivers visibility across IT, OT, IoT, and medical devices
5. Security Operations: Combined capabilities for real-time threat detection and response

President and COO Amit Zavery stated: “In the agentic AI era, intelligent trust and governance that span any cloud, any asset, any AI system, and any device are non-negotiable if companies want to scale AI for the long-term. Together with Armis, we will deliver an industry-defining strategic cybersecurity shield for real-time, end-to-end proactive protection across all technology estates.”

Integration Strategy: Connecting Intelligence to Action

ServiceNow’s vision integrates Armis’s device intelligence with its Configuration Management Database (CMDB), which ties technical assets to business services and responsible teams:

Visibility to Remediation: Detecting vulnerable devices means little if organizations can’t act on findings. By connecting Armis’s real-time device data to ServiceNow’s workflow automation, the combined platform aims to not just identify risks but route remediation tasks to people who can implement fixes, tracking resolution through automated processes.

Single Pane of Glass: ServiceNow positions itself as providing “a single pane of glass that connects intelligence to execution across every corner of business.” The Armis integration extends this vision to encompass:

• Legacy systems
• Departmental tools
• Cloud applications
• AI agents
• Unmanaged IoT/OT devices
• Medical equipment
• Industrial control systems

Proactive Autonomous Cybersecurity: The acquisition accelerates ServiceNow’s roadmap toward “autonomous proactive cybersecurity.” Rather than reactive threat response, the platform aims to continuously assess exposure, predict potential breach pathways, and automatically trigger preventive actions before attacks succeed.

Market Opportunity Expansion

ServiceNow’s Security and Risk business crossed the $1 billion annual contract value threshold in Q3 2025, establishing the company as a security leader. The Armis acquisition is projected to more than triple ServiceNow’s market opportunity in security and risk solutions.

Target Markets:

• IT security and risk management
• Operational technology security
• IoT and cyber-physical systems protection
• Healthcare device security
• Critical infrastructure protection
• Compliance and governance
• Identity and access management

Worldwide end-user spending on information security is projected to increase 12.5 percent in 2026 to $240 billion, with rising threats and expanding AI/generative AI use as key growth drivers. ServiceNow aims to capture significant share of this expanding market through its integrated platform approach.

Investor Reaction and Integration Concerns

The market responded cautiously to ServiceNow’s acquisition spree:

Stock Performance:

• ServiceNow shares fell approximately 3 percent when the Armis deal was announced
• Shares had slumped nearly 12 percent on December 15 when Bloomberg first reported potential talks
• The selloff wiped approximately $20 billion from ServiceNow’s market value
• Stock was trading around $155 (split-adjusted) following the company’s recent 5-for-1 stock split

Investor Concerns: The steep valuation—approximately 23 times Armis’s $340 million ARR—raised questions:

1. Acquisition Premium: Even for high-growth cybersecurity, the multiple is elevated
2. Financing Mix: Combination of cash on hand and debt increases leverage
3. Integration Risk: Multiple large acquisitions in rapid succession can slow innovation
4. Organic vs. Inorganic Growth: Whether expensive acquisitions substitute for organic development
5. Execution Challenges: Combining multiple products and teams while maintaining customer experience

Analysts note ServiceNow maintained strong fundamentals—21.05 percent revenue growth, $162.54 billion market cap, impressive 78.05 percent gross margins—suggesting the company can support acquisitions financially. The concern centers on execution and whether acquisition-driven growth creates sustainable competitive advantages.

The Cybersecurity M&A Wave: 2025’s Mega-Deals

Unprecedented Consolidation

ServiceNow’s Armis acquisition occurs within a broader cybersecurity consolidation wave that has defined 2025 M&A activity:

The Big Three:

1. Google-Wiz (March 2025): $32 billion all-cash for cloud security platform
2. Palo Alto Networks-CyberArk (July 2025): $25 billion for identity security leader
3. ServiceNow-Armis (December 2025): $7.75 billion for cyber exposure management

These three deals alone total $64.75 billion. According to Kroll’s Spring 2025 analysis, Q1 deal value exceeded 90 percent of 2024’s total value thanks to Google-Wiz alone. Israel’s tech sector saw $74.3 billion in M&A activity in 2025, driven heavily by these cybersecurity mega-deals.

Other Significant 2025 Deals:

• Tenable-Vulcan Cyber (January 2025): Exposure management innovator acquisition
• Palo Alto Networks-Protect AI: Estimated $650-700 million for AI/ML model security
• ServiceNow-Moveworks: $2.85 billion for AI agent platform
• ServiceNow-Veza: Approximately $1 billion for identity security

Historical Context: According to Return on Security, cybersecurity M&A dropped 18 percent in 2023 versus 2022, but 2024 saw increases in both deal volume (5 percent) and transaction value (13 percent) over 2023. Notably, the top 10 deals accounted for 91 percent of total value, indicating concentration among mega-deals.

2025 accelerated this trend dramatically, with strategic buyers and investors consolidating capabilities across cloud security, exposure management, identity, and SecOps.

Why Consolidation Now?

Several factors drive the consolidation wave:

Platform Economics: Enterprises increasingly demand holistic platforms rather than siloed point solutions. Managing dozens of separate security tools creates complexity, integration challenges, and gaps in visibility. Platform consolidation promises unified dashboards, consistent policies, and coordinated response.

AI Complexity: Securing AI systems requires capabilities spanning multiple domains—model security, data governance, identity management, infrastructure protection. No single vendor historically offered comprehensive AI security, driving acquisitions to assemble capabilities.

Agentic AI Governance: As organizations deploy autonomous AI agents, identity and access management becomes critical. These agents need controlled permissions to act on behalf of users without creating security vulnerabilities. This requirement drives deals like ServiceNow-Veza and Palo Alto-CyberArk.

Talent and Expertise: The cybersecurity talent shortage is acute. Acquiring companies brings hundreds of specialized engineers, researchers, and analysts who would be nearly impossible to hire individually. Armis’s 950 employees join ServiceNow; CyberArk’s workforce doubles Palo Alto’s Israel presence.

Speed to Market: Building comprehensive security capabilities organically takes years. Acquisitions provide immediate market presence, customer bases, and revenue streams. For ServiceNow, Armis instantly provides OT/IoT expertise it would struggle to develop internally.

Market Share Consolidation: Nikesh Arora, Palo Alto Networks CEO, stated after the CyberArk deal: “Since I joined Palo Alto in 2018, we’ve crossed the 10 percent market share threshold, making us the first cybersecurity company to reach double-digit market share.” He expects ongoing consolidation over the next five years as major players capture increasing market share.

Valuation Normalization: After 2021-2022’s elevated valuations and 2023’s correction, 2025 represents a “Goldilocks” moment where targets are valuable enough to justify premiums but not priced at bubble levels. Many cybersecurity companies that IPO’d in 2020-2021 now trade below their IPO prices, making them attractive acquisition targets.

The Israeli Factor

Israeli cybersecurity companies feature prominently in 2025’s mega-deals:

Major Israeli Exits:

• Wiz: $32 billion to Google (founded by Assaf Rappaport)
• CyberArk: $25 billion to Palo Alto Networks (co-founded by Udi Mokady and Alon Cohen)
• Armis: $7.75 billion to ServiceNow (co-founded by Yevgeny Dibrov)

Remarkably, Israeli founders or leadership appears on both sides of the Palo Alto-CyberArk deal: Palo Alto was founded in 2005 by Nir Zuk (CTO), while CyberArk was founded in 1998 by Mokady and Cohen.

Israel’s Cybersecurity Dominance: Nikesh Arora stated: “I firmly believe that the most amount of innovation in cybersecurity comes out of Israel. It’s not for debate; it’s a fact.” Even during ongoing conflict and challenges to Israel’s international image, two of the three largest tech deals of 2025 emerged from Israeli companies.

Asked whether Israel’s military background remains an advantage in the AI era, Arora answered: “Yes, because this is still a security problem. No one studied AI in university the way it exists today. Anyone who knows how to secure systems can learn how to secure AI.”

Israel’s tech sector saw $15.6 billion in private funding in 2025 despite overall deal volume falling to 717 rounds, the lowest in a decade. The shift toward fewer, larger deals at higher valuations reflects “high-conviction maturity” rather than speculative investment.

Market Dynamics and Valuation Analysis

Pricing Cybersecurity in an AI World

The valuations in 2025’s mega-deals reveal how markets price cybersecurity assets:

Revenue Multiple Analysis:

Armis:

• Deal value: $7.75 billion
• ARR: $340 million
• Revenue multiple: ~23x
• Growth rate: >50 percent YoY

CyberArk:

• Deal value: $25 billion
• 2024 revenue: $1.1 billion
• Revenue multiple: ~23x
• 2025 projected revenue: $1.3 billion
• Operating margin: 17 percent

Wiz:

• Deal value: $32 billion
• ARR: $700 million (with path to $1 billion)
• Revenue multiple: ~46x (at $700M) or ~32x (if valued on $1B ARR)
• Previous rejection of $23 billion in July 2024
• Valuation: $12 billion (May 2024) → $16 billion (secondary sale) → $32 billion (Google deal)

Market Comparison: These multiples far exceed typical software valuations but reflect several premium factors:

1. Growth Rates: 50+ percent growth commands premium valuations
2. Strategic Value: Platform positioning and market expansion opportunities
3. Defensive Necessity: Cybersecurity is non-discretionary spending
4. AI Tailwinds: Expected acceleration as AI adoption increases attack surfaces
5. M&A Competition: Multiple bidders drive prices higher

Why Buyers Pay Premiums

Several strategic considerations justify elevated valuations:

Customer Overlap: ServiceNow and Armis share approximately 250 mutual customers already using both technologies. Cross-sell opportunities into ServiceNow’s broader base could dramatically accelerate Armis revenue growth beyond its current 50 percent trajectory.

Distribution Leverage: ServiceNow serves thousands of enterprise customers with established relationships and purchasing agreements. Selling Armis through ServiceNow’s channels eliminates customer acquisition costs and sales cycles that Armis would face independently.

Integration Synergies: Connecting Armis device visibility to ServiceNow workflows creates capabilities neither company offers alone. This integration could command premium pricing as customers consolidate security stacks.

Competitive Positioning: Acquisitions prevent competitors from obtaining strategic assets. If Microsoft, Oracle, or Salesforce had acquired Armis, ServiceNow would lose both a partner and face a strengthened rival. The defensive value justifies paying above standalone valuations.

Time Value: Building comparable capabilities organically would take years and might fail. Acquisitions provide immediate market presence in critical domains like OT/IoT security where ServiceNow lacked expertise.

Alternative Paths: IPO vs. Acquisition

Armis had planned to go public in 2026-2027, targeting $1 billion ARR before IPO. The ServiceNow offer presented a different calculus:

IPO Path Risks:

• IPO market volatility and uncertain reception
• Execution pressure to meet public market growth expectations
• Ongoing operational expenses as standalone company
• Competition from larger platforms with broader offerings
• Potential economic downturn affecting valuations

Acquisition Benefits:

• Immediate liquidity for founders and investors at premium valuation
• Access to ServiceNow’s distribution and customer base
• Integration into platform creating defensible positioning
• Reduced competitive pressure as part of larger ecosystem
• Certainty versus IPO timing and valuation uncertainty

Many cybersecurity companies that IPO’d in 2020-2021 now trade below their IPO prices, making the guaranteed premium exit attractive. CyberArk itself went public in 2014 at just $500 million valuation—it took over a decade to reach $25 billion as a public company before selling.

Strategic Implications: The Future of Enterprise Security

The Platform Wars Begin

The mega-deals signal a shift from point solutions to comprehensive platforms:

The Emerging Stack: Modern enterprise security requires capabilities spanning:

1. Identity & Access: Who can access what systems and data
2. Asset Intelligence: Visibility into all devices including unmanaged IoT/OT
3. Cloud Security: Protection across multi-cloud environments
4. Network Security: Traditional perimeter and zero-trust architectures
5. Endpoint Protection: Detection and response on devices
6. Exposure Management: Continuous risk assessment and prioritization
7. Security Operations: Incident response and orchestration
8. Compliance & Governance: Policy enforcement and audit trails
9. Threat Intelligence: Understanding adversary tactics and campaigns
10. AI Security: Protecting models, data, and AI agent behaviors

Platform Advantages: Unified platforms offer benefits difficult to achieve with point solutions:

• Single Pane of Glass: Consistent dashboards and reporting
• Correlated Intelligence: Connecting signals across domains to identify sophisticated attacks
• Automated Response: Orchestrating actions across multiple security tools
• Simplified Management: Reducing complexity and operational overhead
• Cost Efficiency: Consolidated contracts and integrated deployments

Competitive Landscape Evolution

The acquisitions reshape competitive dynamics:

The Leaders: Several companies emerge as platform leaders:

Palo Alto Networks: With CyberArk integrated, commands ~10 percent market share (first cybersecurity company to reach double digits), combines firewall, cloud security, endpoint protection, and identity. CEO Nikesh Arora spent over $7 billion on acquisitions since 2018, establishing aggressive M&A as core strategy.

Microsoft: Leveraging Azure and Office 365 integration, vast enterprise relationships, and deep AI expertise. Defender suite spans endpoints, cloud, identity, and operations.

Google Cloud (with Wiz): $32 billion Wiz acquisition provides multi-cloud security platform. Combines with Google’s infrastructure security and AI capabilities.

ServiceNow (with Armis, Moveworks, Veza): Workflow automation with comprehensive security coverage including identity, exposure management, and AI agent governance. Positions as “AI control tower.”

Amazon Web Services: Built-in cloud security, GuardDuty threat detection, and extensive partner ecosystem.

The Challengers: Other significant players pursuing platform strategies:

• Cisco: Splunk acquisition ($28 billion in 2024) combines networking and security operations
• CrowdStrike: Endpoint-centric platform expanding into cloud and identity
• Fortinet: Unified security with Security Fabric integrating networking and security
• Broadcom (Symantec): Enterprise security with cloud and endpoint focus
• Check Point: Network security expanding into cloud protection

Market Concentration Risks

The consolidation wave raises concerns about market concentration:

Reduced Vendor Choice: As platforms absorb point solution providers, customers face fewer alternatives. While platforms offer convenience, concentration reduces competitive pressure on pricing, innovation, and service quality.

Integration Lock-In: Platform strategies create switching costs. Once an organization deeply integrates ServiceNow workflows with Armis asset discovery and Veza identity governance, migrating to competing platforms becomes prohibitively expensive and disruptive.

Innovation Concerns: Acquired startups often lose entrepreneurial agility. While they gain resources, they also face enterprise processes, compliance requirements, and strategic direction from acquirers that may slow innovation compared to independent operation.

Regulatory Scrutiny: Large acquisitions face antitrust review. ServiceNow’s Moveworks deal underwent antitrust review for months before closing in December 2025. Google-Wiz required DOJ clearance (received in November 2025) before finalizing. As cybersecurity companies grow larger through M&A, future deals face increasing regulatory hurdles.

Talent Retention: Acquisition integration creates uncertainty for employees. While acquirers tout joining as positive, reality includes organizational changes, role uncertainties, and cultural clashes. Key talent may depart, undermining the acquisition’s strategic value.

The Exposure Management Paradigm Shift

Beyond Vulnerability Management

Armis represents a fundamental shift from traditional vulnerability management to comprehensive exposure management:

Traditional Vulnerability Management: Historically focused on:

• Scanning known systems for CVEs (Common Vulnerabilities and Exposures)
• Prioritizing patches based on CVSS scores
• Tracking remediation timelines
• Generating compliance reports

Limitations include:

• Only addresses managed systems
• Reactive rather than proactive
• Limited business context
• Doesn’t account for attack surface complexity
• Struggles with unmanaged IoT/OT devices

Modern Exposure Management: The emerging approach encompasses:

Holistic View: Attack surface includes not just software and hardware but cloud infrastructure, third-party vendors, IoT devices, social networks, and human vulnerabilities. Ivanti reports 51 percent of organizations expect IoT device numbers to rise in 2025, expanding the exposure footprint.

Continuous Assessment: Rather than periodic scans, real-time monitoring continuously identifies exposures as systems change, new devices connect, and configurations evolve. BitSight data shows ICS/OT exposure rising 12 percent in 2024 with devices approaching 200,000 monthly visibility.

Contextual Prioritization: Not all vulnerabilities pose equal risk. Exposure management considers asset criticality, exposure to threats, exploit availability, business impact, and compensating controls to prioritize remediation based on actual risk rather than theoretical severity.

Business Alignment: Security decisions integrate with business objectives, not isolated technical concerns. Risk-reduction decisions involve both security and business stakeholders based on shared understanding of organizational risk appetite.

Proactive Prevention: Anticipating potential consequences of attack types and addressing vulnerabilities before exploitation rather than responding after breaches occur.

Third-Party Risk: Managing supplier, vendor, and partner ecosystems that connect to organizational systems, extending exposure management beyond direct control.

The Global Exposure Management Market

Market projections reflect growing adoption:

Market Size:

• Vulnerability management market: $14.94 billion (2024) → $24.08 billion (2030) at ~8 percent CAGR
• Exposure management market: Growing at 22+ percent CAGR in Europe, 24.7+ percent in Asia Pacific through 2030
• OT security market: $23.47 billion (2025) → $50.29 billion (2030) at 16.5 percent CAGR
• IoT security market: Substantial growth with solutions at 58 percent market share (2024)

Regional Dynamics:

• North America: 39 percent of AI-driven cyberattacks, mature market with high security spending
• Europe: 28 percent of AI-related breaches, strong regulatory drivers (Cyber Resilience Act, GDPR)
• Asia-Pacific: 56 percent rise in AI-enabled attacks, rapid industrialization and IoT adoption
• Middle East: 31 percent increase in AI-assisted espionage campaigns, critical infrastructure focus

Industry Verticals: Top adopters include:

• IT and Telecom: Largest market share due to network complexity and cloud reliance
• Financial Services: 47 percent YoY increase in AI-enhanced malware, top target for deepfakes and BEC fraud
• Healthcare: Medical device security, 5.5 million patient record exposure incidents
• Manufacturing: ICS/OT vulnerability to ransomware and operational disruption
• Government/Defense: National security concerns, critical infrastructure protection
• Energy/Utilities: Grid security, ransomware targeting power systems

Regulatory Drivers

Government regulations accelerate exposure management adoption:

United States:

• FCC Consumer IoT Labels (2024): Allowing buyers to compare security maturity
• CISA KEV Catalog: Tracking known exploited vulnerabilities
• NIST Cybersecurity Framework: Emphasizing risk-based approaches
• Sector-Specific Requirements: Financial (SEC), healthcare (HIPAA), critical infrastructure (TSA)

European Union:

• Cyber Resilience Act (January 2025 phased enforcement): Mandatory security requirements for connected products
• NIS2 Directive: Critical infrastructure and essential services cybersecurity
• GDPR: Data protection driving security investments
• Product Security Standards: ETSI EN 303 645, ISO 27400 compliance

United Kingdom:

• PSTI Act (April 2024): Banning default passwords, mandating update windows
• National Cyber Security Strategy: Enhancing national resilience
• Critical Infrastructure Protection: Sector-specific requirements

Asia:

• China: Cybersecurity Law, Data Security Law, MLPS requirements
• India: 71 percent rise in AI-generated phishing, increasing regulatory focus
• Japan: Cybersecurity management guidelines
• Singapore: Cybersecurity Act requirements

Compliance drives exposure management adoption as organizations must demonstrate continuous security posture monitoring, vulnerability remediation, and risk management processes across all connected assets.

Looking Forward: The 2026-2030 Cybersecurity Landscape

Technology Evolution

Several technological trends will shape cybersecurity:

AI Arms Race: Both attackers and defenders leverage AI, creating asymmetric dynamics:

Offensive AI Maturation:

• 76 percent of organizations cannot match AI attack speed
• 2025-2027 represents critical window where offensive AI may temporarily outpace defenses
• 91 percent of security experts anticipate further AI attack increases through 2028
• Polymorphic malware, deepfakes, and automated social engineering become sophisticated and accessible

Defensive AI Adoption:

• AI security platforms detect threats 60 percent faster than traditional methods
• 95 percent detection accuracy versus 85 percent with traditional tools
• Average breach cost reduction of $1.9 million for AI-powered defenses
• Incident response times cut 30-50 percent
• Global AI security spending: $25.35 billion (2024) → $93.75 billion (2030) at 24.4 percent CAGR

Quantum Computing Implications: Post-quantum cryptography becomes urgent as quantum capabilities advance. Organizations must inventory cryptographic systems, deploy quantum-resistant encryption, and prepare for “harvest now, decrypt later” threats.

Zero Trust Architecture: Continuing migration from perimeter-based security to zero trust principles assuming breach and verifying every access request. Identity becomes the new perimeter, driving acquisitions like Veza and CyberArk.

Cloud-Native Security: As workloads migrate to cloud and hybrid environments, security tools must operate natively in cloud architectures. Google-Wiz reflects this trend, providing multi-cloud security without agent deployment challenges.

Autonomous Security Operations: ServiceNow reports its AI agents now resolve 90 percent of IT and 89 percent of customer support requests autonomously, cutting resolution times nearly sevenfold. Similar automation will extend to security operations, with autonomous agents investigating alerts, containing threats, and executing responses without human intervention.

Market Consolidation Continues

Expect ongoing M&A activity:

Likely Targets:

• Exposure Management Specialists: Following Armis’s success
• AI Security Vendors: Model protection, data governance, agent control
• OT/ICS Security: Critical infrastructure protection specialists
• Identity Providers: Okta, Ping Identity, ForgeRock
• MDR/MSSP: Managed detection and response providers
• Threat Intelligence: Vendors with unique data and analysis

Likely Acquirers:

• Microsoft: Defender expansion, cloud security integration
• Amazon: AWS security services enhancement
• Oracle: Cloud security gaps
• IBM: Platform modernization
• Salesforce: Customer trust layer development
• Private Equity: Thoma Bravo, Vista Equity, others consolidating mid-market

Valuation Trends: Revenue multiples likely remain elevated (15-30x) for high-growth cybersecurity companies given:

• Strong demand fundamentals
• AI threat acceleration
• Platform consolidation economics
• Regulatory compliance drivers
• Talent acquisition value

However, growth rates matter: companies demonstrating 50+ percent growth command premium multiples while slower-growth assets face compression.

SMB Vulnerability

Small and medium businesses face particular challenges:

Growing Target:

• 62 percent of SMBs faced AI-driven attacks in 2025
• Deepfake audio and video scams rising sharply against SMEs
• Traditional “low-risk target” perception no longer accurate

Resource Constraints:

• Limited security budgets and expertise
• Cannot afford enterprise platforms
• Struggle to keep pace with threat evolution
• 60 percent rate cybersecurity budgets as inadequate or uncertain

Managed Service Opportunity: Managed security service providers will grow as SMBs outsource protection:

• 24/7 monitoring
• Threat intelligence sharing
• Automated response
• Compliance assistance

Services segment expected fastest growth in vulnerability management market as talent shortages push outsourcing.

Conclusion: Security Defines the AI Era

ServiceNow’s $7.75 billion Armis acquisition crystallizes a fundamental truth about the AI era: security determines who successfully deploys artificial intelligence and who suffers devastating breaches that destroy trust and business operations.

The deal’s strategic logic is clear. AI expands attack surfaces exponentially—every connected device, every API endpoint, every data pipeline, every autonomous agent becomes a potential vulnerability. Traditional security approaches focused on managed IT systems cannot address the millions of unmanaged IoT, OT, and medical devices now connected to enterprise networks. Armis provides visibility into this invisible infrastructure, enabling organizations to understand their true exposure.

Simultaneously, AI supercharges attackers. Phishing attacks that once required human craftspeople can now be generated at scale by LLMs. Deepfakes that would have required Hollywood production budgets are created with consumer tools. Malware that once followed predictable patterns now adapts in real-time to evade detection. Traditional defenses built for yesterday’s threats fail against AI-powered adversaries.

The $64.75 billion spent across just three mega-deals—Google-Wiz, Palo Alto-CyberArk, ServiceNow-Armis—represents recognition that cybersecurity has become existential. Companies believe whoever builds the most comprehensive security platforms first will define enterprise IT for decades.

Whether ServiceNow’s acquisition spree succeeds depends on execution. Can the company integrate Moveworks, Veza, and Armis while maintaining innovation velocity? Will customers embrace the unified platform or resist vendor lock-in? Can ServiceNow’s sales organization effectively market specialized security capabilities they’re still learning?

Investors’ cautious response—$20 billion in market value erased when the deal leaked—reflects legitimate concerns about valuation, integration risk, and whether inorganic growth substitutes for organic innovation. The 23x revenue multiple for Armis is steep even by cybersecurity standards.

But the alternative may be worse. Without comprehensive security spanning identity, assets, exposure, and operations, ServiceNow’s AI control tower vision faces fundamental vulnerability. Organizations deploying autonomous AI agents require absolute confidence that security protects both the agents and the systems they access. A single breach involving AI agents could undermine years of trust-building.

The broader cybersecurity consolidation will continue. Platform economics favor integration over fragmentation. Talent scarcity makes acquisitions more efficient than hiring. Regulatory complexity rewards comprehensive solutions. AI’s dual nature—accelerating both attacks and defenses—creates winner-take-most dynamics where the best platforms with the most data, the best models, and the most comprehensive coverage win.

For enterprises, the message is stark: the invisible attack surface Armis specializes in securing is likely the largest vulnerability most organizations face. The IoT devices in conference rooms, the medical equipment in clinics, the industrial controllers in factories, the connected vehicles in fleets—these unmanaged assets don’t just pose risks, they represent the primary attack vectors sophisticated adversaries exploit.

ServiceNow’s $7.75 billion bet is that securing this invisible infrastructure becomes as critical as protecting traditional IT systems. Based on the threat landscape data—87 percent of organizations hit by AI-driven attacks, $4.9 million average breach costs, and 1,938 attacks per week per organization—that bet looks increasingly sound.

The AI era demands security that’s autonomous, comprehensive, and intelligent. Whether ServiceNow successfully delivers on this vision will determine not just the company’s competitive position but potentially which enterprises survive in an environment where every intrusion is indeed a multimillion-dollar problem.

Sources

1. ServiceNow Business Wire – ServiceNow to acquire Armis (December 23, 2025) https://www.businesswire.com/news/home/20251222437177/en/ServiceNow-to-acquire-Armis-to-expand-cyber-exposure-and-security
2. CNBC – ServiceNow acquiring cybersecurity startup Armis (December 23, 2025) https://www.cnbc.com/2025/12/23/servicenow-armis-cybersecurity-acquisition.html
3. Bloomberg – ServiceNow to Buy Cyber Startup Armis for $7.75 Billion (December 23, 2025) https://www.bloomberg.com/news/articles/2025-12-23/servicenow-agrees-to-buy-cyber-startup-armis-for-7-75-billion
4. Dataconomy – ServiceNow Agrees To Buy Armis For Record $7.75 Billion (December 23, 2025) https://dataconomy.com/2025/12/23/servicenow-armis-deal-affects-servicenow-stock/
5. CyberScoop – ServiceNow agrees to buy cyber firm Armis for $7.75B (December 23, 2025) https://cyberscoop.com/servicenow-armis-acquisition-ai-cybersecurity/
6. Investing.com – ServiceNow to acquire Armis for $7.75 billion (December 23, 2025) https://www.investing.com/news/company-news/servicenow-to-acquire-armis-for-775-billion-in-cybersecurity-push-93CH-4421290
7. Axios – ServiceNow to buy cybersecurity company Armis for $7.75B (December 23, 2025) https://www.axios.com/pro/enterprise-software-deals/2025/12/23/servicenow-armis-agentic-cybersecurity
8. Tech Advisors – AI Cyber Attack Statistics 2025 (September 2025) https://tech-adv.com/blog/ai-cyber-attack-statistics/
9. CybelAngel – The Rise of AI-Powered Phishing 2025 (February 2025) https://cybelangel.com/blog/rise-ai-phishing/
10. Cyber Defense Magazine – The Growing Threat of AI-powered Cyberattacks in 2025 (June 2025) https://www.cyberdefensemagazine.com/the-growing-threat-of-ai-powered-cyberattacks-in-2025/
11. AllAboutAI – AI Cyberattack Statistics 2025 (November 2025) https://www.allaboutai.com/resources/ai-statistics/ai-cyberattack/
12. Capitol Technology University – Emerging Threats to Critical Infrastructure: AI Driven Cybersecurity Trends for 2025 https://www.captechu.edu/blog/ai-driven-cybersecurity-trends-2025
13. Fortinet – Cybersecurity Statistics 2025: Rising Threats and Industry Insights https://www.fortinet.com/resources/cyberglossary/cybersecurity-statistics
14. StrongestLayer – AI-Generated Phishing: The Top Enterprise Threat of 2025 https://www.strongestlayer.com/blog/ai-generated-phishing-enterprise-threat-2025
15. SQ Magazine – AI Cyber Attacks Statistics 2025 (October 2025) https://sqmagazine.co.uk/ai-cyber-attacks-statistics/
16. Hoxhunt – Phishing Trends Report (Updated for 2025) https://hoxhunt.com/guide/phishing-trends-report
17. DeepStrike – AI Cybersecurity Threats 2025: Surviving the AI Arms Race (August 2025) https://deepstrike.io/blog/ai-cybersecurity-threats-2025
18. Nozomi Networks – OT/IoT Cybersecurity Trends & Insights 2025 https://www.nozominetworks.com/ot-iot-cybersecurity-trends-insights-february-2025
19. Markets and Markets – Top Companies in Operational Technology (OT) Security Market https://www.marketsandmarkets.com/ResearchInsight/operational-technology-ot-security-market.asp
20. Industrial Cyber – BitSight warns of surge in ICS/OT Internet exposure (September 2025) https://industrialcyber.co/reports/bitsight-warns-of-surge-in-ics-ot-internet-exposure-raising-critical-infrastructure-cybersecurity-concerns/
21. GlobeNewswire – Vulnerability Management Research Report 2024 & 2025-2030 (March 2025) https://www.globenewswire.com/news-release/2025/03/24/3047727/0/en/Vulnerability-Management-Research-Report-2024-2025-2030
22. ONEKEY – Cybersecurity Report 2024: OT/IoT attacks on the rise (November 2025) https://www.onekey.com/resource/ot-iot-cybersecurity-report-2024
23. Grand View Research – Exposure Management Market Size | Industry Report, 2030 https://www.grandviewresearch.com/industry-analysis/exposure-management-market-report
24. Mordor Intelligence – IoT Security Market Size, Growth, Share & Trends Report 2030 (July 2025) https://www.mordorintelligence.com/industry-reports/iot-security-market
25. Ivanti – State of Cybersecurity Trends Report 2025 (March 2025) https://www.ivanti.com/resources/research-reports/state-of-cybersecurity-report
26. Markets and Markets – Operational Technology (OT) Security Market Size | 2025-2030 https://www.marketsandmarkets.com/Market-Reports/operational-technology-ot-security-market-18524133.html
27. Fortinet – 2025 State of Operational Technology and Cybersecurity Report https://www.fortinet.com/resources/reports/state-ot-cybersecurity
28. CNBC – ServiceNow’s deal blitz gives it an ‘AI control tower’ (December 23, 2025) https://www.cnbc.com/2025/12/23/servicenow-armis-cybersecurity-acquisition.html
29. ServiceNow Business Wire – ServiceNow completes acquisition of Moveworks (December 15, 2025) https://www.businesswire.com/news/home/20251215128980/en/ServiceNow-completes-acquisition-of-Moveworks
30. Moveworks – Moveworks Acquired by ServiceNow: The Future of Agentic AI (December 15, 2025) https://www.moveworks.com/us/en/resources/blog/servicenow-moveworks-acquisition-closed
31. Security Boulevard – Palo Alto’s Acquisition of CyberArk Could Set Off Wave of Consolidation (July 2025) https://securityboulevard.com/2025/07/palo-altos-acquisition-of-cyberark-could-set-off-a-wave-of-consolidation-in-the-cyber-world/
32. Calcalist – Palo Alto Networks CEO: “We’re happy Wiz is now part of Google” (December 2025) https://www.calcalistech.com/ctechnews/article/sytckfcmzx
33. CSO Online – Top cybersecurity M&A deals for 2025 (August 2025) https://www.csoonline.com/article/1298623/top-cybersecurity-ma-deals-this-year.html
34. Google Blog – Google announces agreement to acquire Wiz (March 18, 2025) https://blog.google/inside-google/company-announcements/google-agreement-acquire-wiz/
35. TechCrunch – Palo Alto Networks agrees to buy CyberArk for $25 billion (July 30, 2025) https://techcrunch.com/2025/07/30/palo-alto-networks-agrees-to-buy-cyberark-for-25-billion/
36. CNBC – Palo Alto Networks stock falls after announcing $25 billion CyberArk deal (July 30, 2025) https://www.cnbc.com/2025/07/30/palo-alto-networks-cyberark-deal.html
37. Calcalist – Why CyberArk sold at the peak: Inside the $25 billion deal (July 31, 2025) https://www.calcalistech.com/ctechnews/article/hysppc00pee
38. The Tribune – Israel’s tech sector surges in 2025 despite fewer deals (December 22, 2025)https://www.tribuneindia.com/news/ai-impact/israels-tech-sector-surges-in-2025-despite-fewer-deals-15-6b-in-funding