Every platform giant is becoming a security company. As every enterprise is becoming more and more tech-enabled, the responsibility for protecting data, identities, and infrastructure starts to fall on the platforms where that work happens. Over the past several years, I have come to a simple realization: that every platform vendor eventually becomes a security vendor, whether they planned to or not. This trend has some very important implications for our industry in general, and for cybersecurity startups in particular. This is what today’s article is about.

This issue is brought to you by… Axonius.

51% of Security Teams Are Losing Critical Context

Most cybersecurity programs are rich in visibility — and struggling to act on it. So what separates the teams that actually move the needle?

Axonius partnered with the Ponemon Institute to find out. The 2026 Actionability Report reveals how top security teams turn data into decisive action. Only 45% consolidate exposure into a single source of truth. 51% lose critical context during remediation. 37% are still stuck in manual workflows.

The best teams have solved these problems, and this report shows exactly how.

Get the Research

Cybersecurity is breaking all records

If you have been following the news over the past several years, you know that cybersecurity has been exploding in growth. Let this sink in:

• Google’s largest-ever acquisition is a security company (Wiz).

• ServiceNow’s largest-ever acquisition is a security company (Armis).

• Mastercard’s second-largest ever acquisition is also a security company (Recorded Future).

• Cisco’s largest-ever acquisition is a security company (sure, not pure-play but cyber is a huge part of their business - Splunk).

If these aren’t the signs that something is changing, then nothing is. However, just looking at these figures won’t do them any justice without the surrounding context why we’re seeing what we are seeing. Let’s have a quick look at several different cases to understand how every platform company is becoming a security company.

Every platform company is becoming a security company: eight brief case studies

Case one: Google

Google’s largest acquisition ever is a security company, Wiz, purchased for $32 billion. That alone is remarkable, but it becomes even more impressive when you look at Google’s broader M&A history. Out of more than 260 acquisitions, only 65 had disclosed prices, and across those deals, Google spent nearly as much on just three cybersecurity companies (Siemplify, Mandiant, and Wiz, $37.9B combined) as it did on the other 62 disclosed acquisitions combined ($41B). This number is mindblowing.

Here’s a great chart that puts Google’s acquisition themes into perspective:

​

Source: FourWeekMBA​

What’s driving this shift is simple: Google is no longer just an advertising company, it is an enterprise cloud company competing with AWS and Microsoft. In the enterprise world, security is foundational, so if Google wants large organizations to run critical workloads on Google Cloud, it has to be able to offer first-class security capabilities natively. Acquiring companies like Mandiant and Wiz allows Google to instantly strengthen its credibility with CISOs and security teams, something that takes decades to build organically (and frankly, something that Google hasn’t been able to do on its own).

There is also a strategic platform play behind these acquisitions. Cloud platforms increasingly compete not just on compute and storage, but on the ecosystem of capabilities that sit on top - identity, observability, compliance, and security. By integrating security deeply into its cloud platform, Google can make its infrastructure stickier, (hopefully) attract security-conscious enterprises, and compete more directly with Microsoft, which has successfully turned security into a massive multi-billion-dollar business attached to its cloud. Moreover, having Wiz in their portfolio strategy gives Google deep visibility into customer deployments across other clouds. In that sense, cybersecurity isn’t just a product category for Google, it’s becoming a core pillar of its enterprise strategy.

Google’s competitors in the cloud space, Microsoft and AWS, have had a different approach to cybersecurity M&As. AWS acquired Sqrrl and harvest.ai in 2017, but didn’t do anything afterwards. Microsoft, on the other hand, has had a cyber acquisition spree between 2020 and 2022 but hasn’t done any new M&As since then (it bought CyberX in 2020, RiskIQ, CloudKnox, and ReFirm Labs in 2021, and Miburo in 2022). This does make sense if you consider that the way these two hyperscalers go to market is different as are the advantages that make them leaders in the cloud world.

Case two: ServiceNow

ServiceNow’s largest acquisition ever is also a security company, Armis, acquired for $7.75 billion in cash.

ServiceNow built its empire by becoming the system of record for enterprise workflows, from IT and HR to customer support, and increasingly operations across the entire organization. Once you own the workflows that run the enterprise, security naturally becomes part of the conversation. Every incident, vulnerability, asset, configuration change, and compliance process ultimately turns into a workflow.

ServiceNow is betting on what I call the “workflow gravity” effect - the fact that ServiceNow has become an enterprise “system of action” with unified data and AI experiences built into workflows. This is an incredibly powerful position because once a company owns where work flows, it gets the ability to influence and eventually own how decisions are made. ServiceNow’s bet is so interesting that I wrote an entire dedicated deep dive about it: ServiceNow is betting on “workflow gravity” to win against the platforms of Palo Alto, CrowdStrike, Cisco, Zscaler, and Microsoft.

If you look at this chart by CB Insights, it becomes clear that ServiceNow has its hands in virtually every enterprise workflow:

Source: Jason Saltzman on LinkedIn

And yet, it is clear that a company best known for owning enterprise workflows is increasingly becoming a cybersecurity company. This ambition is why ServiceNow paid so much for Armis, and also why it acquired Veza in a $1 billion deal around the same time.

Atlassian, which competes with ServiceNow with its Jira offerings, hasn’t been a significant player in the cybersecurity space. The company has largely missed the opportunity to dominate developer security (which it definitely had the chance to do) or to capitalize on its dominance in the developer and IT workflows space (unlike ServiceNow). It has made some deals, like its acquisition of Borneo in 2025, but it never truly played big in the cybersecurity market.

Case three: Mastercard

Mastercard’s second-largest acquisition in history also happens to be a cybersecurity company, Recorded Future, for which in 2024 the company paid $2.65B. This move, which surprised a lot of people, showed how financial networks think about security. Mastercard isn’t just a payment processor, it operates one of the largest global transaction networks. For them, protecting that ecosystem from fraud, cybercrime, and nation-state threats is critical to the business. By bringing Recorded Future’s intelligence capabilities in-house, Mastercard can better detect threats targeting banks, merchants, and payment infrastructure across its network. At the same time, it could even allow Mastercard to expand its security offerings to financial institutions and enterprises, basically turning cybersecurity into both a defensive capability and a new growth business built on top of the company’s global data and network visibility.

For Mastercard, Recorded Future most definitely wasn’t its first step into cybersecurity. Before investing nearly $3 billion in security, the company has made a long list of smaller acquisitions, including Ethoca (2019), RiskRecon (2019), and Baffin Bay Networks (2023).

Mastercard also isn’t the only payments network that has acquired or partnered with cybersecurity and fraud prevention companies. Visa, for example, bought Featurespace (2024) and CyberSource (2020, acquired in a transaction worth $2 billion), and in 2020 it invested in Very Good Security.

Case four: Cisco

Cisco’s largest ever acquisition is also a security company, Splunk, for which it paid $28 billion. Sure, some may argue that Splunk isn’t a pure-play security company, but given how much of their business comes from security, I’d say it is a security company.

When I looked at how, in some 20 years, over 200 companies in cyber consolidated into just 11, I pointed out that if you asked most people in security who the biggest acquirer of cybersecurity companies is, the answer would almost certainly be Palo Alto Networks. That makes sense since the company has been pushing the consolidation narrative (or, as they call it, “platformization”) harder than anyone else, and we’ve seen that they have brought together over 30 players. However, while Palo Alto may be the most visible acquirer, it’s not the biggest. That title belongs to Cisco, which has absorbed more than 40 (!) security companies over the past two decades.

Source: 20 years of cybersecurity consolidation: how 200 companies became 11

Cisco’s strategy here is deeply tied to its evolution as a company. For decades, Cisco dominated networking infrastructure, but as the industry shifted toward cloud, software, and observability, simply selling routers and switches was no longer enough. Security became the natural extension of Cisco’s position in the network: if you sit in the data path, you are uniquely positioned to detect threats, analyze behavior, and enforce policy. By acquiring Splunk, Cisco effectively adds one of the most powerful data and analytics platforms in security to its portfolio, allowing it to combine network telemetry, security signals, and observability into a single platform.

More broadly, Cisco’s history of acquiring over 40 cybersecurity companies reflects a long-standing belief that networking and security are inseparable. From firewalls and cloud security to identity and zero trust, Cisco has spent two decades building a massive security portfolio around its network footprint. To them, security is not just an opportunity to upsell customers who are already relying on Cisco for their networking needs, but also a way to reinvent the business and position it for the future.

Cases five, six, seven, and eight

There are many, many more cases we can look at when a company that isn’t known as a cybersecurity player acquires a security startup. Here are four more just to give you some examples:

• Mitsubishi Electric acquired Nozomi Networks for $1 billion to strengthen its capabilities in securing industrial and OT environments. By acquiring Nozomi, Mitsubishi can embed security directly into the increasingly interconnected industrial systems it sells to factories, energy systems, and critical infrastructure.

• HP acquired Bromium to use security as a selling point for its devices. Bromium pioneered isolation that protected users from malware by containing threats inside micro-virtual machines. By integrating this technology into HP laptops and workstations, HP could make security a native feature of the device instead of relying on third-party security products.

• Hewlett Packard Enterprise (HPE) acquired Axis Security. The acquisition helped HPE move deeper into the convergence of networking and security (Axis’s zero-trust network access tech fit naturally into HPE’s broader strategy around Aruba).

• Apple acquired mobile security firm AuthenTec for $356 million. AuthenTec’s expertise in fingerprint sensors allowed Apple to develop and integrate Touch ID, starting with the iPhone 5S, offering a secure, intuitive authentication method.

Different motivations, the same outcome

Every single one of the companies I mentioned here has different reasons to get into cybersecurity. For Google, for example, cybersecurity is a way to assemble a differentiated cloud offering so that it can more confidently compete with AWS and Azure. For ServiceNow, cybersecurity is a way to capitalize on the “workflow gravity” effect and its position as the owner of enterprise workflows. For Mastercard, cybersecurity is a way to protect its business-critical operations, prevent disruptions, and reduce the amount of money it needs to pay to bad actors. For Cisco, cybersecurity is both a way to further capitalize on its deep embeddedness into the enterprise infrastructure and a way to reinvent the business and position it for the future. This list can go on and on.

Regardless of the motivations, the outcome is the same: every significant B2B company is becoming a security company. Security is no longer a standalone category reserved for specialized vendors, it has become a foundational capability expected from every enterprise platform. If you operate critical infrastructure, host enterprise data, run workflows, or power digital payments, customers expect you to secure it by default. This shift is slowly changing the cybersecurity industry. Instead of security being purchased exclusively from dedicated security vendors, it is increasingly embedded into the platforms enterprises already rely on. The result is a world where cybersecurity is both its own massive market and a horizontal capability that every major B2B company must build, buy, or partner to deliver.

What cybersecurity startup founders should keep in mind

For founders of cybersecurity startups, this changes the strategic landscape. On one hand, the bar is higher than ever: if a platform vendor can ship a “good enough” native security capability, a standalone product has to be substantially better to justify its existence. Many of the point solutions have been struggling with this. At the same time, there’s a massive opportunity to build the innovation layer that large B2B platforms will eventually integrate, partner with, or acquire.

In other words, the future of cybersecurity startups is increasingly connected to the ecosystems of large B2B platforms, not just security products. Founders may still look at the usual suspects like Palo Alto Networks, CrowdStrike, Zscaler, Fortinet, and Check Point as natural acquirers, but as I’ve discussed here, the list of potential buyers is expanding far beyond the traditional cybersecurity industry. The past several years alone have shown how aggressively companies like ServiceNow, Google, and Mastercard are investing in security, and I am pretty sure we will see more of that in the decade to come. For founders, that means thinking differently about where their company fits in the broader technology ecosystem. The most successful cybersecurity startups won’t just build tools for security teams; they will build products that become strategically important to the platforms where core business actually happens.

If you like my blog, please subscribe & share it with your friends. I do this in my free time, so seeing the readership grow helps me to stay motivated and write more. I don’t send anything except my writing and don’t sell your data to anyone as I have better stuff to do.

If you are a builder - current or aspiring startup founder, security practitioner, marketing or sales leader, product manager, investor, software developer, industry analyst, or someone else who is building the future of cybersecurity, check out my best selling book, Cyber for Builders.

If your company is interested in sponsoring Venture in Security, check out Sponsorships.

Lastly, check out the Inside the Network podcast where we bring you the best founders, operators, and investors building the future of cybersecurity.

Share