ServiceNow is betting on “workflow gravity” to win against the platforms of Palo Alto, CrowdStrike, Cisco, Zscaler, and Microsoft
How ServiceNow is planning to compete with Palo Alto, CrowdStrike, Cisco, Zscaler, and Microsoft and what advantages it has over the competition.
Over the past few months, ServiceNow announced two major acquisitions, Veza (acquired for over $1B) and Armis (acquired for $7.75B). The latter also happens to be the largest acquisition in ServiceNow’s history, which is quite impressive for a $150-billion company not widely known as a security player.
Some people read these events as ServiceNow trying to become a security vendor, but this is not at all the case. Instead, it looks like the company is betting on “workflow gravity” to become a leader in security. In this piece, I explain what ServiceNow’s bet is and why it stands a real chance of becoming a sizable player in cyber.
The concept of workflow gravity effect
To make sense of the strategy ServiceNow is going after, it’s important to understand the concept of workflow gravity and why it matters.
If you have read my previous deep dive about control points, this is going to sound very familiar, but if you haven’t, here’s some quick context. Every function of security has a centralized system where most of the work happens (I call these control points). For example, the entirety of security operations currently lives in a security information and event management (SIEM) system, while identity governance platforms like SailPoint remain the main operating system for enterprise identity.
If we take a few steps back and look at the entirety of the enterprise, it’s easy to see that where work happens is largely defined by two factors: data gravity and workflow gravity.
I have previously talked about data gravity, and although years have passed, the idea remains as relevant today as it was then. In simple words, data gravity is what we see when something becomes a system of record for a function, and as more and more data is centralized in a single interface, it attracts even more data, creating a flywheel. Think about any SIEM: the more data a company sends into a SIEM, the more insight it can extract, and the more it makes sense to send other data to the same system. Over time, it becomes possible to add other offerings on top of that data, especially in security, where so much of what we do is just different ways of analyzing and correlating the same data.
Workflow gravity, on the other hand, is when a system becomes the system of action where work happens, and then uses this position to pull other work into the platform. While Splunk has successfully centralized enterprise data, ServiceNow has effectively won the title of becoming an operating system for enterprise IT. In effect, ServiceNow has become an enterprise “system of action” with unified data and AI experiences built into workflows. This is an incredibly powerful position because once a company owns where work flows, it gets the ability to influence and eventually own how decisions are made.
The workflow gravity effect creates a flywheel
One of the things that makes the workflow gravity effect so powerful is the fact that it creates a flywheel.
First, all work is centralized in one place: incidents, changes, approvals, exceptions, tasks, evidence, and so on all become records in a single workflow system. The more this system is used, the more context it accumulates. This context comes in all forms - change history, comments, links to additional information, and so on. ServiceNow contains a treasure trove of historical data about everything from who requested what to why a certain person requested access to a new application three years ago. Every action leaves some paper trail, and in the vast majority of large enterprises, all this lives in ServiceNow.
Once a single system accumulates so much business and technical context as well as history of what changed, when, how, and why, it becomes possible to automate triage, routing, prioritization, approvals, and remediation in a way that point tools struggle to do. The more automated it becomes, the more likely it is that anything still operating outside of these centralized systems will be integrated into the same workflow, as that’s where most of the work already occurs.
Cybersecurity is a perfect target for workflow gravity
Cybersecurity has three characteristics that make it especially workflow-native.
First, security is cross-functional by default. Nearly every security function is a part of some business process: cloud security is a function that impacts cloud engineering, application security impacts software engineering, identity security impacts identity and IT, and so on. Consider identity and access management, for example. When a user submits a ticket to request access to some application, someone has to review the request, make sure the policy & risk criteria are met, and then decide if it should be approved. At the end of this process, the user will be granted access, and the whole process will be documented as evidence for an audit.
Second, security is continuous (or rather, it should be continuous, though some companies are still stuck in the mindset of relying exclusively on periodic checks). Using identity as an example, it’s not enough to run quarterly checks to make sure that the right people have the right level of access (though they are still needed); the company needs to make sure that every request is evaluated and the risk implications of every single change are understood.
Lastly, security is a proof-driven discipline. Every single change needs to be documented along with its risk implications, so that the rationale for decisions is captured and stored for audit. The fact that ServiceNow is where workflows live makes it the place where audit evidence lives (this also means that ServiceNow is a treasure trove of data for companies using agents to automate manual GRC work, but that’s a separate conversation).
ServiceNow’s unique strategy of absorbing security categories into a unified “see, decide, act” platform
There is no shortage of companies fighting to win in the lucrative cybersecurity market. Each of the contenders is trying to capitalize on its core advantages:
Palo Alto started as a firewall company and has now expanded into nearly all areas of security, which, as of recently, following their acquisition of CyberArk, includes identity. At the core, Palo Alto used the generous revenue it generates from its network security business to build an incredibly broad and deep cyber portfolio and push the idea of platformization, to which the market responded very well.
Cisco, a company that acquired the largest number of cybersecurity companies, initially capitalized on its deep roots in the networking space and used cash from networking to fund its expansion in cyber. Today, with the acquisition of Splunk, it also has data gravity working in its favor. Notably, Cisco’s strategy has always been very different than that of Palo Alto: instead of integrating the acquired companies into a single platform, Cisco likes to give them the freedom to operate independently, but with the additional resources of a global powerhouse.
Microsoft has been highly successful relying on its strategy of bundling to get enterprises to consolidate a wide range of security capabilities with the same vendor that already handles a lot of their IT.
CrowdStrike has used its leadership in one of the largest cyber markets - endpoint - to also expand into adjacent security categories, and its growth over the past decade clearly shows that that strategy has been highly successful.
Zscaler, on its part, has relied on its ability to inspect traffic to add a wide range of security offerings and also become one of the top global cybersecurity leaders. Recently, the company has finally entered the security operations space with the acquisition of Red Canary.
Each of the contenders for the title of the winner of the cybersecurity market is leveraging different strengths and taking a different path to the same goal.
ServiceNow stands out as a player with a distinctive set of advantages. ServiceNow’s core differentiator is its ability to turn messy cross-team work into structured workflows that can be measured, governed, automated, and secured at scale. Let me be clear though: the fact that ServiceNow has security ambitions isn’t new, as the company has had security operations offerings for years (incident response, vulnerability management, etc.), and it has a strong track record connecting security tools and streamlining response. To date, ServiceNow has acquired six companies focused on security, compliance, and risk management: Intréis (2015), Brightpoint Security (2016), Fairchild Resiliency Systems (2019), Mission Secure (2024), Veza (2025), and Armis (2025).
What’s different about this phase of ServiceNow’s strategy is that instead of integrating with security solutions, the new move is much more aggressive: to acquire control points in security where “visibility + prioritization” decisions start.
The acquisitions of Veza and Armis make this strategy rather obvious, as both of the acquired companies fit the gravity model very well. Identity decisions create constant work, from access requests and access reviews to managing exceptions and remediation, which is exactly the space where Veza has been playing. From the security standpoint, the answer to identity problems isn’t just detection, it’s approval combined with enforcement and evidence collection, something that lands in workflow territory. Armis, on the other hand, is an exposure management platform, and exposure management produces arguably the most “workflowable” output in security: prioritized risk that needs action (assignments, fixes, compensating controls, exceptions, etc.).
Both platforms create cross-org coordination work: in the case of identity, it’s between employees, IT, and security, and in the case of OT/IoT/medical devices, it’s between facilities, biomed, IT, security, and so on. Put simply, Veza helps ServiceNow own “who/what can access,” and Armis helps it own “what’s out there and how risky it is.” Both of these are upstream decision points that feed everything else.
It’s pretty obvious that these acquisitions aren’t about adding another security SKU to the broader portfolio; they’re about assembling a platform where security decisions get made and implemented. You can read it as a three-layer stack ServiceNow is trying to own: see (gain visibility into different aspects of security), decide (understand impact, prioritize, govern, etc.), and act (ServiceNow’s bread and butter of ticketing and workflows).
Data may be the new oil, but it’s workflows that get redefined with AI agents
People like to say that in the age of AI, data is the new oil. I am not going to dispute that, but I do want to point out an important nuance. Having quality data has been critical for over a decade, ever since tools like data science and machine learning became ubiquitous in the tech world. The impact of AI agents is not really changing the importance of data. What it’s doing is raising the importance of workflows.
The current generation of AI, and specifically AI agents, makes it possible to automate a lot of work that previously needed to be done by humans. The most impactful innovation of the present is about workflows, and guess what, no single system on the planet houses more enterprise workflows than ServiceNow. This is why, in my view, ServiceNow is the platform that has a very high chance of benefiting from AI agents for everything, including automating security workflows.
Closing thoughts
I think that the ServiceNow strategy isn’t just a very smart move for the company, but it can also be great news for the industry. We like to talk about security by design and embedding security into the products from the very moment we design a new solution. This surely is something that we should be aspiring toward, but even if that were to happen (which I am not overly optimistic about), I don’t think it’d have as much impact as people believe it would. The majority of risks aren’t an outcome of poorly designed products; they are an outcome of organizational complexity. Since I’ve used identity as an example throughout this article, I’ll use it here as well. It’s not that all applications get shipped with broken authentication and authorization functionality, it’s that at enterprise scale, it’s insanely hard to get these right.
We’ve all read reports that over 99% of all breaches will be the result of misconfigurations, and I am a firm believer that that’s exactly what’s going to happen (if it hasn’t already). If we want to solve the problems of enterprise security, we need to find a way to embed security into the enterprise workflows. I don’t think there’s anyone who would be in a better position to do this than ServiceNow. If it plays its cards well and if it uses the advantages it gets with AI, it can very well reshape the way cybersecurity is done.




You put a lot of thought and research into this. If ServiceNow is able to provide that control point effectively to companies, it would be a game changer.