Cybersecurity M&A is entering a new phase.

For years, buyers acquired tools that could detect threats, secure endpoints, monitor networks or manage vulnerabilities. That model worked when enterprise technology estates were easier to define. Today, the attack surface is much wider. Companies now operate across cloud environments, operational technology, connected devices, medical equipment, code repositories and AI agents.

That is the real logic behind ServiceNow’s acquisition of Armis.

In December 2025, ServiceNow agreed to acquire Armis for US$7.75 billion in cash, making it the company’s largest deal. The acquisition was completed in April 2026. Armis brings real time visibility and protection across connected assets, including OT, IoT, medical devices, physical AI, code and cloud.

At first glance, this looks like a cybersecurity bolt on. Strategically, it is closer to a platform expansion move.

ServiceNow already sits inside enterprise workflows. Its platform helps companies route work, manage incidents and automate processes across large organisations. Armis gives it something highly complementary: visibility into the assets that create cyber exposure.

That matters because modern cyber risk is increasingly a visibility problem before it becomes a response problem. Companies cannot secure assets they cannot see. They cannot prioritise vulnerabilities without understanding which systems matter most. They cannot govern AI agents without knowing what those agents can access.

This is why the Armis deal should not be read as another security software acquisition. It is a bet on control.

A traditional security tool can identify a problem. A control layer connects that problem to the asset, the owner, the business context and the remediation workflow. That is where ServiceNow wants to play. The company said Armis and Veza together are expected to more than triple its addressable market for security and risk solutions, with Armis adding asset intelligence and Veza adding identity visibility.

The strategic shift is clear. Cybersecurity buyers are no longer only asking whether a target can detect more threats. They are asking whether it can help enterprises reduce risk faster.

AI makes this more important. As companies deploy AI agents and connect more systems, the number of digital identities, permissions, data flows and connected assets increases. Security teams will need platforms that can see the environment, prioritise exposure and trigger action quickly.

For ServiceNow, Armis also expands the company into more asset heavy sectors such as healthcare, manufacturing, energy, public infrastructure and industrial environments. In these sectors, security is not only an IT issue. It is tied to operations, uptime, safety and business continuity.

The deal still carries execution risk. Large acquisitions are hard to integrate. ServiceNow will need to prove that combining workflow automation with asset intelligence produces measurable outcomes for customers, not just a broader product story.

But the direction of the market is hard to miss.

The next phase of cybersecurity M&A will not be defined only by who has the best detection engine. It will be defined by who can help enterprises move from visibility to prioritisation to action.

ServiceNow’s Armis acquisition captures that shift. The old question was: can we detect the threat?

The new question is: can we see the risk, understand the context and fix it before it becomes a business problem?

‍