Palo Alto Networks: The King of Cybersecurity M&A
How Nikesh Arora led Palo Alto Networks' acquisition strategy, transforming the company from firewall leader to the leading $100B+ cybersecurity platform
Palo Alto Networks (“PANW”) began a bold acquisition spree in 2018 that has bolstered its trajectory to become the first $100B+ cybersecurity platform company. This aggressive M&A approach, largely driven by CEO Nikesh Arora since 2018, focused on expanding the company's capabilities in cloud security, AI-based security, and threat intelligence. PANW has yet to pay over $1B for any individual company, but repeatedly finds product-market fit for the companies it acquires. In the past decade, PANW has spent ~$5.5B on 17 acquisitions. These 17 acquisitions became the foundation of its next-generation security business that is approaching $5B ARR and almost half the overall business.
Of these 16 acquisitions, 9 were originally founded in Israel, at an average purchase price of $350M, while 5 were founded in the Bay Area, at an average price of $342M. NY had one (IBM QRadar), which was a carve-out from IBM this year rather than the acquisition of a whole company. Washington, D.C. had the final one, the consulting firm Crypsis. Read our prior piece which discusses how Israel became a global capital for the cybersecurity industry.
In this post, we'll explore the $100M+ acquisitions that have defined Palo Alto Networks' rise in the cybersecurity landscape over the past decade:
2024:
QRadar (IBM):
Transaction: $500M (expected to close by September 2024) [announcement]
Category: SIEM
HQ: New York, NY
Why Acquired: PANW acquired QRadar to strengthen its AI-driven security operations and SIEM capabilities within its Cortex platform. This move aims to improve threat detection and response efficiency, allowing it to offer more comprehensive security solutions. Additionally, the acquisition facilitates a smoother transition for existing QRadar users into PANW's ecosystem. By acquiring QRadar, PANW gained more strength in its SIEM offerings to compete primarily with Splunk, but also with Sumo Logic, Datadog and Grafana.
2023:
Talon Cyber Security:
Transaction: $600M [announcement]
Category: Enterprise Browser
HQ: Tel Aviv, Israel
Why Acquired: PANW acquired Talon Cyber Security to enhance its enterprise browser security offerings, addressing the growing demand for secure remote work environments. By offering a contained browser experience, enterprise browsers reduce risks in areas like phishing and ransomware. Acquiring Talon positions PANW to effectively compete against Island (Talon’s chief competitor) as well as Zscaler and Fortinet in the SASE space. By integrating Talon’s capabilities, Palo Alto Networks aims to offer a more robust and secure browsing experience, catering to enterprises seeking comprehensive protection for their distributed workforce. This product has been repositioned as the Prisma Access Browser.
Dig Security:
Transaction: $400M [announcement]
Category: Data Security
HQ: Tel Aviv, Israel
Why Acquired: PANW acquired Dig Security to strategically enhance its data security capabilities, particularly in the cloud. The acquisition enables PANW to offer a more comprehensive Data Security Posture Management (DSPM) solution, crucial for organizations facing complex data protection challenges. By integrating Dig Security, Palo Alto Networks strengthens its competitive edge against major DSPM players like OneTrust, Rubrik, and Cyera. This move also aligns with PANW's broader goal of expanding its security offerings across cloud environments, ensuring robust data protection.
2022:
Cider Security:
Transaction: $300M [announcement]
Category: Developer Security (“DevSec”)
HQ: Tel Aviv, Israel
Why Acquired: PANW acquired Cider Security to boost its DevSecOps capabilities, focusing on securing the software development lifecycle. This strategic move enables PANW to offer stronger protection for CI/CD pipelines, positioning itself against competitors like Snyk, GitLab, and Aqua Security. By integrating Cider Security, PANW aims to address potential vulnerabilities earlier in the development process, enhancing its comprehensive security offerings for development environments.
2021:
Bridgecrew:
Transaction: $200M [announcement]
Category: Infrastructure-as-code Security (“IaC Security”)
HQ: Tel Aviv, Israel
Why Acquired: PANW acquired Bridgecrew to strengthen its cloud security offerings, particularly in the area of infrastructure-as-code (IaC) security. This acquisition allows PANW to provide automated security checks within the development process, addressing vulnerabilities earlier in the software lifecycle. By integrating Bridgecrew, PANW enhances its Prisma Cloud platform and competes more effectively with other cloud security providers like HashiCorp, Snyk, and AWS’s security tools, ensuring comprehensive security for cloud-native applications.
2020:
Cortex Xpanse:
Transaction: $800M [announcement]
Category: Attack Surface Management and Vulnerability Scanning
HQ: San Francisco, CA
Why Acquired: PANW acquired Expanse to enhance its attack surface management and vulnerability scanner capabilities, which are essential for identifying and securing exposed assets across the internet. Expanse competes with other vulnerability management tools like RiskIQ, Tenable, and Rapid7. By integrating Expanse into its Cortex platform, PANW aims to offer a more comprehensive security solution that addresses the growing need for proactive vulnerability management and remediation.
The Crypsis Group:
Transaction: $265M [announcement]
Category: Digital Forensics and Government Consulting
HQ: Washington, D.C.
Why Acquired: PANW acquired The Crypsis Group, a consulting firm specializing in incident response and digital forensics, to strengthen its competitive stance against Mandiant, known for its deep forensic services. This acquisition was also strategically important due to Crypsis's strong ties to Washington, D.C., where PANW has been expanding its federal business, now valued at over a billion dollars. Integrating Crypsis into PANW’s offerings bolsters its ability to support organizations in managing and recovering from cyber incidents.
CloudGenix:
Transaction: $420M [announcement]
Category: SD-WAN
HQ: San Jose, CA
Why Acquired: PANW acquired CloudGenix to enhance its secure SD-WAN offerings, integrating them into the Prisma Access platform. This acquisition allowed PANW to provide better connectivity and security for distributed enterprise networks, particularly branch offices and remote work environments. The move was also strategic in positioning PANW against competitors like Cisco's Viptela, VMware's VeloCloud, and Silver Peak (acquired by HPE), which also offer SD-WAN solutions. By acquiring CloudGenix, PANW strengthened its ability to support modern enterprise network architecture with a focus on security and performance.
2019:
Aporeto:
Transaction: $150M [announcement]
Category: Zero Trust Cloud Security
HQ: San Jose, CA
Why Acquired: PANW acquired Aporeto to strengthen its microsegmentation and identity-based security within cloud-native environments. Aporeto’s technology allows for the enforcement of identity-driven security policies across applications, making it a key addition to PANW's Prisma Cloud platform. This acquisition enhances PANW's ability to compete with other security providers like Aqua Security, Sysdig, and Illumio, all of which offer solutions in securing containerized and microservices-based applications in hybrid and multi-cloud environments.
Twistlock:
Transaction: $410M [announcement]
Category: Container Security
HQ: Tel Aviv, Israel
Why Acquired: PANW acquired Twistlock to enhance its container security capabilities, integrating Twistlock's technology into its Prisma Cloud platform. Twistlock specialized in securing containerized applications and microservices, a critical area as enterprises increasingly adopt cloud-native architectures. This acquisition positioned PANW to compete more effectively with other leaders in container security, such as Aqua Security, Sysdig, and Illumio. By bringing Twistlock into its portfolio, PANW strengthened its ability to offer comprehensive security solutions across hybrid and multi-cloud environments. Twistlock is now Prisma Cloud Compute.
Demisto:
Transaction: $560M [announcement]
Category: Security orchestration, automation, and response (SOAR)
HQ: Tel Aviv, Israel
Why Acquired: PANW acquired Demisto to enhance its security orchestration, automation, and response (SOAR) capabilities, which streamline and automate incident response processes. Demisto's platform enables security teams to coordinate and automate tasks across different tools, reducing response times and improving efficiency. This acquisition strengthened PANW's ability to compete with other SOAR providers like Splunk Phantom, IBM Resilient, and ServiceNow Security Operations, by integrating Demisto into its broader security operations suite. Demisto became Cortex XSOAR.
2018:
RedLock:
Transaction: $173M [announcement]
Category: Cloud Security Posture Management
HQ: Menlo Park, CA
Why Acquired: PANW acquired RedLock to strengthen its cloud security capabilities, particularly in providing visibility, threat detection, and compliance management for multi-cloud environments. RedLock's technology enabled organizations to detect and respond to security risks in real-time across AWS, Google Cloud, and Microsoft Azure. This acquisition was a key move for PANW to enhance its Prisma Cloud offering, positioning it against competitors like Dome9 (acquired by Check Point), Evident.io (which PANW also acquired), and CloudCheckr in the cloud security space.
Secdo:
Transaction: $100M [announcement]
Category: Endpoint Security
HQ: Tel Aviv, Israel
Why Acquired: PANW acquired Secdo to enhance its endpoint detection and response (EDR) capabilities by integrating Secdo's technology, which specializes in incident response and forensic analysis. Secdo's solution provided advanced threat hunting and investigation tools, allowing for quicker identification and remediation of cyber threats. This acquisition helped PANW compete more effectively with other EDR vendors such as CrowdStrike, Carbon Black (acquired by VMware), and FireEye. Integrating Secdo's capabilities into PANW’s Cortex platform strengthened its overall security offering.
Evident.io:
Transaction: $300M [announcement]
Category: Cloud Security and Monitoring
HQ: Pleasanton, CA
Why Acquired: PANW acquired Evident.io to enhance its cloud security and compliance capabilities, particularly in monitoring and securing AWS environments. Evident.io's technology focused on continuous monitoring and compliance automation, which helped organizations identify and remediate security vulnerabilities in real-time. This acquisition allowed PANW to strengthen its cloud security offerings within the Prisma Cloud platform, competing against other cloud security and compliance providers such as Dome9 (acquired by Check Point), RedLock (which it also later acquired), and CloudCheckr.
2017:
LightCyber:
Transaction: $105M [announcement]
Category: Behavioral Analytics
HQ: Tel Aviv, Israel
Why Acquired: PANW acquired LightCyber to enhance its capabilities in behavioral analytics and advanced threat detection. LightCyber's technology focused on identifying threats based on anomalous user behavior, allowing organizations to detect and respond to attacks that traditional security measures might miss. This acquisition enabled PANW to offer more comprehensive threat detection across network and endpoint environments, positioning it against competitors like Darktrace, Vectra AI, and Cisco Stealthwatch.
2014:
Cyvera:
Transaction: $200M [announcement]
Category: Endpoint Security
HQ: Tel Aviv, Israel
Why Acquired: PANW acquired Cyvera to strengthen its endpoint security capabilities, focusing on preventing zero-day attacks and advanced threats targeting endpoints like desktops and servers. Cyvera's technology became the foundation for PANW's Traps advanced endpoint protection product. This acquisition allowed PANW to compete more effectively with other endpoint security providers such as Symantec, McAfee, and CrowdStrike, which also offered solutions aimed at protecting endpoints from sophisticated cyber threats.