The Attack Surface Which Has Become a Major IT Deal Driver

The newly-published IT & Business Services M&A market report from Hampleton Partners has revealed the most important trends influencing acquisitions and investments in the sector right now. Among them is cybersecurity, which the report describes as “one of the major M&A momentum makers, with identity and observability emerging as core platform pillars.”

Identity is the new frontline in cybersecurity, with rapid cloud adoption, the normalisation of remote working, and the proliferation of complex tech stacks across user devices resulting in the dissolution of traditional network perimeters. The development of this new digital environment has led cybercriminals and state-backed hackers to pivot from exploiting infrastructure vulnerabilities and deploying brute-force attacks on firewalls, to targeting identity authentication flows. In other words, logging in rather than breaking in.

Of course, bad actors have long been attempting to breach organisations in this way, giving rise to the “zero trust” cybersecurity philosophy and its mantra “never trust, always verify”. But this attack surface has now become critical as AI enables unprecedentedly sophisticated phishing and deepfake intrusions, and fragmented cloud-based networks provide numerous access points for hackers to target. 

The new paradigm requires organisations to effectively treat every human and machine identity as a perimeter in their own right. This awareness is driving consolidation in the IT & Business Services space as companies pursue the kinds of identity security tools which are vital for the zero trust era. Let’s look at some of the landmark deals which have exemplified this trend.

One active consolidator is Palo Alto Networks, the cybersecurity giant known for its advanced firewall and cloud security products. It recently closed the biggest deal in its history: the mammoth USD 25b takeover of CyberArk, spurred by Palo Alto’s belief that “identity security has become foundational to protecting the modern enterprise”.

One of the leading identity security specialists, CyberArk has developed real-time access management tools which leverage adaptive multi-factor authentication and user behaviour analytics to continuously verify the legitimacy of the workforce and secure privileged credentials. Crucially, the platform also enables the management and verification of AI agents, so that organisations can keep close track of what agents are doing, and what they’re allowed to access, across cloud and SaaS environments. This was a key consideration for Palo Alto, whose CEO noted that “the emerging wave of AI agents will require us to secure every identity – human, machine and agent.”

The need to secure AI agents was also part of the rationale for another milestone in Palo Alto’s consolidation strategy: the recently announced purchase of Koi, a year-old startup which it is snapping up for USD 400m. Prior to the deal, Palto Alto had itself been a client of Koi, whose platform enables the monitoring of the agentic endpoint – the layer of browser-based agents, coding assistants and other machine identities on employee devices which constitute what Palto Alto’s boss describes as a “significant unmanaged attack surface”.

Koi’s capabilities, which encompasses the verification of agents across devices, will be integrated with Palo Alto’s AI security platform Prisma AIRS – a move underscoring how AI agent governance is now a critical component of endpoint security considerations. 

Palo Alto’s great rival in the cybersecurity space, CrowdStrike, has also leveraged M&A to enhance its identity security prowess, recently announcing its USD 740m acquisition of SGNL. The deal, described by CrowdStrike’s CEO as a “massive opportunity for us to disrupt the identity market”, will give it access to the startup’s expansive suite, including tools for managing and revoking privileged session access, allowing real-time authorisation of AI agents, and monitoring access to code repositories.

The transaction, which will see SGNL’s technology bolster CrowdStrike’s Falcon cybersecurity platform, is another signal of the transition to what has been dubbed “Continuous Identity”. This is described in cybersecurity journal SCWorld as a new approach which considers identity as a “constantly evaluated state” rather than a static claim, enabling “real-time session revocation, responsive access changes, and tighter alignment with zero trust principles”. 

ServiceNow, one of the biggest cloud computing platforms for business IT workflows, is another tech behemoth staking its claim on the identity security space. In December, it announced its acquisition of Veza, a platform which enables visualisation and management of identities – both human and machine – across cloud and on-prem platforms, SaaS applications and databases.

The USD 1b deal strengthens ServiceNow’s already lucrative cybersecurity portfolio by allowing it to integrate Veza’s Access Graph, its flagship tool which maps out identities and permissions. It also may give it a competitive edge over perennial rivals like Microsoft, Oracle and Salesforce, which as an industry analyst recently noted in Forbes, have yet to acquire “a standalone, authorization-centric identity platform specifically designed for non-human identity governance”.

Are you a founder or senior executive in the cybersecurity or any other IT & Business Services segment? Reach out to Konstantin Kastius, managing director at Hampleton Partners and one of the authors of our new report on the sector, to discuss your fundraising or exit goals.

Don’t forget to read our full IT & Business Services report, along with our other M&A market reports covering trends, transaction data and pivotal deals across a spectrum of tech sectors including Artificial Intelligence, Autotech & Mobility, and Enterprise Software. These are published twice-yearly, so subscribe now to ensure you’re automatically notified when they’re ready to read.