Through the Lens - Cybersecurity
Is Cyber the Next Leg Up for IaaS?
Cyber is a tricky business.
Over the last decade, cyber powerhouse Palo Alto Networks (NASDAQ:PANW) has pursued an acquisition strategy that is best understood not as opportunistic deal-making, but as deliberate construction of an ecosystem. Rather than relying solely on internal R&D to extend its product line, the company consistently used acquisitions to assemble a portfolio of cybersecurity software applications that integrate tightly with its core firewall and network security platforms.
In doing so, Palo Alto Networks brought not only new technologies into the firm, but also engineering talent, operating cultures, and a network of many of the most influential executives in the industry. With this comes established customer relationships that accelerated its evolution from a firewall company into a broad, subscription-driven cybersecurity platform.
Let’s Get the Relevant Jargon Out of the Way First
“Hyperscalers” — Alphabet, Amazon, Meta, Microsoft and Oracle.
“Platformization” — The strategic transition from managing a fragmented toolbox of individual, single-purpose software applications (point solutions) to adopting a unified, integrated platform that serves as a central, foundational hub.
“Agentic AI” — An artificial intelligence application that runs and is optimized to run alongside the specific application you’re using or is implemented in your compute framework. Agent AI acts as a “digital worker” or “colleague”.
“Observability” — A well-established category of cybersecurity applications that can find a live threat, then make it visible to network engineers and automated systems, allowing the ability to trace the bad actor even if its form morphs while inside the network.
“Identity Security” — In early days, cybersecurity applications were applied to machines, endpoints and servers. Lately, identity means machines, users and AI agents that operate inside the network firewall regardless of where the function is located in the stack.
“SaaS” — Software as a Service. A cloud-based software application that you don’t buy. It’s a subscription with the vendor with no compute ownership. Like subscribing to Hulu or Peacock on your TV except (this is a metaphor) it’s a software application, not streaming content. ChatGPT is a SaaS application.
“IaaS” — Infrastructure as a Service. A vendor controls your total compute experience, end-to-end, and owns all the underlying components of modern cloud networks: fiber circuits, data centers, submarine cable, network operations, and racks of equipment hosting data and software applications. In the 1990’s we would have called these ISP’s - “Internet Service Providers”.
Over a Decade of Tuck-In Acquisitions
There’s an inflection point, beginning in the last twelve months, where PANW ‘went big’ and completed the acquisition of Chronosphere, a next generation Observability platform for $3.35B. A recent asset sale prior to Chronosphere made by IBM to PANW bolstered the customer portfolio in that space. Then CyberArk (NASDAQ:CYBR) was announced, completed on February 11, 2026 for $25B, two months ahead of initial guidance. The latter is financed with cash and PANW stock. They inked the deal to bolster their Identity Security platform in a world where the AI threats escalate almost daily, and fringe networks are increasingly vulnerable. Like desktop applications, security platforms need AI Agents.
These are blockbuster deals compared with their acquisition history. Picking up CYBR for $25B is already an order of magnitude bigger than the Chronosphere deal at $3.35 billion. And the Chronosphere deal was already an order of magnitude bigger than PANW’s deal size over the past decade, $400m on average. These tuck-ins, privately funded, were successful exits for the VC-financed cyber community.
Modern network security is broadly considered an ecosystem, and it represents a fundamental shift from fragmented security apps. This results, in a maturing industry, to an integrated platform of cybersecurity solutions. Don’t exclude the “people factor”, the engineers who are building the ecosystem and the management teams with deep ties across the cloistered cybersecurity community. It’s a relatively modest niche in the business of Information Technology where management know each other and/or worked together at times along their career path.
The Notion of Acquisitions to Build an Ecosystem
But is this about growth or defensive posturing facing the Hyperscalers? Is PANW scaling by choice – or by necessity? Not sure, but probably both. Let’s use PANW as a proxy for cyber applications that Hyperscalers might want to buy. PANW is buying Chronosphere and CyberArk, at much higher consideration than the average of the deals they’ve done in more than the last ten years. It indicates they decided to add larger, horizontal acquisitions before a Microsoft or Google decide to spend their cash and beat them to it, such as buying Check Point or Fortinet for example. This ultimately would make a big cyber company part of the developing Infrastructure as a Service (IaaS) model for Hyperscalers.
Palo Alto Networks’ early success was anchored in next-generation firewall technology, but the company’s leadership recognized early that network security alone would not remain a sufficient control point in enterprise IT environments. As workloads migrated to the cloud, applications became distributed, and “Identity” replaced physical location as the primary security flash point. Identity can be a human, a machine, a database application, and lately some AI Agent running on networks live on the network. The firm faced a strategic choice: remain a best-in-class firewall vendor or expand into a broader security platform that accommodates Identity threats.
The acquisition path Palo Alto Networks chose suggests a clear answer. Rather than attempting to build every adjacent capability organically, the company found emerging cybersecurity niches and selectively acquired companies that were already credible players with a narrowly defined cyber solution. These acquisitions were rarely about scale. A catalog of the companies PANW acquired and solutions they served are in Table 1.
In the late 1990’s and early 2000’s, specialized cyber software applications lived on separate physical or virtual servers whose code and operations swirled around the native functions of the firewall. This created silos where data was redundant between apps and soon became a management nightmare. The modern firewall ecosystem consolidates this collection of standalone applications into a single, high-performance software platform that runs in conjunction with the hardware and monitors/protects all of these data assets.
In 2018, New Edge Analytics published a group of articles about PANW as a proxy for the industry simply because of their firewall legacy. The tuck-in acquisitions PANW was making then are better called “vertical integration” now by M&A analysts, and for PANW this fits a recognizable pattern; deals ranging in size from $150m to $700m.
These were classic tuck-ins: small enough not to strain the balance sheet, but large enough to materially advance the firm’s technical roadmap. In economic terms, these deals increase control over the entire security stack and raise revenue through cross-selling. This creates a value chain and reduces time-to-market with new features, rather than requiring time spent on R&D and internal coding.
| Year | Company | Deal Size | Core Capability | Headquarters |
|---|---|---|---|---|
| Tuck-In Acquisitions (2015–2024) | ||||
| 2015 | Cyvera | $200M | Endpoint Security | Tel Aviv, Israel |
| 2016 | LightCyber | $100M | Behavioral Analytics | Herzliya, Israel |
| 2017 | Evident.io | $300M | Cloud Security Posture | San Mateo, USA |
| 2018 | RedLock | $173M | Cloud Compliance | Tel Aviv, Israel |
| 2019 | Twistlock | $410M | Container Security | Herzliya, Israel |
| 2019 | Demisto | $560M | SOAR Automation | Tel Aviv, Israel |
| 2019 | PureSec | $50M | Serverless Security | Tel Aviv, Israel |
| 2019 | Zingbox | $75M | IoT Security | San Jose, USA |
| 2019 | Aporeto | $150M | Workload Identity | San Jose, USA |
| 2020 | CloudGenix | $420M | SD-WAN / SASE | San Jose, USA |
| 2020 | Crypsis Group | $265M | Incident Response | McLean, USA |
| 2020 | Expanse | $670M | Attack Surface Mgmt | San Francisco, USA |
| 2021 | Bridgecrew | $156M | DevSecOps | Tel Aviv, Israel |
| 2022 | Cider Security | $195M | Application Security | Tel Aviv, Israel |
| 2023 | Dig Security | $350M | Data Security | Tel Aviv, Israel |
| 2023 | Talon Cyber Security | $625M | Secure Browser | Tel Aviv, Israel |
| 2024 | Protect AI | $675M | AI Model Security | Seattle, USA |
| Recent Additions Affecting Capital Structure (2024–2026) | ||||
| 2024 | IBM QRadar SaaS Assets | $1.14B | SIEM Expansion | Global |
| 2026 | Chronosphere | $3.35B | Cloud Observability | San Mateo, USA |
| 2026 | CyberArk | $25B | Identity Security | Petah Tikva, Israel |
Executive Pedigree, and Quality of Earnings
An underappreciated dimension of Palo Alto Networks’ acquisition strategy, in terms of the companies acquired, is the consistent presence of senior executives, both within PANW and among acquired companies, who trace their professional careers to the Israeli Army’s intelligence community, particularly Unit 8200. This pedigree is not relevant as a matter of geopolitics or covert activity. Its importance lies in how it shapes strategic priorities, authenticates customer credibility, and fosters peer communication to line up government contracts – which are a more stable sales pipeline than experienced with commercial customers.
At the center of this lineage is PANW founder Nir Zuk, who served in Unit 8200 prior to founding the company in 2005 and, at the time of the 2018 NEA publications, was Chief Technology Officer and a board member (a role he continues to hold). His background established early cultural norms around PANW’s signals intelligence work, and implementation of large-scale systems engineering projects.
| Executive | Company | Role | InfoSec Background | Acquisition Year | Current / Subsequent Role |
|---|---|---|---|---|---|
| Nir Zuk | Palo Alto Networks | Founder; CTO (2018); Board Member | Unit 8200 (SIGINT) | N/A | Board Member |
| Assaf Rappaport | Cyvera | Co-founder / CEO | Unit 8200 | 2015 | Former PANW exec; Founder of Wiz |
| Lior Div | Cyvera | Co-founder / President | Unit 8200 | 2015 | Former PANW exec; Founder of Wiz |
| Adi Dar | Cyvera | Co-founder | Unit 8200 | 2015 | Former PANW engineering leadership |
| Nir Gaist | LightCyber | Co-founder / CTO | Unit 8200 | 2016 | Former PANW analytics leadership |
| Idan Tendler | Bridgecrew | Co-founder / CEO | Unit 8200 | 2021 | Senior leader, PANW AppSec |
| Daniel Krivilevich | Cider Security | Co-founder / CTO | Unit 8200 | 2022 | Senior technical leader, PANW AppSec |
| Dan Benjamin | Dig Security | Co-founder / CEO | Unit 8200 | 2023 | Senior leader, PANW Data Security |
| Ofer Ben-Noon | Talon Cyber Security | Co-founder / CEO | Unit 8200 | 2023 | Senior leader, PANW Endpoint |
The US intelligence community equivalent of Unit 8200 owning the SIGINT charter is the National Security Agency, but NSA is much larger. PANW works here too. Government contracts – particularly in the US defense and intelligence agencies – tend to be longer-term, budgeted years in advance, and less sensitive to short-term IT spending cycles. It’s public knowledge that the US is a political and military ally with Israel. It’s easy to rationalize that PANW has predictable cash flow from government contracts which improve what we call earnings quality.
From an equity analysis perspective, this distinction is material. Revenue streams with lower volatility support more durable growth projections in discounted cash-flow models and ultimately lead to higher valuations – an advantage (better terms) when financing acquisitions. When viewed through this lens, PANW’s pattern of integrating executives with Unit 8200 pedigree is not incidental. It’s an intentional complement to the firm’s acquisition-driven expansion across both government and commercial cybersecurity markets.
The Other Side of the Inflection Point
For nearly a decade, Palo Alto Networks deployed capital in increments measured in hundreds of millions of dollars. The objective was consistent: acquire specific capabilities, integrate them into the platform, and expand depth across the cybersecurity stack. Beginning in 2024, that pattern changed. Transactions moved from feature acquisition to capitalization strategies. The difference is not merely scale. It reflects a shift in corporate posture.
The acquisition of IBM’s QRadar SaaS assets marked the first signal of that transition. This was not a narrow technology addition. It expanded distribution and brought an installed enterprise base into the PANW Cortex ecosystem – their brand of AI-driven, cloud-native security operations. Chronosphere extended that logic into Observability, increasing telemetry depth and positioning PANW closer to infrastructure-level visibility. CyberArk moved further still, adding Identity Security at enterprise scale after closing on February 11, 2026. Identity Security is the buzz of this deal. Unlike earlier tuck-ins, CYBR required capital deployment including the use of equity. That alone signals structural change for Palo Alto. All of the prior deals were done in cash.
Figure 1. Cumulative acquisition spend, 2015–2026
Capital deployment is steady through 2024, then steps up sharply in 2026 with Chronosphere and CyberArk.
The cumulative investment curve illustrates the break. Capital deployment was steady through 2024. Beginning in 2025 and into 2026, the curve turns sharply upward. The competitive landscape provides context. Hyperscalers control IaaS and increasingly embed security within compute environments. As AI workloads expand, Observability and Identity Security sit adjacent to core infrastructure. A large acquisition by a Hyperscaler in these domains would reshape competitive positioning. Scaling now reduces the probability that PANW remains confined to its historical perimeter, they have a seat at the table in other words.
This is not a departure from prior discipline. It is the logical extension of a decade spent building platform depth. The difference is that depth alone is no longer sufficient. Capital scale, distribution breadth, and balance sheet flexibility now matter. The inflection point represents maturity, not abandonment of strategy, but it introduces a new phase in which capitalization becomes as important as integration.
Through the Lens of New Edge Analytics
Is cyber really a tricky business? Well, there still is a great deal of fragmentation, some consolidation, and a lot of moving parts. And the fear of losing control of your destiny in the cyber market to a Hyperscaler isn’t entirely unfounded. In December 2025, PANW announced the intent to spend $10B in partnership with Google to migrate key internal workloads to Google Cloud. The companies said the deal is an expansion of their existing strategic partnership and will deepen their engineering collaboration. Palo Alto Networks is now using Google’s Gemini AI models to power its copilots, and it is also using Google Cloud’s Vertex AI platform.
Vertical deals optimize what PANW can sell. CyberArk and Chronosphere are horizontal integrations. Horizontal deals expand who PANW can sell to. These deals add large groups of new customers and substantially more Annual Recurring Revenue. It stabilizes cash flow. This immediately expands market share in the whole of the cybersecurity industry. The resulting aspect, scaling the platform through sheer growth in the number of customers, creates the opportunity to deploy PANW’s vertically integrated ecosystem across a much broader customer base by cross-selling in both government and commercial markets.
PANW began to pursue horizontal expansion only after it had a sufficiently deep, internally integrated platform to monetize effectively. And the ferocious adoption of AI solutions is impacting the cybersecurity industry as a whole creating a race to be a market leader.
Finally, and not to be overlooked, PANW has a history of bringing industry leaders along with the tuck-in acquisitions, and by way of that, their relationships with senior executives in the industry – simply meaning they know the space. And with that pedigree, a depth of professional relationships across the customer base and industry peers.
Taken together, the progression to larger mega deals paid for with stock suggests strategic maturity rather than strategic drift (a loss of focus) and that’s a reasonable justification to do the deals. PANW first invested in building depth – owning the technical primitives of modern cybersecurity – before committing capital to expand breadth, adding companies who already have a large and mature customer base. A motive force that’s likely to continue for them.
Copyright © 2026 New Edge Analytics. All rights reserved.
