ServiceNow on Tuesday announced that it would buy cybersecurity vendor Armis for $7.75 billion in cash. This builds on its December purchase of identity security vendor Vezas, and the closing of its acquisition of AI vendor Moveworks.
Analysts and cybersecurity practitioners mostly applauded the move, but cautioned that this could force CIOs and CISOs away from a best-of-breed strategy and into a classic suite approach, where the individual elements may be merely good enough.
“This is an extension of what we have been seeing at the ERP application layer,” said Scott Bickley, an advisory fellow at the Info-Tech Research Group. “ServiceNow is basically saying ‘We don’t want to be a point solution. We want to be the platform by which you coordinate and solve all of your problems.’”
Bickley noted that this trend has been ongoing for a few years, with many of the largest vendors trying to offer suites that deliver everything. “Microsoft was the initial poster child of this,” he said. “They are going to start to embed [AI and cybersecurity] capabilities into their suites and bundles, where you don’t necessarily have an opt-out solution. You will get ‘maybe good enough’ versus best of breed.”
But looking at ServiceNow’s two other recent acquisitions, Vezas and Moveworks, could suggest parallel strategies. “ServiceNow has hedged their bets without saying that they are hedging their bets,” Bickley said.
Pablo Stern, EVP and general manager of tech workflow products at ServiceNow, confirmed in an interview that the Armis acquisition is the largest in ServiceNow’s history. He added that the companies have been partnering “for well more than two years.”
ServiceNow’s statement about the Armis deal described the two firms as creating “a unified, end-to-end security exposure and operations stack that can see, decide, and act across the entire technology footprint.” It said that it expects to fund the transaction through a combination of cash on hand and debt. The deal is expected to close in the second half of 2026, subject, as always, to regulatory approvals and closing conditions.
Pressure from Agentic AI
The statement quoted ServiceNow COO Amit Zavery suggesting that agentic developments are a key part of the strategy.
“In the agentic AI era, intelligent trust and governance that span any cloud, any asset, any AI system, and any device are non-negotiable if companies want to scale AI for the long-term,” Zavery said in the announcement. “Together with Armis, we will deliver an industry-defining strategic cybersecurity shield for real-time, end-to-end proactive protection across all technology estates. Modern cyber risk doesn’t stay neatly confined to a single silo, and with security built into the ServiceNow AI Platform, neither will we.”
The soaring popularity of autonomous agents that figure out on their own how to perform various tasks has concerned many cybersecurity executives, as the risk of security holes created by enterprise agentic trials is becoming clear.
Most cybersecurity practitioners saw the move as the latest indicator that CIOs and CISOs must rethink how they do their jobs, given how AI is forcing changes in data management and data leakage.
Visibility is the key
“For decades, the CIO’s white whale has been a precise, real-time Configuration Management Database [CMDB]. Most are outdated the moment they are populated,” said Whisper Security CEO Kaveh Ranjbar. The Armis acquisition “is an admission that in an era of IoT, OT, and edge computing, you cannot rely on manual entry or standard agents anymore. The system of action needs to own the system of record for the unmanaged world. For CIOs, this signals that automated, continuous discovery is now the only acceptable standard for IT asset management. You can’t automate workflows on assets you don’t know exist.”
The lesson, Ranjbar said, is different for the CISO. “CISOs have historically suffered from the swivel-chair problem: one screen shows the vulnerability and another screen is needed to patch it. This deal collapses that gap. It validates that visibility is the new perimeter. As OT and IT converge, the attack surface has become too complex for fragmented tools. CISOs should view this as a mandate to consolidate their visibility stacks.”
Sanchit Vir Gogia, the chief analyst at Greyhound Research, agreed that this acquisition will likely accelerate IT and security structural changes.
“This acquisition represents a fundamental repositioning of ServiceNow from a coordination layer into an operational authority. Buying Armis is not about expanding a security portfolio. It is about owning the upstream constraint that determines whether modern enterprises can govern complexity at all,” Gogia said. But without knowing what is connected across IT, OT, IoT, and other physical environments, “workflow automation, AI governance, and risk prioritization all collapse into theatre,” he observed, adding that the deal could remove long standing fragmentation between discovery tools, CMDBs, service mapping, ticketing, change management, and remediation. “If executed well, it could finally address one of the enterprise’s most persistent failures,” he said.
Gogia added, “continuous discovery tied to business context has the potential to turn the CMDB from a negotiated artefact into a living system. That would change how incidents are resolved, how changes are governed, how audits are passed, and how accountability is assigned.”
Reveals architectural debt
Given that the deal is not expected to be closed until next summer, executives should temper their timeline expectations.
The 2026 second half closing date “implies a prolonged transition period where integration depth, roadmap clarity, and packaging decisions will evolve. CIOs should plan for ambiguity, not assume instant unification. Early value will come from visibility, [therefore] full platform value will take time,” Gogia said.
Another consultant, Yvette Schmitter, CEO of the Fusion Collective consulting firm, said the deal is sitting atop years of bad enterprise IT strategy.
“This acquisition exposes more than ServiceNow’s strategy. It reveals the architectural debt hiding in every enterprise security stack that CIOs have been promising to address ‘next quarter’ for the past three years,” Schmitter said. “ServiceNow just signaled that platform plays will dominate over point solutions, and they’re willing to fund it with debt to move quickly while enterprises are still running budget committee meetings about tool sprawl.”
She observed, “the valuation for Armis tells you the market assigns premium multiples to cyber-physical capabilities spanning IT, OT, and medical devices. Translation: that patchwork of legacy security tools you’ve been defending as ‘best of breed’ just became technical debt you can’t explain to the board. CIOs need to audit their current security tool sprawl and map total cost of ownership before vendors make that case for them with renewal pricing that reflects your lack of alternatives.”
The question, she said, “is no longer whether to consolidate, but whether your organization controls the timing and terms of that consolidation.”
Cybersecurity consultant Brian Levine, a former federal prosecutor who today serves as executive director of FormerGov, said that Armis executives were evaluating going public before they decided to accept the ServiceNow offer.
“For Armis, skipping the IPO and joining ServiceNow is a signal that the market for standalone device‑security platforms is consolidating fast, and scale wins,” Levine said. “The line between workflow, risk, and security is disappearing, and ServiceNow wants to own the convergence point.”
Aaron Painter, CEO of authentication vendor Nametag, added that part of the IT confusion is that product names no longer mean what they once meant.
“Many of the workflows ServiceNow already automates are now security workflows, even if they’re still labeled as operations. Onboarding and offboarding, incident response, asset exceptions, vendor access, and change management all involve decisions that directly shape security outcomes,” Painter said. “Looked at alongside ServiceNow’s earlier acquisition of Veza, the strategy becomes clearer: ServiceNow is trying to connect asset visibility with identity and access intelligence, so the platform understands not just what devices exist, but who has access, why they have it, and whether that trust still makes sense over time.”
This article originally appeared on CIO.com.