By ByteBot
ServiceNow announced its largest acquisition ever on December 23, 2025: $7.75 billion in cash for Israeli cybersecurity startup Armis. This caps off an extraordinary year where ServiceNow spent $11.6 billion on three security acquisitions—Moveworks ($2.85B), Veza ($1B), and now Armis. CEO Bill McDermott explicitly framed this as a response to “AI-fueled cyber risks surge,” claiming the acquisition will create “the only AI control tower” and more than triple ServiceNow’s security market opportunity. The market reacted skeptically: ServiceNow stock dropped 3% on concerns about integration risk and whether the spending spree signals slowing organic growth.
ServiceNow’s $11.6B Security Spending Spree Reveals AI Panic
Spending $11.6 billion on security acquisitions in a single year isn’t business as usual—it’s a bet that existing tools can’t handle AI-era threats. ServiceNow acquired Moveworks for $2.85B (AI-powered IT support, completed December 15), Veza for $1B+ (identity security), and now Armis for $7.75B (cyber exposure management). This represents roughly 5% of ServiceNow’s ~$250B market cap deployed on security in 12 months. CFO Gina Mastantuono had to publicly reassure investors: “We won’t need to do any more M&A in security space.”
McDermott’s language is telling. In a CNBC interview on December 23, he said: “In this AI world, especially with the agents, you’re going to need to protect these enterprises [because] every intrusion is a multimillion-dollar problem.” The explicit “AI-fueled cyber risks surge” framing signals this isn’t about building a platform over time—it’s a reactive response to enterprise fear about AI attack surfaces accelerating faster than security teams can adapt.
The velocity matters more than the size. Three major acquisitions in one year, with the Armis deal nearly 3x larger than ServiceNow’s previous record acquisition, suggests urgency bordering on panic. For developers and security teams, this signals that AI security is now the #1 enterprise priority, driving consolidation at unprecedented speed.
Cyber-Physical Security Goes from Niche to $7.75B Mainstream
Armis specializes in “cyber exposure management” across IT, operational technology (OT), industrial control systems (IoT), and medical devices—the “cyber-physical” attack surface. This isn’t traditional IT security. Armis’s Centrix platform uses agentless monitoring to discover and secure devices that conventional tools miss, like factory floor industrial controllers, hospital MRI machines, and utility SCADA systems where you can’t install security software.
The numbers validate the market: $340M+ annual recurring revenue (50%+ YoY growth), 35% of Fortune 100 companies as customers (including 7 of Fortune 10), and Gartner Leader status in the 2025 Magic Quadrant for Cyber-Physical Systems Protection Platforms. One month before the acquisition, Armis raised $435 million at a $6.1 billion valuation in November 2025. ServiceNow’s $7.75B offer represents a 27% premium in just 30 days.
That premium signals urgency or competition. Either ServiceNow feared losing Armis to another bidder, or the company determined that cyber-physical security is critical enough to warrant paying above-market rates. For developers working in manufacturing, healthcare, or critical infrastructure, this validates what many already knew: securing operational technology is no longer optional. The 27% valuation jump also suggests Armis had leverage—multiple interested buyers or strategic timing after the funding announcement.
The “AI Control Tower” Promise – and Platform Lock-In Risk
McDermott claims ServiceNow will have “the only AI control tower that drives workflow, action and business outcomes across all of these environments.” The vision: Armis detects vulnerabilities across IT/OT/IoT, Veza manages identity and access, Moveworks provides AI-powered support, all integrated into ServiceNow’s workflow platform for automated detection-to-remediation. It’s a compelling pitch—one platform instead of 10+ fragmented security tools generating conflicting alerts.
Analysts warn this forces a shift from “best-of-breed” security tools to an integrated “suite” approach. CIO Magazine put it bluntly: “This could force CISOs away from a best-of-breed strategy and into a classic suite approach, where the individual elements may be merely good enough.” KeyBanc Capital Markets downgraded ServiceNow to “Underweight,” citing concerns that such massive inorganic spending suggests slowing organic growth and integration execution risk.
The trade-off is real for developers and security engineers. Unified platforms reduce tool sprawl and data fragmentation, but “good enough” integrated tools may replace best-in-class specialized solutions. Platform lock-in becomes inevitable as ServiceNow ties identity, exposure management, and workflows together. Expect more consolidation across the industry—independent security vendors will either get acquired or struggle to compete against all-in-one platforms backed by billions in M&A spending.
Integration Risk: Executing Three Massive Acquisitions Simultaneously
ServiceNow’s stock dropped 3% on the acquisition announcement (it had initially plunged 12% when the deal leaked early before official confirmation). The market’s skepticism is warranted. Integrating three massive acquisitions simultaneously—Moveworks, Veza, Armis—is extraordinarily complex. The Armis deal alone is nearly 3x larger than ServiceNow’s previous record acquisition, and ServiceNow held $9.7 billion in cash and equivalents as of Q3 2025, meaning the company is spending more than its cash on hand and taking on debt to finance the M&A spree.
For developers at Armis, Veza, and Moveworks, this means platform migrations, cultural clashes, and potential product roadmap changes. For customers, the phased integration timeline (deal closes H2 2026, integration extends into 2027+) means uncertainty about feature stability, pricing changes, and product direction. If ServiceNow fumbles the integration—and history shows integrating even one large acquisition is difficult—the “AI control tower” vision collapses into expensive tech debt.
Related: CVE Crisis 2025: 46,701 Bugs, 28% Exploited in 24 Hours
Cyber Exposure Management vs Traditional Vulnerability Scanning
Armis’s approach—”cyber exposure management”—differs fundamentally from traditional vulnerability scanning. Traditional tools scan for known CVEs (Common Vulnerabilities and Exposures) and generate massive lists: enterprises routinely face 10,000+ unpatched vulnerabilities. CVE volume doubled from 2021 to 2024 (20,161 → 40,077 annually), and the average time from CVE disclosure to exploit availability is just 6.3 days according to 2025 EPSS data. Traditional periodic scanning can’t keep up.
Armis analyzes how attackers chain together weaknesses—misconfigurations, weak credentials, open ports, unprotected APIs—to model attack paths and prioritize business risk, not just CVSS scores. This continuous, agentless monitoring focuses on what matters most: how adversaries actually compromise systems by exploiting combinations of vulnerabilities that individually might not score high on traditional risk scales.
For security teams and developers, this shift from “scan everything” to “prioritize what attackers will actually exploit” is fundamental. AI-powered attacks will chain together vulnerabilities faster than humans can patch them. Exposure management tools that model attack paths and prioritize business risk become essential. ServiceNow is betting $7.75B that this approach is the future of enterprise security, and the market is forced to respond.
Key Takeaways
- ServiceNow spent $11.6B on security acquisitions in 2025 alone (Moveworks $2.85B, Veza $1B+, Armis $7.75B), signaling AI security as the top enterprise priority and revealing either strategic brilliance or C-suite panic about AI attack surfaces
- Cyber-physical security (OT, IoT, medical devices) is now mainstream, validated by the $7.75B Armis acquisition and 27% valuation premium in just 30 days after Armis’s $435M funding round
- Platform consolidation accelerates across cybersecurity—expect fewer independent best-of-breed tools as integrated suites backed by billions in M&A spending force a shift to “good enough” unified platforms
- Integration execution risk is substantial: ServiceNow must integrate three massive acquisitions simultaneously while spending more than its cash on hand, with market skepticism reflected in a 3% stock drop and KeyBanc downgrade
- Cyber exposure management’s attack path modeling approach (analyzing how weaknesses chain together) replaces traditional vulnerability scanning’s CVE lists—a fundamental shift as CVE volume doubled to 40,077 in 2024 and exploit time averages just 6.3 days
The deal closes H2 2026. Integration execution over the next 18-24 months will reveal whether ServiceNow’s $11.6B AI security bet was strategic foresight or expensive panic buying. For now, the message to the industry is clear: AI attack surfaces are expanding faster than traditional security tools can handle, and enterprises are willing to spend billions—and accept platform lock-in—to consolidate their defenses.
