Palo Alto Networks CEO Nikesh Arora has stressed again and again in interviews with journalists that until seven years ago when he was appointed to the job by CTO and founder Nir Zuk, he knew nothing about cybersecurity. “They made fun of the fact that they appointed a Google veteran who doesn’t understand the field and made him the CEO of a large cybersecurity company,” he said on Wednesday at a press conference hours after announcing the acquisition.
But one business principle that guided him along the way teaches the entire doctrine of the cybersecurity industry: “My method is to take the best company in its field, quickly integrate it into Palo Alto Networks and bring it to market very quickly along with the rest of our products – that’s what I’ve always done. When we bought a browser (Israeli company Talon), no one understood why we did it, but very quickly we saw other companies like Google and Microsoft launch their own secure browser. The same was true in the database field and in the field of command and control centers. I’m not going to spend four years developing a product from scratch now, hoping that it will fit into the market. I’m panicking about AI and we’re already behind in securing artificial intelligence agents.”
Arora understood that the way to succeed in cybersecurity is to acquire the companies that lead the category, preferably when they are still early stage and relatively cheap. It is not always the leading and more expensive company, sometimes it’s possible to settle for number two. This was the case, for example, with Palo Alto’s acquisition of Israeli corporate data security company Dig Security for $400 million (competing with Cyera, which is currently worth $6 billion), and the acquisition of the secure browser company Talon for $458 million (competing with Island, which is currently worth $5 billion). These retained very high-quality teams and generated initial revenue, even if quite small. Until this week, Palo Alto had made nearly 30 acquisitions since 2013, according to the PitchBook database, none of which exceeded the billion dollar mark. Only earlier this month, Globes reported its acquisition of cybersecurity company AI Protect for $700 million, just three years after its founding.
In fact, it seems that CyberArk, a company only 20% the size of Palo Alto Networks, has been much more daring in its acquisitions. Last year, it acquired its major rival Venafi for $1.5 billion.
RELATED ARTICLES
Palo Alto CEO: CyberArk gives us AI identity security
“CyberArk founders were head and shoulders above the rest”
Palo Alto ready to pay to be cyber supermarket
Israel’s biggest ever exit: Google buying Wiz for $32b
Palo Alto Networks will pay $25 billion for CyberArk, the vast bulk of which will be paid in shares. This deal is a kind of “fine” that Nir Zuk’s cybersecurity giant is paying for being late to the field of AI. As technology advances at a dizzying pace, so too are the vulnerabilities and the possibilities of hackers and other cyber attackers.
Palo Alto has taken acquisitions to the extreme
Palo Alto Networks has taken acquisitions to the extreme, but it is not the only major cybersecurity company to do so. US rival CrowdStrike has made no less than 41 acquisitions since 2017 – some of them, like Adaptive Shield and Flow Security, are Israeli company. Veteran cybersecurity company Fortinet has made 37 acquisitions, and Israel’s Check Point has made 26 acquisitions. Even Wiz understood the rules of the game and, just before being acquired by Google in a huge $32 billion deal, it acquired four companies, the largest of which, Gem and Dazz were for a total of almost $800 million.
Not every acquisition by Palo Alto has been successful. It acquired Israeli cybersecurity company Cider Security for the application security field, and after a year, employees were laid off. To date, the field has not really taken off within the company. Palo Alto’s Prism cloud security product is generating sales, but it has hit a glass ceiling and is reportedly being challenged by giants like Wiz, Orca, and CrowdStrike.
Successfully merging companies is no easy task. Cisco acquired companies in Israel like LightSpin and PortShift, which were supposed to be the answer to Wiz, but had difficulty integrating the product into the market. Epsagon, which it acquired for $500 million, had its key employees transferred to develop other products while it became open source. Even if products do not ultimately fit into the market, the employees are easily moved to other development projects.
How do you become a superpower: Check Point v Palo Alto
One fact is undeniable. When it comes to the cybersecurity market, mergers and acquisitions are shaping the industry and changing it from end to end. In 2023, 20 acquisitions were made for more than $200 million, for a total of $43 billion. A year later, the number of deals at the high threshold increased to 30, for a total of over $35 billion. So far in 2025, deals worth $60 billion have already been closed, and that’s without counting Amiram Shahar’s Upwind in talks to be sold for $1 billion.
These acquisitions have contributed to the creation of cybersecurity superpowers – giant companies that serve as a kind of department store where you can find a variety of solutions in one place. “A decade ago, the two largest cybersecurity companies – Palo Alto Networks and Check Point – were at the top of the largest companies in the field with a market value of about $15 billion each,” says Oren Junger, managing partner at the venture capital fund Notable, which invests in cybersecurity and enterprise software companies, including Israeli companies, and has conducted special research on mergers and acquisitions in the field. “Palo Alto began to make more aggressive acquisitions of small players that led their market, and tended to pay hundreds of millions of dollars for companies with single-digit annual revenue growth even in areas that were outside its expertise – corporate network security.
“Check Point, on the other hand, was more conservative, focusing on acquiring less flashy companies and usually paying amounts ranging from tens of millions of dollars, sometimes down to a few hundred thousand. Today, with Palo Alto Networks worth over $115 billion and Check Point worth about $20 billion, it is clear that aggressive acquisitions of companies with prominent entrepreneurs and strong talent was a profitable move, even if it did not seem profitable at first.”
Check Point has acquired 26 companies over the years. It has not yet bought a company for more than $1 billion. One of the acquisitions by the Israeli network security giant could have been CyberArk. In 2016, it was reported that then Check Point CEO Gil Shwed was interested in acquiring CyberArk, which was then worth only $1.7 billion.
Today, the cybersecurity powerhouses are Palo Alto, with a market cap of $115 billion, Crowdstrike with a value of $115 billion, and Fortinet with a value of $71 billion. After losing 15% of its value in one day this week, Check Point is ranked eighth with a value of about $20 billion. “In 2015, the aggregate value of cybersecurity companies was $97 billion, today there are at least two powerhouses that are each traded for over $100 billion,” says Junger. “Strategic acquisitions have become the driving force behind the surge in cybersecurity mergers and acquisitions, which reflects growing confidence in this industry. Between 2022 and 2025, they were responsible for deals worth over $100 billion, even before the CyberArk deal.”
The logic behind the acquisitions is clear: While the industry continues to grow, with an average annual growth rate of 19% in sales, the number of cybersecurity software products used by the average data security manager in a US organization ranges from 70 to 90 and can even reach 135 different products, according to Silicon Angel. Palo Alto has mastered the art of “bundling,” or cybersecurity packages, in which it offers an additional product at a discount to those who already use several of its other products, to save security managers the need to find additional suppliers. Sometimes Palo Alto goes the extra mile and buys an expensive product, such as Expanse for $670 million, and offers it for free to customers just to keep them.
Cybersecurity is driven, of course, by mergers and acquisitions, but there is a drawback: the number of potential buyers is limited, certainly if it is a company worth billions of dollars like CyberArk or Wiz. CyberArk has repeatedly said that it is not for sale, until the right offer comes along. “On the other hand, the funds that invest in cybersecurity are quietly living with the existing model,” says Junger. “Look at what happened with the data protection company market (DSPM), with companies like Dig, Eureka, Polar, Flow – most of them were eventually acquired, even if for smaller amounts. Cybersecurity managers wake up in the morning and ask what they are missing and that’s how new industries are born all the time. This is a dynamic that you don’t see in other fields, like fintech, for example, due to the nature of the market, which is biased towards consumers, rather than purchasing managers in large enterprises.
Are valuations already too inflated?
Israeli cybersecurity proves time and again that it exists separately from the rest of the tech industry, with a different economic logic, as a kind of state within a state. Within six months, two deals from the field have climbed to first and second place on the list of the largest-ever Israeli exits.
The privately-held tech company market – growth companies and startups – proves this point. According to IVC – LeumiTech, fundraising for cybersecurity companies stands out above all others with a total investment of $2.5 billion in the first half of 2025, compared to only $1 billion in fintech companies and $500 million for the growing field of defense-tech. Even the glamorous AI industry is unable to compete with cybersecurity and raised “only” $1.5 billion in the first half of 2025. Although the recovery from the financing crisis of 2022-2023 affects the entire tech industry, cybersecurity crashed less and is growing much faster. The average Series A round funding for a company is $24.5 million in cybersecurity, compared with $12.8 million in insurtech and fintech, and $15.5 million in enterprise software.
The large gap is also reflected in the inflated valuations of cybersecurity companies. According to data from Altshare, which has developed a platform that allows mainly private companies, entrepreneurs and investors to manage their shares, the average value of investment in seed companies in the cybersecurity sector increased from $8 million at the end of 2024 to $12.4 million in the second quarter of 2025 and is expected to reach $13 million by the end of the year. For more mature companies in Series A funding, the valuation of companies in new funding will increase from $50 million at the end of 2023 to $80 million by the end of 2025. The earnings multiple is also relatively high throughout all stages of the companies, with an average of 5.3 compared with 4 in fintech.
Altshare CEO Ronen Solomon explains that cybersecurity companiesw distribute more options as a relative proportion of the company’s total shares – 15% more than in other companies, and that at cybersecurity companies, the rate of companies that have a secondary round (in which entrepreneurs and employees sell shares directly to investors) has doubled since the end of 2023. “In cybersecurity, the team doesn’t come for the salary, because they know they can get upside in options and secondary rounds,” says Solomon.
“You get a premium simply by being Israeli” “The cybersecurity market is currently in its golden age for a variety of reasons: the proliferation of solutions from various fields, the rise of AI that is deterring many players, and also the increase in defense budgets among countries around the world,” Adv. Guy Lachmann, partner and co-head of the IL high-tech practice group at Pearl Cohen, tells Globes. “Within this market, Israel has been considered a global leader for several years and Israeli companies are generally at the forefront of various branches within cybersecurity. They are also less sensitive to the political risks that other Israeli technology companies experience and here there is a premium you receive simply by being Israeli. However, this market is conducted almost separately from other markets with its own strategic buyers, regular serial entrepreneurs and a few investors who understand and are well-connected in it.”
The big entrepreneurs invest in each other
In Israel, for example, most investments in cybersecurity are concentrated in the hands of a small number of funds: Gili Raanan’s Cyberstarts – the fund behind successes such as Wiz and Cyera, alongside Team8, Picture Capital, Glilot Capital, Yoav Leitersdorf’s YL and Natan Shohami’s Hyperwise. Serial entrepreneurs, such as Shlomo Kramer, Assaf Rapaport, Yevgeny Dibrov, Nir Zuk, Mickey Bodai and Amichai Shulman, invest in each other and create a highly concentrated fabric in the industry. Foreign venture capital giants such as Sequoia, Greylock, Index and Insight have identified the niche and are currently leading some of the seed rounds in the field, creating another problem – Israeli entrepreneurs who do not have even one Israeli investor on the board of directors, a problem that could lead to losing their way in the early stages.
Lachmann says, “The celebration of exits in cybersecurity creates a kind of effect that pushes more and more entrepreneurs into cybersecurity, which may create a greater challenge down the road. Because when a giant like Palo Alto arrives and acquires a giant like CyberArk, it means that the other companies active in the same market (identity management) will receive smaller acquisition offers, if any. In addition, this may lead to degeneration in other technology areas – every golden age reaches a certain saturation point.”
Published by Globes, Israel business news – en.globes.co.il – on August 3, 2025.
© Copyright of Globes Publisher Itonut (1983) Ltd., 2025.
