ServiceNow has agreed to acquire cybersecurity startup Armis for $7.75 billion, with the transaction expected to close in the second half of 2026, according to Reuters. The deal is one of the largest acquisitions in ServiceNow's history and marks a decisive move to embed asset intelligence and exposure management directly into its platform.

ServiceNow has said it expects the acquisition to triple the total addressable market for its security and risk business — a projection that, if accurate, would reframe the company's security portfolio from a workflow-management adjunct into a primary competitive surface.

What Armis Brings to the Table

Armis has built its reputation on agentless device visibility and asset intelligence, particularly in environments where traditional endpoint agents cannot be deployed: operational technology (OT), industrial control systems (ICS), IoT, medical devices, and unmanaged network endpoints. The company's platform ingests telemetry from connected assets, builds behavioral baselines, and surfaces exposure and risk posture without requiring software installation on the monitored device — a meaningful architectural distinction in environments where patching cycles are measured in years, not weeks.

The core value proposition Armis offers is a unified asset inventory that spans IT, OT, and IoT in a single data model. For enterprises running hybrid environments — and that is essentially every large enterprise at this point — stitching together visibility across managed endpoints, cloud workloads, building management systems, and factory-floor PLCs from a single pane has remained a persistent, largely unsolved operational problem. Armis's approach to this problem is what made the company attractive; its reported customer base spans critical infrastructure, healthcare, manufacturing, and financial services.

ServiceNow's Strategic Logic

ServiceNow has been systematically expanding its security and risk surface for several years, layering Security Operations (SecOps), Vulnerability Response, and Risk Management capabilities onto its core IT Service Management (ITSM) platform. The underlying thesis is that security workflows — detecting, triaging, remediating, and reporting on threats — are fundamentally business process problems, and ServiceNow's strength is orchestrating business processes at scale across the enterprise.

Armis adds a dimension ServiceNow has not previously owned: the telemetry and intelligence layer that feeds those workflows. Rather than ingesting alerts from third-party asset management or network monitoring tools and relying on integrations of variable quality, ServiceNow would own the data origin. That vertical integration — from raw device telemetry through risk scoring to remediation workflow — is a meaningful architectural shift for the platform.

The TAM expansion claim is worth examining carefully. ServiceNow's security and risk business today is largely tied to ITSM-adjacent use cases: vulnerability triage, compliance automation, incident response workflow. Armis's presence in OT and ICS environments opens sectors — critical infrastructure operators, industrial manufacturers, utilities — where ServiceNow has had limited penetration, because those customers' primary security problem is not ticket management but asset visibility and exposure in air-gapped or semi-connected environments. Tripling the TAM is an aggressive projection, but the directional logic is sound.

Competitive Context

The enterprise security market has been consolidating aggressively. Palo Alto Networks has pursued a platformization strategy, acquiring or building capabilities across SIEM, SOAR, cloud security, and endpoint. CrowdStrike has extended from endpoint detection into identity, cloud workload protection, and threat intelligence. Microsoft has made security a bundled enterprise lever, tying its Defender and Sentinel stack to its dominant position in productivity and cloud infrastructure.

ServiceNow's angle has always been differentiated from pure-play security vendors: it is not competing on threat detection efficacy so much as on workflow orchestration and business process integration. The Armis deal does not change that positioning — it deepens it by ensuring ServiceNow controls a richer, more authoritative data substrate for the workflows it already runs.

We have seen this architectural play before, in a different context. When Salesforce acquired MuleSoft in 2018 for $6.5 billion, the strategic logic was similar: rather than depend on integrations that connected CRM workflows to external data, own the integration layer and make the platform stickier by becoming the authoritative data hub. The analogy is imperfect — security telemetry and enterprise integration are distinct domains — but the pattern of a workflow platform acquiring a foundational data layer to reduce dependency on third-party connectors and deepen lock-in is a recurring one in enterprise software.

Integration Risks and Open Questions

A $7.75 billion acquisition of this complexity carries material execution risk. Armis's agentless architecture and its OT/IoT-specific data models will need to be integrated into ServiceNow's Common Service Data Model (CSDM) in a way that preserves the fidelity that made Armis compelling in the first place. Data normalization across heterogeneous asset classes — where a PLC, a CT scanner, and a cloud-native microservice all need to coexist in the same inventory — is a non-trivial engineering problem.

There is also the question of go-to-market alignment. Armis has cultivated relationships with OT and ICS security practitioners, a buyer persona that sits outside ServiceNow's traditional ITSM and SecOps buyer community. Whether ServiceNow can retain and extend those relationships through a platform transition, or whether it risks channel disruption, will be one of the more consequential integration variables to watch.

Regulatory clearance is another open variable. The deal is scheduled to close in the second half of 2026, which leaves a meaningful window for antitrust review in the US and potentially in the EU, where scrutiny of large enterprise technology acquisitions has intensified.

What This Means for Enterprise Security Buyers

For organizations currently running Armis alongside ServiceNow SecOps, the near-term practical question is roadmap clarity: which integrations get prioritized, where does the combined product surface appear, and what happens to existing Armis commercial agreements as the deal closes. Enterprises with long-term Armis deployments — particularly in regulated industries where procurement and vendor risk cycles are slow — will want contractual continuity commitments.

Longer term, if ServiceNow executes well, the prospect of a genuinely unified asset intelligence and workflow platform — spanning IT, OT, and IoT from inventory through remediation — would address one of the more durable friction points in enterprise security operations. The gap between knowing an asset is exposed and being able to act on that exposure through a governed, auditable workflow has historically been bridged by spreadsheets, custom integrations, and manual hand-offs. That is a gap worth closing.

The deal's closing is still months away, and the real measure of its value will be in the integration and the product roadmap that follows. But the strategic intent is clear: ServiceNow is placing a large, deliberate bet that the future of enterprise security operations is inseparable from the broader workflow and business process platform — and that owning the telemetry layer is the mechanism that makes that bet defensible.