ServiceNow's $7.75 Billion Armis Deal: What IT Teams Need to Know

ServiceNow has agreed to acquire cybersecurity startup Armis for $7.75 billion, with the deal expected to close in the second half of 2026, according to Reuters. It's one of the largest acquisitions in ServiceNow's history and signals a strategic bet on embedding deeper security intelligence directly into the platform.
ServiceNow has said the acquisition could triple the addressable market for its security and risk business — a significant claim that would reshape how the company's security tools fit into its broader software portfolio.
What Armis Does and Why ServiceNow Wants It
Armis has built its reputation on tracking connected devices without installing software on them. This matters in environments where installing agents — small pieces of monitoring software — is difficult or impossible: factory equipment, medical devices, industrial control systems, IoT sensors, and various unmanaged network endpoints.
The company's core strength is creating a unified inventory of all connected assets in an organization. Instead of IT teams managing one list of computers, another list of factory equipment, and a third list of medical devices — all in separate tools — Armis brings them into a single system. Achieving this "single pane of glass" (a common industry phrase for a unified view) remains an unsolved problem for most large enterprises that operate hybrid environments spanning offices, data centers, and factory floors.
ServiceNow's Strategic Play
ServiceNow has been steadily building out its security and risk capabilities over several years. The company's underlying belief is that managing security is fundamentally a business process problem: detecting threats, prioritizing them, fixing them, and reporting on them are workflows that can be orchestrated at scale, much like ServiceNow already does for IT operations.
What ServiceNow lacks is the raw data layer. Currently, ServiceNow takes security alerts from other companies' tools and stitches them together through integrations of variable reliability. With Armis, ServiceNow would own the source of that data — the actual sensors and intelligence gathering that feed the security workflows.
The claim about tripling the market is worth examining. ServiceNow's current security business largely serves IT operations teams managing traditional computers and cloud systems. Armis operates in different sectors: critical infrastructure operators, industrial manufacturers, and utilities. These customers' primary security need is not ticket management but visibility into devices in air-gapped or semi-connected environments. The directional logic for expanding into these sectors is sound, though tripling the market is an aggressive projection.
The Larger Context
The enterprise security market has been consolidating rapidly. Palo Alto Networks has built a platform spanning threat detection, automation, cloud security, and endpoints. CrowdStrike has expanded from endpoint detection into identity and cloud workload security. Microsoft has bundled security with its dominant productivity and cloud infrastructure offerings.
ServiceNow's competitive angle has always been different. Rather than competing on threat detection, it competes on orchestration — helping security teams execute workflows more efficiently and consistently. The Armis deal reinforces this positioning by ensuring ServiceNow controls a richer data foundation for those workflows.
We have seen this pattern before in enterprise software. When Salesforce acquired MuleSoft in 2018 for $6.5 billion, the strategic logic was similar: own the data plumbing layer rather than depend on third-party connections. The difference here is that ServiceNow is working with security data instead of customer data, but the underlying principle — reducing dependency on external tools and making the platform stickier — follows a familiar playbook.
Challenges Ahead
This is a complex, high-stakes integration. Armis's ability to monitor diverse device types — from factory controllers to medical equipment — will need to fit into ServiceNow's data architecture without losing precision. Making sure a factory PLC, a hospital scanner, and a cloud application all live together in the same unified system is a genuine engineering challenge.
There is also a go-to-market question. Armis has built relationships with operations technology and industrial security specialists — a different buyer community than ServiceNow's traditional IT operations and security operations audiences. Whether ServiceNow can hold onto those relationships through a platform transition is uncertain.
The deal still faces regulatory review. With a close planned for late 2026, there is time for antitrust scrutiny in the US and potentially in Europe, where large technology acquisitions are now receiving closer attention.
What This Means for Organizations Using These Tools
If your organization currently runs both Armis and ServiceNow's security tools, your immediate questions are practical: how will the two products integrate, where will combined features appear first, and what happens to your existing contracts. Teams with long-term Armis deployments — especially in regulated industries where vendor relationships move slowly — will want to push ServiceNow for continuity commitments.
The longer-term prospect, if ServiceNow executes well, is genuinely useful. A single platform for asset visibility and remediation workflows spanning IT, operations technology, and IoT would close a real gap in enterprise security operations. Currently, the journey from discovering that an asset is exposed to actually fixing it often involves spreadsheets, custom scripts, and manual hand-offs between teams. That is friction worth eliminating.
The deal closing is still months away. The real test will be in how ServiceNow integrates Armis and what comes out in the product roadmap afterward. But the strategic intent is clear: ServiceNow is betting that the future of enterprise security depends on owning both the workflows and the underlying data that feeds them.


