- ServiceNow completed its $7.75 billion acquisition of Armis Security on April 21, 2026, one of the largest enterprise cybersecurity deals on record.
- Armis provides agentless device discovery and classification across IoT, OT, IT, and cloud environments without requiring software agents on monitored endpoints.
- The deal values Armis at more than twice its $3.4 billion private market valuation from a 2022 funding round.
- ServiceNow gains real-time device intelligence as a data source for its AI-powered Now platform workflow automation engine.
What Happened
ServiceNow formally closed its $7.75 billion acquisition of Armis Security on April 21, 2026, absorbing a cybersecurity firm that has built one of the more widely deployed agentless asset intelligence platforms in enterprise environments. Armis was founded in 2015 by CEO Yevgeny Dibrov and CTO Nadir Izrael, who developed the platform initially to address the visibility gap created by unmanaged IoT devices connecting to corporate networks. In a statement released at close, McDermott described the acquisition as giving ServiceNow “the eyes to see every asset across the enterprise,” positioning device intelligence as foundational to the company’s AI-driven security workflow strategy.
Why It Matters
Enterprise platform vendors have moved aggressively to own the full detection-to-remediation loop in security operations, reducing reliance on point products that require manual handoffs between tools. ServiceNow’s existing Now platform already automates IT service workflows; the Armis capability adds the real-time device-level data layer needed to trigger those workflows from security events rather than only from human-initiated tickets. The deal follows Cisco’s $28 billion acquisition of Splunk, which closed in March 2024, and Palo Alto Networks’ purchase of IBM’s QRadar SaaS business the same year—a broader consolidation pattern in which ITSM and SIEM functionality converge on a small number of platform vendors.
Technical Details
Armis’s platform operates through passive network traffic analysis, meaning it identifies and classifies connected devices by observing traffic patterns rather than deploying software agents on the endpoints themselves. This agentless architecture is a material advantage in operational technology and industrial control system environments, where installing agents on programmable logic controllers or medical devices is frequently impractical or prohibited by vendor support terms. Armis’s device intelligence database, built from behavioral telemetry across its customer base, covers device profiles across more than 40 vertical categories including manufacturing, healthcare, utilities, and financial services. The integration path into ServiceNow’s Now Assist AI layer is expected to allow security alerts from Armis to automatically populate ITSM tickets, route to appropriate response teams, and trigger predefined remediation workflows without manual triage.
Who’s Affected
Large enterprises with heterogeneous device fleets—particularly organizations in manufacturing, critical infrastructure, and healthcare that operate both IT and OT networks—are the most direct beneficiaries of tighter integration between asset visibility and workflow automation. Security operations teams currently licensing Armis and ServiceNow as separate products will face a consolidated packaging and pricing structure as integration matures, typically a 12-to-18-month process for acquisitions of this scale. Competing platforms including Microsoft Sentinel, CrowdStrike Falcon, and Palo Alto Cortex XSIAM now face a combined ServiceNow-Armis offering in enterprise security operations center consolidation bids.
What’s Next
ServiceNow has not publicly committed to a specific timeline for unified product features, which is standard practice at deal close for acquisitions requiring deep platform integration. Armis co-founders Dibrov and Izrael are expected to remain with the combined organization in the near term per the acquisition agreement, which is common for founder-led companies where technical leadership continuity is a negotiated condition. Regulators in the United States and European Union had cleared the deal prior to close; no remedies or divestitures were required.
