Skip to content
Briefings are running a touch slower this week while we rebuild the foundations.See roadmap
Cybersecurity: Threats and Defences
20MAY

Google closes $32bn Wiz deal; 38 M&A

3 min read
09:58UTC

Google-Wiz is the largest pure-cybersecurity deal of the post-CrowdStrike era. SecurityWeek counted 38 cyber M&A deals in March and 42 in February.

← Back to AI joins the breach column on both sidesJump to analysis ↓
TechnologyAssessed
Key takeaway

The 80-deal-a-quarter M&A pace tracks where buyers expect the next defensive stack to sit.

Google completed its $32 billion acquisition of cloud security vendor Wiz in March 2026, closing the largest pure-cybersecurity deal of the post-CrowdStrike-Humio era 1. Wiz is a cloud-infrastructure risk platform founded in 2020; its product scans customer estates on Amazon Web Services, Microsoft Azure and Google Cloud for misconfiguration, exposed credentials and lateral-movement paths. Inside Google Cloud, the platform becomes the native security layer fronting every workload the hyperscaler hosts.

SecurityWeek's deal tracker counted 38 cybersecurity mergers and acquisitions announced in March 2026, on top of 42 in February. Databricks, the US data and AI platform, acquired Antimatter and SiftD.ai to launch its Lakewatch Security Information and Event Management (SIEM) product. OpenAI acquired Promptfoo to fold prompt-injection defence into its Frontier platform. Prompt injection is the attack class where malicious instructions embedded in user input hijack a large-language-model application; Promptfoo's tooling is aimed at catching it in production.

The pace matters because consolidation sequences tell you what buyers think the next defensive stack looks like. Cloud security, SIEM re-platforming on AI-native data stores, and large-language-model application security are the three categories absorbing capital. Cloud security is where the Handala-style MDM and Entra ID attack surface lives; SIEM re-platforming is an answer to the 393-day BRICKSTORM dwell problem at detection speed; LLM application security is a new surface that did not exist at the scale it does now three years ago. The money is going where the offensive tradecraft in this briefing is also heading.

Deep Analysis

In plain English

Google completed its $32 billion purchase of Wiz, a cloud security company, in March 2026. This is the largest acquisition of a purely cybersecurity company in history. Wiz makes software that helps businesses find security vulnerabilities in the cloud systems they use, like AWS or Azure or Google Cloud itself. Separately, there were 38 cybersecurity company acquisitions in March alone, continuing a trend of rapid consolidation in the security industry. Databricks bought two companies to build a security monitoring product, and OpenAI bought a company that specialises in defending against attacks on AI systems. This wave of acquisitions reflects the belief that cybersecurity spending is accelerating as threats increase, and that large technology companies want to own more of the security market rather than leave it to specialised vendors.

Deep Analysis
Root Causes

The M&A acceleration in cybersecurity reflects two converging structural pressures. Enterprise buyers are consolidating security vendors to reduce the integration overhead of operating 30-50 point products across their stack; they are purchasing platforms from vendors they already trust with their cloud infrastructure, which channels deal flow toward the hyperscalers.

For Google, the Wiz acquisition addresses a specific competitive gap: Google Cloud holds roughly 11% of the cloud infrastructure market against AWS at 33% and Azure at 22%, and lacks a native cloud security posture management offering comparable to Microsoft Defender for Cloud. The $32bn price is partly for Wiz's technology and partly for Wiz's multi-cloud customer relationships, which give Google a security wedge into AWS and Azure environments.

What could happen next?
  • Consequence

    Google Cloud's bundling of Wiz's cloud-native application protection platform into Google Cloud Security will put competitive pressure on multi-cloud CNAPP vendors and accelerate enterprise consolidation of cloud security tooling with their primary cloud provider.

  • Risk

    The concentration of cloud security monitoring within the same vendors that operate cloud infrastructure creates a conflict-of-interest dynamic that independent security advisers and regulators are beginning to scrutinise as a systemic risk.

Sources:Google Cloud / Mandiant
Mentions:Google →Wiz →Databricks →Antimatter →OpenAI →Promptfoo →CrowdStrike →SGNL →Gartner →Prima →BRICKSTORM →SiftD.ai →Amazon →Microsoft →Intel →Azure →Broadcom →AWS →Handala Hack →SecurityWeek →Security Information and Event Management →
First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

Google Cloud / Mandiant· 17 Apr 2026
Read original
Causes and effects
Caused by
KB5091157, Gentlemen C2 intel, ENISA CNAs: in brief
Portkey's $130m acquisition by Palo Alto Networks and April's 33 M&A deals continue the consolidation trend documented in March's 38 deals.
Occurred 19 Apr 2026
Read story →
UNC6780 takes Cisco AI Defense source code
UNC6780's theft of Cisco AI Defense source code validates the AI-security market risk that the Google-Wiz $32bn close was pricing, shifting diligence from hypothetical to named incident.
Occurred 11 May 2026
Read story →
This Event
Google closes $32bn Wiz deal; 38 M&A
The commercial signal on cloud and identity security is running ahead of the defensive one at an 80-deal-a-quarter pace.
Led to
Beazley shareholders clear Zurich's £8.1bn bid
Beazley/Zurich is the largest single cyber-insurance M&A of 2026, contextually following the Google/Wiz $32bn close that led the cyber-sector consolidation wave in ID:2557.
Occurred 22 Apr 2026
Read story →
Different Perspectives
Tsinghua University Institute for International Strategic Studies
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Google Threat Intelligence Group
Google Threat Intelligence Group
GTIG's 11 May report establishes AI-assisted offence and AI-infrastructure targeting as concurrent named-incident categories, not theoretical ones: UNC6780 attacked LiteLLM and Cisco AI Defense in parallel; state actors used Gemini operationally; CANFAIL and LONGSTREAM used LLM-generated queries to evade static analysis.
Cisco
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.
NCSC
NCSC
The ICO's South Staffs Water fine applies NCSC PAM and monitoring guidance as the GDPR Article 32 enforcement baseline against a water-sector CNI operator, extending the Capita precedent before the CS&R Bill has reached Royal Assent. NCSC guidance now carries enforceable weight inside the existing statutory framework for CNI sectors processing personal data.
Microsoft Security Response Center
Microsoft Security Response Center
The Exchange Emergency Mitigation Service URL rewrite is the sole available mitigation for CVE-2026-42897; MSRC has not signalled an out-of-band patch timeline. The workaround breaks OWA calendar print, inline images, and Light mode, forcing CISOs to choose between user-experience breakage and active-exploitation exposure.
CISA
CISA
CISA's Exchange CVE-2026-42897 deadline of 29 May, set before Microsoft published a patch, repeats the PAN-OS posture from 6 May: exploitation velocity now overrides vendor release timelines. BOD 22-01 compliance against an unpatched flaw leaves federal CISOs with only mitigation documentation and mailbox-rule monitoring.