Cybersecurity: Threats and Defences
7 JUN

Google closes $32bn Wiz deal; 38 M&A

10:08 UTC

Google-Wiz is the largest pure-cybersecurity deal of the post-CrowdStrike era. SecurityWeek counted 38 cyber M&A deals in March and 42 in February.

Technology · Assessed
Key takeaway

The 80-deal-a-quarter M&A pace tracks where buyers expect the next defensive stack to sit.

Google completed its $32 billion acquisition of cloud security vendor Wiz in March 2026, closing the largest pure-cybersecurity deal of the post-CrowdStrike-Humio era [1]. Wiz is a cloud-infrastructure risk platform founded in 2020; its product scans customer estates on Amazon Web Services, Microsoft Azure and Google Cloud for misconfiguration, exposed credentials and lateral-movement paths. Inside Google Cloud, the platform becomes the native security layer fronting every workload the hyperscaler hosts.

SecurityWeek's deal tracker counted 38 cybersecurity mergers and acquisitions announced in March 2026, on top of 42 in February. Databricks, the US data and AI platform, acquired Antimatter and SiftD.ai to launch its Lakewatch Security Information and Event Management (SIEM) product. OpenAI acquired Promptfoo to fold prompt-injection defence into its Frontier platform. Prompt injection is the attack class where malicious instructions embedded in user input hijack a large-language-model application; Promptfoo's tooling is aimed at catching it in production.

The pace matters because consolidation sequences tell you what buyers think the next defensive stack looks like. Cloud security, SIEM re-platforming on AI-native data stores, and large-language-model application security are the three categories absorbing capital. Cloud security is where the Handala-style MDM and Entra ID attack surface lives; SIEM re-platforming is an answer to the 393-day BRICKSTORM dwell problem at detection speed; LLM application security is a new surface that did not exist at its current scale three years ago. The money is going where the offensive tradecraft in this briefing is also heading.

Deep Analysis

In plain English

Google completed its $32 billion purchase of Wiz, a cloud security company, in March 2026. This is the largest acquisition of a purely cybersecurity company in history. Wiz makes software that helps businesses find security vulnerabilities in the cloud systems they use, like AWS or Azure or Google Cloud itself. Separately, there were 38 cybersecurity company acquisitions in March alone, continuing a trend of rapid consolidation in the security industry. Databricks bought two companies to build a security monitoring product, and OpenAI bought a company that specialises in defending against attacks on AI systems. This wave of acquisitions reflects the belief that cybersecurity spending is accelerating as threats increase, and that large technology companies want to own more of the security market rather than leave it to specialised vendors.

Root Causes

The M&A acceleration in cybersecurity reflects two converging structural pressures. Enterprise buyers are consolidating security vendors to reduce the integration overhead of operating 30-50 point products across their stack; they are purchasing platforms from vendors they already trust with their cloud infrastructure, which channels deal flow toward the hyperscalers.

For Google, the Wiz acquisition addresses a specific competitive gap: Google Cloud holds roughly 11% of the cloud infrastructure market against AWS at 33% and Azure at 22%, and lacks a native cloud security posture management offering comparable to Microsoft Defender for Cloud. The $32bn price is partly for Wiz's technology and partly for Wiz's multi-cloud customer relationships, which give Google a security wedge into AWS and Azure environments.

What could happen next?
  • Consequence

    Google Cloud's bundling of Wiz's cloud-native application protection platform into Google Cloud Security will put competitive pressure on multi-cloud CNAPP vendors and accelerate enterprise consolidation of cloud security tooling with their primary cloud provider.

  • Risk

    The concentration of cloud security monitoring within the same vendors that operate cloud infrastructure creates a conflict-of-interest dynamic that independent security advisers and regulators are beginning to scrutinise as a systemic risk.

First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

Google Cloud / Mandiant · 17 Apr 2026
Different Perspectives
Australian Cyber Security Centre (ACSC)
Australia's 18 of 95 May ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.
Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.
UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.
German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.
ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.
US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.