Having spent years adding more point solutions, major platforms are changing tack. ServiceNow’s $7.75B acquisition of Armis confirms that smart money is moving away from more detection tools toward platforms that turn alerts into action. For many Australian organisations, the software is already in place.
In December 2025, ServiceNow announced it was acquiring Armis – an asset discovery and security platform – in its largest acquisition to date. It was one of more than 420 cyber security M&A deals last year in a consolidation wave worth over $84 billion1, including Google’s $32B purchase of Wiz and Palo Alto Networks’ $25B acquisition of CyberArk.
For organisations still adding security tools to address each new threat, this new direction is worth paying attention to.
More tools ≠ more protection
Most organisations have invested significantly in endpoint protection, SIEM platforms, vulnerability scanners, identity tools and cloud security controls – many also run an in-house or outsourced SOC. The tools and telemetry are there. The harder part is prioritising, taking action and resolving what they find.
Security tools commonly operate in silos, each with their own alerts, dashboard and view of the world – so teams spend time switching between platforms to piece together what’s happening and what to do about it.
A vulnerability scanner may flag a risk, but there’s no defined process to assess its business impact, assign it to the right team, track remediation and confirm it’s been resolved.
Where your security tools aren't looking
This challenge gets more complicated when you look at where sensitive business data actually lives. Over the past few years, critical information has moved into SaaS platforms – finance systems, HR platforms, CRM, collaboration tools – and in many cases, traditional security controls simply don’t extend to these environments.
There are three dimensions to SaaS security risks, and few organisations have addressed all of them.
Where is your data across your SaaS platforms?
Many organisations don’t have a clear picture of which SaaS applications hold sensitive data, who has access to it or how it moves between platforms. Shadow IT compounds the problem – teams adopt tools that sit outside the security perimeter without anyone realising the exposure.
Are those platforms configured to protect it?
SaaS platforms have security settings built in, but they’re only effective when configured correctly and reviewed regularly. A misconfigured sharing setting in a collaboration or HR platform, for example, can expose sensitive employee or customer data without triggering a single alert. Default configurations often leave these gaps open.
Would you know if something went wrong?
Even when data is identified and configurations are tightened, the detection question remains. If a user with valid credentials logs into a SaaS platform and downloads corporate data, most security teams wouldn’t see it. If employees paste sensitive information into public AI tools, the same applies. Traditional monitoring tools simply weren’t built for this.
The orchestration layer turns noise into action
Building on its core strength in business workflows, ServiceNow takes the data and alerts from platforms like Microsoft Sentinel, asset discovery tools like Armis and SaaS security solutions, and connects them into workflows that assign ownership, enforce SLAs and maintain a full audit trail.
It also layers in business context – which applications hold sensitive data, who owns them, how critical they are – so security teams can prioritise based on actual risk rather than alert volume.
The Armis acquisition brings asset discovery and risk-based vulnerability management directly into this engine. It signals a future where the entire chain from identifying an asset through to tracking remediation can run within a single integrated platform.
Compliance drives demand for in-house security workflows
ServiceNow’s security and risk business has gained serious traction in the past couple of years, driven by more accessible commercial models and tightening compliance obligations.
Across regulated industries such as financial services, utilities and critical infrastructure, we’re seeing organisations bring security operations back in-house to meet frameworks like CPS 234, the SOCI Act and the Essential Eight – and they need the internal platforms and workflows to run them effectively.
A common challenge we see in the market is that most ServiceNow partners are platform specialists without practical cyber security experience, and most security consultancies don’t know ServiceNow. Bringing both together is where Nexon delivers a genuine advantage. Whether your organisation already runs ServiceNow or is looking to get more value from the detection tools you’ve already invested in, a review of how your existing platforms connect will reveal where the gaps lie.
Mike Woods is Chief Technology Officer at Nexon. He recently hosted a security roundtable at the Cyber Resilience Summit in Melbourne. For a discussion about how your organisation can get more value from its existing security platforms, Contact Nexon today.
References:
SecurityWeek, SecurityWeek Report: 426 Cybersecurity M&A Deals Announced, 2026
Infosecurity Magazine, The Biggest Cybersecurity Mergers and Acquisitions of 2025
More articles to explore
