ServiceNow recently entered into an agreement to acquire Armis, a cyber exposure management and cyber-physical security platform, for $7.75 billion in cash. The transaction is ServiceNow’s third major security-focused acquisition in 2025, following Moveworks ($2.85 billion) and Veza (undisclosed terms).

Armis brings agentless asset discovery capabilities across IT, OT, IoT, and medical device environments. The company current generates about $340 million in annual recurring revenue with reported 50% year-over-year growth.

ServiceNow positions the acquisition as an expansion of its security and risk solutions market opportunity by more than 3x while advancing its “AI control tower” platform strategy.

The deal is expected to close in the second half of 2026, financed through a combination of cash and debt.

Who is Armis?

Armis provides a cyber exposure management platform, specializing in agentless discovery and security for cyber-physical environments. Founded in 2015, the company’s platform provides real-time visibility and risk prioritization across traditional IT infrastructure, operational technology, IoT devices, and medical equipment (asset categories that legacy scanning tools frequently miss).

Armis’ cyber exposure management platform offers the following core capabilities:

• Agentless Asset Discovery and Classification: real-time discovery and classification of both managed and unmanaged assets across enterprise environments without requiring agent installation. This includes traditional IT infrastructure, OT, IoT devices, medical equipment, and industrial control systems.
• Cyber-Physical Security: visibility and protection across cyber-physical environments, addressing manufacturing facilities, healthcare systems, critical infrastructure, and industrial operations where IT and OT systems converge.
• Exposure Intelligence and Risk Prioritization: the platform analyzes discovered assets to identify vulnerabilities, misconfigurations, and security exposures, then prioritizes risks based on asset criticality and threat context.
• Threat Detection and Response: threat intelligence capabilities integrated with asset discovery, enabling security teams to understand what devices are communicating on networks, identify anomalous behavior, and detect potential threats across both IT and OT environments.
• Integration Capabilities (Centrix): integration capabilities that connect asset intelligence and exposure data to downstream security and IT management tools, including existing ServiceNow workflows, enabling automated remediation and response actions.

The platform’s core differentiation centers on agentless discovery across diverse device types and environments, particularly in OT and IoT contexts where traditional endpoint security tools cannot be deployed.

Strategic Rationale and Fit

ServiceNow sees this acquisition as a repositioning from workflow orchestrator to “AI control tower” and system of intelligence. The rationale for the acquisition centers on several interconnected objectives that extend beyond traditional security portfolio expansion:

Moving upstream to control asset intelligence

ServiceNow has historically operated as a downstream workflow engine dependent on signals from upstream security and infrastructure tools. Armis provides the source of truth for asset discovery and exposure intelligence, allowing ServiceNow to move upstream in the technology stack.

Rather than simply orchestrating responses to vulnerabilities identified by other platforms, ServiceNow gains the ability to discover, classify, and assess risk across the full technology estate.

Platform consolidation against tool sprawl

Enterprises operate fragmented security stacks comprising dozens of point solutions for asset management, vulnerability scanning, threat detection, and compliance monitoring.

Armis allows ServiceNow to combine best-in-class asset discovery with ubiquitous workflow automation. ServiceNow suggests this integration can replace multiple legacy scanners and basic asset tracking tools.

Expanding into cyber-physical security domains

Armis brings specialized capabilities in operational technology, industrial control systems, medical devices, and IoT environments, all domains where traditional IT security tools have limited visibility.

This expansion addresses critical infrastructure sectors including manufacturing, healthcare, energy, and utilities where cyber-physical convergence creates new attack surfaces. The acquisition allows ServiceNow to address security domains beyond traditional IT infrastructure.

Strengthening the “AI control tower” and agent governance narrative

ServiceNow’s broader platform strategy centers on positioning itself as the governing and orchestration layer for enterprises deploying hundreds of AI agents across systems. Armis supports that by providing the real-time asset context and risk intelligence that AI agents lack, enabling ServiceNow to understand asset criticality, operational impact, and security posture rather than operating on abstract signals.

As enterprises scale AI and agentic systems, ServiceNow argues that intelligent trust and governance spanning any cloud, asset, AI system, and device becomes non-negotiable.

Armis strengthens this narrative for ServiceNow by providing the foundational asset intelligence layer.

Transforming risk management into real-time operational resilience

ServiceNow operates an Integrated Risk Management (IRM) platform that has historically focused on compliance reporting and audit workflows. Armis telemetry enables ServiceNow to transform IRM from static audit snapshots into a live, continuously updated view of enterprise exposure.

The acquisition elevates ServiceNow’s value proposition from compliance reporting to operational resilience.

Accelerating security portfolio growth

ServiceNow’s Security and Risk business crossed $1 billion in annual contract value during Q3 2025. The company states that Armis will more than triple its addressable market for security and risk solutions.

Analysis

ServiceNow’s $7.75 billion acquisition of Armis is continuation of ServiceNow’s evolution from workflow orchestrator to enterprise intelligence and control platform, with cybersecurity serving as the anchoring use case.

The acquisition provides agentless asset discovery across IT, OT, IoT, and medical device environments, strengthening ServiceNow’s ability to address cyber-physical security requirements in manufacturing, healthcare, and critical infrastructure sectors where traditional IT security tools have limited visibility.

This transaction is ServiceNow’s third major security acquisition in 2025, following Moveworks ($2.85 billion for AI agent platform capabilities) and Veza (identity security). Together, these acquisitions see the company embarking on a deliberate strategy to make ServiceNow as the “AI control tower” for enterprises deploying AI agents and autonomous systems across complex technology environments.

It’s a reality that intelligent trust and governance spanning any cloud, asset, AI system, and device is fast becoming non-negotiable as enterprises scale AI adoption. If ServiceNow can address those needs, then it can extend its relevance beyond traditional IT service management into more strategic technology governance.

The Armis acquisition plays directly to this, providing the foundational asset intelligence layer that AI governance requires. Rather than operating on abstract signals, ServiceNow gains real-time visibility into what assets exist, how they’re configured, what vulnerabilities they contain, and what business services they support. This combination of discovery, context, and workflow automation addresses a genuine gap in enterprise security architectures where tool fragmentation, manual processes, and lack of business context limit security effectiveness.

For enterprises, the combined ServiceNow/Armis platform may offer a credible alternative to fragmented security tool stacks, particularly for organizations already invested in ServiceNow for IT service management and workflow automation. The integration promises to reduce the manual handoffs, context switching, and coordination overhead that characterizes traditional security operations. For industries with significant cyber-physical infrastructure, the combination addresses specialized requirements that traditional IT security vendors often overlook.

ServiceNow’s aggressive acquisition strategy in 2025 shows a company actively expanding beyond its IT service management origins into broader enterprise platform positioning, with security and AI governance serving as the strategic pillars.

If executed effectively, the Armis integration strengthens ServiceNow’s relevance for strategic technology initiatives while extending its platform value into critical security domains where enterprises are increasing investment. It’s a strong acquisition for the company.

Competitive Outlook & Advice to IT Buyers

The acquisition places ServiceNow more directly against multiple categories of competitors while creating new competitive dynamics. This includes traditional cybersecurity platforms like those from Palo Alto Networks (with its CyberArk acquisition) and Google (with its Wiz acquisition); specialized security platforms like those from Tenable, qualys, and Rapid7; CSP-native solutions from Microsoft, Google, and AWS; and ServiceNow’s more traditional service management competitors.

It’s a broad array of competitors. Let’s look at how a combined ServiceNow/Armis solution might compare…

These sections are only available to NAND Research clients and IT Advisory Members. Please reach out to [email protected] to learn more.