Rohit Dhamankar, VP, M&A and AI Strategy at Fortra, with 15+ years of cybersecurity experience.

getty
There are two types of acquirers in cybersecurity today: the ones chasing innovation and those trying to complete established platforms. While some level of innovation is desirable and necessary, investments should drive forward a preestablished goal. Impressive acquisitions that don’t serve a purpose within your road map are just wasted resources.
Buyers should define what they’re looking for first and then go out and identify the solution that fits their company’s long-term strategy. They shouldn't craft a strategy around a tool they happen to see and like. When looking for their next M&A deal, leaders should identify technology that fills a specific gap in their stack capability, integrates cleanly with their existing investments and serves a defined customer need.
In other words, your acquisition has to do something you can’t currently do, play well with the solutions you already have, give your company a competitive advantage and serve your customers in a way they weren’t being served before. It has to bring something meaningfully new to the table, and “more AI” doesn’t count.
AI Hype Is Inflating High-Risk Companies
Gartner warns that “only 20% of cybersecurity teams report highly beneficial results from GenAI use cases,” suggesting that the reward can pale in comparison to the hype once implementation begins.
Over the past two years, a significant number of startups have attached themselves to the AI narrative and attempted to lure CISOs with their “cutting-edge, next-gen” technology. A slick demo may win over investors, but it doesn’t guarantee that the product will be a long-term fit in your stack. It doesn’t even guarantee that it will perform well once it’s deployed in your environment.
Advanced AI capabilities, though important in some cases, do not eliminate the need for CISOs to look at what they’ve always looked at when making purchasing decisions. Is revenue modest or strong? How is the product-market fit? Is the AI capability easily replicated by other companies?
First-to-market wins aren’t a substitute for doing your homework, and they’re not a guarantee that the capability is what you need, or even the best in market.
How Smart M&A Teams Are Vetting Acquisitions
In cybersecurity investments, deployment friction and long-term integration costs can really drain an acquisition of its value. Immature companies, though impressive on paper, can cost more than a purchase is worth. When considering AI-based startups, bear in mind that GenAI solutions are only as secure as the infrastructure, data and access layers that support them. Companies looking to be acquired must come with all those pieces in place, and acquiring security leaders need to make sure they do.
According to Gartner's Katell Thielemann, “Organizations are making aggressive technology investments to achieve their goals, especially in leading edge, ‘hyped’ areas like GenAI.” Thielemann, who serves as the company's distinguished VP analyst, continued, "When change ambitions are at their peak, CISOs need to ground people in reality and data.”
Does the product contribute something unique to your organization’s platform model? Does it fill a customer need that already has budget attached? If it’s reducing exposure, it probably does. And when it boasts AI capabilities, get granular about what it does. If a company uses machine learning to increase triage speed, that could indicate genuine thought. If they are selling simply “autonomous AI security,” more questions need to be asked.
Co-pilots and automation layers can always be added in after the fact, and that technology will only improve over time. What can’t be easily added are things like deeply integrated workflows, time in the market, a loyal customer base and solid partner ecosystems. All these things add value and take a lot more skill to establish than AI functionalities.
From Boosting Financials To Playing The Long Game
There has been a shift in M&A priorities over the past two years within my own company, and I've learned a few lessons after numerous acquisitions completed between 2018 and 2022.
The M&A process used to be about guaranteed, immediate financial wins. Now it’s more about strategic acquisitions that will strengthen product portfolios. Platformization and simplicity drive cybersecurity buyers, and organizations with an appetite for new companies are often looking to complete their platform capabilities.
Compelling cybersecurity acquisitions in this context are ones that are going to do at least one of three things: close a key product gap, accelerate your road map or make your platform easier to use and deploy. Companies or products that can be easily integrated into your existing control plane are always going to be favorable to stand-alone tools. The industry is moving toward less, not more. Consolidation and integration have become key considerations for me in this new industry mindset.
Most Likely To Consolidate In 2026
On the topic of consolidation, there's one area that I believe will see significant growth and change this year. The technology categories most likely to come together in 2026 include offensive security and data security platforms.
Offensive security—red-teaming, pen-testing, attack surface management and more—is transitioning from a collection of separate tools to an all-in-one platform capability that provides proactive detection and remediation on a continual basis. The scale and frequency of attacks (as a result of AI) have forced round-the-clock capabilities, and platformizing offensive security can make it more accessible while driving up value.
Data security is becoming its own strategic control layer, and I believe the market is likely to see separate tools like data security posture management (DSPM), data loss prevention (DLP) and data discovery and classification work together to present a more unified view of where data resides and how it’s being secured.
Platforms are where practical security wins and hyped-up technologies come together. In fact, IBM’s 2025 research notes that organizations that successfully use AI and automation for security spend an average of $1.9 million less in a breach than those that don’t. This is one area I would urge leaders to keep a close eye on in the coming months.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?

18 hours ago
2












English (US)