Armis Security

1.1 Company Identity and Corporate History

Armis Inc. (operating as "Armis" or "Armis Security") is a California-headquartered cybersecurity company specializing in cyber exposure management and security for all connected assets — including IT, OT, IoT, medical devices (IoMT), physical AI, code, and cloud environments. The company was founded in late 2015 by Yevgeny Dibrov and Nadir Izrael, both graduates of the Technion — Israel Institute of Technology who had collaborated on academic projects before entering the workforce. The founding idea originated from extensive customer discovery: rather than building technology first, the founders cold-called CISOs and IT managers from Nadir Izrael's apartment in Tel Aviv to identify the biggest pain points, ultimately landing on the security gap created by unmanaged IoT devices. Armis moved its headquarters from Tel Aviv to Palo Alto, California in 2017 when it emerged from stealth, and has since established offices in New York, London, Munich, and Bucharest. By 2026, the company was headquartered in San Francisco, California. Armis operated as a privately held company through its entire independent lifecycle, except for a brief period as a majority-owned subsidiary of Insight Partners from February 2020 onward. The company's core product, the Armis Centrix™ platform, is an AI-powered, agentless cyber exposure management system that discovers, classifies, and secures every connected device in an organization's environment — from laptops and servers to industrial control systems, medical devices, and cloud workloads — without requiring software agents on endpoints. As of early 2026, the platform tracked nearly 7 billion devices in real time. On April 19-20, 2026, ServiceNow completed its $7.75 billion cash acquisition of Armis, integrating it into ServiceNow's AI Control Tower security and risk portfolio. [CO001, CO002, CO003, CO004, CO013, CO014]

1.2 Founders and Executive Leadership

Armis was co-founded by Yevgeny Dibrov (CEO) and Nadir Izrael (CTO), both veterans of elite Israeli technology and military programs who brought complementary skills to the venture. Dibrov served on the executive team at cloud security startup Adallom — co-founded by members of what would later become the Wiz founding team — before Adallom was acquired by Microsoft for $320M in July 2015. Following a brief hiatus, Dibrov immediately began building Armis, recruiting Izrael to leave his position as a software engineer at Google, where he had worked on Google Maps and Google Autocomplete. Both founders attended the excellence program at the Technion and served in elite units of the Israel Defense Forces (IDF), including Unit 8200. Dibrov is widely credited as the primary commercial and customer-success driver at Armis, maintaining an intensive travel schedule to meet customers and partners globally. Izrael leads the technical and product vision, has overseen all three acquisitions (CTCI, Silk Security, OTORIO), and maintains significant cross-functional authority within the engineering and product organizations. Gili Raanan, founder of Cyberstarts, served as Chairman of the Board since before the Series A and represented the early investor base. By 2026, the executive leadership team had expanded significantly. Alex Mosher serves as President and Chief Revenue Officer (CRO). Jonathan Carr is Chief Financial Officer. Simon Mouyal was appointed Chief Marketing Officer in March 2026, bringing 25+ years of cybersecurity and SaaS marketing experience from organizations including CyberArk and athenahealth. Christian Terlecki leads public sector sales as Senior Vice President, overseeing the Armis Federal division and its government certifications. [CO001, CO003, CO004, CO005, CO006, CO007]

1.3 Funding History, Valuation, and Investor Base

Armis raised capital through a series of rounds totaling approximately $1.17 billion before its acquisition by ServiceNow. The first seed round was raised in 2015, followed by a $17M Series A in June 2017, a $30M Series B in April 2018, and a $65M Series C in April 2019 that brought total funding to $112M. The Series C was led by Sequoia Capital, which had backed the company since its Series A in Israel. In February 2020, Insight Partners acquired Armis at a $1.1 billion valuation — Israel's largest cyber exit at that time — taking a majority stake and providing operational support including customer introductions, go-to-market assistance, and strategic M&A guidance. Insight Partners remained the majority owner through subsequent rounds. In February 2021, Armis raised $125M at a $2B valuation from Brookfield Technology Partners (as lead investor), CapitalG (Alphabet's growth fund), Georgian, and Insight Partners. In November 2021, it raised $300M at a $3.4B valuation led by One Equity Partners, which joined the board. After a period of operational maturation, Armis raised $200M at a $4.2B valuation in October 2024, led by General Catalyst and Alkeon Capital (new investors) alongside existing backers Brookfield Growth, Georgian, Insight Partners, CapitalG, and One Equity Partners. This was followed by an August 2025 tender offer at a $4.5B valuation and a final $435M pre-IPO round in November 2025 at a $6.1B valuation, led by Goldman Sachs Growth Equity with participation from CapitalG and new investor Evolution Equity Partners. The ServiceNow acquisition at $7.75B represented approximately a 27% premium over the last private valuation. [CO005, CO006, CO007, CO008, CO009, CO010]

1.4 Company Milestones and Scale Metrics

Armis's trajectory from founding to acquisition spans ten years and includes significant milestones across founding, financing, product development, acquisitions, regulatory authorizations, and industry recognition. The company grew its ARR from zero to $300M by November 2025 and to $340M+ by December 2025, representing more than 50% year-over-year growth. This growth trajectory was supported by three strategic acquisitions in under twelve months: CTCI (February 2024, early warning), Silk Security (April 2024, $150M, vulnerability remediation), and OTORIO (March 2025, $120M, OT/CPS on-premises security). Armis's customer base grew from deployments at more than 25% of the Fortune 100 in 2019 to over 35% by late 2025 and nine of the Fortune 10 by April 2026. Named customers include United Airlines, Colgate-Palmolive, Mondelez International, Reckitt, Sysco Foods, and Allergan, in addition to dozens of federal agencies and state/local government entities. The platform achieves deployment scale not through agents but through passive network traffic analysis, enabling it to track nearly 7 billion devices globally in real time. On the regulatory and compliance front, Armis achieved FedRAMP Moderate and DISA IL4 authorization in 2023, and DoD Impact Level 5 authorization in February 2026, qualifying it for Controlled Unclassified Information (CUI) environments within the Department of Defense. The company was recognized as a Leader in the 2026 Gartner Magic Quadrant for CPS Protection Platforms (second consecutive year) and the Forrester Wave for IoT Security Solutions (Q3 2025) and Unified Vulnerability Management Solutions (Q3 2025). [CO015, CO016, CO017, CO018, CO019, CO020]

1.5 Adverse Findings and Evidence Gaps

Armis's record is largely clean of material security breaches or regulatory enforcement actions. The primary adverse finding involves post-acquisition workforce reductions: following its March 2025 acquisition of OTORIO for $120M, Armis laid off 45 of OTORIO's approximately 80 employees — more than half the acquired workforce — primarily in sales, marketing, finance, and HR, retaining approximately 35 development staff. This pattern is consistent with integration-focused M&A, where redundant go-to-market functions are eliminated while product engineering capacity is preserved, but it represents a material reduction in OTORIO's organizational footprint. Multiple areas of evidence remain unavailable due to Armis's private company status. Revenue, gross margin, operating loss/income, cash position, customer concentration metrics, and net revenue retention (NRR) are not publicly disclosed. The company disclosed ARR but not contract structure, renewal rates, or churn. Post-acquisition, Armis is now a subsidiary of ServiceNow, and its financial metrics will be reported (if at all) as part of ServiceNow's consolidated financial statements. Future diligence on financial performance will require either ServiceNow's investor disclosures or direct engagement with management. [CO031, CO030, CO036, CO015]

1.6 Exhibits

2.1 Market Boundary and Category Definition

Armis Centrix competes primarily within the Gartner-defined Cyber-Physical Systems (CPS) Protection Platform market, a category that Gartner formally established with a Magic Quadrant in 2025, evaluating 13 vendors. CPS protection platforms provide agentless, passive network monitoring that discovers, classifies, and continuously monitors all connected assets — including IT devices, operational technology (OT/SCADA/PLC), IoT sensors, building systems, and connected medical devices — without requiring software agents or active scanning that could disrupt operations. The market boundary is important to define precisely because analyst estimates for adjacent categories (OT Security, IoT Security, "CPS Market") yield dramatically different TAM figures. The OT Security market ($22-23.5B in 2025) includes hardware, services, and traditional network monitoring tools, inflating the figure. The IoT Security market ($35.5B in 2024) is broader still and includes consumer IoT-adjacent segments. The narrowest and most relevant estimate is the CPS Protection Platform market as defined by TBRC ($10.05B in 2025) — the sub-segment that most closely mirrors Gartner's MQ scope and Armis's direct competition set. The market excludes: endpoint detection and response (EDR/EPP) for managed computers; cloud security posture management (CSPM); pure-IT SIEM tools without device discovery scope; and consumer IoT security. The status-quo substitute is manual asset inventory via spreadsheets and periodic network scans — a process that systematically undercounts unmanaged OT and IoT devices and leaves organizations with incomplete risk visibility. Armis's agentless architecture is architecturally necessary for this market: PLCs, SCADA systems, legacy medical devices, and embedded IoT typically run proprietary or real-time operating systems that cannot support software agents. Warranty and change-control restrictions also prohibit agent installation on many OT devices. This structural constraint creates a durable requirement for agentless discovery that cannot be substituted by enterprise EDR vendors.[CM001, CM002, CM003, CM004, CM005, CM023]

2.2 Market Sizing — Multiple Analyst Lenses

The OT and CPS security market is well-covered by analyst firms, but estimates vary significantly by methodology and scope definition. MarketsAndMarkets sizes the OT security market at $23.47B in 2025, growing to $50.29B by 2030 at 16.5% CAGR. Mordor Intelligence offers a slightly lower estimate of $22.15B in 2025 growing to $47.95B by 2031 at 13.74% CAGR. Both project doubling or near-doubling of the market over a 5-6 year period, confirming strong structural growth across methodologies. For a more specific proxy, the CPS Security market — defined narrowly to exclude hardware-only and services-only OT vendors — was valued at $10.05B in 2025 with 13% CAGR to $18.51B in 2030 (The Business Research Company). This is the closest public analog to the Gartner-defined CPS Protection Platform market in which Armis competes. Adjacent segments provide additional market context. The CAASM market ($1.88B in 2025, 25% CAGR to $5.72B by 2030) is growing faster than the core OT security market, driven by enterprise demand for continuous asset intelligence and AI-driven risk prioritization. Medical device security ($7.41-8.47B in 2025) is a distinct and growing vertical, with the healthcare IoT security sub-segment growing at 28.8% CAGR. The broader IoT security market ($35.5B in 2024 at 26.8% CAGR to $141.8B by 2030) overstates the addressable opportunity for Armis but illustrates the scale of the device proliferation problem. Device proliferation is the underlying demand driver: there are approximately 19.8 billion connected IoT devices globally in 2025-2026 (DemandSage), with Ericsson projecting cellular IoT connections alone to reach 4.5B by end of 2025. This growing device footprint structurally increases the value of platforms that can discover and monitor them without agents. A bottom-up SAM estimate for Armis suggests $3-8B: applying $20-50 per asset per year (from the May 2025 partner price list) to approximately 200 Fortune 500 enterprises with 10,000-50,000 managed assets each. This is a rough proxy; the actual SAM depends on Armis's expansion into healthcare, government, and mid-market channels that are still early stage. Armis's current $340M ARR represents approximately 4-11% of this SAM estimate, implying significant runway if the market share thesis holds.[CM006, CM007, CM008, CM009, CM010, CM011]

2.3 Buyer and Segment Profiles

The primary buyer for Armis Centrix is the enterprise Chief Information Security Officer (CISO), who controls the IT security budget and bears responsibility for device risk across all connected assets. In enterprise IT (Fortune 500+), the CISO typically procures through an annual security tooling budget, with ROI justified through device visibility uplift and reduced exposure from previously unmanaged assets. This segment is Armis's strongest, with Fortune 100 penetration exceeding 35% at acquisition close. In healthcare, the buying authority is more distributed, shared among the CISO, the Chief Medical Information Officer (CMIO), and Biomedical Engineering. The primary adoption trigger is regulatory — FDA cybersecurity guidance and HIPAA breach notification obligations create compliance-driven urgency. Ransomware attacks on hospital systems (e.g., Ascension Health, Change Healthcare) have elevated the healthcare CISO to board-level visibility, driving security investment. Armis has established healthcare momentum and named customer references in this vertical. Federal government and DoD procurement follows a distinct pathway requiring FedRAMP authorization (Armis holds FedRAMP Moderate, IL4, and IL5) and often a formal RFP/tender process. Armis Federal operates as a separate business unit with dedicated DoD and civilian agency sales. Budget is sourced from congressional appropriations with multi-year commitments, but procurement cycles are typically 12-18+ months, the longest in Armis's portfolio. Industrial and critical infrastructure customers present the most complex buyer dynamic: procurement authority is split between the corporate CISO and OT/plant managers who prioritize operational continuity. OT managers have historically resisted security tools that could disrupt production, making Armis's agentless, passive-only approach a critical requirement. NIS2 compliance urgency in EU-regulated manufacturers has accelerated adoption in EMEA. The Armis OTORIO acquisition materially deepens OT/ICS product credibility and customer relationships.[CM013, CM014, CM015, CM016, CM017, CM028]

2.4 Growth Drivers and Adoption Catalysts

Four structural forces are driving sustained growth in the CPS protection platform market through 2026 and beyond. Regulatory mandates provide the most durable demand floor. The EU NIS2 Directive, effective October 2024, requires 18 critical sectors to implement asset inventory, network monitoring, and incident response capabilities — creating non-discretionary cybersecurity spending for OT and IoT environments across European operations. Penalties for non-compliance include multimillion-euro fines and executive liability. U.S. regulations add further pressure: FDA cybersecurity guidance for connected medical devices (2023) and OT manufacturing environments (2025) requires security-by-design and postmarket vulnerability management, directly benefiting platforms with device discovery and risk prioritization capabilities. CISA asset visibility directives similarly require federal agencies and critical infrastructure operators to maintain comprehensive device inventories. OT/IT convergence structurally expands the addressable device pool. Digital transformation and Industry 4.0 initiatives have brought formerly air-gapped OT networks online, creating internet-accessible SCADA systems, PLCs, and connected sensors that are now reachable by threat actors but invisible to IT-centric security tools. Armis estimates that 60-70% of enterprise connected assets are not covered by traditional endpoint agents — a structural gap that Armis's platform is purpose-built to close. Threat escalation drives urgency. State-aligned attacks on critical infrastructure increased 49% in 2024, with manufacturing accounting for 25.7% of industrial cyber incidents. High-profile ransomware events (Change Healthcare, Colonial Pipeline) have elevated board-level awareness of OT/IoT security risk and accelerated budget approvals. AI-powered threat tools are enabling more sophisticated, targeted attacks on OT environments, raising the ROI of AI-powered defense platforms. Device proliferation sustains long-term demand. With 19.8B connected IoT devices globally (2025-2026) growing to 40.6B by 2034, the attack surface addressed by CPS platforms will continue expanding independent of regulatory pressure, providing a structural tailwind for the next decade.[CM018, CM019, CM020, CM021, CM022, CM036]

2.5 Adoption Constraints and Market Risks

Despite the strong growth trajectory, the CPS protection platform market faces several adoption constraints that discipline revenue velocity and addressable market expectations. Long sales cycles are the most significant structural constraint. Enterprise OT security procurements typically require 6-18 months from initial engagement to signed contract, driven by OT-specific proof-of-concept requirements, multi-stakeholder alignment (CISO + OT manager), security assessments, and regulatory certification requirements in government. Armis's ability to scale past $340M ARR despite this constraint is notable and suggests efficient sales motion, but the ceiling is set by pipeline capacity and cycle duration. Incumbent switching costs are real. Claroty, Nozomi Networks, and Dragos have established footholds in industrial environments, and customers with existing OT security tooling face integration migration costs and vendor relationship inertia. Armis must typically displace or complement an existing tool, which extends the sales cycle and reduces win rates in competitive replacements. Market consolidation creates competitive uncertainty. The 2024-2026 wave of M&A — ServiceNow acquiring Armis ($7.75B), Cisco acquiring Splunk ($28B), and Palo Alto's continued acquisitions — is compressing the standalone CPS platform market. Remaining independents (Claroty, Nozomi Networks) face both organic competition from bundled mega-platform providers and potential consolidation pressure. Post-acquisition, Armis's competitive positioning depends heavily on ServiceNow maintaining its standalone go-to-market motion. Market sizing uncertainty limits investment thesis confidence. Analyst TAM estimates for OT security vary by 6% in 2025 and may diverge further at the 2030 forecast horizon; no public analyst has published a standalone CPS protection platform SAM that directly maps to Armis's go-to-market scope. Investors should seek bottom-up customer cohort data from ServiceNow to validate Armis's market share trajectory.[CM029, CM030, CM031, CM032, CM033, CM034]

3.1 Competitive Landscape Overview

Armis operates in the Gartner-defined "CPS Protection Platforms" market category, formally established with a dedicated Magic Quadrant in 2025 (evaluating 13 vendors) and continuing through 2026. The 2026 MQ named four Leaders: Armis, Claroty, Dragos, and Nozomi Networks — the same four Leaders as 2025. This stability signals a maturing competitive landscape with entrenched leaders and diminishing likelihood of new entrant disruption at the top tier in the near term. The Challengers and Niche Players quadrants include Cisco, Fortinet, Tenable, and others primarily competing on adjacencies (NAC, firewalls, vulnerability management) rather than native CPS protection. The competitive landscape can be segmented into four tiers: (1) Direct peers — pure-play CPS/OT/IoT platforms that address the same buyer with overlapping capability sets; (2) Incumbents and adjacent vendors — established IT/network security vendors adding OT/IoT modules to existing enterprise relationships; (3) Platform consolidators — large-platform vendors (Microsoft, Palo Alto, Cisco) pursuing security consolidation that can displace point solutions through bundling; and (4) Status-quo and internal build — manual CMDB inventories, passive packet capture without analytics, or industrial-firewall-based visibility without a dedicated CPS platform. Armis faces meaningful competition across all four tiers, with the greatest near-term threat from platform consolidators via pricing leverage.

3.2 Direct Competitor Profiles

Claroty (New York, founded 2015) is Armis's closest peer: both are Gartner Leaders, both are agentless/passive, and both address OT, IoT, and IoMT. Claroty raised $900M+ through a January 2026 $100M strategic financing, valuing the company at $3B+, and is reported to be preparing for an IPO at $3.5-4B. Claroty's estimated ARR reached $200M+ in early 2026 with 800+ employees and 20% of the Fortune 100 as customers. Claroty's primary differentiation is deeper OT protocol decoding — covering Siemens S7, Rockwell CIP, Schneider Modbus/TCP at the ladder-logic level — and a lower perceived TCO for OT-centric buyers. Where Armis leads on breadth (all environments), Claroty leads on depth (pure OT/ICS environments). Nozomi Networks (San Francisco, founded 2013) was acquired by Mitsubishi Electric in September 2025 for an implied valuation of ~$800M, ending its independent trajectory. Prior to acquisition, Nozomi had $75M in revenue (~$266M raised) with ~390 employees, particularly strong in energy, oil/gas, and utilities. Post- acquisition, Nozomi is embedded in Mitsubishi's OT ecosystem and may gain distribution through Mitsubishi's industrial customer base, but its strategic independence and development velocity are uncertain. The acquisition reduces the independent competitive threat while potentially increasing Nozomi's reach in industrial verticals through OEM/channel. Dragos (Washington DC, founded 2016) is the clear OT threat intelligence leader: $154M revenue (2024), $439M total funding at a $1.7B valuation, 566-609 employees, and a 2026 Gartner MQ Leader distinction. Dragos differentiates on threat intelligence (OT-specific playbooks, sector-specific threat groups like CHERNOVITE and VOLTZITE), incident response services, and deep expertise in electric, oil/gas, manufacturing, and water sectors. Dragos was critiqued in the 2026 Gartner report for limited reach outside North America and channel-partner coverage gaps — the company is actively addressing this with a pure-channel GTM strategy. Dragos acquired Network Perception in 2024 to add network security policy management capabilities.

3.3 Incumbents and Adjacent Competitors

Forescout Technologies (Campbell, CA) is the incumbent network access control (NAC) and device visibility vendor, acquired by Advent International (PE) for $1.9B in 2020. Forescout reported strong FY2025 results: 230+ new customers, 58 deals over $1M, 91% gross dollar retention, revenue growth >25% in financial services and >24% in healthcare, and the company exceeded the Rule of 40 for the third consecutive year. Forescout's ~1,200 employees and estimated $300-500M revenue make it larger than Armis at the time of acquisition, but its architecture (on-premises NAC, agent-based for some use cases) is less cloud-native than Armis. Forescout competes through existing enterprise NAC relationships, channel distribution, and asset visibility capabilities added via its eyeSight and eyeInspect products. Forescout was recognized as a Market Leader in CPS Security at the Global InfoSec Awards (2025/2026) and a Niche Player in the Gartner MQ. Microsoft Defender for IoT is the most significant platform consolidation threat. It is available to organizations with Microsoft 365 E5/Security and Azure Defender for Cloud licensing at minimal incremental cost — effectively free within the Microsoft enterprise agreement. The capability set is less comprehensive than Armis for heterogeneous OT environments (particularly non-Microsoft protocol stacks and proprietary industrial protocols), but for Microsoft-first enterprise IT environments, the bundling price pressure is severe. Microsoft has made the ServiceNow acquisition of Armis a partial mitigant — Armis can now be bundled into ServiceNow enterprise agreements and positioned as the OT/IoT layer complementary to Microsoft's IT-centric visibility. Tenable OT Security (formerly Indegy, acquired by Tenable in 2019) offers vulnerability-centric OT discovery and risk management, benefiting from Tenable's established IT vulnerability management customer base. Tenable is a public company (TENB, ~$5.3B market cap), giving it financial permanence but making it slower to innovate. Tenable OT competes more on vulnerability scoring and integration with Tenable.sc/ Tenable.io than on real-time threat detection, making it a frequent co-deployment with Armis (vulnerability management + asset intelligence) rather than a pure displacement competitor. Palo Alto Networks (PANW) integrates IoT Security as a module of its XSIAM/SASE platform, competing through firewall-native enforcement and Prisma SD-WAN — a coverage advantage Armis lacks (Armis detects but cannot block inline).

3.4 Differentiation and Switching Costs

Armis's primary differentiators versus direct peers are: (1) Breadth — the largest proprietary device knowledge base covering 7B+ devices across IT, OT, IoT, and IoMT (including physical AI and cloud assets); (2) Architecture — agentless, cloud-native, passive monitoring with no SPAN/TAP required for IT assets (Wi-Fi and BLE radio-frequency monitoring); (3) Platform expansion — Centrix now includes CAASM, VMDR, healthcare IoMT security, and OT security in a single platform; and (4) ServiceNow integration — post- acquisition, Armis workflows can be embedded into ServiceNow ITSM/SOAR, creating distribution through ServiceNow's 8,000+ enterprise customers. Switching costs are high in this market. A full platform migration requires rebuilding the asset database (typically 3-6 months of passive learning in large environments), redeploying detection policies and alert thresholds, re-establishing integrations with SIEM/SOAR/ticketing systems, retraining SOC analysts, and re-baselining OT network behavior. These switching costs create meaningful net revenue retention advantage for the incumbent platform. PeerSpot and independent reviews note that both Armis and Claroty customers rate switching as a high-friction process, particularly in industrial environments where re-deployment requires change management and maintenance window coordination. Multi-homing is common at the enterprise level: organizations frequently deploy one vendor for OT/ICS environments (often Claroty or Dragos for depth) and a second for IT/IoT/enterprise (often Armis), creating co-existence rather than pure displacement. This multi-homing pattern is both a risk (slower full-platform adoption) and an opportunity (land with one use case, expand to others).

3.5 Commoditization Risk and Displacement Threats

The primary commoditization risk is the convergence of asset discovery capabilities across the vendor set. As Armis, Claroty, Nozomi, Forescout, and Microsoft all expand their device knowledge bases, the asset discovery/inventory use case is commoditizing — differentiation is shifting toward threat intelligence depth, compliance reporting, SOAR integration, and enforcement capability. Armis's 7B-device knowledge base is a current moat but is not a permanent one if competitors invest aggressively in protocol libraries and AI-driven device fingerprinting. The Microsoft bundling risk is the most adverse near-term threat. Microsoft's inclusion of Defender for IoT in enterprise agreements creates a "good-enough" option for IT-centric organizations. Gartner analyst Dale Peterson noted that Gartner's OT Visibility MQ category framing does not fully capture the distinction between pure-OT security (where Armis has less depth than Claroty/Dragos) and IT/IoT convergence (where Armis leads). Organizations with primarily IT/enterprise IoT exposure may consolidate on Microsoft rather than purchasing Armis — a displacement vector that the ServiceNow acquisition partially mitigates via ecosystem positioning. Dragos's limited North American focus (critiqued by Gartner 2026) and Nozomi's loss of independence (Mitsubishi acquisition) are adverse signals for the pure-play OT segment: this consolidation benefits Armis and Claroty, but also signals that the standalone CPS platform market may consolidate further through acquisition or platform bundling in the next 2-3 years. The 2025-2026 acquisition wave (Nozomi by Mitsubishi, Armis by ServiceNow, partial OTORIO integration) suggests the market is entering a consolidation phase that benefits scale players.

3.6 Exhibits

4.1 Revenue Streams and Pricing Model

Armis generates revenue almost entirely through SaaS subscriptions on the Centrix platform. The core licensing model is asset-count-tiered: enterprises pay per block of managed devices ($26,000–$50,000 per block across 500–9,999 assets) or per network port ($3,100–$3,500) for agentless network discovery deployments. Add-on modules — Armis AI risk scoring, threat intelligence feeds, and CAASM capabilities — are sold as incremental subscriptions layered on the base platform. Professional services (implementation, integration, and custom configuration) are estimated to account for less than 10% of revenue, consistent with Armis's partner-led deployment model. The MSSP and channel segment is growing, driven by the January 2026 Armis Select Partner Program. Revenue recognition follows ratable SaaS treatment for annual and multi-year contracts; deferred revenue and professional services delivery timing create a likely gap between ARR and recognized GAAP revenue, though no specific ARR-to-revenue reconciliation has been published.

4.2 Go-to-Market Motion and Sales Efficiency

Armis sells primarily through a direct enterprise motion for large-scale deals in OT, healthcare, and government verticals, where sales cycles range from 6 to 18 months due to proof-of-concept requirements, multi-stakeholder approvals, and compliance reviews. The company has invested heavily in building a global system integrator (GSI) ecosystem, including co-sell and implementation partnerships with Accenture, KPMG, Deloitte, PwC, and cloud hyperscalers AWS and Google. In January 2026, Armis launched the tier-free Armis Select Partner Program, replacing volume-based partner tiers with outcome-oriented and engagement-based incentives. This structural shift is designed to lower onboarding friction for MSSPs and smaller specialized partners, expanding indirect distribution without proportional direct S&M overhead. Customer acquisition cost and CAC payback remain undisclosed; industry proxies for enterprise cybersecurity SaaS suggest payback periods of 12–24 months at comparable deal sizes. The revenue split between direct and indirect channels has not been disclosed.

4.3 Cost Structure and Margin Drivers

Armis's cost structure is consistent with an engineering-intensive, cloud-native SaaS company with a heavy enterprise sales overlay. Gross margin is not disclosed but estimated at 70–80% based on SaaS cybersecurity peer benchmarks (CrowdStrike, Zscaler, Claroty). Cloud infrastructure, data ingestion processing for 7 billion tracked devices, and customer success headcount are the primary cost-of-goods-sold components. R&D is estimated at 25–35% of ARR ($75–105M in FY2025), reflecting three acquisitions in 13 months plus a sustained internal roadmap. Sales and marketing spend likely runs 50–70% of revenue based on enterprise SaaS benchmarks and Armis's aggressive direct-sales team build. Armis employs approximately 950 staff (52% US, 29% Israel), a distribution consistent with a commercial-heavy US operation supported by an Israeli R&D center. The March 2025 OTORIO integration resulted in 45 of 80 OTORIO employees being eliminated — a deliberate cost rationalization that signals management's willingness to prioritize financial discipline over headcount preservation post-acquisition.

4.4 Capital Adequacy and Financing History

Armis completed three external capital rounds in 18 months: a $200M growth round at $4.3B valuation (October 2024), a $100M employee secondary at $4.5B (July 2025), and a $435M pre-IPO round at $6.1B (November 2025) led by Goldman Sachs Alternatives with CapitalG and Evolution Equity participating. Total disclosed capital raised across all rounds is approximately $1.17B. The November 2025 round was intended to fund the path to $500M ARR at cash-flow positive status ahead of a 2026 IPO; that path was superseded by the ServiceNow acquisition. ServiceNow acquired Armis for $7.75B in all-cash consideration (a ~27% premium over the last round valuation), financed through cash on hand and a $4B unsecured term loan from JPMorgan Chase. The transaction closed April 19, 2026. As a wholly owned ServiceNow subsidiary, Armis's standalone runway and financing dependency are resolved; capital adequacy is now governed by ServiceNow's $180B+ public company balance sheet. The $7.75B acquisition price implies approximately a 22x ARR multiple on $340M+ ARR — a premium to 2025 public market cybersecurity comparables (15–18x) but reflective of Armis's hypergrowth trajectory and platform differentiation.

4.5 Financial Gaps and Verdict

Armis's status as a private company throughout its operating history means that no audited GAAP financial statements are publicly available. Key undisclosed metrics include gross margin, NRR, GDR, customer acquisition cost, CAC payback period, operating loss, free cash flow, and the ACV distribution of its customer base. The CEO's public commitment to cash-flow positive status prior to IPO is a positive signal, but the three-acquisition M&A strategy in FY2024–FY2025 suggests negative FCF through at least mid-2025. ARR-based metrics are Armis's primary public financial currency; whether ARR quality is supported by high NRR, durable contract duration, and low churn is unverifiable from public data alone. The $7.75B acquisition at approximately 22x ARR, endorsed by institutional investors including Goldman Sachs and CapitalG, is the strongest available signal of revenue quality. Post-acquisition, Armis's financials will be embedded in ServiceNow's segment reporting, further reducing standalone financial visibility. The primary diligence verdict: revenue momentum and growth quality are compelling; structural financial opacity is the decisive limiting factor for any independent financial assessment.

4.6 Exhibits

5.1 Platform Definition and Customer Workflow

Armis Centrix addresses the core enterprise security problem of asset visibility: organizations cannot protect devices they cannot see, and traditional endpoint agents miss OT controllers, medical equipment, smart building systems, and unmanaged IoT, leaving 30 to 60 percent of enterprise attack surfaces invisible to security teams. Armis solves this by passively monitoring all network traffic using SPAN and mirror ports, fingerprinting every communicating device without installing software or disrupting operations. The customer workflow begins with deployment of Armis sensors (physical or virtual appliances) at network aggregation points. Within hours, Centrix discovers and classifies every asset in scope, building a live CMDB-enriched inventory. Security teams then consume alerts, risk scores, and remediation workflows through the Centrix console or integrated SIEM, SOAR, and ITSM tools, prioritizing response by business impact rather than raw signal volume. For OT environments including manufacturing, utilities, oil and gas, and critical infrastructure, Centrix decodes 500-plus industrial protocols including Modbus, DNP3, BACnet, Siemens S7, OPC-UA, and PROFINET, enabling behavioral baselining of PLCs, SCADA systems, and industrial controllers without disrupting production cycles. In healthcare, the IoMT module adds FDA and HIPAA-mapped clinical impact scoring so biomedical engineers and security teams can triage infusion pumps, imaging systems, and ventilators by patient risk rather than raw CVSS scores. The unifying customer promise is continuous, comprehensive asset intelligence without operational disruption or deployment friction, making Centrix the authoritative source of truth for every connected device in the enterprise environment. This positions Armis in the Gartner-defined CPS Protection Platforms market as the broadest single-platform option spanning IT, OT, IoT, and IoMT simultaneously in one cloud instance.

5.2 Technical Architecture and Operating Model

The Armis Centrix architecture consists of three logical tiers: collection, intelligence, and action. At the collection tier, Armis sensors (software-defined virtual appliances deployable on commodity x86 hardware, VMware, AWS, or Azure VMs) connect to SPAN ports or network taps and capture raw traffic metadata. The sensors perform local pre-processing and encryption before transmitting only metadata, not packet payloads, to the Armis cloud, preserving network performance and addressing data-residency concerns. For air-gapped OT environments, the OTORIO Titan on-premises platform captures and processes data locally with a secure periodic sync to Centrix cloud analytics, though this integration is still in progress as of H1 2026. At the intelligence tier, the Armis Asset Intelligence Engine, a proprietary AI and ML data lake, correlates captured metadata against a continuously updated knowledge base of 7 billion or more device behavioral fingerprints, vulnerability associations, and threat intelligence feeds to classify, score, and profile each asset. The engine applies deep packet inspection across 500-plus OT and IoT protocols using purpose-built protocol decoders, enabling it to identify firmware versions, communication patterns, and anomalous behavior in Siemens S7, Modbus, DNP3, BACnet, OPC-UA, and PROFINET without disturbing operational traffic. The AI models, augmented by CTCI acquisition IP from February 2024 and Silk Security risk prioritization logic from April 2024, score each asset on a multi-dimensional risk index that accounts for vulnerability criticality, asset business value, exposure context, and threat actor relevance. At the action tier, Centrix exposes REST API v3 and 200-plus pre-built connectors to SIEM, SOAR, ITSM, EDR, NAC, CMDB, and cloud platforms. Remediation actions such as quarantine, ticket creation, and firewall policy push flow through these integrations rather than through Armis directly, preserving the platform's passive and non-intrusive architecture. The Python SDK (armis-sdk on PyPI) and the Armis Developer Portal at developers.armis.com extend the platform for custom integrations and automated workflows.

5.3 Deployment, Integration, and Roadmap

Armis Centrix supports three deployment modes: full cloud-native SaaS on AWS (US-East, US-West, EU-West); hybrid, where sensors are on-premises and analytics is cloud-based; and air-gapped on-premises via OTORIO Titan for classified or isolated OT environments. Federal deployments run on AWS GovCloud through Armis Federal LLC, the dedicated federal subsidiary established to hold FedRAMP and DoD authorizations separately from commercial operations. FedRAMP Moderate and DISA IL4 were achieved in 2023; DoD IL5 was authorized on February 23, 2026, enabling classified workloads up to SECRET level. FedRAMP High authorization is in process as of H1 2026 with a company-committed target of H2 2026. Deployment complexity varies by environment: cloud SaaS deployments can be operational within days for IT-only use cases; OT and healthcare deployments typically require 4 to 12 weeks for sensor placement, protocol tuning, and policy configuration, often supported by Armis-certified integrators including Accenture, Deloitte, and KPMG. The Armis Select Partner Program, launched in January 2026, replaced tiered partner tiers with outcome-based incentives, reducing MSSP and regional integrator onboarding friction. Integration maturity is a key differentiator: 200-plus pre-built connectors and native ServiceNow integration reduce the implementation burden for enterprise customers already invested in ITSM and SIEM ecosystems. The roadmap as of H1 2026 includes: FedRAMP High completion targeted H2 2026; Centrix for Application Security general availability with SDLC integration launched in 2025 and in early adoption; OTORIO Titan on-premises integration with Centrix cloud analytics currently in progress and partially complete; and deeper ServiceNow ITSM, SAM, and HAM workflow embedding following the April 2026 acquisition close. The three acquisitions of CTCI in February 2024, Silk Security in April 2024, and OTORIO in March 2025 each added roadmap surface area and integration workstreams that compete for engineering bandwidth with the core platform release cadence.

5.4 Differentiation and Competitive Moat

Armis's primary competitive moat rests on four reinforcing pillars. First, the agentless passive architecture: Centrix requires no software installation, no active scanning, and no network disruption, a critical differentiator for OT and healthcare environments where device owners prohibit agent installation and active scanning can trigger safety shutdowns or equipment malfunctions. No major CPS protection platform claims 100 percent passive operation across IT, OT, IoT, and IoMT simultaneously; Claroty and Nozomi require SPAN and TAP infrastructure for OT but do not extend native passive coverage to enterprise IT without additional tooling. Second, the proprietary device knowledge base: with 7 billion or more behavioral fingerprints accumulated over nine years across enterprise, OT, healthcare, and government customer environments, Armis has the largest proprietary device intelligence asset in the CPS security market by its own claim. This data flywheel, where every new deployment adds fingerprints that improve classification accuracy for all customers, creates a compounding accuracy advantage over competitors building their libraries from scratch or from open-source sources. Third, OT, IT, and IoT convergence in a single platform: competitors either specialize (Dragos for OT threat intelligence; Claroty for OT protocol depth) or generalize without depth (Microsoft Defender for IoT in non-Azure environments). Centrix is the only platform addressing all three attack surface types in a single cloud-native instance. Fourth, ecosystem depth: 200-plus pre-built integrations, the ServiceNow native integration enabling workflow automation for 8,100-plus ServiceNow enterprise customers, and the AI-powered risk prioritization from Silk Security IP (claiming approximately 90 percent reduction in analyst triage time) collectively lower the operational overhead of running Centrix at enterprise scale. The Early Warning System, combining dark web intelligence monitoring, dynamic honeypot deception, and threat actor modeling, adds proactive threat hunting capability that most CPS platform competitors do not offer natively. Post-ServiceNow acquisition, Armis gains distribution leverage through the ServiceNow enterprise agreement and platform ecosystem.

5.5 Trust, Compliance, and Quality Controls

Armis holds a comprehensive compliance portfolio spanning commercial, federal, and international standards. On the federal side, FedRAMP Moderate from 2023 and DISA IL4 from 2023 cover US federal civilian and DoD non-classified workloads; the DoD IL5 authorization issued by DISA on February 23, 2026 permits processing of Controlled Unclassified Information and National Security Systems data, a requirement for most DoD and intelligence community deployments; and FedRAMP High is in process with an H2 2026 target. For commercial and international compliance, Armis holds SOC 2 Type II covering security, availability, and confidentiality trust service criteria; ISO 27001 for information security management; and ISO 27018 for cloud personal data protection. The UK Government G-Cloud-14 listing enables UK public sector procurement of Armis Centrix without a separate tender process. The platform's passive-only architecture provides a structural privacy and safety advantage: because Centrix captures only metadata and never injects traffic, it cannot disrupt OT device operation, exfiltrate packet payloads, or cause network storms, a trust guarantee that active-scanning alternatives cannot match. Data in transit is encrypted using TLS 1.3 and data at rest uses AES-256 encryption. Role-based access controls, SSO and SAML integration, and audit logging are standard platform features. For healthcare deployments, the IoMT module maps findings to HIPAA Security Rule controls and FDA cybersecurity guidance for medical devices published in the 2023 final rule. Armis provides 24/7 enterprise support, a public status page, and defined SLAs for critical vulnerability intelligence delivery. The Early Warning System provides advance intelligence on novel threat actor campaigns targeting asset classes present in customer environments, enabling proactive patching and network segmentation before exploitation events occur.

5.6 Exhibits

6.1 Customer Base Segmentation

Armis Security's customer base is concentrated in large enterprises operating complex, heterogeneous network environments spanning traditional IT, operational technology (OT), and Internet of Things (IoT) devices. The company's most penetrated verticals are Healthcare (IoMT security and clinical device management), Manufacturing and Industrial (OT/ICS asset visibility and security), Energy and Utilities (critical infrastructure protection), Federal Government (FedRAMP Moderate and DoD IL5 deployments), Financial Services, Education, and Telecommunications. Geographically, Armis is US-first — approximately 52% of its workforce is US-based, reflecting its primary customer concentration — with a growing presence in EMEA and APAC. The buyer profile is predominantly the enterprise CISO and VP of IT Security at organizations with 1,000+ employees; however, TrustRadius data confirms deployments in districts as small as 1,500 employees (East Moline School District 37). Deal size skews large: Fortune 500 and Global 2000 companies represent the highest-priority customer segment, evidenced by nine Fortune 10 companies and 35+ Fortune 100 companies in the active customer base. The product is sold almost exclusively as an enterprise SaaS subscription, with 1-3 year contracts typical. Channel and partner coverage spans 200+ technology integrations including Microsoft, Cisco, Palo Alto Networks, and Elisity, which uses the Armis Centrix API for policy enforcement in its microsegmentation platform.

6.2 Adoption Trajectory and Growth Metrics

Armis's adoption trajectory is among the strongest in the cyber-physical systems (CPS) security market. The company disclosed ARR milestones of $200M in August 2024 and $300M in August 2025 — representing exactly 50% YoY growth in a 12-month period — and internally exceeded $340M ARR by December 2025 following the close of its $435M Series E funding round at a $6.1B valuation. The company tracks more than 7 billion devices globally across its customer fleet, a number that functions as a proxy for platform utilization and network breadth. Gartner named Armis a Leader in the Magic Quadrant for Cyber-Physical Systems Protection Platforms in both 2025 and 2026, confirming increasing market recognition and enterprise adoption. The Series E funding and subsequent $7.75B ServiceNow acquisition (April 2026) serve as external validation of customer base quality and growth trajectory. The company also achieved FedRAMP Moderate authorization, unlocking federal civilian agency procurement channels, and DoD Impact Level 5 (IL5) authorization in February 2026, enabling classified-adjacent federal deployments through a dedicated Armis Federal LLC subsidiary. ARR from the federal segment is growing but undisclosed as a separate line item.

6.3 Named Customer Proof and Outcomes

Armis publishes a substantial library of case studies and third-party reviews. Named production deployments include East Moline School District 37 (1,500 employees, K-12 education), which deployed Armis for asset tracking, rogue device blocking, and traffic analysis — a TrustRadius reviewer from this organization described the product as having "saved incalculable time" on network analysis and confirmed production use. A Head of Cyber Defense Center at an IT services firm (under $50M revenue) gave a 4.0/5 on Gartner Peer Insights, specifically praising Armis's agentless architecture and Security Risk Assessment (SRA) capabilities in a highly regulated environment. PeerSpot reviewers from manufacturing contexts confirmed production OT/IT security deployments with emphasis on asset discovery and vulnerability identification. At the top of the market, nine of the Fortune 10 companies and more than 35 Fortune 100 organizations are Armis customers, though these are disclosed as aggregate metrics rather than named references with outcome data. Armis's technology partner Elisity publicly uses the Armis Centrix API in production for microsegmentation policy enforcement. The OTORIO acquisition (March 2025) added OT-native capabilities and presumably brought OT customer references, though these are not yet surfaced as public case studies. Healthcare (IoMT) customers are referenced in Armis marketing materials with clinical impact scoring claims, but no independently verified named healthcare case studies were located.

6.4 Retention, Satisfaction, and Durability

Armis does not publicly disclose Net Revenue Retention (NRR) or Gross Revenue Retention (GRR), which are standard private-company opaque metrics. Indirect indicators are strongly positive: a company-reported Net Promoter Score (NPS) of 70 is classified as "excellent" by NPS benchmarking standards (>50 threshold). G2 shows a 4.5-star rating from 12 reviews as of late 2025. TrustRadius reviewers generally recommend Armis strongly. Armis notes bi-weekly onboarding calls as part of its customer success motion, suggesting active post-sales engagement. Adverse retention signals exist but are isolated. A Gartner Peer Insights review posted in December 2025 from a reviewer at a $30B+ manufacturing company rated Armis 3.0/5, citing limitations in OT-specific alert customization and noting that "OT-specific options remain behind" competitor offerings. PeerSpot reviewers flagged occasional platform instability with the phrase "not completely stable, sometimes incidents may occur." Contract duration for enterprise SaaS is typically 1-3 years, which provides near-term revenue durability but also creates renewal decision windows. The OTORIO acquisition is expected to address OT-specific gaps that surfaced in adverse reviews.

6.5 Expansion Dynamics and Concentration Risk

Armis operates a land-and-expand model in which customers typically begin with one product module — most commonly CAASM (Cyber Asset Attack Surface Management) or IoT Security — and subsequently add modules including OT Security, Healthcare Security (IoMT), Vulnerability Management and Detection Response (VMDR), and Early Warning (threat intelligence). Module expansion is the primary ARR growth driver within the existing installed base, complementing new logo acquisition. The ARR increase from $200M to $300M in 12 months implies meaningful expansion revenue, though Armis has not segmented expansion vs. new logo ARR. Customer concentration risk is real but nuanced. Nine of the Fortune 10 being customers is a strong logo validation story but also a brand concentration risk — any public dissatisfaction or churn from this cohort would be disproportionately visible. No single customer appears to constitute a material revenue concentration given the breadth of the Fortune 100 customer base. Channel concentration risk has shifted with the ServiceNow acquisition: Armis is now a ServiceNow business unit, and future distribution will increasingly route through ServiceNow's enterprise sales force. This introduces risk that ServiceNow's own IT workflow customers may be steered toward native ServiceNow security capabilities rather than Armis-specific modules. New verticals — Application Security (2025) and Automotive — represent expansion bets that widen the addressable customer set.

6.6 Exhibits

7.1 Risk Severity Ranking and Overview

Armis Security enters the ServiceNow integration phase with a risk profile elevated relative to a standalone pre-IPO company. The three primary risk clusters — integration execution, regulatory compliance, and competitive OT displacement — are interlinked: integration delays erode engineering focus, which degrades product quality and creates conditions for regulatory non-compliance and customer churn. The $7.75B acquisition at approximately 23x trailing ARR creates a goodwill impairment risk if ARR growth decelerates materially. Severity ranking by expected residual impact: (1) Integration execution risk — highest severity given three acquisitions in 13 months (CTCI February 2024, Silk Security $150M April 2024, OTORIO $120M March 2025) with documented OTORIO layoffs of 45 of approximately 80 employees within days of acquisition close, introducing OT Titan code-base fragmentation; (2) Regulatory and compliance risk — FedRAMP High authorization is in process and any delay blocks DoD expansion, while GDPR enforcement risk is non-trivial given EU-deployed telemetry sensors; (3) Competitive OT depth risk — Gartner Peer Insights received a 3.0/5 review from a $30B+ manufacturer in December 2025 citing OT alert gaps, signaling Claroty and Dragos may displace Armis in industrial OT verticals; (4) ServiceNow dependency risk — Armis now operates as a business unit with ServiceNow controlling roadmap and capital allocation; (5) Financial model risk — no disclosed NRR, GRR, or burn rate creates diligence opacity. Investment implication: this is a high-growth platform with strong compliance moats, but risk-adjusted returns depend on integration execution fidelity, OT gap closure, and founder retention through the integration window. [CR001, CR002, CR003, CR004, CR005, CR006]

7.2 Regulatory and Legal Risks

Armis faces multi-jurisdictional regulatory exposure across U.S. federal, EU, and sector-specific frameworks. In the United States, FedRAMP Moderate authorization is maintained and DoD Impact Level 5 (IL5) was achieved in February 2026 through Armis Federal LLC. FedRAMP High — required for the most sensitive DoD and intelligence community contracts — remains in process. Denial or prolonged delay would cap the federal addressable market and could trigger attrition from DoD agencies requiring High authorization. DISA requires ongoing continuous monitoring compliance, creating annual recertification obligations. In the EU, Armis must comply with GDPR for device telemetry data collected by agentless sensors deployed within EU customer networks. Article 28 Data Processing Agreements (DPAs) are required with all EU customers. The EU NIS2 Directive (in force October 2024) creates compliance obligations for Armis's EU customers in critical infrastructure sectors (energy, healthcare, transport) and obligates Armis as a vendor to document its security practices. CISA ICS advisories and NIST NVD CVE disclosures create ongoing vulnerability disclosure obligations for Armis as an OT security vendor. A NIST NVD search shows no critical platform CVEs in Armis as of May 2026, but OTORIO integration code introduces new potential exposure. From a legal standpoint, Armis's Privacy Policy and Legal Compliance pages confirm GDPR, CCPA, SOC 2 Type II, and ISO 27001 postures. The ServiceNow S-4/A registration statement provides the most complete public disclosure of representations and warranties related to data processing, IP indemnification, and litigation exposure assumed during the acquisition. [CR009, CR010, CR011, CR012, CR013, CR014]

7.3 Operational and Technology Risks

Armis's SaaS architecture is hosted on AWS (commercial) and AWS GovCloud (federal) with no publicly disclosed multi-cloud or hybrid failover strategy. An extended AWS GovCloud outage could cause Armis platform unavailability for federal customers, triggering SLA penalties and potential FedRAMP non-compliance. AWS GovCloud is a premium-priced, compliance-driven environment with limited geographic redundancy relative to commercial AWS regions. The OTORIO acquisition introduced the Titan on-premises air-gapped OT platform as a separate code base that must be maintained in parallel with Armis Centrix. The integration of Titan air-gapped OT capabilities into Centrix was in progress as of H1 2026. Integration complexity is elevated by the March 2025 layoff of 45 of approximately 80 OTORIO employees, reducing the experienced OT engineering bench. A Gartner Peer Insights review from a $30B+ manufacturer in December 2025 rated Armis 3.0/5 and cited that OT-specific options remain behind competitors, confirming OT feature depth as a persistent operational risk. PeerSpot reviewers noted occasional platform instability. The 200+ third-party integration ecosystem creates API dependency risk; if Splunk, Microsoft Sentinel, or CrowdStrike changes API contracts, affected integrations could disrupt customer security workflows. Armis has no manufacturing dependencies (100% software), limiting supply chain risk. Labor risk is moderate: cybersecurity engineering talent is highly competitive, and ServiceNow culture integration could trigger attrition among Armis's Israeli engineering team. [CR016, CR017, CR018, CR019, CR020, CR021]

7.4 Partner, Dependency, and Concentration Risks

The ServiceNow acquisition has fundamentally restructured Armis's dependency landscape. Pre-acquisition, Armis depended on venture capital for growth capital; post-acquisition, it depends on ServiceNow for strategic direction, GTM resources, product roadmap prioritization, and integration investment. ServiceNow's enterprise software priorities may not perfectly align with Armis's cybersecurity product roadmap, and pricing, packaging, and go-to-market decisions will be influenced by ServiceNow's broader ITSM and platform strategy. AWS GovCloud dependency is the most critical infrastructure concentration risk. Armis's FedRAMP and DoD IL5 authorizations are scoped to AWS GovCloud; migrating to another cloud provider would require re-authorization taking 12-24 months, limiting negotiating leverage with AWS. Customer concentration risk is elevated: nine of the Fortune 10 use Armis, meaning adverse events affecting even a subset of these high-profile customers could generate disproportionate brand and revenue impact. The 200+ integration partner ecosystem creates dependency on API stability from Splunk, Microsoft, CrowdStrike, and Palo Alto. The Elisity technology partnership confirms production API integration usage but also illustrates that Armis API changes could break downstream partner products for shared customers. [CR023, CR024, CR025, CR026, CR027, CR028]

7.5 Financial Model Risks and Mitigations

ServiceNow paid $7.75B for Armis, implying approximately 23x trailing ARR based on $340M ARR as of December 2025. This creates goodwill impairment risk: if ARR growth decelerates or integration synergies fail to materialize, ServiceNow will face pressure to write down a portion of the acquisition premium. Total capital raised exceeded $1.17B (seed through Series E at $435M), meaning existing investor return expectations were priced into the acquisition. No publicly disclosed burn rate, EBITDA margin, or GAAP net income exists for Armis. Customer churn risk is unquantifiable without NRR or GRR. The absence of these metrics is an adverse signal; well-performing SaaS companies typically disclose NRR to validate land-and-expand efficiency. Stock-based compensation burden on GAAP profitability post-acquisition is unknown as ServiceNow has not separately disclosed Armis segment financials. Key mitigations: $300M+ ARR at 50%+ YoY growth provides revenue durability; FedRAMP and IL5 certifications create switching-cost moats in the federal segment; Gartner Leader status in 2025 and 2026 MQ creates a referenceable market position; ServiceNow's $28B+ annual revenue provides a deep-pocketed parent to fund extended platform investment. Thesis-break triggers: (1) NRR below 110% upon post-acquisition financial disclosure; (2) OTORIO Titan integration delayed past Q3 2026 with persistent OT depth gap reviews; (3) FedRAMP High denied or delayed beyond 18 months; (4) CEO Yevgeny Dibrov or CTO Nadir Izrael departure within 12-18 months of acquisition close; (5) ServiceNow reports Armis-related goodwill impairment charge. Monitoring indicators include ServiceNow quarterly earnings commentary on Armis ARR, the FedRAMP authorization registry for High status, Gartner Peer Insights score trajectory, and LinkedIn headcount velocity for the Armis engineering team. [CR029, CR030, CR031, CR032, CR033, CR034]

8.1 Investment Thesis and Recommendation

Armis Security's investment thesis rests on four converging pillars: (1) a decade-long secular growth market in cyber-physical systems (CPS), OT, and IoT security projected to exceed $25B by 2028; (2) platform leadership evidenced by Gartner Magic Quadrant Leader positions in 2025 and 2026, a 7-billion-device knowledge base, and the only agentless platform covering IT, OT, IoT, and IoMT in a single console; (3) enterprise customer density, including 9 of the Fortune 10 and 35+ Fortune 100 customers with an NPS of approximately 70; and (4) explosive ARR growth from $200M (August 2024) to $300M (August 2025) exceeding 50% YoY with trajectory toward $340M+ at acquisition announcement. The recommendation for the ServiceNow acquisition is Fair Value at Acquisition Price — the $7.75B all-cash price at ~23x trailing ARR is fully justified given growth velocity, customer quality, and platform positioning, though it leaves limited margin of safety if integration execution underperforms. Confidence is high for the market and product pillars; medium for the financial pillar given absence of NRR and GAAP profitability disclosure. Risk rating is Medium-High driven primarily by integration execution risk (three acquisitions in 13 months), OT depth gap flagged in Gartner Peer Insights, and Microsoft Defender for IoT competitive pressure in SME. Anti-thesis signals include: the acquisition announced four weeks after a $6.1B funding round (suggesting acquisition outreach may have pre-dated the round), OTORIO workforce reduction of 45 of 80 employees creating OT engineering bench risk, and no public disclosure of NRR creating opacity in churn risk assessment. The acquisition thesis holds if ServiceNow preserves ARR growth above 30% YoY through ITSM distribution synergy, integrates OTORIO Titan OT capabilities by Q3 2026, and retains founding engineering leadership through the integration window. Target return on the ServiceNow investment is 15-20% IRR in a bull case over a three-to-five-year horizon through platform revenue contribution; the fair value hold is predicated on Armis becoming ServiceNow's security anchor contributing $700M+ ARR by 2027-2028. [CV001, CV002, CV003, CV004, CV005, CV006]

8.2 Valuation Context and Financing History

ServiceNow announced the acquisition of Armis Security for $7.75B all-cash on December 22, 2025, with the transaction closing April 19-20, 2026. The acquisition price implies approximately 22.8x trailing ARR based on the company's estimated $340M ARR at announcement, extrapolated from the $300M ARR milestone reported in August 2025 and the 50%+ YoY growth trajectory. Armis's last private financing was a $435M Series E at $6.1B valuation, closed in November 2025 — just four weeks before the acquisition announcement — with Goldman Sachs Alternatives leading. The $7.75B acquisition price represents a 27% premium to the Series E valuation, suggesting ServiceNow's acquisition outreach likely overlapped with the final funding round. Total disclosed funding across seven-plus rounds exceeded $1.17B, with investors including Google Ventures, CapitalG, Brookfield Asset Management, Goldman Sachs Alternatives, and Insight Partners. The 23x ARR multiple is consistent with premium SaaS companies growing at 40-50% ARR YoY in a durable secular market: CrowdStrike trades at approximately 21x ARR on $3.3B+ ARR (>30% YoY), confirming that large-scale, high-growth cybersecurity platforms command 20-25x ARR in public markets. Public SEC filings including the ServiceNow 8-K disclosures and S-4/A registration statement provide the most complete publicly available financial representations and warranties associated with the transaction, though Armis-specific segment financials were not separately disclosed. Dilution and preference overhang from $1.17B+ in cumulative funding across preferred share tranches will flow through the acquisition waterfall; no liquidation preference analysis has been publicly disclosed. Entry discipline for any ServiceNow investor evaluating the acquisition value creation requires tracking Armis ARR contribution in quarterly earnings commentary and watching for integration cost charges in operating expense lines. [CV001, CV002, CV003, CV004, CV005, CV006]

8.3 Bull, Base, and Bear Scenarios

Three scenario cases bound the range of outcomes for ServiceNow's $7.75B acquisition of Armis. The bull case assumes Armis reaches $700M ARR by 2027 via ServiceNow's 8,000-person enterprise sales force, aggressive cross-sell into the 7,700+ ServiceNow customer base, and successful OTORIO integration opening new industrial OT contracts in energy, utilities, and manufacturing. At 15x forward ARR on $700M, the implied platform value is $10.5B — a 35% upside to the acquisition price. This requires ARR growth to reaccelerate from 50% to 60%+ in the 18 months post-close. The base case assumes $500M ARR by 2027 at 15-17x forward multiple, implying $7.5-8.5B in platform value — essentially in line with the acquisition price. This scenario assumes ServiceNow ITSM synergy delivers 20-30% revenue lift above standalone trajectory, OTORIO integration completes by Q4 2026, and Armis holds its Gartner MQ Leader position. The bear case assumes integration disruption stalls ARR at $300M, Microsoft Defender for IoT displaces Armis in mid-market, OT depth gap criticism accelerates Claroty or Dragos displacement in industrial verticals, and the ARR multiple compresses to 15x — implying $4.5B in value and a potential goodwill impairment charge for ServiceNow. Key downside triggers: NRR below 110% (indicating churn exceeds expansion), OTORIO Titan integration delay past Q3 2026 (confirming OT depth gap persistence), FedRAMP High authorization denied or delayed, or CEO/CTO departure within 18 months. The probability distribution skews base: ServiceNow's integration track record and Armis's Fortune 10 customer density provide durable downside support, but the three-acquisitions-in-13-months integration burden is the primary uncertainty anchor. [CV027, CV028, CV029, CV030, CV031, CV032]

8.4 Comparable Valuation and Market Benchmarks

Armis's ~23x trailing ARR acquisition multiple sits within the fair-value band for high-growth cybersecurity SaaS leaders, above mature public multiples but below private OT security peers. CrowdStrike — the clearest public comparable for high-growth, cloud-native security SaaS — trades at approximately 21x ARR on $3.3B+ ARR with 30%+ growth, providing a public market anchor for how investors value large, durable cybersecurity platforms at scale. Tenable, a slower growth vulnerability management incumbent at ~13% growth, trades at approximately 6.5x revenue, illustrating the severe multiple compression associated with decelerating growth. In the private OT security market, Claroty — Armis's closest direct competitor — raised at $3.5B on estimated $100M+ ARR, implying approximately 35x ARR; Nozomi Networks raised its Series E at $1.5B on an estimated $50M ARR, also implying approximately 30x ARR. Both private OT peers carry higher multiples on smaller revenue bases than Armis at acquisition, suggesting Armis's multiple is conservative relative to early-stage OT security market pricing. The $7.75B Armis multiple of ~23x ARR at $340M ARR (vs. Claroty at ~35x ARR at ~$100M ARR) reflects the expected multiple compression at scale — large ARR bases command lower multiples even at similar growth rates. IDC forecasts the CPS protection market at $25B+ by 2028 with 20%+ CAGR, confirming the TAM expansion supports premium valuation for the market leader. The Forrester Wave (Q4 2024) and dual Gartner MQ Leader credentials provide independent validation of platform positioning that justifies premium to the CrowdStrike comparable. [CV014, CV015, CV016, CV017, CV011, CV012]

8.5 Exit Readiness and Final Diligence Asks

Armis is now a wholly-owned ServiceNow subsidiary post-April 2026 close; traditional exit readiness analysis applies to ServiceNow investors evaluating whether the acquisition created value. For strategic buyers or future carve-out scenarios, the key exit readiness signals are positive on platform maturity (FedRAMP Moderate and DoD IL5 achieved, SOC 2 Type II and ISO 27001 maintained, Gartner Leader in 2025 and 2026) but incomplete on financial transparency (no NRR, GRR, GAAP metrics, or burn rate disclosed). The final diligence asks before confirming the thesis center on: (1) NRR and GRR disclosure in ServiceNow's next quarterly earnings call commentary on Armis, which would confirm whether land-and-expand efficiency matches the Fortune 10 density signal; (2) OTORIO Titan integration milestones and timeline from ServiceNow management, addressing the OT depth gap flagged in Gartner Peer Insights; (3) confirmation of CEO Yevgeny Dibrov and CTO Nadir Izrael retention packages and vesting lock-up schedules — founder departure within 18 months is a thesis-break trigger; (4) gross margin and GAAP operating margin disclosure to confirm path to profitability at scale; and (5) FedRAMP High authorization status update, which unlocks classified DoD and intelligence community contracts estimated at 2-3x the current federal TAM. Thesis-break triggers that warrant immediate re-evaluation: NRR below 110% upon first disclosure, more than two Fortune 100 customer losses within 12 months, OTORIO integration delay combined with a negative Gartner review update, FedRAMP High denied, or ServiceNow reporting a goodwill impairment charge related to the Armis acquisition. [CV023, CV024, CV025, CV026, CV037, CV039]