
The Case For and Against Palo Alto Networks Acquiring SentinelOne

A thought exercise about the strategic and financial rationale behind the speculation about Palo Alto Networks and SentinelOne.

Jul 29
M&A

Does it make sense for Palo Alto Networks to acquire SentinelOne?

That was the multi-billion dollar question many people were talking about last week after (speculative) reports came out about a potential deal.

And now we have another one, with WSJ and Reuters reporting a potential acquisition of CyberArk (right before I was about to hit publish!).¹

I normally wait until after deals are announced to do a detailed analysis. Both the SentinelOne and CyberArk reports had so much interest and would be so consequential (if either were to materialize) that it makes sense to explore now.

Even as the CyberArk report gains steam, there are some generalized factors here that apply to either scenario.

Consider these preliminary analyses to be a thought exercise.² Even if the reports are totally unfounded and/or a deal never materializes, it's still a helpful learning experience for us to analyze transactions of this scale.

Why?

Most of the take-private activity we've seen in cybersecurity so far has been private equity firms acquiring public companies. There have been acquisitions of public companies by strategic buyers, of course. Cisco-Splunk and Sophos-Secureworks are a couple of recent examples. They're far less common, though.

Disclaimers aside, here's the punch line: I wouldn't take these Palo Alto Networks/SentinelOne acquisition reports too seriously (yet). The combination of strategy and dollars for this isn't a clear "go" or "no-go."³

Let's walk through the case for and against the deal, starting with the reasons why it could happen.

The case for a deal

First off, I still think we have to consider SentinelOne as an option that's still on the table, even with qualified reports of a CyberArk acquisition.

In some ways, CyberArk makes the SentinelOne report more credible than it was on its own. There are now two signals of Palo Alto Networks having the appetite to do a transformative deal.

I agree with others that CyberArk makes a SentinelOne deal seem less likely — just that it shouldn't be written off yet either.

Neutralizing a top‑three rival in endpoint security and adding ~$1 billion of ARR is appealing, both strategically and financially.

Market leadership (commercially) in endpoint security is still just out of reach for Palo Alto Networks, despite good effort to date in building an offering and a good stretch of favorable analyst ratings.

Combine the market reality with ambitious long-term financial goals, strong financial metrics, and competitive pressure, and you can start to see why a large acquisition like SentinelOne could be on the table.

Let's dig in.

Market share consolidation

If this deal happens, market share consolidation is going to be one of the main reasons.

Even though endpoint security is one of the largest and most mature markets in cybersecurity, it's still highly fragmented. Here's a market share snapshot from IDC (via Microsoft) to give you an idea of how pervasive the fragmentation is. The snapshot is a couple years old, but we can take the numbers as directionally correct.

Microsoft (25.8%) and CrowdStrike (18.1%) control ~45% of the market, and things get choppy from there. SentinelOne had ~4% market share at the time but was growing 43.1% year over year. Palo Alto Networks had less than 4% — their exact number buried somewhere in the 32% "rest of market" slice.

Acquiring SentinelOne would get Palo Alto Networks to ~10% market share (ballpark).⁴ That's still around half the market share CrowdStrike likely has today. It's good for third place, just above established companies like Trellix, Broadcom (Symantec and Carbon Black), Sophos, and Trend Micro.

A secondary but still important point is further consolidation of the next-gen SIEM market. Adding SentinelOne's customers to the ~270 customers XSIAM already has (as of their Q3'25) clearly helps the case for acquisition.⁵

We haven't seen market share consolidation happen very often in cybersecurity. It does happen, but it's not our default playbook. The cybersecurity industry has mostly been a collection of emerging markets and companies.

The Thoma Bravo backed combinations of Ping-ForgeRock and Exabeam-LogRhythm are two large, recent examples. In Cybersecurity's Class Conundrum: Winner-Take-All Market Dynamics, I made a case about why we're going to see market forces cause things like consolidation.

There is already a little bit of precedent with Palo Alto Networks doing market share consolidation. Their partial acquisition of IBM's QRadar SIEM portfolio was primarily about accelerating market share for Cortex XSIAM.

Palo Alto Networks essentially acquired customer pipeline (IBM's existing QRadar customers), not tech. Their objective is to migrate QRadar customers over to XSIAM (with IBM's blessing and professional services help), not to keep them on QRadar or integrate any part of the product into Cortex.

QRadar isn't a direct comp for SentinelOne, which has both a broader and more diversified product suite. I'm just making this connection to say that market share consolidation has been a factor for Palo Alto Networks before, even with a slightly different flavor.

SentinelOne would be a bigger, bolder iteration of a similar playbook — and perhaps a necessary one for Palo Alto Networks in their quest for multi-platform market leadership in cybersecurity.

Revenue acceleration

Palo Alto Networks has an audacious long-term financial goal: $15 billion in Next-Generation Security (NGS) ARR by 2030.

They hit $5 billion of NGS ARR in Q3'25. This is impressive on its own, and it also shows how far they still have to go if they want to hit $15 billion.

This is where the math starts to impact the strategy. Hitting $15 billion by 2030 from $5 billion today implies a ~20% CAGR. It could happen on its own...but we're currently living in a world where median revenue growth for public software companies is 11%, and 20% growth puts you in the top ten.

Acquiring SentinelOne quickly adds ~$1 billion of ARR to Palo Alto Networks' NGS portfolio. The growth rate to $15 billion suddenly becomes 16-17% (napkin math, just showing what revenue acceleration looks like). Still aggressive, but a lot more doable.

So, accelerating the timeline for reaching this milestone is very appealing — assuming a reasonable acquisition price and revenue multiple.

This assumes strong growth continues (or even accelerates) post-acquisition, customer retention is high, and overlaps in product portfolios get worked out (more on this later). All big assumptions, but part of the territory in large scale acquisitions.

Scale and financial position

Palo Alto Networks is now big enough to afford larger deals. History says that billion-dollar-plus acquisitions are uncharacteristic for them. But Palo Alto Networks is a much different company in mid-2025 than they were when Nikesh Arora took over seven years ago.

As I observed in a related LinkedIn post, the reported price tag of $7 billion (or more) for SentinelOne would be atypical — 10x larger than their largest acquisition level of atypical. They have never made an acquisition over $800 million.

Here are the ten largest disclosed acquisitions they've made so far:

[Figure: Palo Alto Networks' ten largest disclosed acquisitions]

A commenter correctly pointed out that Palo Alto Networks has grown beyond their original M&A playbook.

In fact, you could make the case that the investment required to inorganically grow their current NGS portfolio was proportionally larger and riskier (in aggregate) than a large acquisition is now.

Over the past decade, Palo Alto Networks spent just over 11% of its weighted average market cap on acquisitions. This isn't a banking-grade calculation, but it's precise enough for comparison.

Even though the individual deal sizes were smaller, the total was a material investment relative to its size at the time. The plan worked, too. Palo Alto Networks wouldn't be today's most valuable standalone cybersecurity company without these acquisitions.

This brings us to today and the current situation with SentinelOne (or any comparably large acquisition target ...cough...CyberArk...).

Palo Alto Networks' current financial metrics can support larger acquisitions than they've done in the past. You know...like buying a public company for several billion dollars.

A few metrics to further illustrate the point: Palo Alto Networks currently has $136 billion of market cap, $2.3 billion of cash and equivalents, and essentially zero long-term debt obligations.

Enterprise value has quadrupled since 2020. They can comfortably finance a $7–8 billion purchase.

Palo Alto Networks has made plenty of acquisitions, but they haven't fully exercised their enviable financial position. This is only theoretical because they haven't chosen to exercise it.

The strategic choice is theirs to make, of course. Nobody says they have to do this deal, or any deal they don't have strategic and financial conviction in.

The point is they can.

Strategic buyers make acquisitions up to ~10% of enterprise value all the time. We just don't see deals like those very often in cybersecurity because they haven't needed to happen.

A ~$7 billion acquisition (ballpark for SentinelOne) at their current $136 billion market cap is about 5%. A ~$20 billion acquisition (ballpark for CyberArk) is 14.7%. More of a stretch, for sure — but both within reason as a proportion of the company's current scale.

Acquiring either SentinelOne or CyberArk would be a large transaction, but it's not outside normal strategic M&A guardrails for a $130 billion company.

If the priority for Palo Alto Networks is to accelerate NGS revenue, neutralize a rival, and position itself better against large competitors, SentinelOne’s $1 billion of ARR at a mid-single-digit multiple is attractive...financially.

But for a deal like this, the strategic rationale has to clear a higher bar than “we can afford it.”

That means weighing factors like product overlap, cannibalization risk, and whether consolidating share in endpoint security is worth the distraction from PANW’s platform-expansion roadmap (Prisma Cloud, XSIAM, etc.). More on this later.

The financial drivers could make sense, but qualitative fit still matters.

Timing and competitive dynamics

Companies and their leaders will often downplay the role of timing and competitive dynamics in M&A decisions, but the reality is they're always a factor.

The Nikesh Arora era Palo Alto Networks is notoriously ahead of competitors on the timing of most acquisitions — Protect AI being the most recent example in a nascent market to secure AI models.

Large cybersecurity competitors aren't letting up, and several have already made large moves of their own.

Alphabet acquired Wiz for $32 billion.

CrowdStrike's valuation is $117.6 billion, up 29.2% since last year. At this point, they're past material impact from last summer's outage.

Microsoft is Microsoft. No large acquisitions, but lots of action within a well-rounded security portfolio that directly competes with most of Palo Alto Networks' NGS portfolio.

Fortinet, Check Point, and others are doing their part, too.

Competition has never been more intense on either front — both traditional competitors and hyperscalers. External pressures and urgency are higher than ever.

Timing and competition won't be the main driver, but it could be time for a big move.

We're probably at a point where organic growth and tuck-in acquisitions aren't going to move the needle enough on driving growth at scale.

Acquisitions like Talon and Protect AI still matter, of course, but they're in emerging markets that need time to grow. There is only a finite number of these emerging market leader opportunities out there.

Palo Alto Networks is big enough that they need multiple levers to pull.

Next, let's move on and discuss the case against a deal.

The case against a deal

As a person who's been part of billion-dollar cybersecurity acquisition discussions before, I can assure you the burden of proof required to get a deal done is incredibly high.

Most of our larger companies wouldn't bat an eye at spending $50 or $100 million on a smaller company that's obviously complementary. You still have to make the case, but it's much easier to do.

For Palo Alto Networks and SentinelOne, there is a case for a deal — as we just discussed in the first half of this article. I just don't know if it's enough to overcome the relatively substantial case against the deal.

Everything basically starts and ends with overlap in product portfolios and how to rationalize the differences. Several other sub-points stem from this core issue.

Let's start at the top.

Product overlap

There is significant overlap in the product portfolios. It's hard to put an exact number on the amount of overlap without an internal data room. I'd call it something like 50-75% overlap based on this high-level analysis:

[Figure: product portfolio analysis, Palo Alto Networks and SentinelOne]

Endpoint security is obviously the core product and crown jewel of SentinelOne. It's a valuable asset, for sure — but Palo Alto Networks is no slouch.

Palo Alto Networks doesn't disclose product line level revenue within the Cortex platform, so it's hard to say exactly how big their endpoint security business is commercially.

It usually ranks well in analyst reports and performs among the leaders on MITRE ATT&CK evaluations, to the extent that external benchmarks and analyst ratings matter.

As we discussed earlier, the overall endpoint security market share probably isn't where Palo Alto Networks ideally wants to be, but it's not a gaping hole in their product portfolio either.

Another nuance worth noting is that Palo Alto Networks has historically viewed endpoint security as an add-on to its Cortex platform, not as a standalone product. I don't have the data around this (and Palo Alto Networks doesn't disclose it), but I would guess the number of times where endpoint security is a standalone sale or the entry point into a new customer is somewhere between "never" and "rarely."

That's not to say they don't want to lead with endpoint security, just that leading with an endpoint security product would represent a change to their go-to-market philosophy.

There is also a lot of overlap in the broader SecOps portfolio. SentinelOne has shown some traction in the next-gen SIEM market, but this directly overlaps with Cortex XSIAM.

It's a similar story for CNAPP, SOAR/hyperautomation, threat intelligence, exposure management, ITDR...you get the picture.

The only cases where there is little to no overlap are capabilities that Palo Alto Networks already has and SentinelOne doesn't.

ITDR is probably the product category where SentinelOne is the closest to bringing something net new to the table, but Palo Alto Networks does have an offering already.

Purple AI is the wildcard. SentinelOne has done some interesting things and shared anecdotes of customer traction in recent earnings calls.

Palo Alto Networks is no stranger to AI, though. They have their own unique approach with Cortex XSIAM and many other customer-facing and internal use cases across the board that Nikesh Arora has openly discussed for years.

Rationalizing this many products, agents, data repositories, and automation suites is a recipe for customer churn and channel confusion. They might decide the upside is worth the pain, but make no mistake about it: there would be a lot of pain.

Financial tradeoffs

Palo Alto Networks may be in a fortunate position where they can afford a large acquisition, but a move like this comes with tradeoffs.

Spending $7 billion or more on a single acquisition with significant overlap in the product portfolio could limit their ability to execute the playbook that's worked for them so far: multiple acquisitions of emerging market leaders.

They also limit optionality for acquiring a different company at or around SentinelOne's scale. You can see where this tradeoff matters with the CyberArk report we just heard. If I were Palo Alto Networks and had to pick between SentinelOne and CyberArk, I'm buying CyberArk 100/100 times.

A large acquisition could also limit their ability to invest in R&D. Their product teams have proven to be capable of both integrating acquired products and developing new ones within each of the three major platforms.

Inorganic growth gets a lot of attention, but Palo Alto Networks wouldn't be as successful as it is without meaningful R&D investments.

Customer perception and retention

A secondary point against the deal is how customers will receive it and whether Palo Alto Networks can retain a meaningful portion of SentinelOne's customer base. This one is harder to quantify, so I'll just describe the point anecdotally.

Here's a paraphrased comment from a CISO in the LinkedIn post I wrote about the potential deal:

Many SentinelOne customers explicitly chose SentinelOne to avoid Cortex XDR...many SentinelOne customers will switch to CrowdStrike.

There would be some amount of churn from SentinelOne customers that don't have a Palo Alto Networks footprint today (and don't want one). This isn't everyone, or even a majority, but there is an undercurrent of hard-to-explain industry contempt for Palo Alto Networks.

The churn could end up being negligible. Or, it could manifest itself in different ways, like a slowdown in net new customer additions. This alone isn't a reason not to do the deal, but it has to factor into the rationale.

Regulatory and antitrust scrutiny

Combining two industry leaders in endpoint security could attract regulatory (DOJ and EU) scrutiny, as most large deals do.

Ping and ForgeRock made it through under the previous administration. HPE's acquisition of Juniper Networks was finally settled, too.

The review of Alphabet-Wiz is still in progress and isn't predicted to close until 2026.

I'm certainly not an antitrust expert, but anecdotally it seems like Palo Alto Networks-SentinelOne should also be approved if it were to happen.

The question is how long it would take, as any major delays affect the upside of the deal. Again, not enough of a concern to prevent the deal on its own, but a factor that has to be considered.

Best Alternative to a Negotiated Agreement (BATNA)

This wouldn't be a proper case study without a BATNA! We won't drain this topic, but it's worth mentioning the alternatives for each company if a deal doesn't come together.

If Palo Alto Networks believes the trajectory for Cortex (and NGS overall) is already set up for success (between organic growth and continued tuck-ins), the price premium plus integration risk could outweigh the bump in endpoint security market share.

As discussed earlier, it also leaves them the optionality to do a different large scale acquisition like CyberArk or other late-stage cybersecurity companies.

SentinelOne still has decent options too. An acquisition and take-private by private equity would follow a pattern many other public cybersecurity companies have taken in the past few years.

Continuing along as a public company is a perfectly good option, too. They are still one of the better performing pure play cybersecurity companies since they've been public. The path ahead isn't easy, but it's certainly possible.

Unlikely, but interesting to think about

In probabilistic terms, I think this acquisition is unlikely (but still possible — and even less possible with CyberArk on the table).

Even before hearing the CyberArk report, I didn't expect this acquisition would happen.

It's hard to rationalize the overlap between SentinelOne and the product portfolio Palo Alto Networks already has.

While the price is digestible for Palo Alto Networks, overlapping portfolios and integration complexity make the overall value thesis challenging.

If nothing else, a scenario like this is fascinating to think about.

And now, we get to think about another one — this time with CyberArk. More on that soon.


Acknowledgements

There are too many people to name, but I want to thank all of the commenters who shared their thoughts and opinions on the LinkedIn post I wrote about this acquisition. The discussion sharpened my point of view considerably and helped a ton with this longer-form analysis.

Footnotes

¹There are a handful of CyberArk-related comments sprinkled in for context, but most of this analysis was already written when the potential acquisition was reported. More analysis on that report soon.

²You should literally treat it like the Harvard MBA case studies people do in business school, not a credible news report.

³There are reasons why Nikesh Arora is a highly compensated CEO. Making decisions like these is one of them.

⁴Give or take, depending on factors like growth rates, attrition from the CrowdStrike incident, continued market share decay from the legacy competitors, and more.

⁵There's more to it than adding customers, though. Unlike the QRadar acquisition, most of SentinelOne's SIEM deployments are relatively new. Customers aren't going to scrap their deployments and cut over to XSIAM right away. It's way more likely they will be furious, which means retention could be hard.
