$1.4B in AI Security Acquisitions, and the Execution Layer Is Still Wide Open
Palo Alto Networks, Check Point, and Cisco spent over $1.4 billion acquiring AI security companies in the past 12 months. Every deal targeted the same layer of the stack. The one layer that matters most for agentic AI remains untouched.
The past twelve months produced the largest consolidation wave in AI security history. Palo Alto Networks acquired Protect AI for approximately $700 million, completed in July 2025. Check Point acquired Lakera for approximately $300 million, announced in September 2025. Cisco acquired Robust Intelligence for approximately $400 million in August 2024. ClickHouse acquired Langfuse as part of a $400 million Series D in January 2026.
Over $1.4 billion in named acquisition value, all in AI security. Every major security and infrastructure vendor now has a position in the category.
The execution layer, the part of the stack where AI agents actually operate, is still completely open.
Where the money went
To understand what was acquired and what wasn’t, it helps to think about the AI stack in terms of where threats land.
At the top are the inputs and outputs: what goes into the model and what comes back out. This is where prompt injection defenses, guardrails, and content filtering live. Lakera built its business here. Its Gandalf red-teaming platform became the most visible public demonstration of prompt injection risk, and it developed deep tooling around input-output security. Check Point paid $300 million for that capability.
One layer down is the model itself: how it was trained, whether it’s been tampered with, whether its behavior deviates from what was intended. Protect AI specialized in model scanning, posture management, and AI red teaming. Palo Alto Networks paid $700 million to absorb those capabilities into its Prisma AIRS platform. Robust Intelligence focused on model validation and adversarial testing before Cisco acquired it for $400 million.
The observability tier covers developer tooling for tracing and debugging LLM applications, and it saw consolidation of a different kind. ClickHouse acquired Langfuse, the open-source LLM observability platform with over 21,000 GitHub stars and adoption by 19 Fortune 50 companies, not as a security play but as a data infrastructure play. LLM traces generate enormous volumes of structured data, and ClickHouse is built for exactly that.
What none of these deals addresses
The execution layer is the space between model output and real-world consequence. When an AI agent receives a response from the model and decides to call a tool, the execution layer is everything that happens next: which tool gets called, with what parameters, using which credentials, accessing which data, and in what sequence across the full session.
This is where agentic AI differs from prior generations of AI applications. A system that generates text has a narrow attack and failure surface. A system that can call APIs, read and write files, execute database queries, send messages, and spawn additional agents has a surface that extends across every system it can reach.
OWASP’s 2026 Agentic Top 10, the first security framework designed for autonomous AI agents, catalogs this surface in detail. Agent Goal Hijack arrives via tool responses, not model inputs. Tool Misuse happens after the model has made its decision. Privilege Misuse requires a credential ledger to detect. Cascading Hallucination only becomes visible by tracing across agent handoffs. Memory and Context Manipulation targets external retrieval stores. None of these risks are in scope for any of the acquired companies.
Protect AI scans models before deployment. Lakera filters what goes into models and what comes out. Robust Intelligence tests models for adversarial robustness. Langfuse traces LLM calls for debugging. These are real and valuable capabilities. They just don’t touch the execution layer.
The market validation problem
The acquisition wave is evidence of two things at once: AI security is a real market, and the hardest part of AI security remains unsolved.
The venture side is moving just as fast as M&A. AI security funding nearly tripled from $2.16 billion in 2024 to $6.34 billion in 2025, with average deal sizes jumping from $34 million to $54 million. Q1 2026 alone saw $4.9 billion flow into security and privacy companies globally, with AI-related categories capturing roughly 80% of all global venture security funding.
Notable standalone raises show the appetite. Arize AI closed a $70 million Series C in February 2025, positioning as a unified ML and LLM monitoring platform. HiddenLayer raised $50 million in Series A funding to build out its AI threat detection platform. Invariant Labs, focused on agent safety and policy enforcement, closed a seed round in early 2026. The category with the highest deal count in pure-play AI security, 25 funding rounds totaling $561 million between 2022 and 2025, is AI security and guardrails: precisely the input-output and model-layer problem set the acquisitions addressed.
Pure-play AI security remains a concentrated segment, roughly 13 companies focused on securing AI systems, LLMs, and agentic applications, with combined funding of approximately $414 million. That concentration, in a category getting $6 billion annually, is a signal. The majority of capital is flowing through the large incumbents making acquisitions, not into independent startups building new categories.
The technical signal from the acquisitions is equally clear: every major deal targeted capabilities that were already built and proven. Protect AI had a functioning model scanning platform. Lakera had a deployed guardrails product. Robust Intelligence had an established adversarial testing practice. The acquirers were buying existing solutions to existing problems.
The execution layer has no existing solution yet. It has an existing problem, which puts it at a different point in the acquisition cycle.
What closed the other gaps
Each of the acquired companies established its position by naming a specific problem and building evidence that the problem was real: published research, visible breach case studies, regulatory frameworks that codified the risk. Lakera built Gandalf. HiddenLayer published threat reports. Robust Intelligence documented adversarial attack techniques. By the time the acquirers arrived, the problem was well understood and the solution categories were defined.
The execution layer is at an earlier inflection point. CVE-2025-34291 in Langflow, the widely used AI agent workflow platform, provided a clear public case. The vulnerability, a CORS misconfiguration combined with a permissive refresh token cookie, allowed an attacker to steal a user’s session token simply by getting them to visit a malicious page. From there, the attacker gained full account access, including every API key and service credential stored in the workspace. Active exploitation was confirmed in January 2026. The CVSS score was 9.4. The credential surface of the agent platform was the attack vector, not the model.
The incident pattern exists. The framework (OWASP) exists. The regulatory context (EU AI Act, SOC 2 for AI systems) exists. A scaled commercial solution with the market presence the input-output and model-layer companies had when the acquirers came looking does not.
The structural reason the gap persists
There is a specific technical reason the execution layer has been harder to address than input-output security or model scanning. Both of those problems can be solved with a proxy: sit between the user and the model, inspect what passes through, block or log as needed.
The execution layer is more complex. A proxy at a network boundary can capture tool calls that pass over that boundary, and that is genuinely useful coverage. Products like MintMCP and Lasso Security’s MCP Gateway do exactly this for MCP interactions: they log what tool calls were made, can mask credentials that appear in plaintext over the wire, and in some cases can block requests that match policy rules.
What a network-level proxy cannot see is everything that does not cross the network boundary it monitors. Credentials passed as environment variables never appear on the wire. State maintained in the agent’s memory or written to local disk is not observable at the network layer. Internal tool calls that happen within the agent’s process are invisible. In a shared enterprise MCP server setup, a proxy can cover server-side interactions but not the full execution context of every client agent connecting to it.
This is why the most complete execution-layer instrumentation approaches runtime-level interception: hooks, callbacks, or SDK-level tracing that fire from inside the execution context rather than watching from a network boundary. A runtime interceptor and a network proxy address different parts of the surface and are most effective in combination. The gap in the market is not that proxies exist; it is that no scaled product provides the runtime depth that proxies alone cannot reach.
Microsoft’s Agent Governance Toolkit, released in April 2026 under an open-source MIT license, takes a policy enforcement approach: define what agents are allowed to do and block violations. That is governance, not observability. A governance tool tells you what the agent was supposed to do. It does not tell you what the agent actually did, which credentials it touched, or whether the pattern of its behavior looks like an early-stage breach.
What an execution-layer solution actually needs
Given the acquisitions that have happened and the gap they leave, it is possible to define what a complete execution-layer security product needs to do.
It needs runtime instrumentation that does not add overhead to the agent’s execution path. Any solution that intercepts tool calls synchronously, adds tokens to the model context, or introduces network latency is adding cost and fragility to the production system it is meant to protect.
It needs a credential ledger. Not credential masking (hiding secrets from logs after the fact), but a tracking layer that identifies every credential present in an agent session, records what it was used to access, and surfaces the pattern of use across multiple sessions. The Langflow CVE-2025-34291 attack succeeded in part because there was no per-session accounting of which credentials the platform held or which had been accessed by a compromised session.
It needs execution-layer traces with security semantics. Developer observability tools show what the agent did. A security-oriented trace shows which events in that execution represent risk: a tool call that touches production PII, a credential appearing outside its expected scope, an agent behavior pattern that differs from its baseline.
It needs to be vendor-neutral. Every major AI platform vendor, including Anthropic, now offers platform-native tracing for their own models. Those traces are useful and also locked to a single platform, built for operational debugging rather than security auditing. Enterprise organizations running heterogeneous AI stacks need a solution that works across models and provides a consistent audit surface.
The acquisitions in the past twelve months validated the market, set the premium multiples, and left one distinct gap on the table. If you are working through what execution-layer visibility looks like in your AI stack, reach us at hello@omnodex.com.
Sources
- Palo Alto Networks, “Completes Acquisition of Protect AI”, July 2025.
- Check Point Software, “to Acquire Lakera to Deliver End-to-End AI Security”, September 2025.
- Cisco, “to Acquire Robust Intelligence”, August 2024.
- ClickHouse, “ClickHouse Acquires Langfuse”, January 2026.
- Crunchbase, “Cybersecurity Funding Holds Up At Robust Levels In Q1 2026”, 2026.
- OWASP, “Top 10 for Agentic Applications 2026”, OWASP GenAI Security Project, 2026.
- Obsidian Security, “CVE-2025-34291: Critical Account Takeover and RCE Vulnerability in the Langflow AI Agent and Workflow Platform”, 2025.
- CrowdSec, “CVE-2025-34291 Exploited in the Wild: LangFlow AI Framework Under Fire”, 2026.
- Microsoft, “Agent Governance Toolkit”, April 2026.
- Langfuse, “ClickHouse Acquires Langfuse”, January 2026.
- Arize AI, “Arize AI Raises $70M Series C”, February 2025.
- HiddenLayer, “HiddenLayer Raises $50M Series A”, 2024.
- New Market Pitch, “AI Safety Market Funding Trends (2022-2026)”, 2026.