Cybersecurity · Enterprise AI
A two-year-old Israeli startup, a $400 million exit, and a new security category that didn't have a name six months ago.
By Shashi Bellamkonda · April 14, 2026
Two years from founding to a reported $400 million exit is a short runway by any measure, and it is striking that Koi displaced traditional endpoint detection and response tools that were built for a world of executables.
Palo Alto Networks announced today (April 14, 2026) the completion of its acquisition of Koi, an Israeli cybersecurity startup founded in 2024 by veterans of the Israel Defense Forces' Unit 8200 intelligence program. The acquisition closes a deal announced in February 2026, and with it Palo Alto Networks formally declares a new protection category: Agentic Endpoint Security, abbreviated as AES.
The integration path runs through two existing platforms: Koi's detection and governance capabilities will extend into Prisma AI Runtime Security (AIRS), and a new module will be added to Cortex XDR to surface risks specifically within the AI software layer. Koi's technology will also remain available as a standalone offering, a move that lets the company compete for customers who haven't committed to full platformization.
The Endpoint Is No Longer Just Binaries
Endpoint security, as a discipline, was designed around executables. Detect a malicious binary, quarantine it, alert the team. That architecture was adequate for decades, but it needs to change today.
The new endpoint surface consists of code and operating system packages, browser extensions, integrated development environment plugins, scripts, local servers including those running the Model Context Protocol (MCP), containers, and model artifacts. These are not classic binaries and are installed by developers or employees without going through any centralized IT approval. Traditional endpoint tools have no visibility into them.
Koi's founders spotted the problem while testing the Visual Studio Code Marketplace. To prove how badly governed it was, they built a fake theme extension, added code that silently exfiltrated developers' source code and machine details, and uploaded it. Thirty minutes, start to finish. That demonstration became the founding rationale for the company.
AI agents make this problem considerably worse. An agent running with a user's credentials has read access, write access, and the ability to invoke or install additional components at machine speed. When that agent is compromised or misbehaves, the blast radius is not limited by what a human user could accomplish manually. Palo Alto Networks' chief product and technology officer described it directly: these agents create what amounts to an insider threat, operating with full access to systems and data while remaining invisible to conventional security controls.
"These agents operate with access to critical systems and sensitive data, creating the ultimate insider threat."
Lee Klarich, Chief Product & Technology Officer, Palo Alto Networks
OpenClaw Made the Risk Concrete
The timing of the acquisition tracks a series of real-world incidents that gave the category its urgency. OpenClaw, an agentic AI tool developed by a single individual in about a week, accumulated millions of downloads while acquiring broad permissions across users' email accounts, filesystems, and shells. Within days of its viral spread, researchers had documented more than 135,000 exposed instances and over 800 malicious skills in its marketplace.
Koi's own research team separately documented the first malicious MCP server found in the wild. A developer adding a particular skill to tools such as Claude Code or Cursor was, unknowingly, routing every email through the plugin creator's server. The capability was not present at initial install. It was added through a post-install update, after developers had already granted trust.
Post-install updates are where trust gets weaponized. A supply chain compromise arriving that way, on a non-binary component, running with the permissions of a credentialed developer, will not trigger any existing endpoint detection rule.
Speed of Exit Reflects Strategic Urgency, Not Just Price
Koi raised $48 million in total, including a $38 million Series A completed in September 2025. Investors included Battery Ventures, Team8, NFX, and Picture Capital. The company had grown to protect more than 500,000 endpoints, including deployments at Fortune 50 companies and major financial institutions, according to its own disclosures.
The speed of the exit, roughly two years from founding to close of an approximately $400 million deal (deal value unaudited, drawn from press reports), suggests Palo Alto Networks was less interested in building this capability organically than in getting ahead of a category definition race. With this deal, Palo Alto Networks has now acquired 12 Israeli cybersecurity firms since 2014, representing half of its 24 significant global acquisitions over that period, per press reports.
Klarich acknowledged the standalone availability of Koi's technology as a deliberate choice, which signals awareness that the primary endpoint security incumbents, including CrowdStrike, Microsoft, and SentinelOne, will each claim some version of agentic coverage within months. Releasing Koi as standalone keeps the acquisition from being read as a closed-platform play.
What Platformization Actually Means When Agents Run the Stack
Palo Alto Networks has organized its market narrative around platformization for several years. The argument is that customers buying point products for network security, cloud security, and security operations eventually consolidate onto fewer platforms, and those platforms should be Palo Alto Networks' own.
The Koi acquisition extends that logic into a new layer. Prisma AIRS already addresses AI model scanning, posture management, and runtime security for AI applications. Adding agentic endpoint governance means the platform now claims visibility from the AI infrastructure layer down through the endpoint, including the self-installed, non-binary software that runs between a developer's keyboard and the data those tools can reach.
The integration is not simple. Koi's architecture rests on three functions: complete visibility into AI tools and non-binary software across the environment, continuous risk analysis using its proprietary Wings engine, and real-time policy enforcement with automated remediation. Fitting those capabilities into two separate products, Prisma AIRS and Cortex XDR, while keeping a standalone version current, is a substantial engineering commitment on a threat surface that is still changing week to week.
The technology can be replicated. The category name is harder to take back.
Your endpoint detection and response vendor will announce agentic coverage within the next two quarters. Before that briefing arrives, audit what non-binary software your developers installed in the last 90 days, what MCP servers are currently trusted on those machines, and whether any of those components received a silent post-install update. If you cannot answer those three questions today, you are already operating with the same blind spot that Koi was built to close.
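The three audit questions above, worked over constructed data as an added example (not code from Koi or Palo Alto Networks). The inventory snapshots, component names, shortened hash values and the `mcpServers` config layout are assumptions for illustration.

```python
import json
from datetime import date, timedelta

# Constructed inventory snapshots: component id -> record. BASELINE is what was
# reviewed at install time; CURRENT is what is on the machine now.
BASELINE = {
    "vscode:acme.dark-theme": {"version": "1.0.0", "sha256": "aa11", "installed": "2026-03-20"},
    "npm:left-utils":         {"version": "2.3.1", "sha256": "bb22", "installed": "2025-11-02"},
    "mcp:mail-helper":        {"version": "0.9.0", "sha256": "cc33", "installed": "2026-02-10"},
}
CURRENT = {
    "vscode:acme.dark-theme": {"version": "1.0.0", "sha256": "aa11", "installed": "2026-03-20"},
    "npm:left-utils":         {"version": "2.3.1", "sha256": "bb22", "installed": "2025-11-02"},
    "mcp:mail-helper":        {"version": "0.9.4", "sha256": "dd44", "installed": "2026-02-10"},
    "vscode:zed.linter":      {"version": "4.1.0", "sha256": "ee55", "installed": "2026-04-01"},
}
# Constructed client config; the "mcpServers" layout is assumed here.
MCP_CONFIG = json.loads('{"mcpServers": {"mail-helper": {"command": "npx", '
                        '"args": ["-y", "mail-helper-mcp@latest"]}, "docs": '
                        '{"command": "npx", "args": ["-y", "docs-mcp@1.4.2"]}}}')

def recent_installs(current, today, days=90):
    """Question 1: components installed inside the look-back window."""
    cutoff = today - timedelta(days=days)
    return sorted(cid for cid, rec in current.items()
                  if date.fromisoformat(rec["installed"]) >= cutoff)

def trusted_mcp_servers(config):
    """Question 2: configured MCP servers and the command each one launches."""
    return {name: " ".join([srv["command"], *srv.get("args", [])])
            for name, srv in config.get("mcpServers", {}).items()}

def changed_since_review(baseline, current):
    """Question 3: reviewed components whose version or hash has since changed."""
    findings = {}
    for cid, then in baseline.items():
        now = current.get(cid)
        if now and (now["version"], now["sha256"]) != (then["version"], then["sha256"]):
            findings[cid] = f'{then["version"]} -> {now["version"]}'
    return findings

if __name__ == "__main__":
    today = date(2026, 4, 14)
    print(recent_installs(CURRENT, today))
    print(trusted_mcp_servers(MCP_CONFIG))
    print(changed_since_review(BASELINE, CURRENT))
```

A component that appears in `changed_since_review` without a matching approval record is the post-install update case described earlier in the article.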
Sources & Further Reading
Palo Alto Networks. "Palo Alto Networks Completes Acquisition of Koi to Secure the Agentic Endpoint." Palo Alto Networks Newsroom, 14 Apr. 2026, paloaltonetworks.com.
Oren, Hadar. "Securing the Agentic Endpoint." Palo Alto Networks Blog, 17 Feb. 2026, paloaltonetworks.com.
Palo Alto Networks. "Palo Alto Networks Announces Intent to Acquire Koi to Secure the Agentic Endpoint." Palo Alto Networks Newsroom, 17 Feb. 2026, paloaltonetworks.com.
Koi. "Koi Raises $48M to Reinvent Endpoint Security for the Modern Software Stack." koi.ai, 10 Sep. 2025, koi.ai.
Assaraf, Amit. "Koi Raises $48M." Newswire, 10 Sep. 2025, newswire.com.
Team8. "A Generational Opportunity: Why We Invested in Koi." team8.vc, Nov. 2025, team8.vc.
Cooney, Michael. "Palo Alto to Acquire Israeli Startup Koi for Agentic AI Security." Network World, 24 Feb. 2026, networkworld.com.
Ctech. "Palo Alto Networks Completes $400 Million Acquisition of Koi." Calcalist, 14 Apr. 2026, calcalistech.com.
Bitdefender. "135K OpenClaw AI Agents Exposed Online." Bitdefender Hot for Security, 2026, bitdefender.com.
