Agents are running inside enterprises right now using credentials nobody is tracking. An OAuth token someone wired up in 2022. A service account with way too much access because the developer who created it left the company. An API key in a config file. Cisco is acquiring Astrix Security to start issuing those credentials properly, and to know which agent is using which one when something goes wrong. The intent was announced May 4 by Peter Bailey, senior vice president and general manager of Cisco's security business group.

This is the layer Cisco has been working toward for nine months. DefenseClaw shipped at RSA Conference 2026 as an open source vulnerability scanner for AI agents, Galileo got acquired in April for evaluation and observability, AI Defense protects models and applications, Project Glasswing has been hardening Cisco products against capable threat actors, and Live Protect closed gaps in vulnerability defense. Astrix is the part where you can finally answer the question that makes any of those tools useful: which non-human identity took which action, and was it allowed to.

The agent is the credential

Humans got directory services twenty years ago. You log in, the directory tracks you, your access is governed by group membership, and when you leave the company someone disables the account. That whole apparatus was built for one identity per person, and it works because the person sits at one keyboard.

Agents do not work that way. A single agent might pull a secret from a vault to call a model provider, use an OAuth token to read from a software-as-a-service application, fire an API call against an internal service through a service account that was originally created for a batch job, and finish by writing to a database with a connection string that lives in an environment variable. Four credentials, four blast radii, no directory entry that ties any of them to the agent that just used them. Most enterprises have no inventory of these credentials at all, because they accumulated over years of automation work and nobody had a reason to count them until agents started reaching for them at machine speed.

Astrix was founded in 2021 in Tel Aviv by Alon Jackson and Idan Gour, both veterans of Israel's Unit 8200, and the original pitch was about preventing supply chain attacks through third-party app connections. The Series A in 2023 was led by CRV at $25 million. The Series B in December 2024 was $45 million, led by Menlo Ventures through the Anthology Fund, the joint vehicle Menlo runs with Anthropic, with Workday Ventures and existing investors participating. Total venture funding is $85 million. The Information reported a Cisco deal range of $250 million to $350 million when talks first surfaced in April. Customers named publicly include Figma, NetApp, Priceline, and Workday.

What Cisco is actually buying

The Astrix product covers four things, and Cisco can use them as a single platform or as primitives that get pulled into different existing products. Discovery and governance, which is the inventory and risk-ranking layer. Lifecycle management, which provisions and decommissions agent identities the way a directory provisions a human. Threat detection and response, which catches an agent using a credential it should not have. And centralized secrets management across vaults and cloud providers, which is the backend that holds the things in the first place.

Bailey's blog post is explicit about where each piece goes. Astrix capabilities will go into Cisco Identity Intelligence for visibility, into Cisco Secure Access and Duo Identity and Access Management for enforcement, and the detection telemetry will land in Splunk for the security operations workflow. Splunk is the part that matters most. It already ingests human identity events, Cisco Identity Intelligence already correlates them across systems, and adding the non-human layer to the same data plane is what lets a security analyst run one investigation instead of two.

The open source question deserves a direct answer

Cisco repeats a commitment to open standards in every security announcement, and the receipts are real enough. DefenseClaw was released under an open source license. Galileo's Agent Control was Apache 2.0 before that acquisition closed. Astrix has published an open source MCP Secret Wrapper and contributed to Center for Internet Security work on agent governance guidance. The pattern is consistent. What buyers should ask is what happens to the non-acquired open source artifacts now that they sit inside a security platform Cisco wants to monetize, because the discovery engine that makes Astrix valuable was always proprietary, and the wrapper around the Model Context Protocol is the part that is open. Inside Cisco, the discovery engine becomes a feature of Cisco Identity Intelligence and a hook into Duo. The open source artifacts will likely continue, but whether they continue with the same investment, the same governance cadence, and the same neutrality toward competing identity platforms is a different question, and one Cisco has not answered yet.

Where this collides with the rest of the market

Cisco is not alone in identifying non-human identity as the next control point, but the bets being made are different. Palo Alto Networks announced its intent to acquire Portkey at the end of April, taking the gateway position where every agent token transits. CrowdStrike has been extending Falcon to agent telemetry. Microsoft Entra has been quietly adding agent identity controls. Okta is the obvious independent challenger and the one most exposed if this consolidation continues.

Palo Alto Networks is betting on the gateway, the layer that sees every token in flight and can refuse the call. Cisco is betting on the directory, the layer that sees every credential at rest and can refuse the issuance in the first place. These are different jobs and enterprises will end up running both, because the failure modes of agentic systems show up in different places and any chief information security officer who has worked through an incident knows you cannot rely on a single chokepoint. The vendor that wins long term is the one whose data plane the other tools have to integrate with, and the Splunk acquisition was Cisco buying that asset before anyone else could.

What the AI Readiness numbers actually say

Cisco's blog post cites the Cisco AI Readiness Index figure that 24 percent of organizations can control agent actions with guardrails and live monitoring, and 31 percent feel fully capable of securing their agent AI systems. These numbers are vendor-supplied and should be read with that caveat. The directional point still holds. Most enterprises have not built the muscle to govern agents, and the gap shows up in audit findings, in incident reviews, and in the quiet conversations chief information security officers are having about which AI projects to slow down. Cisco wants to sell the platform that closes the gap, and so does every other security vendor on the list above, which means the procurement decision will come down to which vendor's identity infrastructure a customer is already running.

Astrix inside Cisco is not the same product as Astrix outside Cisco. The integration with Duo and Cisco Secure Access is the value proposition, and a customer not running Cisco identity infrastructure should price the deal differently. For a customer who already runs Duo, the consolidation argument is hard to refuse, especially when the alternative is buying a fourth identity tool to handle the non-human side.