Current events · 4 MIN READ · GREG NOTCH · JUN 9, 2025 · TAGS: Guidance
TL;DR
- Mergers & acquisitions (M&A) are all over the news cycle lately, but it goes beyond just a headline
- Security needs don’t stop for corporate happenings, so it’s critical to ensure your new vendor(s) can manage your tech stack with the continued support you need
- Here’s five questions you can ask your new teams after an acquisition to help keep your org safe
Like many other security leaders, I’ve been on both sides of M&A in security—as a customer, and as a team that joined a larger company. And while the press releases usually sound the same (using phrases like “accelerated innovation,” “shared vision,” “seamless integration”), the real work starts once the logos are swapped and the dust settles.
Acquisitions can bring new investment, expanded capabilities, and fresh energy. They can also bring change, confusion, and a decrease in clarity of the combined roadmap that give security leaders pause. You’re not wrong to ask: What does this mean for us?
This isn’t specific to any deal—some of the best teams in the business are on the acquired side of these deals (and often, that’s the reason for the acquisition). But when your vendor gets absorbed into something much bigger, priorities that affect your security roadmap can change quickly.
If your managed detection and response (MDR) provider or other security vendor is being acquired, here are five questions worth asking. Not out of panic—just out of good operational hygiene. Because threats won’t wait for the combined org to stabilize.
1. What’s the roadmap for the product I’m using? Am I still a priority?
This is probably the most critical question. When a larger company acquires a smaller one, they often have their own existing product lines and strategies. Will the product you’re currently using be integrated, deprecated, or simply left to wither on the vine? If the acquiring company is openly talking about which customers they plan to service and how the acquired company plans to fit the acquisition into their existing portfolio, pay close attention to what they’re saying.
It’s a pretty safe bet that they’re making tough decisions about which products and features align with their long-term vision and which don’t. It may be some time before you see a concrete, detailed roadmap that goes beyond vague promises of “continued support.”
Ask for specifics: feature development, bug fixes, security updates, and a timeline for all of it. If they can’t give you a clear answer, start thinking about how you might need to adapt when your needs diverge from their new strategy.
2. Will we still receive support and services from the folks my people know and trust?
You chose your original vendor for a reason. Chances are, their customer support, responsiveness, and expertise were significant factors. Large organizations often have different support models, which can mean anything from less personalized service to longer wait times, or even a complete change in who you interact with.
Will you still have access to the same engineers and analysts who understand your environment? What are the new service-level agreements (SLAs)? What will happen to your current contracts and service agreements on renewal? Quite often after merger activity, a significant portion of the folks you relied on for support and service might be looking for new opportunities. Don’t assume business as usual over the mid- to long-term.
3. What happens to the people building and running the product?
Talent retention is a huge challenge in any acquisition, and in cybersecurity, it’s paramount. The engineers, threat hunters, and security analysts who develop and operate the tools you rely on are invaluable. Will the key innovators and operational staff who make the product great be staying on? A mass exodus of talent can severely degrade product quality, hinder future innovation, and impact the ability to deliver on promises. Your security program depends on the people behind the technology, not just the technology itself.
4. How will my data be handled and protected under the new ownership?
This is a critical security and compliance concern. Your data, which may include sensitive organizational information, threat intelligence, and incident details, is now under the purview of a new entity. What are their data privacy policies? Where will your data be hosted? Will there be any changes to data residency or sovereignty? How will they ensure the continued security and integrity of your data, especially during the transition period? Ask to see updated policies and understand their security posture thoroughly. They might also be consolidating or changing their infrastructure, which could introduce new and unintended risks.
5. What’s the real reason for this acquisition, beyond the marketing spin?
Companies acquire other companies for various reasons: market share, technology, talent, or to eliminate a competitor. It’s possible that their motivations might not align with the best interests of all existing customers. Are they just buying a patent portfolio? Are they trying to neutralize a competitor? Is this additive to their overall strategy or simply another SKU to sell? Are they looking to cherry-pick the most profitable accounts to sell their core product line to? Understanding the true underlying motivation can help you assess the long-term alignment with your priorities and commitment to the product you rely on.
The bottom line: bad actors don’t stop for acquisitions and mergers
These aren’t trick questions. They’re the same ones I’d ask if I were in your shoes. Because in security, vague answers are red flags—and “we’re working through it” doesn’t help you when the alerts are lighting up.
If your vendor’s been acquired, ask the uncomfortable questions now. Don’t wait for the roadmap to get rewritten in real time while your team’s on the hook.
At the end of the day, it’s simple: you need to know whether the vendor you trusted last month is still the team that’ll have your back tomorrow. Especially at 3am, when headlines don’t matter—but outcomes do.
