Spend enough time reading about enterprise cybersecurity and you start noticing a pattern: the industry is obsessed with detection. Find the threat faster, flag the vulnerability sooner, alert the analyst before the breach spreads. Detection is where venture capital flows, where marketing budgets go, and where conference keynotes point. CrowdStrike, for instance, built an $80 billion company almost entirely on finding threats faster than anyone else. It is also, increasingly, the wrong thing to optimize for.

ServiceNow’s $7.75 billion acquisition of Armis, announced December 23, 2025, the largest deal in ServiceNow’s history, is a $7.75 billion argument that the real value in enterprise security lies one step later: in what happens after something goes wrong. That argument is correct. And if ServiceNow executes, it will have pulled off one of the more elegant strategic pivots in recent enterprise software history.