Fast Facts
ServiceNow closed its $7.8 billion acquisition of Armis on April 19, 2026 — its largest-ever deal. Armis tracks nearly 7 billion connected devices in real time across OT, IoT, medical devices, and physical AI infrastructure. The headline is the price tag. The story is what the acquisition reveals: industrial networks are running thousands of devices that no security tool currently sees, and that blindness is becoming a liability factories can no longer ignore.
Most factory security conversations start with IT — firewalls, endpoint protection, identity management. The OT environment gets added almost as an afterthought, often managed by a separate team with different tools, different priorities, and historically very different threat assumptions. The ServiceNow Armis OT IoT cyber risk acquisition, closed April 19, 2026 for $7.8 billion, is a $7.8 billion argument that this model is over.
Armis does one thing that no traditional IT security tool handles well: it discovers, tracks, and assesses risk for every connected device in an environment — including the ones that can’t run an agent, can’t be patched remotely, and can’t be monitored by conventional endpoint security. PLCs. HMIs. Industrial sensors. Legacy control panels connected to the same network as the corporate IT stack through years of incremental integration. According to ServiceNow’s official close announcement, Armis tracks nearly 7 billion devices in real time. That number is not a market estimate — it’s live telemetry from production deployments.
| Metric | Value | Description |
|---|---|---|
| Acquisition Price | $7.8B | ServiceNow acquisition price for Armis (closed April 19, 2026) |
| Devices Tracked | 7B | Connected devices monitored in real time by Armis platform |
| Market Growth | 3× | Expected growth in ServiceNow’s security and risk addressable market |
| Global Security Spending | $240B | Projected worldwide spending for 2026 (up 12.5%) |
The Visibility Gap That Made Armis Worth $7.8 Billion
Here’s the problem Armis was built to solve, stated plainly. When a manufacturing plant connects its OT environment to its corporate network — for operational data, remote monitoring, ERP integration — it creates a flat attack surface that traditional security tools see only partially. IT security tools see the laptops, servers, and corporate endpoints. They don’t see the PLC running the assembly line, the HVAC control system, or the industrial sensor array that someone plugged into a network switch three years ago during a maintenance upgrade.
Those invisible devices carry real risk. They often run firmware that hasn’t been updated in years. They weren’t designed with security in mind. Many can’t run security software at all. And because no tool has been tracking them, security teams don’t know they exist, can’t assess their risk posture, and can’t prioritise patching or isolation — even when a threat is actively moving through the network toward them.
Armis solves this through agentless discovery — it passively monitors network traffic to build a continuously updated map of every device present in the environment, without installing anything on the devices themselves. For OT and IoT environments where installing agents is operationally impractical or technically impossible, this is the only workable approach. The OT cybersecurity convergence pattern — where IT security vendors acquire OT-native visibility capability — is becoming a structural trend in industrial security, not an isolated move.
What the ServiceNow Armis OT IoT Cyber Risk Deal Actually Changes for Industrial Operators
ServiceNow’s security and risk business crossed $1 billion in annual contract value in Q3 2025 — organic growth built on IT service management and security operations workflows. Armis extends that into territory ServiceNow couldn’t reach before: the physical layer of the enterprise, where OT devices, IoT sensors, and increasingly physical AI systems operate outside the visibility of conventional security infrastructure.
“The acquisition extends ServiceNow’s security platform into the physical and operational layers of the enterprise, adding the cyber asset intelligence foundation and business context that enterprises need to deploy agentic AI with trust and control at scale.”— ServiceNow official close announcement, Business Wire (April 2026)
That last phrase — “deploy agentic AI with trust and control at scale” — is doing more work than it looks like. Agentic AI systems operating in industrial environments need to know what they’re connected to. If an AI agent is making decisions about production scheduling, predictive maintenance, or energy management, and it can’t see half the devices in the environment it’s managing, the decisions it makes are built on incomplete data. Armis provides the foundation layer — the continuously updated map of everything connected — that makes agentic AI in OT environments trustworthy rather than a liability.
⚠ Fiction — Illustrative Scenario
A plant security manager at a Nigerian cement facility discovers during a routine audit that 47 devices connected to the plant network have never appeared in any asset inventory. Some are legacy HMIs from a 2019 upgrade. Several are industrial sensors added by a contractor without formal documentation. One appears to be a consumer-grade router someone installed to create a maintenance Wi-Fi network four years ago.
None of them have been patched since installation. None of them are visible to the plant’s IT security tools. She has no idea what firmware they’re running, what vulnerabilities they carry, or whether any of them have already been compromised. This isn’t unusual. It’s the default state for most industrial facilities that have grown their OT network incrementally over years.
This scenario is not a failure of security team competence — it’s a structural visibility gap that conventional tools weren’t designed to close. Armis was. And now it sits inside ServiceNow’s workflow automation platform, which means discoveries don’t just appear in a dashboard — they trigger automated remediation workflows, risk prioritisation processes, and incident response sequences that the combined platform can execute at scale. For the AI cybersecurity threats targeting IoT devices that are accelerating in sophistication, automated response capability isn’t optional anymore.
The Emerging Market Angle: Unmanaged OT Assets Are a Bigger Problem in Less Mature Security Environments
In markets like Nigeria, Ghana, Egypt, and Southeast Asia, industrial facilities are often running OT networks that have grown organically over 10–15 years — acquisitions layered on top of legacy infrastructure, contractor-installed devices that never made it into formal inventory, and IT-OT convergence that happened informally rather than through a planned integration architecture.
The visibility gap is proportionally larger in these environments, not smaller. And the security teams managing them typically have fewer resources to conduct manual asset discovery, fewer tools to monitor OT traffic, and less vendor support for industrial-specific security tooling. Armis’s agentless approach — which requires no modification to the OT devices it discovers — is particularly well suited to these environments, because it doesn’t require operational changes to the production environment to deploy. The botnet attack protection strategy for industrial IoT becomes significantly more tractable when you can actually see every device on your network. You can’t protect what you can’t discover.
Worldwide security spending is projected to reach $240 billion in 2026, up 12.5% year-on-year, according to ServiceNow’s investor disclosure. A meaningful portion of that growth is driven by OT and IoT security demand — the same market Armis dominates and ServiceNow just acquired. The industrial IoT ROI framework for 2026 needs to include cyber risk exposure as a line item — and specifically, the cost of unmanaged device exposure versus the platform cost of bringing those devices into continuous visibility.
💡 Analyst’s Note
By Daniel Ikechukwu
Strategic Impact
ServiceNow acquiring Armis consolidates two capabilities that have been running separately in most industrial enterprises: IT workflow automation and OT asset visibility. The result is a platform where discovering an unmanaged device triggers an automated response chain — risk assessment, prioritisation, remediation workflow — without requiring manual intervention from a security team. For industrial operators, this matters because the scale of unmanaged OT and IoT assets in most facilities exceeds what human analysts can manually track and respond to. Automation is the only viable path to closing the visibility gap at production scale.
Stop / Start / Watch
- STOP assuming your IT security tools see your OT environment. They almost certainly don’t — not the legacy PLCs, not the contractor-installed sensors, not the devices added during maintenance cycles that never made it into formal inventory. Conduct a passive network traffic analysis before assuming your asset inventory is complete.
- START treating unmanaged OT and IoT device visibility as a board-level risk metric, not just a security team concern. An unpatched PLC connected to a corporate network is a potential entry point for lateral movement into IT systems — the risk doesn’t stay in the OT environment.
- WATCH ServiceNow’s integration roadmap for Armis capabilities into the Now Platform. The commercial availability timeline matters for procurement planning — customers of both ServiceNow and Armis can begin leveraging combined capabilities immediately, according to the close announcement.
ROI Outlook
The ROI case for OT asset visibility platforms is built on breach cost avoidance, not just operational efficiency. A single OT-targeted breach in a manufacturing facility — production downtime, ransomware recovery, regulatory response — runs $1M–$10M depending on facility size and sector. Armis’s agentless discovery typically reveals 20–40% more devices than facilities’ existing asset inventories. Each undiscovered device is an unassessed risk. The cost of the platform against the cost of a single significant breach event makes the investment case straightforward for any facility running more than a few hundred connected OT and IoT assets.
Your Factory Has Devices You Don’t Know About — So Does Every Other Factory
We track the OT cybersecurity acquisitions, industrial IoT security shifts, and connected asset risk strategies that industrial operators need to act on before a breach does it for them.
Join the Newsletter →
