Microsoft acquires ICS security specialist CyberX to accelerate its IoT security strategy

June 22 2020
by Johan Vermij, Scott Crawford


Microsoft has purchased IoT/OT security specialist CyberX for an undisclosed amount. The deal capitalizes on the existing API-level integration of the target's behavioral analytics platform with Azure Security Center for IoT. It targets the delivery of end-to-end security for both managed and unmanaged devices across IT and operational technology (OT) networks. The move culminates a partnership CyberX had already launched with Microsoft, and highlights the $5bn investment in IoT that Microsoft had announced two years ago. It also aligns with Microsoft's growing ambitions in cybersecurity operations and management.

Snapshot

IoT/ICS security

Deal value: None disclosed

Date announced: June 22, 2020

The 451 Take

Enterprise IoT continues to spread rapidly and, for security managers, introduces new operational technologies alongside those of IT. This means a plethora of new devices and operational endpoints – and in the IT realm, few vendors have Microsoft's distribution across endpoints. In IoT, 451 Research's 2019 IoT Market Monitor expects the number of enterprise operational and industrial devices to nearly double by 2024. When coupled with the need to leverage cloud technologies to manage these devices and centralize their data gathering and analysis, Microsoft's opportunity to amplify its presence in the OT domain is apparent.

A global lockdown in the wake of the COVID-19 pandemic gives added emphasis to the need to securely manage operational technologies under such conditions. With CyberX, Microsoft significantly steps up its industrial security capabilities and finds itself at the frontline of industrial control system (ICS) security with some of the largest organizations in energy and utilities, as well as oil and gas. These industries face major cybersecurity challenges in the digital transformation of smart grids and smart pipelines.

Deal details

This deal had been rumored for weeks, but terms were not disclosed. It follows the announcement earlier this year of CyberX's API-level integration with Microsoft Azure Security Center for IoT, further augmenting the acquirer's ambitious enterprise security management strategy. Security is a top spending priority for IoT budgets in 451 Research surveys, but few transactions appeared in the space until late 2019, when Palo Alto Networks nabbed Zingbox in September and Tenable scooped up Indegy in December, for about $75m each. The revenue multiples fetched by those two vendors reflect our 2019 IoT Market Monitor data, which shows enterprise IoT endpoints growing from approximately eight billion in 2019 to nearly 14 billion by 2024.

Deal rationale

Reaching for CyberX aligns with Microsoft's strategy on three closely related fronts: enterprise IoT, security and Azure. Two years ago, the company announced a $5bn investment in IoT to bring it more directly into the burgeoning enterprise segment in this realm. In cybersecurity, Microsoft has demonstrated its ambitions at multiple levels, from its various advanced threat protection (ATP) offerings to the security operations center (SOC), with Azure Sentinel competing directly in security information and event management (SIEM).

In the cloud, Microsoft has parlayed Azure's position as a major hyperscaler into a significant IoT platform, emphasizing the digital transformation of OT, where security is becoming more of a priority. Azure already provides IoT security monitoring but was limited in giving customers insight into which assets were already connected to the network, especially in brownfield deployments. In addition to its API integration with Azure Security Center for IoT, CyberX had also joined the Microsoft Intelligent Security Association to fill that gap.

Target profile

CyberX was founded in 2013 by Omer Schneider and Nir Giller, both former members of the Israel Defense Force's cybersecurity unit. Its core product is the situationally aware XSense platform designed to identify anomalous ICS behavior based on finite-state machine (FSM) models and machine learning technology. CyberX's proprietary implementation of FSM is its Industrial Finite State Machine technology, predicated on the expected varieties of states in which operational technologies should function in a given environment, even if those states may be highly complex.

Recognition of anomalies that deviate from those states signals potentially malicious behavior. The vendor's technology is deployable as either a virtual or physical appliance that connects to a SPAN port or network TAP to analyze IoT/ICS network traffic via passive and agentless monitoring. CyberX has received $47m in five funding rounds, with an $18m investment led by Inven Capital and Qualcomm Ventures being the most recent in April 2019.

Acquirer profile

Redmond, Washington-based Microsoft has over 150,000 employees. In 2019, the company generated more than $125bn in revenue and $43bn in operating income. Azure has grown to be one of the largest IoT platforms and is pivotal in Microsoft's transformation from a packaged software provider to a company that actively engages in partnerships to build the IoT ecosystem. Its investments in security in recent years have challenged a variety of established incumbents, from endpoint security leaders to SIEM specialists dominant in the SOC.

The company's endpoint security investments parallel its penetration of enterprise IT endpoints, not only through its Windows portfolio but also via its other business productivity offerings. In 2017, Microsoft bought another Israel-based security startup, Hexadite, to augment its Windows Defender ATP offering, while the recently introduced Microsoft Azure Sentinel product tackles SIEM incumbents head-on for security operations.


CyberX comes from a large and reputable community of Israel-based cyber-defense startups that includes the aforementioned Armis (acquired earlier this year by Insight Partners for $1.1bn), Claroty, Indegy, Radiflow, SCADAfence and SIGA. To address changing cybersecurity demands, the traditional IT firms have been on a shopping spree to obtain ICS security capabilities to offer consolidated IT and OT security. These deals include Cisco's acquisition of Sentryo as well as Palo Alto's purchase of Zingbox, both in 2019, in addition to Insight's $1.1bn Armis buy and Tenable's pickup of Indegy noted previously.

Earlier this year, IBM bolstered its IoT security offering with the release of IBM X-Force IoT, which it developed in cooperation with Armis. Asset visibility – the capability for delivering insight into which devices are operating in the industrial network – is part of the high priority placed on IoT security for the large industrial enterprise segment, and is further emphasized along with operational security capabilities by startups like Dragos.