My thoughts on the Zscaler acquisition of Red Canary
A smart move in a changing security landscape
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

It took me a while to process Zscaler’s acquisition of Red Canary, but I’ve come to see it as a natural outcome of how the security industry is evolving — away from point tools and toward more integrated, AI-managed platforms. This move intersects with a lot of what I’ve been writing about: managed services, security engineering, and the labor economics of cybersecurity.
What Zscaler and Red Canary Actually Do
Let’s start with the basics.
Zscaler is best known for its secure service edge (SSE) platform. In simple terms, Zscaler proxies user traffic, both to the internet (via Zscaler Internet Access, or ZIA) and to internal applications (via Zscaler Private Access, or ZPA). These services enable organizations to apply security policies at the network edge, especially useful as workforces have become more distributed and reliant on SaaS. I previously wrote a breakdown of how Zscaler built its moat.
Red Canary is a managed detection and response (MDR) vendor. They were originally known for layering detection and response on top of Carbon Black, but have since expanded their integrations and matured into a full-spectrum MDR player. I’ve written about the rise of MDR and the move to AI-driven operations in my post on AI-managed services.
The acquisition itself
Forrester published a fairly solid take on the deal from an analyst lens, but I wanted to offer a practitioner’s view.
To be clear, I don’t use Zscaler or Red Canary personally, but I’ve worked with their competitors, Cloudflare and CrowdStrike, and I’m familiar with how these products slot into modern security stacks. In most cases, these are not strategic products to build in-house. They benefit from broad visibility across customers, offer stronger analytics, and let internal teams focus on differentiated work.
The short version: this is a smart acquisition for Zscaler. And a good exit for Red Canary.
Why it’s smart for Zscaler
In my earlier post, I explored how Zscaler could fail: not because its tech wasn’t good, but because it might miss the next wave of cloud evolution — one that shifts the buying center from IT to developers. Zscaler’s primary persona is still the IT buyer, whereas Cloudflare has made deeper inroads into developer tooling and infrastructure.
Initially, I thought Zscaler would need to pivot toward developer experience. But a second, parallel wave has emerged, one focused on efficiency rather than extensibility. This wave is being driven by AI and by executive pressure on security leaders to justify costs. It’s no longer just about coverage. It’s about doing more with fewer people.
That’s where managed services, especially AI-augmented ones, come in.
Zscaler has traditionally required significant human labor to operationalize. Their alerting systems generate events that often need to be shipped into a SIEM or manually triaged by a SOC team. That means you need people to manage both the tool and the downstream response. In an era that demands lower headcount, this is a problem.
Red Canary solves that. It’s not just a services team. It’s a platform for interpreting telemetry, enriching alerts, and responding with automation. Zscaler can now enter the AI SOC category with built-in MDR, a significant value-add for customers who want detection plus response, not just raw signals. Zscaler can bundle the two and tell a better ROI story: fewer tools, fewer people, faster time to resolution.
This also gives Zscaler a clearer path to upsell. A customer can reduce internal SOC headcount and instead pay Zscaler for both technology and service. That’s textbook labor arbitrage, and it’s what makes Falcon Complete and MDRs in general so successful. Now Zscaler has the opportunity to do the same, especially in IT-forward orgs where Cloudflare doesn’t yet dominate.
It’s obvious this isn’t great for the analysts who work in the SOC or on the Zscaler product, but there are complaints about alert fatigue leading to burnout. As I keep saying, there’s already a shortage of cybersecurity talent, so this evolution of products with AI and automation frees up talent to do more meaningful work.
Why it’s a win for Red Canary
Red Canary, to be blunt, was always caught in between. Their early bet on Carbon Black was clever, but CrowdStrike eventually pulled ahead with stronger product-market fit and integrated services. Red Canary then repositioned as a broader MDR, but that space is getting crowded. Expel dominates cloud-native use cases. Arctic Wolf has carved out the hybrid/on-prem segment. It’s a tough spot to be in when MDRs get better the more data they see, and you’re not the default.
This acquisition gives Red Canary distribution, infrastructure, and a future. It also makes Zscaler a more complete platform. Red Canary’s telemetry and threat insights can now be married to Zscaler’s traffic data, and Zscaler’s GTM team can drive adoption at scale.
How does this affect the market?
There are a few important takeaways here:
1. The era of best-of-breed point tools is waning.
Operating many tools with fragmented data pipelines is costly. Organizations want to consolidate spend, and vendors are responding by expanding platforms. Zscaler’s move is part of a larger trend, similar to CrowdStrike buying Bionic or Palo Alto’s spree of acquisitions.
2. AI SOC is the next battleground.
Whether you believe in fully autonomous SOCs or just smarter MDR, this space is heating up. Zscaler now joins CrowdStrike, Palo Alto, and Arctic Wolf in trying to own that layer. Startups here will face pressure — some will get acquired, others will fold.
3. Engineering-centric security orgs remain underserved.
This is the wildcard. Dev-forward security teams, the kind using Wiz, Cloudflare Workers, or building internal tools, don’t buy Zscaler. They likely won’t start now. There’s still an open question about who will build the “Cloudflare + Expel” experience tailored for engineering orgs. Expel could go there. Wiz (pre-acquisition rumors) might’ve tried. But this segment remains up for grabs. That’s why the market feels so uncertain. Most security companies aren’t building for these types of security organizations, which are more similar to engineering organizations that have a few opinionated tools that they customize and/or build around. As many of you know, I believe more of these types of security organizations need to exist, and I’m excited to see how that changes the security market.
What could go wrong?
Even though I have to hand it to Jay and Zscaler that this is a clever move, no acquisition is risk-free. Here are the main ways this might backfire:
1. Integration failure.
Red Canary’s MDR needs to be tightly coupled with Zscaler telemetry. If the product experience is clunky or the GTM isn’t aligned, customers will ignore it. Worse, if existing customers already use a preferred MDR or SOC, Zscaler risks channel conflict or may be forced to restrict data integrations to drive adoption, which rarely ends well.
2. Cultural mismatch or GTM friction.
Red Canary has its own culture, pricing, and posture. Zscaler will need to integrate the team without diluting its value or alienating existing customers.
3. Security teams resist the change.
Even when efficiency gains are obvious, security teams can be conservative. Moving from internal SOC to MDR means trusting a third party with detection and response. That’s not a trivial shift. But the macro trend still favors it, and Red Canary is arguably one of the more trusted MDR brands out there.
On top of that, security leaders might be unwilling to reduce their staff, so they might be unwilling to spend more on a platform that might result in personnel changes.
Final Thoughts
This was a thoughtful move by Zscaler. It helps them adapt to a market where the expectations for tooling are shifting from manual and alert-centric to automated and outcome-driven. It gives Red Canary a larger surface area to apply its strengths. And it validates the thesis that MDR, especially when augmented with AI, is becoming a core pillar of modern security.
Now, we’ll just wait and see how Zscaler executes. This could lead other security companies to follow suit.