Pangea and Lakera acquisition thoughts
Legacy security companies scrambling for AI talent
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

Wow. Two major AI security acquisitions in one week: CrowdStrike acquiring Pangea, and Check Point acquiring Lakera. It reminds me of the early days of cloud security, when companies scrambled to build posture and visibility tooling. Palo Alto Networks, notably, got ahead of it early by acquiring Evident.io and RedLock, and riding the cloud wave to massive market share. It’s not a coincidence that both of these new acquisitions come from companies widely viewed as more “traditional” or “legacy.” The message is clear: they don’t want to be left behind again like they were with cloud security.
The AI security space is still young and chaotic but maturing fast. Legacy security companies, often built around endpoint, network, or compliance tooling, are struggling to stay relevant in this new terrain. These acquisitions aren’t just about feature coverage but about survival.
I’ve written before about why AI will be hard for existing security companies (e.g. their poor understanding of the developer persona) and believe that misunderstanding will be a ceiling for many. Now, with the pace at which AI is accelerating, you see more first security hires with solid software engineering backgrounds. Developers are becoming more central not just to building features, but to defining risk.
Let’s dig into these acquisitions more: what Pangea and Lakera bring, how Check Point and CrowdStrike are moving, and what this all means for where the market is going (and where I think many will still struggle).
What Are CrowdStrike and Check Point Really Buying?
Let’s talk specifics. Pangea, acquired by CrowdStrike for around $260M, started out building security APIs, e.g., drop-in authentication, logging, and other services for developers. But like many others, they pivoted to AI security. Why? Because AI apps are new, unlike monoliths with decades of legacy code, and that makes them easier to instrument and monitor from day one. Their go-to-market increasingly focused on helping teams gain visibility into AI agent usage, detect unsafe prompts, and respond to AI-specific incidents. That’s exactly the kind of telemetry a platform like Falcon could plug into.
Lakera, picked up by Check Point for roughly $300M, approached things differently. They built out a set of discrete products: a red-teaming engine for LLMs, a runtime guardrail system, and model training validation. One of their standout projects, “Gandalf,” is a live, gamified test of LLM adversarial behavior, and it’s been widely adopted in security and AI circles. The unifying thread is less clear, but the assets are real: datasets, detection infrastructure, and talent who’ve been on the frontlines of AI risk.
Neither of these is a large-scale platform yet. But that’s not why they were bought.
A Talent and Timing Play
Let’s be blunt: these were talent acquisitions, not product ones. The products have promise, but they’re early. AI security is moving fast, but adoption at enterprises remains exploratory. Many companies are still prototyping, not deploying AI agents at scale. Some will abandon their efforts altogether. (Side note: I believe that because most companies lack the proper talent and knowledge, they will abstract away from building AI agents or using OpenAI/Anthropic APIs directly. They will likely buy a platform that abstracts this away and allows them to build applications more easily on top, at least in the short term, as knowledge and understanding become more democratized and available.)
That makes AI security a high-risk, high-variance space. Startups like Pangea and Lakera faced a long road ahead: constant fundraising, GTM noise, and rapidly shifting use cases.
From the acquirer’s perspective, the logic is sound. They get:
A senior founding team that understands AI threat models better than most.
Early customer context that will inform product strategy.
A lower acquisition price relative to valuations in adjacent markets like EDR or cloud.
A narrative shift with a press release and roadmap that says, “we’re taking AI seriously.”
Compare this to Palo Alto Networks’ acquisition of Protect AI, which reportedly came in at a higher price. PANW knows what it’s doing here because they saw the cloud wave early and moved aggressively. These smaller acquisitions from CrowdStrike and Check Point feel like catch-up bets, not confident land grabs. However, time will tell how they play out, or whether the market is too early.
Legacy vs. Native: The Developer Problem
I’ve said this before and I’ll say it again: most security companies don’t understand developers, and that’s going to be a huge problem in AI. I’ve written about this extensively in my blog, especially around how companies like CrowdStrike and Zscaler will fail.
The AI boom is not just a security problem — it’s a developer explosion. Every meaningful AI surface (agents, copilots, customer-facing models, internal tooling) is built by developers, owned by engineering teams, and changes weekly. That means your security tools have to feel like dev tools: lightweight, programmable, and embedded. They can’t be heavy dashboards or compliance checklists. They need SDKs, APIs, and deployment hooks.
That’s where these acquisitions could help. Pangea focused on API-first design. Lakera built tools that integrate into model deployment pipelines, but now the pressure is on the acquirers. CrowdStrike and Check Point are not known for their developer experience. Their products often prioritize control and auditability over usability. That has to change. These acquisitions are only useful if the parent companies truly learn from the dev-centric culture of the startups they bought and don’t just bolt them onto existing dashboards.
AI Security Is Still Early
There’s a risk here that’s worth calling out: AI security is still an unstable market. Tools built for today’s threat models, e.g., prompt injection, agent hijacking, shadow AI, may not be relevant six months from now. Enterprises don’t yet agree on what “AI security” even means. Some see it as data protection while others want model validation. Others still are just worried about employees pasting secrets into ChatGPT.
Compare this to the cloud boom. Cloud adoption was slow at first, then accelerated hard, especially after COVID. That urgency drove a surge of purchases in cloud security tooling, often reactive and compliance-driven. Wiz won that moment by offering visibility across misconfigurations and runtime risks with a better UX. In AI, we’re not quite there. The pressure is building, but we haven’t hit the tipping point where every CISO feels they need AI-native controls. At the same time, most companies haven’t really figured out how to use AI, adding more uncertainty into the market.
That’s why these acquisitions feel speculative. The buyers are making modest bets in case the market solidifies.
Buying these companies is a good first step. But if CrowdStrike and Check Point want to really compete in AI security, they need to go further. That means:
Hiring technical AI leaders, not just absorbing founders.
Rebuilding parts of their platforms to integrate LLM-native security logic, including RAG validation, agent policy enforcement, and model-specific observability.
Thinking like dev tools, not SIEM vendors. This is a new security buyer, and a new security workflow.
Packaging security as part of value creation, not cost avoidance. AI is the product, not just a back-office risk.
Palo Alto Networks has proven it can evolve this way by building integrations across cloud, endpoint, and network with surprisingly tight GTM and engineering alignment. Is that the right way to build for this new AI wave? Who knows, but it’s a playbook worth studying.
Good Outcomes for Startups, But Just the Beginning
For Pangea and Lakera, this is a win. In a noisy market, building a platform takes time, capital, and luck. Getting acquired early by a top security brand gives them a soft landing, a wider distribution channel, and hopefully more resourcing to expand their vision.
But this is not consolidation; this is positioning.
The companies that will define AI security at scale are still being built, and they’ll win not by being security vendors, but by being AI-native developers who deeply understand risk. That might mean agents that self-validate. That might mean model-level memory firewalls. That might mean continuous red teaming built into the training loop.
Whatever it is, it won’t come from a press release. It’ll come from deep investment into talent and understanding of the technology and its business value.


