Security is splitting: Three Acquisitions, Three Different Realities
Cursor, Palo Alto Networks, and Datadog all have different bets on where the market is going (and how fast).
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’ve intentionally made all of my posts free and without a paywall so that my content is more accessible. If you enjoy my content and would like to support me, please consider buying a paid subscription:
There’s been a lot of M&A activity and speculation in security over the past couple of weeks. Sure, there’s always buzz in this space, but these recent moves feel more meaningful. They hint at how different parts of the ecosystem are reacting to broader shifts in developer tooling, cloud security, and the AI wave.
I’m going to try a different format for this post: instead of diving deep into one deal, I’ll cover three in rapid-fire fashion. We’ll look at Cursor’s acquisition of Resourcely, and the rumored acquisitions of SentinelOne by Palo Alto Networks and Upwind by Datadog.
Cursor Acquires Resourcely
Let’s start here. Resourcely, founded by Netflix security alum Travis McPeak, built tooling to help manage and fix infrastructure misconfigurations. Cursor is an AI-powered code editor, essentially a fork of VSCode, that’s gained serious traction among developers, especially with the rise of “vibe coding.”
This acquisition signals something important: Cursor sees security not just as a checklist item, but as a differentiator. And they’re backing that up with action by hiring Travis and acquiring Resourcely. That’s a strong bet that developers care about secure defaults, even in fast-moving, AI-assisted environments.
There’s already growing criticism around the lack of secure coding practices in this new wave of tooling. My LinkedIn feed (admittedly very security-skewed) regularly features examples of dangerous defaults or insecure patterns generated by LLM copilots. Cursor clearly wants to get ahead of this, and maybe even set the bar.
Historically, application security has been a velocity drag. It’s a space filled with tools that slow developers down and security teams that get ignored. But that dynamic can’t continue; vibe coding breaks the old model. I’ve written before that appsec, a market many have written off, has a chance to reinvent itself through AI. My bet was on Semgrep because of its work on false positive reduction and smart triaging.
What I underestimated was how much AI-native platforms like Cursor would care about owning this functionality natively. It feels like a new class of developer-first security. Security is built inside the dev loop, not bolted on. Cursor’s secure PR reviews are a good example of this. They don’t replace security engineers, but they reduce the friction for everyone.
Travis is one of the few security engineers I know who deeply understands developers. (So, I might be a bit biased since I know him personally.) This is a smart acquisition for Cursor, and a good sign that developer experience and security can evolve together if they’re designed with the same intent.
Palo Alto Networks and the SentinelOne Rumor
This deal, while still rumored, feels directionally correct for Palo Alto. It’s the kind of move they’ve made before: acquire something adjacent to expand the platform and improve cross-sell potential. SentinelOne gives them more endpoint reach and another shot at CrowdStrike.
The logic is almost identical to the rationale behind Wiz’s rumored interest in SentinelOne, which I wrote about previously.
To summarize that argument:
Wiz wants to become the next great security platform, starting with cloud, then moving to runtime, detection, and now endpoint. SentinelOne gives them telemetry, credibility, and a way to play defense against CrowdStrike (and arguably Palo Alto). But more than that, endpoint gives Wiz a foothold into detection and response workflows, especially for mid-market buyers who want a simpler path to consolidation.
Palo Alto likely sees the same play: this is about completing the narrative. Endpoint telemetry helps them sell Cortex, bridge gaps in XSIAM, and reduce friction for buyers looking to “buy the quadrant” rather than integrate five tools. It also allows them to follow the attack vector and provide more complete visibility on their platform since endpoints are usually the source of most attack chains. That is, it allows them to understand whether traffic/requests came from an endpoint or externally. This is especially useful as many threats start with stolen credentials from an endpoint threat like phishing and allow them to laterally move into the cloud.
There’s nothing wrong with the logic. But it’s also a very traditional move. A platform player trying to keep pace through acquisition, not through reinvention. SentinelOne gives them more surface area to defend, but it doesn’t help them rethink how defense happens in a world where agents are autonomous and decisions are made probabilistically.
Datadog and the Upwind Rumor
Upwind focuses on runtime threat detection in cloud environments, an area that’s gotten more attention as companies realize that static scanning and posture management alone don’t cut it. Wiz started with posture management, but is now expanding into runtime. Upwind fits into that story, too.
This move makes sense for Datadog. They’re already strong in real-time observability, and Upwind helps connect the dots between performance and security. Datadog’s SIEM capabilities have gained some traction, especially for companies already sending logs into the platform. So why not try to keep those customers from splitting off to Wiz or Panther or another cloud-native detection tool?
Datadog hasn’t done well in application security, which makes sense. They’re not a scanning company. But they’re good at ingesting telemetry and surfacing actionable signals. That’s exactly what runtime security needs.
The big opportunity here is customer retention. If Datadog can detect security issues in real-time, customers, especially new ones that are starting in Datadog out of convenience, are less likely to spin up an entirely separate detection pipeline. They can stay inside the Datadog ecosystem. It’s a smart bundling play that could also help shore up their SIEM, which today is mostly seen as a lightweight option for teams just getting started.
More broadly, if security continues to shift toward engineering, as I believe it will, then Datadog’s position only strengthens. Security will consolidate around dev tools, not the other way around. And with AI transforming security into an engineering problem, it’s likely that this trend accelerates.
Takeaway
These three acquisitions (and rumors) reflect different responses to where security is headed.
Cursor is looking ahead and building security directly into the developer experience and betting that trust will be a core part of “vibe coding.”
Palo Alto Networks is doubling down on traditional security platform expansion. It’s about coverage, not reinvention.
Datadog is threading the needle, playing a traditional bundling game, but doing it in a space that aligns with where engineering and security are converging.
The last two are smart but conservative. They don’t reflect a point of view on how AI might change the organizational dynamics around security. Cursor, on the other hand, seems to believe that AI-native development will force security to evolve, and they’re making early moves to meet that shift head-on.
It’s too early to say if that bet pays off. But it’s rare to see a developer tool that popular care this much about security this early. That either means developers are finally starting to care, or that the space is maturing faster than we expected.
I’m honestly not sure which it is. But either way, it’s worth paying attention.