Palo Alto Networks closed its acquisition of Koi on April 14, 2026, and used the press release to name a new security category: Agentic Endpoint Security (AES). The reported price tag—around $400 million for a two-year-old startup that had raised just $48 million—tells you how urgently the industry's largest pure-play security vendor wants to own the agent-security narrative before CrowdStrike, Microsoft, and SentinelOne arrive with competing messaging.
For enterprise leaders already struggling to inventory sanctioned AI tools, the deal forces an uncomfortable question: what's actually running on your developer laptops right now, and who approved it?
The Short Version of What Happened
Palo Alto Networks (NASDAQ: PANW) announced its intent to acquire Tel Aviv–based Koi in February and closed on April 14. Koi was founded in 2024 by Israeli Defense Forces Unit 8200 veterans Amit Assaraf and colleagues, and had grown quickly—its platform protects more than 500,000 endpoints across Fortune 50 customers and major financial institutions.
Financial terms were not disclosed, but industry reporting puts the price near $400 million. That makes Koi the 12th Israeli cybersecurity company Palo Alto has bought since 2014, representing roughly half of the vendor's 24 significant global acquisitions in that period.
More important than the price is the positioning. Koi is being integrated into two Palo Alto platforms:
- Prisma AIRS gets Koi's endpoint visibility layer, extending the AI security platform from cloud models down to the machines where agents actually execute.
- Cortex XDR gets a new module to detect and remediate risks inside AI software ecosystems—the MCP servers, IDE plugins, browser extensions, and coding agents that sit outside traditional binary-focused EDR.
Koi will also remain available as a standalone product for customers who run a different EDR stack, which signals that Palo Alto wants category ownership more than it wants forced rip-and-replace migrations.
Why a New Category
Lee Klarich, Palo Alto's Chief Product and Technology Officer, framed the thesis plainly: "Agentic AI presents tremendous opportunity for the enterprise, yet they create a new attack surface that traditional security tools were not built to detect." Elsewhere, he described AI agents as "the ultimate insiders"—they operate with a real user's credentials, execute at machine speed, and leave a log trail that looks a lot like a productive developer's.
Traditional EDR was built for binaries. It inspects executables, watches process behavior, and scores files against known-bad hashes. That model is not obsolete—but it is blind to the way modern AI-assisted development actually looks on the endpoint.
What lives on a 2026 developer laptop that EDR barely sees:
- Coding agents (Claude Code, OpenClaw, Cursor background agents, GitHub Copilot CLI) that spawn shells, edit files, and call external APIs.
- MCP servers—hundreds of them, many installed from community registries—that proxy email, calendars, filesystems, databases, and cloud consoles.
- IDE and browser extensions that auto-update silently and can execute arbitrary code with the user's privileges.
- Skill files, system prompts, and configuration profiles that change agent behavior without ever touching a signed binary.
- Local model weights and inference runtimes that can be swapped or poisoned.
Koi's own threat research—part of how the company earned the acquisition—surfaced concrete, in-the-wild examples: malicious MCP servers that silently routed Gmail through plugin-author infrastructure, 800-plus malicious skills published to popular agent registries, and more than 135,000 exposed agent instances reachable from the internet. The attack surface isn't theoretical. It's already deployed.
What makes these threats distinct from classic malware is the trust model. A malicious MCP server doesn't need to bypass code-signing, evade AV signatures, or exploit a zero-day. It is installed intentionally by a developer, granted OAuth scopes intentionally by that same developer, and then updated silently through package registries that most SOC tooling does not inspect. The compromise arrives through the front door, wearing a lanyard.
How Koi Works (The Technical Layer)
For CTOs and security architects evaluating what is actually being absorbed, Koi's platform sits on three capabilities:
- Visibility into non-binary software. A continuously updated inventory of every coding agent, MCP server, extension, skill, script, and local model on the endpoint—including items installed by developers without a ticket.
- Continuous risk analysis via its Wings engine. Koi's proprietary analyzer evaluates what each agent and plugin is doing, what data it touches, which external services it calls, and what changed since last seen. This is where silent post-install updates get caught.
- Real-time policy enforcement with automated remediation. Block an MCP server from reading customer PII, revoke a just-updated extension, kill an agent that starts exfiltrating repo contents—without waiting for a human in the loop.
Plug that into Prisma AIRS and Cortex XDR, and Palo Alto's argument is that a single control plane can now cover the full agentic stack: model risks in the cloud, policy enforcement at the gateway, runtime behavior on the endpoint, and correlated detections across all three.
The competitive reality is that CrowdStrike, Microsoft Defender, and SentinelOne will almost certainly ship their own agentic-endpoint modules within the next one to two quarters. Wiz, now inside Google Cloud, will extend its cloud security posture story to include agent behavior. The category label is up for grabs. Palo Alto is betting that naming it first, backed by a working product and a large installed base, is worth $400 million.
What Changes for CIOs and CISOs
If you run an enterprise IT or security organization, the Koi deal is less a vendor story than a visibility checklist.
Klarich's team published what amounts to a three-question audit any CISO can run this week:
- What non-binary software have your developers installed in the last 90 days? Count MCP servers, IDE plugins, browser extensions, and community-installed agents—not just signed executables.
- Which MCP servers currently hold trust privileges on developer machines? Which have access to email, cloud credentials, production databases, or CRM data?
- Which of those components received a silent post-install update? Updates to non-binary software are the cleanest supply-chain pivot an attacker has.
If your SOC cannot answer those three questions by Friday, you are exactly the customer Palo Alto is describing. That's true whether or not you ever write Koi a check.
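The three audit questions above can be approximated with a snapshot-and-diff of MCP client configuration. The sketch below is an added example, not code from Koi or Palo Alto Networks. It assumes the common `mcpServers` JSON layout used by MCP clients, and every server name, package name and environment key in it is hypothetical sample data.

```python
import hashlib
import json

# Constructed sample data: two snapshots of one MCP client config file taken
# on different days. Server names, packages and env keys are hypothetical.
BASELINE = json.loads("""{"mcpServers": {
  "mail":  {"command": "npx", "args": ["-y", "example-mail-mcp@1.4.0"],
            "env": {"GMAIL_OAUTH_TOKEN": "redacted"}},
  "notes": {"command": "node", "args": ["/opt/notes-mcp/index.js"]}
}}""")
TODAY = json.loads("""{"mcpServers": {
  "mail":  {"command": "npx", "args": ["-y", "example-mail-mcp@1.4.1"],
            "env": {"GMAIL_OAUTH_TOKEN": "redacted"}},
  "notes": {"command": "node", "args": ["/opt/notes-mcp/index.js"]},
  "db":    {"command": "uvx", "args": ["example-db-mcp"],
            "env": {"DATABASE_PASSWORD": "redacted"}}
}}""")

SENSITIVE_HINTS = ("TOKEN", "SECRET", "KEY", "PASSWORD", "CREDENTIAL")

def fingerprint(entry):
    """Hash the launch command and args; env values stay out of the inventory."""
    material = {"command": entry.get("command"), "args": entry.get("args", [])}
    return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()

def inventory(config):
    """Map each configured server to its fingerprint and credential-like env keys."""
    result = {}
    for name, entry in config.get("mcpServers", {}).items():
        keys = sorted(entry.get("env", {}))
        sensitive = [k for k in keys if any(h in k.upper() for h in SENSITIVE_HINTS)]
        result[name] = {"fingerprint": fingerprint(entry), "sensitive_env": sensitive}
    return result

def diff_snapshots(baseline, current):
    """Answer: what is new, what changed since last seen, what holds credentials."""
    old, new = inventory(baseline), inventory(current)
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(n for n in common if old[n]["fingerprint"] != new[n]["fingerprint"]),
        "credentialed": sorted(n for n, v in new.items() if v["sensitive_env"]),
    }

if __name__ == "__main__":
    print(json.dumps(diff_snapshots(BASELINE, TODAY), indent=2))
```

A config diff only catches changes to the launch definition. A server started without a version pin can pull new code with no config change, so a fuller inventory would also hash the installed package contents.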
The other shift is governance posture. "AI tool inventory" used to be a compliance box, something procurement filled in for the annual risk questionnaire. With agents that read production data and execute code autonomously, it becomes a live control surface. Expect internal audit, the CFO's office, and board-level risk committees to start asking how the inventory is maintained and who can change it.
The Business Case (For CFOs and Procurement)
Agent adoption is running well ahead of security budget cycles, and that's where this deal matters financially.
A few data points worth holding together:
- Developer productivity gains are real. Industry surveys through 2026 show coding agents delivering 20–40% velocity improvements in engineering organizations that actually measure them.
- Unsanctioned agent deployment is widespread. Recent OutSystems research found 96% agentic AI adoption with only a minority of CIOs reporting governance in place. The gap is the attack surface.
- The financial blast radius of a single compromised agent is large. An MCP server with credential access can exfiltrate customer data, commit malicious code, or trigger payment fraud—each of which lands in the 7- to 9-figure incident range before legal and regulatory costs.
For CFOs, the calculus is familiar: a relatively modest line item for agentic-endpoint tooling against tail-risk exposure that existing EDR, DLP, and IAM contracts do not currently cover. The budget conversation that starts with "we already pay CrowdStrike" now needs a second line: "…and here's what they don't see."
For procurement, expect a wave of renewal conversations. Palo Alto will position the Koi integration as part of the larger Prisma AIRS / Cortex XDR bundle, which means existing PANW customers get a relatively easy upsell. CrowdStrike and SentinelOne customers face a harder decision: wait for the incumbents to ship their own agentic modules, or add a parallel vendor now. Koi remaining a standalone product was designed exactly for that second path.
The other financial wrinkle is insurance. Cyber insurance underwriters are already asking about generative AI controls at renewal. Carriers are unlikely to reward a policyholder whose coding agents run with unrestricted credentials and whose plugin inventory is unknown. Expect premium pressure and coverage exclusions to become the enforcement lever that IT budget requests could not.
Competitive Positioning
Palo Alto is not the only vendor chasing the agent-security layer. The map looks roughly like this:
- Palo Alto Networks + Koi now occupies the agentic-endpoint slot with a named category, integrated platform, and an installed base of 500,000 endpoints.
- CrowdStrike will extend Falcon with agent-aware detections; its advantage is sensor density and a world-class threat-intel operation.
- Microsoft Defender for Endpoint will integrate agentic coverage into the broader Microsoft Security Copilot story, with deep hooks into GitHub, VS Code, and M365 Copilot agents.
- SentinelOne will lean on its Purple AI and Singularity platform to add agentic behavior analytics.
- Wiz (Google Cloud) and Snyk will push this conversation up the stack—into cloud posture and developer supply chain respectively.
- Smaller pure-plays like Prompt Security, Lasso, Lakera, and HiddenLayer cover adjacent parts of the AI security stack (prompt firewalls, model red-teaming, content policy).
The category is forming in real time. Expect the analysts to publish the first "Agentic AI Security Platforms" wave or guide within 6–9 months, and expect nearly every enterprise RFP for EDR refreshes to add agent-endpoint requirements by the next fiscal cycle.
A Decision Framework
For CIOs, CISOs, and CFOs trying to decide what to do now—before the next renewal—three questions are worth running through with your security architect:
- Visibility first. Do we know what agents and MCP servers are running on developer and business-user endpoints today? If not, the vendor conversation is premature—get an inventory, even a manual one.
- Policy before product. What should and should not an autonomous agent be allowed to do in our environment? Who owns that policy—CISO, engineering, platform, or data governance? Until that is assigned, no tool will stick.
- Incumbent vs. specialist. If you are a Palo Alto shop, expect the Koi integration to land quickly and test it. If you are a CrowdStrike, Microsoft, or SentinelOne shop, ask your account team for a concrete agent-endpoint roadmap with dates, and benchmark against Koi as a standalone option in the meantime.
A cautionary note for boards: the biggest risk in this category is not picking the wrong vendor—it is moving too slowly while developers keep installing MCP servers, coding agents, and browser extensions with production credentials. The Koi acquisition is useful less as a buy signal and more as a prompt to run the inventory.
One last note on timing. Palo Alto closing this deal in April, in the same week that OpenAI announced $122 billion in new funding explicitly to scale enterprise agents, is not a coincidence. Model providers are pushing agents into production as fast as enterprises can absorb them. Security vendors are racing to build the control plane underneath. For the next 12 months, the most expensive mistake a CIO can make is assuming those two racing tracks are someone else's problem.
Sources
- Palo Alto Networks Completes Acquisition of Koi to Secure the Agentic Endpoint — Palo Alto Networks press release, April 14, 2026.
- Palo Alto Networks Announces Intent to Acquire Koi — original February 2026 announcement.
- The Agent Is the Threat: Palo Alto Networks Closes Koi Acquisition and Names a New Security Category — industry analysis, April 2026.
- Palo Alto Networks Completes Koi Acquisition to Address Emerging AI Endpoint Risks — CXO Voice coverage.
- Palo Alto Networks Closes Koi Deal for AI Security — StockTitan PANW coverage.
