Palo Alto Networks in negotiations to acquire one-year-old Israeli startup Koi for $400 million
The deal would extend the cyber giant’s reach in enterprise endpoint protection amid AI-driven market shifts.
Palo Alto Networks, the cybersecurity giant, is showing no signs of slowing its acquisition spree. After completing its $25 billion purchase of CyberArk in 2025, and acquisitions of Chronosphere for $3.35 billion and Protect AI for $500 million, the company is now in talks to acquire Israeli cybersecurity startup Koi for an estimated $400 million. Neither company would comment on the reports.
If the deal goes through, it would mark a rapid and lucrative exit for Koi’s investors and founders. The startup has raised just $48 million to date, primarily in a $38 million Series A round last September. Founded in 2024 by alumni of the IDF’s elite 8200 Intelligence Corps technology unit, Koi operates in the enterprise endpoint protection space. Its investors include Team8, NFX, Battery Ventures, and Picture Capital.
Palo Alto CEO Nikesh Arora visited Israel last month, meeting with CyberArk employees ahead of that acquisition’s closing while also evaluating local startups for potential deals. Arora emphasized that the rapid changes AI technologies are bringing to the cybersecurity sector have created a need to consolidate endpoint solutions, including XDR and EDR offerings. The acquisition of Koi would align with this strategic focus.
Koi was founded in 2024 by Amit Assaraf (CEO, founder of real estate startup Landa), Idan Dardikman (CTO), and Itay Kruk (CPO), ex-Sygnia, Zscaler, after uncovering a major security gap in the VSCode Marketplace. To prove the risk, they built a fake theme extension, dubbed “Darcula Official,” added code that secretly sent developers’ source code and machine details to their server, and uploaded it to the VSCode marketplace all within 30 minutes. Within a week, they’d manage to infect over 300 organizations worldwide, including multi-billion-dollar companies, one of the world’s biggest EDR developers, and a national court network, landing on the VSCode marketplace’s 4.5M-view front page. The experiment led to the creation of “ExtensionTotal” to detect risky extensions, which quickly evolved into Koi’s broader security platform.
Related articles:
- Cyber startup Koi raises $38M Series A to build a central checkpoint for enterprise software
- Palo Alto Networks CEO: “We’re happy Wiz is now part of Google, it gives us more room to operate”
- “I can retire… with peace”: Nir Zuk says Palo Alto Networks finally achieved his 20-year vision with $25B CyberArk acquisition
Koi has since built a platform designed to fill a crucial gap in enterprise security. Its main product, Supply Chain Gateway, serves as a central checkpoint for all incoming software. It provides software inventory management, real-time risk analysis, automatic policy enforcement, and proactive blocking of dangerous code. At the heart of the system is Wings, an AI engine that classifies software components, tests them in isolated environments, and identifies threats that traditional scanners often miss. This allows security teams to control software installation proactively, rather than reacting after breaches occur.
Koi currently protects over 500,000 endpoints globally. Its platform is deployed across Fortune 50 companies, major financial institutions, and leading technology corporations, demonstrating significant market demand and the platform’s operational maturity.
