
Koi sold to Palo Alto for $400 million before most employees received options

The founders of the Israeli startup have moved to compensate staff after rapid acquisition left the equity pool incomplete.

A rapid, lucrative exit is the dream of every high-tech employee. But when events unfold at breakneck speed, the outcome can come with an unexpected cost. About ten days ago, cybersecurity giant Palo Alto Networks announced the acquisition of young Tel Aviv startup Koi Security at an estimated valuation of $400 million. The company’s 60 employees initially celebrated the deal, only to discover that most of them, except for roughly the first 10 hires, had not yet been formally granted stock options. As a result, they will not directly benefit from the exit, with most of the proceeds going to investors and the three founders.
Founded in mid-2024, Koi is less than two years old and has raised only two funding rounds. Its Seed round, completed toward the end of 2024, did not include broad option allocations, which is common at such an early stage, though a small equity pool was distributed to the first 10 employees.
Koi team. (Photo: Omer Hacohen)
The company completed its Series A round toward the end of 2025, raising capital at a valuation of $135 million. At that point, a valuation had been conducted to enable option grants to employees, who then numbered around 60. However, acquisition talks with Palo Alto Networks had already begun, and according to people familiar with the matter, management did not have time to complete the technical process of allocating options before the deal was signed. In total, Koi raised $48 million across both rounds, making the acquisition a swift and highly profitable outcome for founders and investors.
Following the announcement, employee frustration grew over their lack of equity participation. In response, the company’s founders, each of whom owns approximately 12% and stands to receive about $50 million before taxes, decided to allocate part of their personal proceeds toward employee bonuses.
According to people familiar with the decision, employees were informed at a company meeting earlier this week that bonuses would be distributed in amounts broadly equivalent to what they would have received had option packages already been granted. In startups, it is customary to allocate 10% to 15% of company equity to employee options, much of which typically accelerates upon acquisition. Depending on the final terms, some compensation may also be convertible into shares of Palo Alto Networks. The acquisition has not yet formally closed.
Koi was founded by Amit Assaraf (CEO, founder of real estate startup Landa), Idan Dardikman (CTO), and Itay Kruk (CPO), ex-Sygnia, Zscaler, after they uncovered a major security gap in the VSCode Marketplace. To prove the risk, they built a fake theme extension, dubbed “Darcula Official,” added code that secretly sent developers’ source code and machine details to their server, and uploaded it to the VSCode marketplace, all within 30 minutes. Within a week, they had managed to infect over 300 organizations worldwide, including multi-billion-dollar companies, one of the world’s biggest EDR developers, and a national court network, landing on the VSCode marketplace’s 4.5M-view front page. The experiment led to the creation of “ExtensionTotal” to detect risky extensions, which quickly evolved into Koi’s broader security platform.
The primary financial beneficiaries of the acquisition, alongside the founders, are venture firms including Team8, NFX, Battery Ventures, and Picture Capital.
Koi has developed a platform designed to address what it sees as a critical gap in modern cybersecurity. Its main product, Supply Chain Gateway, acts as a centralized checkpoint for all incoming software, enabling organizations to maintain a complete inventory of applications, conduct real-time risk analysis, enforce security policies automatically, and proactively block malicious code before installation.
At the core of the platform is an AI engine that classifies software components, executes them in isolated test environments outside the organization, and detects threats that traditional scanners often miss. This approach allows security teams to control what software enters their environment, rather than reacting only after a breach has occurred.