MDR Market Consolidation Continues
In the latest move in a wave of MDR market consolidation, Arctic Wolf has announced the acquisition of Cylance from BlackBerry for $160 million, with the deal expected to close in BlackBerry's fiscal Q4. This announcement comes amid a broader consolidation trend in the MDR market, marked by two other major deals slated for early 2025 closings: Sophos combining with SecureWorks and Trustwave joining forces with Cybereason. According to TechCrunch, the Cylance price tag represents a stark markdown from the $1.4 billion BlackBerry paid in 2018. The deal structure includes $80 million in cash at closing, another payment a year later, and approximately 5.5 million Arctic Wolf common shares. For a company acquired for $1.4 billion in 2018 to be sold for $160 million only six years later, some may see this purchase as "The Cylance of The Lambs". Others recognize that, while its market value has indeed been slaughtered during its time at Blackberry, it's likely the endpoint security vendor's technology will live on in some form at its new owner Arctic Wolf.
These consecutive deals signal a broader shift in the cybersecurity industry, where MDR providers are actively seeking to strengthen their technology stacks through strategic acquisitions. This consolidation wave isn't happening in isolation - it's directly tied to the industry's movement toward comprehensive security platforms.
Market Impact: Platformization Takes Center Stage
This acquisition isn't just about adding another tool to the toolbox. As Arctic Wolf's CPO Dan Schiappa explains in their official blog, "We're not a services company adding a new tool to its portfolio, or a tools company bolting on services to its products—we're a security operations company with an open platform." This distinction is crucial in understanding Arctic Wolf's strategic direction.
The move reflects a broader industry trend toward comprehensive security platforms. With 95% of Arctic Wolf's SOC investigations involving endpoint telemetry, this acquisition positions them to address a critical security operations challenge. The integration of Cylance's AI-powered endpoint protection with Arctic Wolf's Aurora Platform promises to combine automated threat detection with human expertise.
What's Coming Together
The acquisition brings together several key components:
Cylance's CylancePROTECT (EP), CylanceENDPOINT and CylanceOPTICS (EDR) products
Arctic Wolf's Aurora Platform and Alpha AI capabilities
Processing power for over 7 trillion security events weekly
Integration expertise from nearly 1,000 SOC analysts
Cylance has some great offerings - particularly its CylanceENDPOINT solution - but was part of a portfolio of products within Blackberry's security division - a self-described product company that also offered services. As recently as August 2024, Blackberry released CylanceMDR Pro, a service based on the Open XDR platform. Blackberry talked about pivoting its focus to further develop its security services business, but perhaps it was a case of too little, too late? For Cylance, it appeared that it was stuck in a corporate organization that was either unwilling - or unable - to monetize its products and develop its business.
There is also the “Pure Play vs. IP-Led” argument to consider. Until this announcement, the vendor-agnostic “pure play” services companies like Arctic Wolf argued that breadth of endpoint telemetry creates a multiplicative detection effect; essentially that the whole is greater than the sum of its parts. IP-Led providers like Cylance (prior to its acquisition by Blackberry) argued for prevention first through superior EDR tools (most notably at the RSA Conference 2017). CrowdStrike has also used this messaging but launched Falcon Complete (its MDR offering) in 2018 recognizing earlier than Cylance that prevention goes a long way but wasn’t enough.
Arctic Wolf has committed to maintaining an open platform approach, continuing to support their existing integrations with more than 15 endpoint security vendors. This vendor-agnostic strategy sets them apart in an industry where many platforms resist integrating with competitors.
Industry Perspective: Reading Between the Lines
From a market dynamics viewpoint, this acquisition makes strategic sense but requires careful execution. Arctic Wolf's current limitation has been their homegrown EDR sensor's capabilities and the lack of a robust endpoint agent. The Cylance acquisition directly addresses these gaps, potentially creating a more integrated solution set for customers.
Cylance also brings a complementary channel play to Arctic Wolf’s partner business. With over 1,000 partners servicing the SMB market (as of 2019), Cylance benefited from Blackberry's strengths in the mobile applications security space that helped it develop in the commercial sector via resellers and MSPs. In channel-heavy regions such as EMEA, offering an MDR/SOC service is highly desirable for SME customers, but selling it at an affordable price remains a challenge. Pre-packaging, combined with automation tools will help, and Arctic Wolf has been providing integrations via its own Aurora platform for several years. It now also has the benefit of Cylance AI as part of its endpoint security toolkit.
However, the real story here is about market evolution. The cybersecurity industry is witnessing a clear trend toward platformization, but with an important twist: customers, especially in the midmarket, prefer what could be called "iterative consolidation." They want to reduce complexity and vendor sprawl but aren't looking to put all their security eggs in one basket.
This acquisition represents a pivotal moment in Arctic Wolf's evolution, but it also raises important questions about their existing partnerships. Two of the biggest IP-led MDR service providers - CrowdStrike and SentinelOne - are currently Arctic Wolf partners. The nature of these partnerships, particularly whether they're primarily resale agreements, could significantly impact Arctic Wolf's open platform strategy. There's a real possibility that these endpoint security leaders might reassess their relationship with Arctic Wolf now that it's becoming a direct competitor in the endpoint space.
The success of Arctic Wolf's strategy will depend on several critical factors: how well they can balance integration with openness, how they maintain relationships with existing partners, and how they manage the transition from partner to competitor in the endpoint security space. While their commitment to an open platform is admirable, the practical challenges of maintaining deep integrations with direct competitors shouldn't be underestimated.
Acquisitions and mergers take time to execute well. The temptation to forge ahead with product development, feature changes, service modifications etc. is strong post-acquisition, but risks alienating existing Cylance customers. Arctic Wolf needs to carefully execute its Cylance integration plan, being cognizant of potential 'poaching' of worried customers during any transition phase, while weighing-up the implications of Cylance's existing strategic relationships. EDR and MDR are rapidly evolving markets, with new partnerships providing further competitive threats. In December, MDR provider SonicWall - already partnering with the likes of Sophos and SentinelOne - announced a partnership with leading vendor CrowdStrike, a move likely to bring further pressure on MSPs and MSSPs offering solutions in the SMB sector.
Perhaps the biggest challenge ahead lies in the technical execution. Maintaining and evolving endpoint security solutions is notoriously difficult, requiring constant innovation to keep pace with emerging threats. With most of the original Cylance engineering team no longer with the company, Arctic Wolf faces the daunting task of R&D, engineering, and modernizing the Cylance tools. This isn't just about maintaining existing functionality – it's about evolving the platform to meet future security challenges while simultaneously integrating it into their broader offering.
For Arctic Wolf, this move could be transformative, but success isn't guaranteed. The real test will be multifaceted: executing on their vision of combining Cylance's endpoint expertise with their existing security operations prowess, maintaining their open ecosystem partnerships, navigating complex competitive dynamics, and crucially, building an engineering team capable of modernizing and advancing the Cylance technology stack in an increasingly competitive endpoint security market.
I have never dealt with M&As, only large scale joint ventures. The security market M&A brings a perspective that is very complex. One would need a new type of expert that can handle these very sophisticated and sensitive acquisitions.