Palo Alto Networks is reportedly looking to acquire Israeli cybersecurity startup Koi for approximately $400 million. The one-year-old company specializes in endpoint security and already protects more than 500,000 endpoints worldwide. Palo Alto Networks and Koi have not responded to CTech’s report.
Koi is a rapidly growing security player. In addition, there is currently a lot of consolidation taking place within the security market. Palo Alto Networks CEO Nikesh Arora also visited Israel last month to meet with CyberArk employees before the $25 billion purchase is finalized. At the same time, he is said to have evaluated local startups for potential deals.
For the investors and founders, it would be a rapid success story. Koi was only founded in 2024 by alumni of the Israeli intelligence service Unit 8200: Amit Assaraf (CEO), Idan Dardikman (CTO), and Itay Kruk (CPO). The company has raised only $48 million to date, mainly through a $38 million Series A round in September.
Many media outlets have picked up on CTech’s report. Neither party has denied the report at this time, but similar reports about Cisco’s potential acquisition of Axonius were denied. CTech (CalcalisTech) has also frequently reported on potential deals that ultimately did not materialize (see Palo Alto Networks’ alleged acquisition of SentinelOne). It therefore seems that those involved are keen to share information with this tech site at an early stage, which often has financial consequences for listed companies. In any case, negotiations for Google’s eventual takeover of Wiz were known to CTech at an early stage, so sensational rumors can certainly turn into actual deals.
From hacking experiment to company
Doubts aside, Koi’s origins are remarkable. The founders discovered a major security vulnerability in the VSCode Marketplace. To prove the risk, they built a fake theme extension called “Darcula Official.” That extension secretly sent source code and machine information to their server. Within 30 minutes, it was live on the marketplace.
The damage was surprisingly extensive. Within a week, they had infected more than 300 organizations worldwide, including multi-billion dollar companies, one of the world’s largest EDR developers, and a national judicial network. The experiment led to “ExtensionTotal,” a tool for detecting risky extensions. That subsequently grew into Koi’s broader security platform.
The central component of Koi is called Supply Chain Gateway, which combines software inventory management, risk analysis, policy enforcement, and automatic blocking of dangerous code. Under the hood, it runs Wings, which tests software components and ranks them according to potential dangers.
XDR and EDR in one platform
Koi now protects more than 500,000 endpoints worldwide. The platform runs at Fortune 50 companies, large financial institutions, and leading tech companies. This demonstrates that there is significant market demand and that the platform is operationally mature.
The potential Koi acquisition is no exception. Palo Alto Networks showed an unprecedented appetite for acquisitions in 2025. After completing the $25 billion CyberArk deal, it acquired Chronosphere for $3.35 billion and Protect AI for $500 million. The focus is on building an integrated security platform in which all components work together seamlessly.