What to Do When Your Security Provider Gets Acquired: How to Spot the Signals and Stay Ahead of the Spin

When it comes to my career in the cybersecurity industry, I’ve been on both sides of the table during an acquisition. I’ve sat in the CISO seat when a trusted endpoint protection platform partner was acquired and spent long nights trying to figure out what would change – or not change – about the risk landscape I was responsible for.

Now, as the CISO at eSentire, it would be up to me to help our own customers navigate the realities of M&A in the cybersecurity world. Trust me, there’s more happening under the surface than most press releases will ever admit.

If you’re reading this, you might be in the same place I was: your MDR, SIEM, or XDR vendor just announced an acquisition, or maybe you’re just watching industry headlines, wondering when it will happen to you.

And you’re right to be alert; M&A activity in cybersecurity isn’t slowing down, which may be due to more security leaders choosing to consolidate their technology stack. According to PwC’s 2024 Global Digital Trust Insights, 60% of organizations say they’ve had to adjust their security strategy in the past two years directly because of vendor consolidation.

So, what’s really going on when a security provider gets acquired, and how can you as a security leader keep your organization safe? Here’s my playbook, drawn from years on both sides of the buy/sell line.

Don’t Panic, But Don’t Get Comfortable Either

Let’s start with the emotional response. When I first got the news that a key vendor was being acquired, I’ll admit I felt a little uneasy. I’ve seen teams freeze and do nothing, just hoping for the best, and I’ve seen teams overreact, immediately looking to switch vendors at the first sign of trouble.

The reality? Neither extreme is helpful. What you need in this moment is clear-headed action. Acquisitions almost always bring change, but the speed and visibility of those changes can vary. There are cases where things go smoothly, and the customer experience stays high. But that isn’t something you should just hope for.

The first thing you should do is pay close attention to what’s said – and, more importantly, what’s left unsaid – in any official communication from both the acquired and acquiring companies. Read between the lines. Are they being transparent about timelines for integration, changes to the support model, whether how they will prioritize you as a customer or the future of the product you rely on? Or is it just the usual “we’re excited to join forces” fluff?

Then, get tactical:

• Pull out your contract: What are your renewal dates, your SLAs, your termination clauses? If there’s a “material change” or “termination for convenience” clause, highlight it.
• Schedule a check-in with your account manager or customer success lead: Even if you think you have a good relationship, now’s the time to ask for regular updates.
• Loop in your team, and, if you have one, your legal counsel: Make sure everyone understands what’s happening and what you’re watching for.

In my own experience, the security leaders that start these steps early are the ones that avoid scrambling later. The ones who “wait for the dust to settle” often find themselves reacting to changes after the fact, sometimes with real consequences.

Don’t Settle for Generic Answers; Ask the Hard Questions

Let’s be honest – acquisitions are full of marketing spin. Every customer is going to get the same “Nothing will change” line, at least at first. It’s in every press release, every customer webinar, every FAQ.

But in the real world, “nothing will change” often means “we haven’t decided what’s changing yet, so we’ll say nothing is.”

I’ve learned, both as a customer and now as a provider, that you must be persistent and specific if you want answers that mean anything so here’s my advice:

• Get it in writing: When you ask about SLAs, support structures, and incident response times, ask for a written commitment for at least the next 12 months if possible.
• Be relentless about compliance and data handling: Will your data be moved or handled differently? Are any support teams being relocated, or is your data going to be processed in a new region?
• Push for a clear roadmap update: Don’t settle for “we’re working on it.” Ask for dates and details. What’s happening to the features or integrations you rely on? When will you be notified about actual changes?
• Repeat yourself: Don’t assume you’ll get the full story the first time you ask. The situation evolves, especially as teams start to integrate behind the scenes. Follow up monthly, if necessary.

One lesson I’ve learned the hard way: avoid the temptation to ask “softball” questions like “Will my business remain a priority?” No one is going to answer that honestly.

Focus on what you can track and what’s enforceable – SLAs, response times, support access, and compliance documentation. Your goal isn’t to be antagonistic, but to be an informed, proactive customer.

Compliance and Data Residency: The Risks That Sneak Up On You

One area that causes anxiety for most CISOs during a vendor acquisition is compliance and data residency. This is where the hidden risks live. An acquisition can change where your data is stored, who has access to it, and which regulatory frameworks apply.

Here’s what I recommend based on my experience:

• Ask outright about data movement: Will any of your data be transferred to new data centers or cloud environments, possibly across borders? Even a “temporary” migration can have permanent compliance implications.
• Request updated compliance documentation and certifications: If your organization relies on GDPR, HIPAA, SOC 2, ISO 27001, or similar certifications, get explicit confirmation that these remain valid—and that they’ll notify you before anything changes.
• Bring in your compliance and legal teams early: In one case, I had a provider assure me everything was “business as usual,” but my legal counsel found a footnote in the updated contract that would have voided our DPA (Data Processing Agreement) if the product was retired.
• Don’t just rely on vendor assurances: If you’re in a highly regulated industry, consider an external audit or risk review after the acquisition is finalized.

The worst time to discover a compliance gap is when a regulator or auditor is already knocking at your door. Being proactive here isn’t just smart; it’s essential.

Red Flags: The Signals No Press Release Mentions

There are almost always warning signs that things are about to go sideways with your provider, but you must know what to watch for. Most customers don’t notice the change until after something major has gone wrong – whether it’s a support disaster, a major feature being dropped, or even a security incident.

From my own “battle scars,” here are the signals I track closely:

• Personnel churn: If your account manager, support contacts, or key technical experts leave the company or get reassigned, it’s usually the tip of the iceberg. High turnover on SOC or engineering teams is even more alarming.
• Service degradation: If your support tickets start taking longer, or the quality of incident response slips, don’t write it off as “integration hiccups.” Track the changes and compare to your baseline.
• Communication slowdowns: Are you getting fewer product updates, or has the cadence of roadmap briefings and status calls dropped off? Silence is rarely a good sign.
• Vague or evasive responses: When you start hearing “We can’t share details right now” or “We’re still working out the integration plan,” it’s time to start documenting your concerns.
• Surprise contract changes: Sometimes you’ll get a “routine” contract update to sign, so read it carefully. Changes buried in new terms could lock you in or reduce your rights if things deteriorate.

I recommend keeping a running log or tracker. In one of my past roles, I did the same and that allowed us to escalate with both our leadership and our vendor before things hit a breaking point.

Don’t Get Caught in a Platform Trap

A major driver behind many security acquisitions these days is the push toward broader “security platforms.” The goal for many acquirers isn’t just to own a single point solution, but to bring your business into their ecosystem – sometimes whether you want to or not.

The numbers back this up: IDC reports that 57% of security leaders said they were “encouraged” (or required) to adopt additional tools or licenses because of a provider M&A event in the last 18 months.

What does this look like in practice?

• You start hearing about “synergies” and “integration roadmaps” in quarterly business reviews.
• Product features you rely on are now part of a new, bundled solution—often at a higher price.
• Support and SLAs may only be guaranteed if you migrate to a new portal, buy into the parent company’s platform, or adopt other products in the suite.
• In some cases, you might even find your core product being “sunsetted” in favor of a different offering.

My recommendation:

• Ask for explicit commitments in writing: Will your current product, support, and SLAs remain unchanged for at least the next contract term?
• Watch out for roadblocks in upgrades, renewals, or integrations: If you see signs of forced migration, start planning now. Don’t wait until the choice is taken out of your hands.
• Explore your alternatives: Even if you’re happy, having a shortlist of other providers gives you leverage and peace of mind.

Metrics Matter; Don’t Just Trust Your Gut

In the aftermath of an acquisition, you might feel like service is slipping but you need evidence, not just anecdotes, to make your case (internally or with your vendor). Tracking objective metrics not only protects you but also arms you with data if you need to escalate or make a business case for change.

Here’s what I track and why:

• Mean time to detect (MTTD) and mean time to respond (MTTR): If these increase even by a small margin, it could mean that the new team is understaffed, distracted by integration, or dealing with process changes.
• Ticket resolution times: Are cases taking longer, especially those that used to be handled quickly? Track trends over time, not just individual examples.
• Threat intelligence quality and update frequency: Are you still getting the same actionable intelligence and timely advisories, or has that slowed down?
• Alert volume and accuracy: Watch for more false positives or “alert storms.” Sometimes, a loss of institutional knowledge after an acquisition leads to noisier or less effective detection. The inverse is also true here, and perhaps a bigger red flag indicator. If you notice missed detections or markedly less alert volume, this could lead to a serious incident.

In my previous CISO roles, I always had a baseline of what “normal” looked like for these metrics before the acquisition. If you see downward trends over a couple of quarters, don’t ignore them. Bring them up with your vendor, escalate with your leadership, and be prepared to act. You’ll also find this data invaluable if you ever need to negotiate out of a contract for “material degradation” in service.

How to Prepare: A CISO’s Acquisition Readiness Checklist

The best time to get ready for a vendor acquisition is before it happens to you. Here’s what I recommend, based on lessons learned, not just best practices:

1. Know Your Contract Inside and Out

• Highlight and document “material change,” exit, and SLA clauses.
• Keep an eye on renewal and auto-renew dates. Don’t get caught by surprise.

2. Establish a Metrics Baseline

• Record current SLAs, response times, support contacts, and critical product features.
• Review this baseline with your team so everyone knows what “good” looks like.

3. Map Your Dependencies

• Understand which products, integrations, and workflows are “must-haves.”
• Identify areas of vendor lock-in that could complicate migration if you have to leave.

4. Build Your Network

• Stay engaged in industry groups, share experiences with peer CISOs, and pay attention to chatter after big acquisition announcements.
• Knowledge-sharing is a force multiplier; don’t underestimate the power of your network.

5. Develop a Contingency Plan

• Research alternative vendors, even if you don’t expect to switch. It’s always good to keep up with how different MDR vendors compare to each other, how their product offerings are evolving, and what they are prioritizing.
• Outline what migration would entail: data exports, new integrations, retraining, change management.

You don’t have to do all of this at once, but chipping away at it over time can make a huge difference if you ever need to act quickly.

Looking back, I’ve seen acquisitions play out both ways—some are genuinely positive, with new investment and better capabilities. Others have led to dropped features, service gaps, or even compliance headaches that took months to resolve. The difference always comes down to preparation and vigilance.

Don’t let a vendor acquisition catch you off guard. Read between the lines, ask hard questions, track your metrics, and have a plan. If you do, you’ll find you can weather these changes and maybe even come out stronger on the other side.

ABOUT THE AUTHOR

Greg Crowley Chief Information Security Officer

Greg Crowley is an accomplished executive with over 20 years in Information Technology and Cybersecurity with extensive experience in managing enterprise security and mitigating risk for global hybrid networks. Greg believes that as a leader in the cyber world, being able to communicate and execute a strategic vision to defend and protect is the most important part of his role. Prior to joining eSentire, Greg oversaw the overall cybersecurity function as Vice President of Cybersecurity and Network Infrastructure at WWE (World Wrestling Entertainment). He spent over 17 years in various leadership roles across engineering, infrastructure and security within that organization. Greg holds a Bachelor's degree from Queens College. He is a Certified Information Security Manager (CISM) and a Certified Information Systems Security Professional (CISSP).