Endpoint security and extended detection and response (XDR) vendor SentinelOne today announced the acquisition of Attivo Networks for just over $600 million. Attivo was a darling of deception technology, but SentinelOne was really after its Active Directory protection portfolio, including ADAssessor and ADSecure.

Enterprise identity plays a critical role in the Zero Trust world mandated by the Biden Executive Order and recently road-mapped by the Cybersecurity and Infrastructure Security Agency and the US Office of Management and Budget. Identity is foundational to Zero Trust architecture, and let’s face it: Every enterprise has an identity provider they’re trying to protect. The majority of Forrester clients we talk to are heavily invested in the Microsoft ecosystem and could find more Active Directory security compelling.



So while Attivo investors and employees can restfully celebrate the acquisition, advocates of deception technology may be standing on the sidelines offering little more than a golf clap.

Deception tech, while super cool, was never able to achieve escape velocity on its own, and some of its shining stars are disappearing into portfolios of larger vendors. Zscaler acquired Smokescreen in 2021 and has sold it as Zscaler Deception since but will ultimately integrate it into its popular ZPA (Zscaler Private Access) and ZIA (Zscaler Internet Access) services. SentinelOne marks the largest deception acquisition, swallowing Attivo in 2022, but for its identity security, not its deception tech.

A handful of pure deception tech startups still wait in the wings. The acquisition and valuation of Attivo may give them hope to move from a “nice to have” to a “nice to have on the side with” another more mainstream security tech such as identity, endpoint, or network security.

Deception technology is also sprouting up at other security vendors. Fortinet sells its cleverly named FortiDeceptor, and APAC security vendors Sangfor and Chaitin integrate deception into their products, as well.

What acquisitions like this one ultimately mean for security and risk decision-makers is that they can pivot from deploying a stand-alone deception tech product and start evaluating how deception gets paired with one or two key tactical domains such as identity.

Let us leave you with a final, spicy thought. The SentinelOne press release mentions identity just under 30 times and deception only three. This word-count snubbing of honeypots and honeynets seems to confirm that the acquisition was all about identity, right? Or is that just what SentinelOne wants us to believe?