Although details are limited — with more expected to come during an upcoming earnings call — we know that a leader in the security service edge (SSE) market will consume a leader in the managed detection and response (MDR) market, with Zscaler announcing that it intends to acquire Red Canary. Here’s our analysis of the good, the bad, and the concerning about this acquisition, what it means for the cybersecurity market, and what it signals for security leaders and their teams.

The Good: Complementary Visibility And Business Benefits

On its face, this acquisition makes sense. Both companies lead the primary market segments in which they operate and both companies augment weaknesses in the other. Specifically:

  • Platforms are the name of the current game. Competitors in the broader security market are pushing heavily toward “platformization,” leading to significant consolidation with larger security companies (e.g., Exabeam and LogRhythm, Cisco and Splunk, etc.). Zscaler and other vendors looking to become a platform need to expand to compete.
  • They fill key functionality gaps in the other. Zscaler’s legacy is cloud-based network and application access control built on a Zero Trust foundation. Gaps for Zscaler include minimal visibility into endpoints, identities, and security telemetry — though it does advertise security data fabric as part of its catalog. Red Canary plugs in and solves those issues right away, giving Zscaler even more credibility for its Zero Trust platform. As enterprises continue to deemphasize the importance of network visibility via SaaS in favor of endpoint, cloud, and identity detection surfaces, this reduces the likelihood that its primary SSE and secure-access service edge competitors can frame Zscaler as a niche Zero Trust provider with visibility gaps.
  • Each will bring financial benefits to the other. This acquisition brings a sizable infusion of recurring revenue into Zscaler that will boost its financial results and please shareholders. Red Canary struggled with sales, partnerships, and market penetration — Zscaler brings a strong go-to-market engine. In addition, Red Canary, with a predominantly North American-focused customer base, can tap into Zscaler’s existing financials and global footprint, leading to cross-sell opportunities that otherwise wouldn’t exist. One aspect that will make this integration easier: Both companies focus on annual recurring revenue as subscription companies.

The Bad: No One Wants To Revert Back To Managed Security Service Providers

As much as this acquisition addresses weaknesses in each company, when you dig deeper, the foundation of this acquisition starts to falter. While MDR is taking a turn toward more proactive capabilities and Zero Trust can reduce the impact of breaches, Zero Trust and MDR don’t amplify one another. Therefore, bundling SSE with MDR isn’t a natural or compelling consumption model. One only needs to look at the recent history of the managed security service provider market to see how managed network security and managed security information and event management failed to create synergies beyond bundling via a catalog of services. In fact, the challenges created by this disconnect helped create MDR as a standalone market. Unfortunately:

  • This duo addresses business gaps without creating a better security product. Zscaler’s gaps, such as a lack of detailed logging and reporting or native security services, were easily exploited by competitors like Palo Alto Networks and Cisco. Through Red Canary, Zscaler is positioned to leverage the MDR’s extensive coverage across endpoints, identities, and workloads for richer telemetry, in addition to expert services to augment security teams. Even so, it’s unclear how any technology integration might work in practice. On paper, Red Canary can bring a tremendous amount of visibility to Zscaler to support the core functionality of the platform, but there’s currently neither a public timeline for integration nor details regarding how Red Canary’s telemetry will be bridged into Zscaler’s current product offerings.
  • Scale will be difficult for Zscaler. Red Canary was in a highly competitive market with hundreds of providers offering MDR services, but scaling its business in that market was expensive, challenging, and, critically, uncertain. Zscaler’s competitors already offer MDR services, making the vendor late to bring this into its platform (which is at least one year away at best), and the lack of strong security synergies between Zero Trust and MDR doesn’t make this an obvious purchase for security leaders seeking out strong detection, investigation, and response services.

The Concerning: Conflicting Cultures Rarely Mesh Well In Security

There’s a glaring culture gap between these two corporations. Zscaler focuses on a broad portfolio of security offerings with a strong sales and marketing culture and leaders with a long history of scaling a startup to a major cybersecurity brand. Red Canary is expertise-oriented with strong practitioner knowledge and a long history focused on threat intelligence, detection, and response. Further:

  • Based on past performance, the two don’t share the same values. Red Canary excelled in its highly technical community contributions, especially with its work to set a standard for raw telemetry access from endpoint detection and response providers in the MDR market and Atomic Red Team. Zscaler does offer some open-source scripts, but the primary intent of those scripts is enabling deployment and implementation of Zscaler services, not necessarily for the good of the broader security community. Time will tell if Red Canary will continue its contributions to the broader cybersecurity community, but there’s no evidence in Zscaler’s history that it places the same level of value in giving back to practitioners.
  • In cybersecurity history, sales cultures rarely meld well with expertise cultures. The canonical example of FireEye and Mandiant stands out. And even though both companies offer subscription services in the form of annual recurring revenue, which helps the sales motion, it might not be enough to bridge the gap.

In Summary: Mostly Upside Potential And A Bellwether For More Volatile Acquisitions

For CISOs trying to make sense of the Zscaler and Red Canary combination: In spite of the claims that bringing various acquisitions together makes sense, the simple truth is that an acquisition being better for customers rarely factors into the equation. Forrester expects that this acquisition will bode well for Zscaler customers, as they now have access to a strong set of practitioners with skills in threat detection and response. But for MDR customers, it all comes down to whether Zscaler can retain Red Canary practitioners and whether they consider Zscaler — and its approach to Zero Trust — as a necessity for their security program. As an example, Red Canary and Palo Alto Networks launched a major partnership for Managed XSIAM in September 2024, but as mentioned previously, Palo Alto Networks is a major Zscaler competitor. Those kinds of partnerships, previously born out of the independence an MDR provider can have, are now a question mark.

But there are implications for the wider security industry and the CISOs navigating this landscape. There’s no doubt that at least some of the motivation for this acquisition comes from the economic uncertainty in cybersecurity (and the economy in general). Forrester predicts more acquisitions as smaller players couple up with larger ones in the hopes that the financial resources will shelter them from the storm. That’s better than limping along (or going out of business), but some of the acquisitions and exits that we’ll see in cybersecurity wouldn’t happen in more stable economic conditions.
