Brief #143: Check Point Spends $340M on Four Acquisitions in 60 Days

Nikoloz Kokhreidze

Check Point just dropped $150 million on three Israeli startups in a single earnings call. That's on top of the $190 million Lakera AI deal two months ago. Four acquisitions, $340 million, and a clear signal: the legacy firewall giant is trying to buy its way into the AI security and exposure management categories before the window closes.

Meanwhile, Proofpoint, Zscaler, and CrowdStrike all made AI-adjacent acquisitions this same week. The land grab for agentic AI security is on.

Top 3 This Week

  • BeyondTrust CVSS 9.9 flaw exploited within 24 hours of PoC release - One threat actor is behind 83% of attacks, and CISA added it to the KEV catalog on the same day
  • Claude Opus 4.6 discovers 500+ zero-day vulnerabilities in open source projects - Anthropic's newest model found high-severity bugs in codebases that survived decades of automated testing, forcing a rethink of disclosure timelines
  • Check Point spends $340M on four acquisitions in 60 days - AI security, exposure management, and MSP workspace all targeted as the legacy firewall giant tries to buy its next chapter

Threats

BeyondTrust Vulnerability Exploited Within 24 Hours of PoC Release

  • Attackers began exploiting CVE-2026-1731, a critical CVSS 9.9 vulnerability in BeyondTrust Remote Support and Privileged Remote Access, within hours of a proof-of-concept becoming available.
  • A single threat actor is responsible for 83% of all observed exploitation attempts against recent Ivanti and BeyondTrust vulnerabilities, suggesting a highly organized operation focused on remote access infrastructure.
  • CISA added the flaw to its Known Exploited Vulnerabilities catalog on the same day, requiring federal agencies to patch immediately.

Why this matters:
Remote access tools sit at the trust boundary of enterprise networks. When a CVSS 9.9 goes from PoC to active exploitation in under 24 hours, your patch SLA is the only thing between you and compromise. If your remote access infrastructure isn't on a 24-hour emergency patch cycle, it should be.


300+ Malicious Chrome Extensions Caught Stealing Data from 37 Million Users

  • Researchers identified over 300 malicious Chrome extensions with a combined 37 million installations that disguised themselves as AI assistants, ad blockers, and productivity tools while harvesting browsing history, credentials, and session tokens.
  • The extensions used injected iframes and background scripts to hijack accounts on platforms including VKontakte, steal API keys from emails, and exfiltrate business data, with some specifically targeting enterprise users.
  • Google has begun removing the extensions from the Chrome Web Store, but the scale of the campaign, spanning at least 30 distinct malware families, points to a coordinated ecosystem rather than isolated incidents.

Why this matters:
Browser extensions operate with broad permissions that most users never review. For security teams, this is a reminder that extension governance belongs in your endpoint policy, not just your IT hygiene checklist. Block unsigned extensions, whitelist what you need, and audit the rest.


Dutch Carrier Odido Discloses Data Breach Impacting 6.2 Million Customers

  • Netherlands-based telecom provider Odido (formerly T-Mobile Netherlands) confirmed a breach of its contact management system exposing personal data of 6.2 million customers, including names, addresses, phone numbers, and dates of birth.
  • The breach did not involve financial data or passwords, but the volume of exposed PII creates significant phishing and social engineering risk for affected customers across the Netherlands.
  • Dutch regulators are investigating. Odido has notified affected customers and implemented additional access controls on the compromised system.

Why this matters:
6.2 million records in a country of 17 million means roughly one in three Dutch residents is affected. For CISOs operating in the EU, this is another data point for board conversations about the real cost of contact system security and GDPR exposure.

CISO Lens

CISA Set to Furlough Most of Its Workforce Under DHS Shutdown

  • The Cybersecurity and Infrastructure Security Agency is preparing to furlough the majority of its staff if the Department of Homeland Security faces a government shutdown, leaving critical cybersecurity coordination functions severely understaffed.
  • Essential functions like active incident response and critical infrastructure protection would continue with a skeleton crew, but proactive programs including vulnerability disclosure, threat intelligence sharing, and security assessments would halt.
  • The timing is particularly concerning given active exploitation of multiple critical vulnerabilities and ongoing nation-state campaigns targeting federal and critical infrastructure networks.

What this means:
Whether or not the shutdown happens, the fact that federal cybersecurity coordination hinges on funding negotiations should concern every CISO in critical infrastructure. If you rely on CISA advisories, KEV catalog updates, or their incident coordination, have a backup plan. Diversify your threat intelligence sources now, not when the lights go off.


Munich Security Conference: Cyber Threats Lead G7 Risk Index

  • The 2026 Munich Security Index ranks cyberattacks as the top risk across all G7 nations, overtaking traditional geopolitical threats for the first time in the index's history.
  • The report highlights that state-backed actors from China, Iran, Russia, and North Korea are running coordinated operations against defense industrial base targets, with Google's threat intelligence group documenting linked campaigns across multiple sectors.
  • EU officials used the conference to warn that adversaries are rehearsing digital sieges against critical infrastructure, with Taiwan specifically flagging Chinese rehearsal operations.

What this means:
Cyber risk at the top of the G7 index isn't just an academic ranking. It changes how boards think about security investment. If your executive team still treats cybersecurity as an IT cost center, this is the external validation to reframe it as enterprise risk management.


CyberArk Survey Reveals 75% of Organizations Overconfident in Privilege Management

  • 75% of organizations believe they're future-ready but continue relying on outdated privilege models, with 91% still using standing privileged access and 99% failing to eliminate it entirely.
  • Shadow privilege remains a persistent problem with 54% of organizations discovering unmanaged privileged accounts weekly, while 88% use multiple identity platforms creating operational blind spots.
  • Only 33% of organizations have established policies for AI identities or AI agent access, highlighting a critical governance gap as artificial intelligence adoption accelerates across enterprises.

What this means:
The gap between confidence and reality in privilege management is a red flag for every security program. Standing access is the gift that keeps giving to attackers, and the AI identity gap is about to get worse. If your PAM strategy doesn't account for non-human identities and AI agents, you're building your access model on assumptions that expired six months ago.

AI & Security

Claude Opus 4.6 Discovers 500+ Zero-Day Vulnerabilities in Open Source Projects

  • Anthropic's new Claude Opus 4.6 model found over 500 high-severity vulnerabilities in well-tested open source codebases without specialized tooling, using human-like reasoning to analyze Git commit histories and identify patterns rather than traditional fuzzing methods.
  • The AI model successfully discovered zero-day vulnerabilities in projects like GhostScript, OpenSC, and CGIF that had remained undetected for decades despite millions of hours of automated testing, demonstrating superior analysis capabilities for complex memory corruption issues.
  • Anthropic has implemented new cyber-specific detection probes and enforcement workflows to prevent misuse while contributing validated patches to maintainers, warning that existing 90-day disclosure windows may need adjustment for the speed and volume of AI-discovered bugs.

The implication:
The offensive-defensive balance just shifted. If one AI model can find 500+ zero-days in mature codebases, the question isn't whether attackers will use similar capabilities. They already are. The 90-day disclosure window was designed for human researchers finding bugs one at a time. When AI finds them by the hundreds, the entire coordinated disclosure framework needs rethinking.


Claude AI Artifacts Abused to Push Mac Infostealers via ClickFix Attacks

  • Threat actors are using Anthropic's Claude to generate malicious web pages through the Artifacts feature, then promoting these pages via Google Ads to target macOS users with infostealer malware.
  • The attack chain uses ClickFix social engineering, tricking users into copying and executing terminal commands that download and install credential-stealing malware on their machines.
  • This represents a new abuse vector where legitimate AI coding tools are weaponized to rapidly generate convincing phishing infrastructure at scale, lowering the barrier for creating targeted attack campaigns.

The implication:
AI tools are becoming infrastructure for attackers, not just targets. The speed at which threat actors can generate convincing malicious pages using legitimate AI platforms means traditional URL reputation and blocklist approaches will fall further behind. Behavioral detection at the endpoint is becoming the critical last line.


AI Agents Solve 9 of 10 Web Hacking Challenges but Struggle with Broad Scope Testing

  • Claude Sonnet 4.5, GPT-5, and Gemini 2.5 Pro successfully exploited vulnerabilities including authentication bypass, SSRF, stored XSS, and S3 bucket takeovers with costs under $10 per successful attack when given specific targets.
  • The AI models failed to solve challenges requiring enumeration tools or creative pivoting, such as finding exposed secrets in GitHub repositories, demonstrating limitations in strategic thinking compared to human testers.
  • Performance degraded significantly in broad scope scenarios where agents had to independently prioritize targets, with costs increasing 2-2.5 times and fewer challenges solved due to inefficient resource allocation across multiple attack surfaces.

The implication:
AI agents are already effective at targeted exploitation but can't replace human pentesters for strategic thinking. The cost curve is what matters here: under $10 per successful exploit means automated vulnerability scanning at scale is becoming trivially cheap. Security teams should assume that every known vulnerability class will be tested against their infrastructure continuously and affordably.

Market Intelligence

Check Point Acquires Three Israeli Startups for $150M Alongside Strong Earnings

  • Check Point acquired Cyata (AI agent security), Cyclops (exposure management, $85M), and Rotate (MSP workspace) for a combined ~$150 million, adding to the $190 million Lakera AI acquisition from Q4 2025.
  • Q4 2025 results showed $745 million in revenue (up 6% YoY), with security subscription revenue growing 11% to $325 million and non-GAAP EPS beating estimates at $3.40 versus $2.77 consensus.
  • CEO Nadav Zafrir outlined four strategic pillars for 2026: hybrid mesh, workspace, exposure management, and AI security, with the acquisitions expected to cause ~0.5 points of operating margin dilution.

The signal:
Four acquisitions totaling $340M in 60 days tells you where Check Point thinks the growth is: AI security and CTEM. The Cyclops deal at $85M for a company with ~$6.4M in funding is a 13x return for early investors. For cybersecurity startups in exposure management or AI governance, the acquisition market is hot. For Check Point investors, the question is whether buying growth works when organic revenue growth is only 6%.


Zscaler Acquires SquareX for Browser-Native Zero Trust Security

  • Zscaler acquired browser security firm SquareX to extend Zero Trust protection directly into standard browsers like Chrome and Edge, eliminating the need for third-party enterprise browsers.
  • SquareX's "Browser Detection and Response" technology runs as a lightweight extension that detects malicious extensions, enforces least-privilege application access, and prevents data leakage from generative AI tools.
  • The deal comes days after CrowdStrike announced its acquisition of Seraphic for similar browser security capabilities, signaling a competitive rush into the secure browser category.

The signal:
Gartner projects 25% of enterprises will use secure enterprise browsers by 2028. But the market is splitting: standalone browser companies like Island versus platform players like Zscaler and CrowdStrike acquiring their way in. Platform integration usually wins in enterprise. The standalone browser companies need to move fast or get absorbed.


Proofpoint Acquires Acuvity to Secure the Agentic Workspace

  • Proofpoint acquired Acuvity, an AI security startup focused on visibility and governance for enterprise AI usage, including monitoring how employees and autonomous agents interact with external AI services and internal models.
  • Acuvity's platform covers the full range of AI infrastructure from endpoints and browsers to Model Context Protocol (MCP) servers and locally installed AI tools, providing detection models that understand context and intent rather than just pattern matching.
  • Proofpoint's CSO Ryan Kalember framed the shift clearly: CISOs have moved from worrying about prompt injection to needing to understand what AI agents are actually doing across the organization.

The signal:
This is the third major AI security acquisition this week alongside Check Point's Cyata deal and Zscaler's SquareX buy. The message from enterprise security platforms is clear: AI governance is no longer a feature request, it's an acquisition target. The shadow AI problem just became a board-level priority, and the startups building visibility into agentic behavior are getting acquired before they can scale independently.

Security Stack

SquareX Browser Detection and Response

Browser-native security extension that detects malicious extensions, prevents AI data leakage, and enforces Zero Trust policies directly in Chrome and Edge. Relevant this week as Zscaler acquired SquareX to extend its platform into browser security.

Menlo Security Secure Enterprise Browser

Cloud-based secure browser platform that isolates web content and applies DLP controls. With Zscaler and CrowdStrike both acquiring browser security companies this week, the secure browser category is consolidating fast.

TestSavant AI Security Assurance Platform

AI model testing and security assurance platform for organizations deploying machine learning in production. Relevant as Proofpoint's Acuvity acquisition and Check Point's Cyata deal signal growing enterprise demand for AI governance tooling.


The M&A pace in cybersecurity is accelerating, and the categories getting acquired tell you where the market is heading: AI security, browser security, and exposure management. If you're building in or buying from these categories, the landscape is shifting under your feet.

For cybersecurity companies: track your competitive landscape across 10,000+ products on CybersecTools.

Nikoloz
