Palo Alto's Shocking $4 Million Bet on One-Year-Old Startup Koi: What’s at Stake?

Palo Alto Networks, the leading cybersecurity firm, continues its aggressive acquisition strategy, showing no signs of slowing down. Following its $25 billion purchase of CyberArk in 2025, the company made headlines with its acquisitions of Chronosphere for $3.35 billion and Protect AI for $500 million. Now, it is reportedly in discussions to acquire Israeli cybersecurity startup Koi for approximately $400 million. As of now, neither company has commented on these acquisition talks.
If finalized, this deal would represent a rapid and profitable exit for Koi’s investors and founders. To date, the startup has raised $48 million, primarily during a $38 million Series A funding round last September. Founded in 2024 by alumni of the Israel Defense Forces’ elite 8200 Intelligence Corps technology unit—specifically Amit Assaraf (CEO), Idan Dardikman (CTO), and Itay Kruk (CPO)—Koi has positioned itself within the enterprise endpoint protection sector. Its notable investors include Team8, NFX, Battery Ventures, and Picture Capital.
During a recent visit to Israel, Palo Alto Networks CEO Nikesh Arora met with employees at CyberArk ahead of the acquisition's closure, while also scouting local startups for potential deals. Arora underscored that the rapid advancements in AI technologies are driving the need for consolidation within endpoint solutions, particularly in areas like Extended Detection and Response (XDR) and Endpoint Detection and Response (EDR) offerings. The potential acquisition of Koi aligns perfectly with this strategic focus.
Koi emerged in 2024 after its founders identified a significant security vulnerability in the VSCode Marketplace. To demonstrate this risk, they developed a deceptive theme extension called “Darcula Official,” embedding code that secretly relayed developers’ source code and machine details back to their server. Remarkably, they uploaded this extension to the VSCode marketplace within just 30 minutes. Over the course of a week, their experiment infected more than 300 organizations globally, including major corporations and even a national court network, drawing considerable attention by landing on the front page of the marketplace, which boasts 4.5 million views.
This alarming incident catalyzed the development of Koi’s “ExtensionTotal,” a tool designed to detect risky extensions, which quickly evolved into a comprehensive security platform. Koi's flagship product, the Supply Chain Gateway, acts as a vital checkpoint for incoming software. It offers features such as software inventory management, real-time risk assessment, automated policy enforcement, and proactive blocking of malicious code. At the core of this platform is **Wings**, an AI-driven engine that classifies software components, tests them in isolated environments, and identifies threats often overlooked by traditional scanners. This proactive approach empowers security teams to manage software installations effectively, shifting the focus from reactive measures post-breach to preventative strategies.
Currently, Koi protects over 500,000 endpoints worldwide. Its platform is already operational within Fortune 50 companies, prominent financial institutions, and leading tech corporations, indicating a significant market demand and showcasing the platform’s operational maturity. The acquisition of Koi, if successful, would not only enhance Palo Alto Networks' capabilities but also signify the growing importance of advanced endpoint protection in an era increasingly defined by digital threats and vulnerabilities.