THE DEEP TAKE

The consolidation that hits you is the one you didn't choose

The security tool most likely to blow up your roadmap this year is not the one you are evaluating. It is one you already run. Security vendors closed 219 M&A deals in the first half of 2026, per Momentum Cyber's mid-year review. That is a record pace by deal count. This week alone, three more vendors got swallowed. Barracuda bought Evo Security on Monday. CyberFOX took the SASE vendor Timus Networks. Qualcomm grabbed the Israeli network-security firm SAM Seamless. None of them made the front page. That is the point.

The pitch to a CISO never changes. Fewer vendors, less sprawl, one platform to manage. But look at where the record actually sits. It is in the deal count, not the dollars. Disclosed value was only $9.1 billion. Accenture's $4.175 billion pickup of Dragos, NetRise, and runZero was the first billion-dollar deal of the year, and it did not land until June. 2026 is not a story of a few megadeals. It is a swarm of small tuck-ins.

That shape is the risk. When the record is in count, the exposure spreads across your whole stack. When a point product you run gets bought, it gets rebundled into a suite, repriced against a platform list, or sunset on a timeline you did not set. The migration you never planned shows up on your desk with a renewal date attached.

So the real procurement skill in 2026 is not picking the winning platform. It is writing a contract that survives your vendor getting bought. Price locks and feature-parity terms that hold through a change of control. Data-portability and export rights in writing. A defined notice window before any product is sunset. These clauses cost nothing at signing. They are the only leverage you keep once the acquirer's logo hits the login page.

There is a second bill, too. Every tuck-in removes an alternative you might have switched to. The point solution you would have used as your renewal threat gets absorbed into the suite you are trying to leave. Your best card at renewal is a credible exit, and the market is retiring your exits one deal at a time.

One thing to do this quarter. Pull your top five security contracts and check which ones have change-of-control protection. Most will not. For every renewal you sign this half, add the clause before you sign, not after the acquisition news breaks.

Powered by the DoGood network

The data in this issue came from priority submissions by 5,000+ enterprise IT leaders. If you run IT or security at a $100M+ company and want to see what your peers are funding — and earn rewards for participating in vetted meetings with the vendors worth your time — apply to join DoGood.

QUICK HITS

A single HTTP header walks past Gitea's login

If you run self-hosted Gitea, patch it today. Researchers disclosed CVE-2026-20896. It is an auth bypass that needs one crafted HTTP header and nothing else. No login, no user action. With it, an attacker reaches private repos and any secrets stored inside. Self-hosted dev servers tend to sit inside the perimeter. They are lightly watched and trusted by everything downstream. That is the exact profile attackers hunt for. Find your Gitea instances, confirm the version, and treat any exposed token or key as already burned.

SAP just bought the plumbing under your AI agents

SAP closed its acquisition of Dremio on July 6. The headline is agentic AI. The real story is data. Every AI agent you deploy is only as good as its access to unified, governed data, and most enterprise data still sits in silos your agents cannot read. Dremio is a lakehouse layer built on open Iceberg tables that stitches SAP and non-SAP sources together without moving them. The land grab under agentic AI is not the model. It is the substrate that feeds it. If your AI roadmap assumes clean data access, check who owns that layer before your ERP vendor decides for you.

THE NUMBER: $8,600 per minute

That is what an hour of enterprise cloud downtime now costs at the per-minute rate. It is up 54 percent since 2022. Here is why it belongs here. Forrester expects at least two multi-day hyperscaler outages in 2026. AWS, Azure, and Google are pouring money into AI data centers. The older gear ages while they do. Non-AI workloads still run most enterprise compute, and they ride that older gear. So the outage you are more likely to hit this year also costs more than ever. That should reset your resilience math for the second half. If your failover plan only covers the AI stack, you are hedged against the wrong outage.

Security vendors funded 219 acquisitions in six months. The IT and security leaders in the DoGood network are the buyers on the other side of those deals, and they are telling us which consolidations are helping and which are just repricing. That signal is the whole point.

The CXO Brief is powered by the DoGood network, 5,000+ IT leaders sharing what they are actually working on.

Know a CIO who needs this? Forward it and they can subscribe here.

Enterprise IT leader at a $100M+ company? Apply to join DoGood.

Keep Reading