THE ECHO
One story. Gone deep.
The Vendor You Trusted Just Changed Bosses
The EU signed off last week. Unconditional approval. No conditions, no remedies, no behavioral commitments.
Google's $32B acquisition of Wiz is done. Largest cybersecurity acquisition in history.
If you use Wiz — or any cloud security tool with multicloud coverage — your risk model just changed. Nobody sent you a memo.
Wiz was built by the same team Microsoft acquired in 2015 to create Defender for Cloud Apps. They knew the playbook. Within 18 months of launch, Wiz hit $100M ARR. Google offered roughly $23B in 2024. Wiz declined, preferring independence. Google came back with $32B in cash.
The thing that made Wiz valuable is the same thing that just got complicated.
Wiz scanned AWS, Azure, and GCP with equal depth, and it was owned by nobody's competitor. That neutrality was the product. It no longer holds. Google Cloud competes directly with the two environments where most Wiz customers run workloads. Amazon and Microsoft now face a legitimate question: how deeply should they integrate with a tool owned by their rival?
If those integrations become friction points — permissions tightening, APIs shifting, data flows getting murky — Wiz customers absorb that pressure without ever choosing to take a side.
This is a scope and boundaries problem.
Your security tooling defines the edges of your visibility. Who sees what. Who controls which data flows where. Who decides how the tool evolves. When an acquisition happens, those answers change — even if the product looks identical on day one.
Regulators concluded that customers "have credible alternatives." They're not wrong. But switching your cloud security platform isn't a Tuesday afternoon decision. You have integrations, alert tuning, workflows, and institutional knowledge embedded in whatever you're running. Real migrations take months and real money.
And every deal like this narrows the field of genuinely neutral tools available to organizations that want coverage without cloud vendor politics.
Three questions worth sitting with:
Do you know who owns your security tools? Not the vendor — who owns the vendor? If your SIEM, endpoint platform, or cloud scanner was acquired in the last 18 months, the priorities driving that product may not be yours anymore.
What's your exit timeline? If you had to replace your cloud security platform in 90 days — not because of a breach, but because the roadmap moved — how long would it actually take?
Who decides when the boundaries shift? Regulators said alternatives exist. You're the one executing the migration and managing the gap. The question isn't whether alternatives exist — it's whether you're positioned to use them before you need them.
Nobody changes your risk model and announces it. You find out later.
Sources: SecurityWeek, The Verge, CRN
SIGNAL CHECK
What else matters this week.
Notepad++ Compromised for Six Months by Nation-State — Chinese APT Billbug infiltrated a tool millions of developers trust, running three infection chains with monthly C2 rotation — all to target roughly 12 high-value machines. Six months undetected. If your security program assumes compromise is loud, this is the correction. via Kaspersky Securelist
Chinese APT Exploits Hardcoded Credentials in Dell Backup Software — CVE-2026-22769. Hardcoded admin passwords in Dell RecoverPoint's Tomcat server let attackers upload malicious WAR files for root-level command execution. In 2026. In enterprise backup software. Being tracked as a "zero-day." If your RecoverPoint instance is reachable, assume compromise. via Google Threat Intelligence
ZeroDayRAT: $2,000 Buys SMS MFA Bypass — Full mobile surveillance — including SMS interception — commercially available via Telegram. When spyware reads the text before your authenticator app does, two-factor isn't protecting you. Nation-state capability, mass-market price. via Dark Reading
Ivanti EPMM: Two Zero-Days, Both Actively Exploited — CVE-2026-1281 and CVE-2026-1340, unauthenticated remote code execution, both CISA KEV'd. Patches available. If you run their Mobile Device Manager, check your patch status today — not next quarter. via Ivanti Advisory
THE NOISE
Not every signal needs action.
"$96 Billion in Cybersecurity M&A Last Year" — Headlines frame this as the industry getting stronger. It's the industry getting more consolidated. Palo Alto dropped $400M on another acquisition. $2 billion in startup funding in six weeks. The money is real. Whether it's buying capability or just musical chairs at the top is a different question entirely. Don't confuse vendor activity for your security improving.
ONE QUESTION
No answer. Just the question.
If one of your security vendors was acquired tomorrow by a company that competes with two of your other cloud providers — would you find out from the news, from the vendor, or from your contract?
Michael Faas is a fractional CTO/CISO helping growth-stage companies navigate complexity without building bloated security programs. More at echocyber.io.

