Cisco Spends Around $400 Million to Plug a Growing Security Blind Spot: AI Agents
Two rapid-fire acquisitions — Astrix Security and WideField Security — are Cisco's answer to a question most companies haven't thought to ask: who's watching the bots?

Key points
- Cisco agreed to acquire Astrix Security for a reported $400 million to secure non-human identities — digital credentials like API keys used by software rather than people.
- A second deal, WideField Security, follows weeks later and adds session-level tracking of human, machine, and AI-agent accounts inside Cisco's Splunk monitoring platform.
- A 2025 Deloitte survey of over 3,000 business and IT leaders found roughly one quarter of companies already use AI agents; that figure is expected to reach 74% within two years.
- Most AI agents currently sit outside the security controls companies use to manage employee accounts, leaving a gap attackers can exploit.
- Analysts say this is a targeted but meaningful move: Cisco's existing security architecture was built around human users and visibly lacked tools to handle automated agents.
Companies are deploying AI agents — software programs that act on instructions without a human clicking each step — faster than their security teams can keep up. These agents need credentials to do their jobs: API keys (a kind of digital password that lets one software system talk to another), service accounts (logins assigned to automated processes rather than people), and OAuth tokens (a type of permission slip that lets an app act on a user's behalf without seeing their password). Collectively, security professionals call these non-human identities, or NHIs.
The problem: most companies manage employee accounts carefully — requiring passwords, multi-factor checks, regular reviews. NHIs get almost none of that. They sit outside the standard security tooling, often with sweeping access to critical business systems, and nobody is watching them.
Cisco wants to fix that. Fast.
How did Cisco's security stack end up with this gap?
Cisco's existing Zero Trust architecture — a security model built on the principle that nothing inside or outside a company's network should be automatically trusted — was designed around human users. Automated agents simply weren't part of the picture when those foundations were laid. The company has now made two acquisitions in quick succession to close that hole.
First came Astrix Security, a five-year-old startup that built a platform specifically to find every NHI and AI agent inside an organisation, map what each one can access, and flag unusual behaviour. Published reports, first noted by Dark Reading, put the price at approximately $400 million. Astrix works by learning the normal patterns of each credential — which systems it touches, when, and how often — and then raising an alert when something deviates from that baseline.
Then came WideField Security. Cisco announced that deal last week, though financial terms were not disclosed. WideField adds what its makers call session intelligence: a continuous record of what each identity — human employee, automated process, or AI agent — actually does during a given session. Cisco plans to fold this capability into Splunk, its security monitoring platform, so analysts can see a joined-up picture of activity across all identity types in one place.
Kamal Hathi, general manager of Cisco's Splunk business unit, wrote in a blog post that the integration will let Splunk "assemble context across human, non-human, and AI-agent activity" by pulling in signals from Cisco's own Identity Intelligence product.
The broader ambition is to shift how access decisions get made. Rather than asking where a request is coming from — a traditional network-based check — the platform asks who or what is making it, and whether that behaviour looks normal.
Industry analyst Chris Steffan of Enterprise Management Associates called NHI governance "the conspicuous gap in Cisco's agentic SOC narrative" — SOC standing for Security Operations Centre, the team responsible for monitoring and responding to threats. Forrester Research analyst Geoff Cairns described the acquisitions as closing "a targeted gap" while extending Cisco's ability to detect threats tied to non-human identities.
Cisco is not alone here. Palo Alto Networks, CyberArk, Delinea, and ServiceNow have all moved into NHI management over the past two years. The market is moving because the underlying risk is real and growing.
What should organisations with AI agents do right now?
If your company uses any form of AI assistant or automated software that connects to business systems, a few practical steps apply regardless of what security tools you buy.
First, make a list — an accurate one — of every automated credential in your environment. Many organisations don't know how many they have. Second, check what each one can access. Credentials with more access than they need are a gift to anyone who steals them. Third, set up alerts for unusual behaviour: a service account that suddenly starts downloading files at 3 a.m. warrants a look. Finally, rotate credentials — replace them with fresh ones — on a regular schedule, so a stolen key has a limited useful life.



