When an AI agent is switched off, its credentials do not switch off with it.
That is the problem Astrix Security has built its business around. The Tel Aviv startup, founded in 2021 by two veterans of Israel's elite Unit 8200 intelligence unit, has spent five years selling software that answers a question most enterprises cannot: what are all the AI agents inside our network actually doing, and do they still have access to things they shouldn't? Cisco is in advanced talks to pay $250 million to $350 million for the answer, according to The Information, with coverage confirmed by SiliconANGLE, PYMNTS, and others. The deal has not closed. Negotiations may not result in an agreement.
The valuation range is wide, and that is telling. Astrix raised roughly $91 million across its existence at a last-known valuation of $192 million, per Globes. Cisco paying three times what investors put in — but only about 25 percent above the December 2024 valuation — suggests both sides have leverage and neither is certain of the number. This is a negotiation, not a done deal.
What Cisco appears to be buying is a platform that treats AI agents the way identity tools have treated human employees for twenty years: as accounts with permissions that need to be tracked, scoped, and revoked. Astrix's software automatically inventories every AI agent in an enterprise environment — including ones running on employee laptops that nobody told IT about. It maps what those agents can access: the MCP servers they connect to, the third-party applications they have credentials for, the data sources they can reach. It flags configuration problems, such as an internal agent accessible from the public web, or a coding assistant that can delete files when it only needs read access to a repository. And it enforces what Astrix calls JIT access: credentials that expire automatically, so an agent decommissioned in March does not still have live access to your Snowflake instance in June.
That last feature is the one security teams describe as the real operational gap. Traditional identity and access management software was built for humans. Humans have a manager, a departure checklist, an IT ticket when they leave. AI agents have none of that. They spin up inside a workflow, accumulate credentials along the way, and when the project ends, nobody revokes them. The credentials persist. The attack surface grows. Most enterprises have no tooling to see it happening.
Astrix competitors in this space include Oasis Security, another Israeli startup. Astrix itself has approximately 130 employees spread across offices in Tel Aviv, San Francisco, London, and Texas, with Workday listed as a client. The company has appeared on the Fortune 2026 Cyber 60 list and has been cited in Gartner research on agentic AI security.
What makes the Cisco deal interesting as a signal is Cisco's own behavior. The Astrix talks emerged just one day after Cisco announced it would acquire Galileo Technologies, a startup that monitors AI agent behavior and flags hallucinations and data leakage in real time. That deal, announced April 9 on Cisco's blog, is expected to close in Q4 of Cisco's fiscal year 2026. Cisco closed its $28 billion purchase of Splunk in 2024 and announced plans to acquire Robust Intelligence that October — a company that stress-tests AI models before deployment, essentially poking holes in them so enterprises can find the holes first. At RSA Conference 2026, Cisco introduced DefenseClaw, an open-source framework for building agents with security controls baked in from the start.
Taken together, the acquisitions form a coherent stack: Robust Intelligence for pre-deployment model testing, Galileo for runtime agent observability and hallucination detection, Astrix for agent identity and access governance, and DefenseClaw as the open framework layer. Nobody else in enterprise security has that sequence. Whether it holds together technically is an open question — Cisco has a mixed record with acquisition integrations — but the strategic intent is legible.
There is also the Anthropic signal. Anthropic invested in Astrix through its Anthology Fund, a joint vehicle with Menlo Ventures, before Cisco entered the picture. Anthropic also invested in Robust Intelligence. The AI labs building the most capable models have twice backed the same buyer in adjacent categories — not as LP investors through a diversified fund, but through a dedicated vehicle that suggests strategic conviction. That does not prove the stack works. It suggests the labs think the problem is real and the market will follow.
The deal math offers a secondary read. Cisco is paying roughly three times what Astrix raised in total funding for a company with no publicly disclosed revenue figures. At 130 employees, this is primarily an IP and talent play. The $250 million floor is not large by enterprise security acquisition standards — Palo Alto Networks has spent considerably more assembling its own security stack — but the strategic breadth of what Cisco is assembling is unusual for a single deal cycle.
If the deal closes, the pressure lands on every other network, endpoint, and identity security vendor to answer the same question: do you build, buy, or partner into the agent governance layer? The question is already live. The acquisition accelerates the timeline.
