As a child, I used to fish for carp in the park pond in Voorschoten. Waiting patiently, watching for the float to move, hoping you'd spot it in time. Those carp are called koi in Japanese — a symbol of perseverance and attentiveness. Fitting, because the security company Koi has just been acquired by Palo Alto Networks, and it delivers exactly that: seeing what is happening below the surface on the endpoint, before it becomes a problem.
The endpoint is no longer what it used to be
A year ago, the endpoint was mostly a laptop with a browser and some locally installed software. EDR tooling was perfectly suited to that.
That picture no longer holds. A typical developer endpoint now runs Cursor or Windsurf, Claude Code in a terminal, a handful of MCP servers, dozens of IDE extensions, npm and PyPI packages that let agents take action, and a growing collection of AI models. 67 percent of developers use AI in their workflow. Statista forecasts 2.2 billion active AI agents in companies by 2030.
The endpoint is no longer a passive device but an active executing system that makes decisions on behalf of the user, queries external data and installs software. Legacy EDR sees little of this. An MCP server launched by the IDE doesn't stand out as a suspicious process. A Cursor extension is installed from a marketplace that sits outside every sanctioned software distribution channel.
What Koi does differently
Palo Alto calls the category Agentic Endpoint Security (AES). In practice it consists of four layers:
Visibility into everything that normally stays invisible: agents, MCP servers, browser extensions, IDE plugins, Claude Skills, Ollama models, HuggingFace downloads.
Context-aware risk analysis. An MCP server with access to your mail is not the same as one that only fetches the weather. Koi tries to make that distinction instead of ticking off an IOC list.
Preventive supply chain control. Packages, models and extensions are analysed before installation. With Shai-Hulud, the npm worm campaign that hit 25,000 GitHub repos, the time between publication and the first downloads was measured in minutes. A gateway that holds newly published versions in quarantine until they have aged closes that window for every install that goes through it.
Enforcement through dynamic evaluation at the moment of installation, rather than a software list that gets refreshed monthly.
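To make the visibility, context-aware risk and pre-install quarantine layers concrete, here is an added example that is not Koi's code or Palo Alto's. It inventories the MCP servers declared in an IDE config, flags the ones that fetch their package from npm at every launch or hold credentials in their environment, and applies a minimum-release-age gate to those packages. The config shape (an `mcpServers` map with `command`/`args`/`env` for stdio servers and `url` for remote ones, as used by Claude Desktop and Cursor) and the registry `time` map are the assumed inputs; the server names, the `mail-helper-mcp` package, the version numbers and the timestamps are all constructed for the example.

```python
"""Inventory MCP servers from an IDE config and gate the npm packages they pull in."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample config (assumed mcpServers shape; names and packages made up).
SAMPLE_MCP_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/dev"],
        },
        "mail-helper": {
            "command": "npx",
            "args": ["-y", "mail-helper-mcp@latest"],
            "env": {"IMAP_PASSWORD": "hunter2"},
        },
        "weather": {"command": "node", "args": ["/opt/mcp/weather/index.js"]},
        "remote-tools": {"url": "https://tools.example.invalid/sse"},
    }
})

# Constructed registry `time` maps (version -> publish timestamp). Dates are made up:
# mail-helper-mcp 1.0.1 was published twenty minutes before NOW.
NOW = datetime(2025, 11, 25, 12, 0, tzinfo=timezone.utc)
SAMPLE_REGISTRY_TIME = {
    "@modelcontextprotocol/server-filesystem": {
        "created": "2024-11-01T00:00:00.000Z",
        "modified": "2025-09-01T00:00:00.000Z",
        "0.6.2": "2024-11-01T00:00:00.000Z",
        "0.6.3": "2025-09-01T00:00:00.000Z",
    },
    "mail-helper-mcp": {
        "created": "2025-06-01T00:00:00.000Z",
        "modified": "2025-11-25T11:40:00.000Z",
        "1.0.0": "2025-06-01T00:00:00.000Z",
        "1.0.1": "2025-11-25T11:40:00.000Z",
    },
}

# Commands that download and execute a registry package at launch time.
RUNTIME_INSTALLERS = {"npx", "uvx", "bunx"}


def parse_npx_package(args):
    """Return (name, version_or_None) for the package an npx invocation runs.

    Skips leading flags such as -y; the '@' separating a version is never at
    index 0, so scoped names like @scope/name@tag are split correctly."""
    for token in args:
        if token.startswith("-"):
            continue
        at = token.rfind("@")
        if at > 0:
            return token[:at], token[at + 1:]
        return token, None
    return None, None


def inventory(config_text):
    """One row per MCP server with the risk signals a reviewer wants to see."""
    servers = json.loads(config_text).get("mcpServers", {})
    rows = []
    for name, spec in servers.items():
        row = {"server": name, "package": None, "version": None, "flags": []}
        if "url" in spec:
            row["kind"] = "remote"
            row["flags"].append("remote-endpoint")
        else:
            row["kind"] = "stdio"
            if spec.get("command") in RUNTIME_INSTALLERS:
                # A fresh registry fetch on every launch is a supply chain path.
                row["flags"].append("runtime-install")
                row["package"], row["version"] = parse_npx_package(spec.get("args", []))
        if spec.get("env"):
            # Credentials in env: this server is worth hijacking, not just running.
            row["flags"].append("credentials-in-env")
        rows.append(row)
    return rows


def _publish_time(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def gate_version(time_map, requested, min_age_days, now=NOW):
    """Quarantine gateway decision for one package.

    A pinned version younger than min_age_days is quarantined; an unpinned
    request (None or 'latest') resolves to the newest version that has aged."""
    cutoff = now - timedelta(days=min_age_days)
    versions = {v: _publish_time(t) for v, t in time_map.items()
                if v not in ("created", "modified")}
    if requested in (None, "latest"):
        aged = [v for v, t in versions.items() if t <= cutoff]
        if not aged:
            return {"status": "quarantined", "resolved": None}
        return {"status": "allowed", "resolved": max(aged, key=versions.get)}
    if requested not in versions:
        return {"status": "unknown-version", "resolved": None}
    if versions[requested] > cutoff:
        return {"status": "quarantined", "resolved": requested}
    return {"status": "allowed", "resolved": requested}


def review(config_text, registry_time, min_age_days=7, now=NOW):
    """Inventory plus gateway decision for every server that installs a package."""
    rows = inventory(config_text)
    for row in rows:
        pkg = row["package"]
        if pkg is None:
            row["gate"] = None
        elif pkg not in registry_time:
            row["gate"] = {"status": "unknown-package", "resolved": None}
        else:
            row["gate"] = gate_version(registry_time[pkg], row["version"], min_age_days, now)
    return rows


if __name__ == "__main__":
    for row in review(SAMPLE_MCP_CONFIG, SAMPLE_REGISTRY_TIME):
        print(json.dumps(row))
```

Run against the sample, the `mail-helper` server is flagged twice (it is re-fetched from npm on every launch and it carries an IMAP password), and the gateway hands it `1.0.0` rather than the twenty-minute-old `1.0.1` that a plain `npx -y mail-helper-mcp@latest` would execute. That aging window is the whole point of the quarantine layer: a worm-published version cannot reach an endpoint before anyone has had time to look at it. The `weather` server runs local code, so there is nothing to gate, and the remote server only shows up as a network endpoint to review separately.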
Why now
Three reasons this category is gaining momentum.
The scale. Palo Alto shares its own figures from using Koi internally: 188,000 unique items identified, 23,000 proactively remediated, thirty shadow marketplaces brought into view. Customer Cambia Health Solutions discovered 220,000 installations across fourteen marketplaces in two weeks. These are not edge cases — this is the bulk of what runs on endpoints.
The threat. Koi documents a series of 2025 campaigns: Shai-Hulud (3.5 million downloads), GlassWorm in VS Code/Cursor/Windsurf, DarkSpectre in browsers (8.8 million), PromptJacking aimed at Claude integrations, Nx Packages (4.6 million weekly downloads). Attackers follow user behaviour. Wherever the install button lives, they set up shop. And that button is now everywhere.
The architecture. AES is not a feature you bolt onto an existing EDR. It requires a different telemetry model, a different risk engine, a different enforcement mechanism. That's why Palo Alto is buying it — as it did earlier with Dig Security and Talon — rather than building it.
What integration with Cortex means
Koi remains available standalone, deployable alongside any existing EDR. In addition, it will be integrated into Cortex XDR (expected in FY27) and into Prisma AIRS (FY27 Q3) as the basis for security around vibe coding. For organisations on Cortex XDR, this means the gap between classical endpoint detection and the modern software stack closes without a second agent or a separate console.
What this doesn't solve
AES is not a replacement for EDR, identity management or data security. It is a new layer that closes a blind spot that did not previously exist. The fact that the blind spot is now being filled by a single vendor that also sells the rest of the portfolio makes the choice easier for customers — but it doesn't change the fact that the underlying risks are a broader governance problem than any single tool can solve.