It is 3am, and an automated agent in your estate has started behaving oddly. It ran clean all week. Now it is making calls it has never made before, reaching for a service nobody recognises.

Your observability team sees a workload gone wrong. Recent change, odd behaviour, that is the playbook, and they are already drafting a rollback.

Your security team is looking at the same trace on the same dashboard and asking a colder question. What if it is not broken? What if it is compromised?

Same telemetry. Same screen. Two teams, two instincts, and a quiet assumption running under both of them: that the other team owns this. I have been in that meeting. The incident is rarely the expensive part. The expensive part is the ten minutes you lose working out whose incident it is. The diagram never loses that fight. The org chart does.

This is not a trend piece because the trend already has a balance sheet.

In November 2025, Palo Alto Networks, one of the largest security companies in the world, agreed to acquire the observability company Chronosphere for $3.35bn, a deal it completed in January 2026. A pure-play security vendor, writing a cheque that size for a company whose job is to tell you whether your systems are healthy.

It is not an outlier. Cisco closed its $28bn acquisition of Splunk in March 2024 and now integrates Splunk directly into its security stack. Datadog, still filed under "monitoring" in most people's heads, says its security products crossed $100m in annual recurring revenue in 2025. And the buying did not stop with the new year. In January, Snowflake bought the observability platform Observe for a reported $1bn; in April, Cisco moved again for Galileo, an AI-agent observability tool it is folding into Splunk. Same telemetry, sold twice, then bought again.

The vendors have voted. As far as the people writing the cheques are concerned, SecOps and observability are one market.

The uncomfortable truth: the platforms are converging years ahead of the teams meant to use them.

The vendors are not wrong to push it. Underneath the branding, security monitoring and operational monitoring have always been the same problem, wearing two lanyards. The same logs, the same metrics, the same traces, the same network flow data. A spike in outbound traffic is a performance signal and a security signal. A lurch in your authentication service is a reliability event and a possible breach.

The duplication is expensive, and everyone feels it. In a survey of 506 cybersecurity leaders run by UserEvidence for Sumo Logic, 93% run at least three separate security operations tools and 45% run six or more. More than half said, plainly, that they have too many point solutions. Add the cost ceiling, where teams routinely drop telemetry they would like to keep because storing all of it is too expensive, and the pitch writes itself. One pipeline, one picture. In that same survey, 100% of respondents agreed a unified platform would be valuable.

So I will fully concede the point. The case for convergence is strong. It is a real answer to a real, exhausting, expensive mess. Wanting one platform instead of eleven is not naive. It is sane.

Here is where I stop nodding.

The same survey holds a number that never makes it onto a slide. 80% of organisations already share observability tools across their security and DevOps teams. Only 45% say those teams are aligned on how they use them.

Most companies have already merged the tools. Fewer than half have merged the way the teams think.

That is the whole game. Buying a converged platform is the easy 20%. The hard 80% is everything the platform cannot ship you: a shared idea of who owns a signal, who makes the call on it, and what "resolved" means when one team means "latency is back to normal" and the other means "we have confirmed it was not an intrusion."

Three things have to converge, and no vendor sells any of them. Ownership of the dual-purpose signal, meaning the named human who runs it. The routing decision, meaning who decides, and how fast, whether an alert is a performance incident or a security one. And a shared definition of done, so the incident is not closed by one team while the other is still working it.

It is worth being honest that even the vendor-layer convergence is not a merger of equals. Forrester analysed the Palo Alto and Chronosphere deal, and Principal Analyst Carlos Casanova and colleagues expect Palo Alto to prioritise security features over observability innovation within 12 to 18 months. They also named something that every operations person already feels: IT and engineering teams have historically resisted tools from security vendors because security tooling is built around compliance and risk, while observability tooling is built around speed, cost, and operational autonomy. When one absorbs the other, one set of instincts wins.

Where this breaks is specific. If ownership of the dual-purpose signal is fuzzy, a shared platform does not help you. It just lets two teams misread the same graph at the same time, faster, each assuming the other has it. And when something then goes wrong, a converged dashboard with no clear ownership becomes a place to assign blame rather than fix problems. People stop trusting the data because the data is being used against them. That is not convergence. That is a shared room to point fingers in.

You do not need a procurement cycle to start. You need one signal and one name.

Pick a single genuinely dual-purpose signal this week: a spike in outbound traffic, a latency shift on your authentication service, a sudden configuration drift. Name the one human who owns the first call on it. Not a team, not a rota. A person who, when that signal fires, decides in the first few minutes whether it is a performance incident or a security incident. If you cannot write a name down, that gap matters more than any platform decision on your roadmap.

Then give both teams one number they read the same way. Pair an outcome measure, incidents routed to the correct responder on first assignment, with an early indicator, time to ownership: the minutes between a signal firing and a named human saying "mine." Security reads it. Operations reads it. The same number, meaning the same thing to both, is the smallest, truest test of whether your teams have converged, or only your tools have.

The platform is coming. The money has been decided, the acquisitions are closing, and at some point, a unified security and observability platform will land on your desk with a confident salesperson attached. It may even be a good thing. One pipeline, one picture, less sprawl. Worth wanting.

It will not save you on its own. It never does. We adopt the technology faster than we adapt the organisation, then act surprised the organisational problem is still there, now with a larger invoice.

The question that decides whether any of this helps is not which platform you sign. It is the one you answer before it arrives: who owns the signal. Answer it this week, while it is still cheap, and not at 3 a.m. with an agent misbehaving and two teams staring at each other.

Further reading

•      Palo Alto Networks completes Chronosphere acquisition (Jan 2026)

•      Forrester: Paying To Observe It All (Nov 2025)

•      Snowflake to buy observability platform Observe (Jan 2026)

•      Cisco to acquire Galileo for AI-agent observability (Apr 2026)

•      Survey: room for DevSecOps improvement (UserEvidence for Sumo Logic)