Palo Alto Just Bought the MCP Gateway. Enterprise Security Has Entered the Agent Stack.
Palo Alto Networks announced yesterday that it intends to acquire Portkey, a 45-person AI gateway company that closed a $15 million Series A in February. Terms were not disclosed. The deal is expected to close in Palo Alto's fiscal Q4 2026. On the surface it looks like a small bolt-on. It is not.
Portkey runs an open source AI gateway that routes to roughly 1,600 LLMs, layers in 50 plus guardrails, and ships an MCP gateway that has, by their own count, become the fastest-adopted product they have ever built. Enterprises do not want to block MCP. They want a way to trust it. Portkey sells that trust. Palo Alto Networks just paid for the control plane.
I've been tracking enterprise security M&A in the AI agent space for the last year. This is the first deal I have seen where a top-five cybersecurity vendor pays to own an MCP gateway. It is the moment MCP graduates from developer mailing list to enterprise procurement budget.
What Portkey Actually Sells
Portkey is one of those quiet infrastructure companies that punches above its weight. The founders, Rohit Agarwal and Ayush Garg, started the company as a unified production stack for generative AI. The product set has three pieces that matter for this deal.
The first is the AI gateway. One API, 1,600 plus LLMs, with built-in caching, quotas, versioning, and observability. The open source build on GitHub claims it processes around 2 trillion tokens per day. That is not a vanity metric. At that volume the gateway becomes the chokepoint where every prompt, every tool call, and every model response passes through a single inspectable layer. If you are a CISO trying to govern AI spending, that is exactly the surface you need.
The second piece is guardrails. 50 plus pluggable filters covering PII redaction, prompt injection detection, jailbreak heuristics, output validation, and policy enforcement. The guardrails layer is what turns a router into a security product.
The third is the MCP gateway, which is the part that should grab any reader of this site. Portkey's MCP gateway centralizes auth, access, and observability for Model Context Protocol servers. In practical terms, when a Claude or GPT agent inside an enterprise calls an MCP server, Portkey sits in the middle: authenticates the agent, scopes the tools it is allowed to invoke, and logs every request. We covered the scope of MCP adoption in our piece on 97 million MCP installs. Big organizations are not asking whether to adopt MCP. They are asking how to govern it. Portkey shipped one of the first credible answers.
Where Prisma AIRS Fits
Palo Alto Networks is folding Portkey into Prisma AIRS, its AI runtime security platform. AIRS 3.0 launched in March with a stated goal of securing the entire agentic AI lifecycle: agent identity, runtime threats, tool misuse, memory manipulation, adversarial instructions. Until yesterday, AIRS had a posture management story and a runtime firewall story but no real control plane for AI traffic itself. Portkey gives them one.
Read between the lines of Palo Alto's blog post and the architecture is clear. Portkey becomes the unified AI gateway that sits in front of every model and every MCP server an enterprise touches. AIRS uses that traffic vantage point to do agent artifact scanning, automated red teaming, runtime threat detection, and identity enforcement (with a CyberArk hand-off for the privileged access piece). Every action an agent takes flows through one bottleneck that can authenticate, authorize, log, and kill the request.
That is a textbook security architecture pattern. Web Application Firewalls did this for HTTP traffic in the 2010s. Cloud Access Security Brokers did it for SaaS in the late 2010s. AI gateways are the same pattern applied to agent traffic, and Palo Alto just bought the leading independent vendor in the category.
The Numbers
| Metric | Value | Source |
|---|---|---|
| Portkey total funding | $18M | Crunchbase |
| Last round | $15M Series A | Feb 19, 2026 |
| Headcount | 45 | Tracxn, Mar 31, 2026 |
| Throughput | ~2T tokens/day | Open source gateway, Portkey |
| LLMs supported | 1,600+ | GitHub README |
| Guardrail integrations | 50+ | Portkey docs |
| Deal close | PANW Q4 FY26 | PANW press release |
| Deal price | Undisclosed | PANW press release |
A 45-person company with $18 million in total funding and 2 trillion tokens of daily traffic is the right shape to get acquired. That throughput is hard to fake and hard to rebuild. Palo Alto could have stood up an internal AI gateway team. They chose to buy a working production system with a real customer book in finance, pharma, and tech. That tells you how compressed the timing pressure is.
Why MCP Is the Real Story
Strip the press release language and the most interesting part of this acquisition is the MCP gateway. Model Context Protocol is, in 2026, the de facto plumbing for agent tool use. We argued in an MCP server is a 50 line file that the protocol won because it was easier to ship than to argue about. Adoption took care of the rest.
The thing that does not get said enough is that an MCP server is, from a security perspective, a remote code execution endpoint with extra steps. The agent calls a tool. The tool runs code. The code touches your database, your filesystem, your APIs, your credentials. Every existing security control assumes a human is somewhere in the loop. With agents calling MCP servers in a hot path, that assumption is gone.
Portkey's MCP gateway is the first widely deployed answer to that problem. It puts a policy enforcement point between the agent and the tool. Authentication, scoping, rate limits, audit logs, anomaly detection. The same pattern enterprises spent the last two decades wiring around HTTP APIs, applied to MCP.
Palo Alto Networks paying real money for that capability is the strongest signal yet that MCP is going to live in enterprise stacks for the long run. You do not buy governance for a protocol you think is a fad.
Who This Pressures
The independent AI gateway category is small but real. LiteLLM, Kong AI Gateway, Cloudflare AI Gateway, OpenRouter, and Portkey have been the names that come up most often in our reader threads. Two of those (Kong, Cloudflare) are already inside larger platforms. Portkey was the most prominent independent. After the deal closes there is a gap in the standalone market.
Other security incumbents are now on the clock. CrowdStrike, Zscaler, Wiz, and SentinelOne all have agent security stories in some form. None of them owns an AI gateway with this kind of traffic share. Expect at least one more deal in this category before year end. The candidates are obvious if you watch the funding announcements.
The other group worth watching is the model labs themselves. OpenAI, Anthropic, and Google all run their own gateways internally. They have so far stayed out of selling a neutral, multi-model gateway because doing so would commoditize their own pricing surface. Now that the third-party gateway category is being absorbed into security platforms, the labs may have less to fear from offering their own.
What This Means for Builders
If you are running an internal Portkey deployment, nothing changes today. The product team keeps shipping. The open source repo presumably stays open source, or at least the parts that already are. Acquisition timelines for product overhaul tend to run 12 to 18 months.
If you are evaluating AI gateways for the first time, the decision tree just got more interesting. Portkey's roadmap will increasingly bend toward Prisma AIRS integration. That is great if you are already a Palo Alto customer and bad if you are not, since enterprise security platforms tend to extract their pound of flesh once they own a dependency. LiteLLM (open source, no vendor) and Cloudflare AI Gateway (free tier, edge native) become more attractive default choices for teams without an existing PANW relationship.
If you build agents on MCP, this is good news. A real enterprise security vendor putting its weight behind MCP governance accelerates the policy and compliance work that has been slowing down adoption inside Fortune 500 organizations. Watch for AIRS-flavored MCP server certifications, audit profiles, and reference architectures over the next two quarters.
Our Take
The story everyone is going to write about this deal is the AI gateway angle. The story that matters more is the MCP angle. Palo Alto Networks did not pay for routing. They paid for the control plane sitting in front of every MCP-enabled agent inside their enterprise customer base. That control plane is now the foundation for runtime security, identity enforcement, and red teaming across the agent stack.
We have been arguing for months that agent infrastructure is the next platform layer, the same way mobile was in 2010 and cloud was in 2015. This deal is the first enterprise security M&A that prices that thesis explicitly. It will not be the last.
We are adding Portkey to our agents tracker and watching for an updated roadmap once the deal closes. Our MCP glossary entry gets a new line item too. The category is no longer experimental. It just got its first big exit.