
Post-merger IT security: how to secure two environments after an acquisition

22 March 2026 · Precursor Security

Post-merger integration security requires a structured approach: isolate the acquired network, run a compromise assessment before connecting any systems, inventory all assets and identities, and deploy EDR across both environments. Skipping these steps is how organisations inherit breaches. Marriott acquired Starwood in 2016 and inherited a network compromised since 2014, resulting in 339 million exposed records and an £18.4 million ICO fine.

Why is post-merger integration the most dangerous phase for cyber security?

The period immediately following an acquisition is when your organisation is most exposed. You have inherited an IT environment you did not build, staffed by people you do not know, running systems you have never audited.

According to Forescout's survey of 2,700 IT and business decision makers, 53% of organisations encountered a critical cybersecurity issue during an M&A deal that put the deal in jeopardy. A separate finding from the same research: 62% agreed that their company faces significant cybersecurity risk when acquiring new companies, and that cyber risk is their biggest concern post-acquisition.

Attackers know this. M&A transitions create confusion: staff report to new managers, IT teams are stretched across two environments, and phishing incidents spike as employees receive unfamiliar communications from unfamiliar names. The acquired company's security team, if it still exists (or ever existed), may have been reduced or restructured. The financial severity of ransomware claims increased 411% from 2022 to 2023 (Resilience Midyear 2024 Cyber Risk Report), and 40% of all claims in 2024 resulted from third-party vendor breaches.

Post-merger integration without a security-first approach is not a cost-saving measure. It is a liability transfer.

What happens when you skip cyber due diligence before connecting networks?

Three case studies illustrate the cost of getting this wrong.

Marriott-Starwood: the £18.4 million lesson

Marriott acquired Starwood Hotels in September 2016. What they did not know: attackers had compromised Starwood's guest reservation system in July 2014 using stolen employee credentials and a Remote Access Trojan (RAT). The breach went undetected through the acquisition and for two years after it.

Marriott allowed Starwood properties to continue operating on existing systems. The merger agreement contained no representations or warranties around privacy or cybersecurity. Marriott also laid off most of Starwood's IT and security staff post-acquisition.

In September 2018, a security alert finally flagged suspicious activity. The investigation revealed 339 million guest records had been exposed, including 5.25 million unencrypted passport numbers. The UK ICO fined Marriott £18.4 million, citing the failure to "undertake sufficient due diligence when it bought Starwood." The US FTC imposed a 20-year mandatory information security programme in December 2024.

ICO Commissioner Elizabeth Denham stated: "This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected."

Yahoo-Verizon: the $350 million price cut

After signing the acquisition agreement, Verizon discovered previously undisclosed data breaches at Yahoo. The result: a $350 million reduction in purchase price. The market assigned a concrete dollar value to unmanaged cyber exposure.

Change Healthcare: the $2.8 billion ransomware breach

UnitedHealth Group acquired Change Healthcare in October 2022. In February 2024, the Russian ransomware group ALPHV BlackCat attacked Change Healthcare through compromised credentials on a Citrix remote access portal that lacked multi-factor authentication. UnitedHealth CEO Andrew Witty testified that the failure was "caused in part by its failure to update internal security procedures after the acquisition." As of July 2025, 192.7 million individuals were affected, making it the largest healthcare data breach ever recorded. Total costs exceeded $2.8 billion.

What should the first 72 hours after acquisition look like for IT security?

The first three days set the tone for the entire integration. Get them wrong and you are playing catch-up for months.

Hour 0-24: Isolate and inventory. Do not connect the acquired network to yours. Place it behind a firewall with default-deny rules. Begin a full asset inventory: endpoints, servers, network devices, cloud accounts, SaaS subscriptions. Identify crown jewels (customer data, intellectual property, financial systems) and map data flows.

Hour 24-48: Deploy monitoring. At minimum, place a network tap on the acquired environment and begin forwarding logs to your SIEM. Deploy EDR agents to every endpoint you can reach. Establish a temporary incident response chain of command that spans both organisations.

Hour 48-72: Engage external assessment. Bring in a third party to begin a compromise assessment. This must happen before any penetration testing. Pentest activity (port scans, exploitation attempts, lateral movement) generates artifacts in logs and endpoint telemetry that are indistinguishable from real attacker behaviour. If you run a pentest first, you contaminate the forensic baseline and make it significantly harder to determine whether the acquired environment was already compromised. Compromise assessment first, penetration testing second. The Forescout data shows only 37% of IT decision makers strongly agree their team has the skills to conduct a cybersecurity assessment for an acquisition, which makes third-party expertise essential.

How do you run a compromise assessment on an acquired network?

A compromise assessment is a targeted threat hunt across the acquired environment, conducted before you integrate a single system and before any penetration testing begins. Its purpose: determine whether the network is already compromised.

The sequencing matters. Penetration testing generates noise in logs, creates authentication events, triggers endpoint detection alerts, and leaves forensic artifacts across the environment. If a compromise assessment team is later asked "was this network breached before the acquisition?", the answer becomes unreliable when the log data is mixed with pentest activity. Run the compromise assessment on a clean environment first. Once you have a forensic baseline and confirmed whether the network is compromised, proceed to penetration testing to identify exploitable vulnerabilities.

The assessment should cover:

  • Endpoint forensics: Memory analysis, disk forensics, persistence mechanism detection across all endpoints. Look for Remote Access Trojans, web shells, and backdoor accounts.
  • Active Directory audit: Enumerate privileged accounts, service accounts, group policy objects, and trust relationships. Check for Kerberoasting exposure, Golden Ticket prerequisites, and stale accounts with domain admin rights.
  • Network traffic analysis: Baseline network behaviour and identify anomalous connections, command-and-control beaconing, and data exfiltration patterns.
  • Dark web credential monitoring: Check whether credentials from the acquired company's domain have been exposed in breaches or are for sale on criminal forums.
  • Log analysis: Review authentication logs for impossible travel, bulk failed logins, and privilege escalation events.

Map findings to MITRE ATT&CK techniques, particularly T1021 (Remote Services), T1078 (Valid Accounts), and T1550 (Use Alternate Authentication Material). These are the lateral movement techniques most commonly exploited when two networks are joined.
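As an added illustration (not code from the original article or from Precursor Security), the following Python script runs the three log-analysis checks listed above over constructed authentication events and tags each finding with an ATT&CK technique: impossible travel with T1078 (Valid Accounts, as named in the article), bulk failed logins with T1110 (Brute Force) and additions to privileged groups with T1098 (Account Manipulation). The JSON-lines event format, the IP geolocation fields, the 900 km/h travel threshold and the "10 failures in 5 minutes" window are all assumptions chosen for the example and should be tuned to the acquired environment's real log sources.

```python
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds (assumptions for this example; tune to your environment).
MAX_PLAUSIBLE_SPEED_KMH = 900            # faster than a commercial flight = impossible travel
BULK_FAIL_THRESHOLD = 10                 # failed logons per user ...
BULK_FAIL_WINDOW = timedelta(minutes=5)  # ... within this sliding window
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed JSON-lines authentication events (not real data). lat/lon stand in
# for a hypothetical IP geolocation enrichment applied at ingest.
_BASE_EVENTS = [
    {"ts": "2026-03-22T08:00:00Z", "user": "j.smith", "event": "logon", "result": "success",
     "src_ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278},   # London
    {"ts": "2026-03-22T08:40:00Z", "user": "j.smith", "event": "logon", "result": "success",
     "src_ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060},  # New York, 40 minutes later
    {"ts": "2026-03-22T09:10:00Z", "user": "svc-backup", "event": "group_add", "result": "success",
     "group": "Domain Admins", "target": "tmp-admin", "src_ip": "192.0.2.5", "lat": 51.5, "lon": -0.12},
]
# Twelve failed logons for one service account, 30 seconds apart from 09:00:00.
_FAILURES = [
    {"ts": f"2026-03-22T09:{(i * 30) // 60:02d}:{(i * 30) % 60:02d}Z", "user": "svc-backup",
     "event": "logon", "result": "failure", "src_ip": "192.0.2.5", "lat": 51.5, "lon": -0.12}
    for i in range(12)
]
SAMPLE_AUTH_LOG = "\n".join(json.dumps(e) for e in _BASE_EVENTS + _FAILURES)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_impossible_travel(events):
    """Two successful logons by one user from different IPs, faster than a plane could travel."""
    findings, last = [], {}
    for e in events:
        if e["event"] != "logon" or e["result"] != "success":
            continue
        prev = last.get(e["user"])
        if prev and prev["src_ip"] != e["src_ip"]:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > MAX_PLAUSIBLE_SPEED_KMH:
                findings.append({"technique": "T1078", "type": "impossible_travel",
                                 "user": e["user"], "km": round(km), "kmh": round(speed)})
        last[e["user"]] = e
    return findings


def detect_bulk_failures(events):
    """At least BULK_FAIL_THRESHOLD failed logons for one user inside the sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "logon" and e["result"] == "failure":
            failures[e["user"]].append(e["ts"])
    findings = []
    for user, times in failures.items():      # times are already in chronological order
        best, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= BULK_FAIL_WINDOW:
                j += 1
            best = max(best, j - i)
        if best >= BULK_FAIL_THRESHOLD:
            findings.append({"technique": "T1110", "type": "bulk_failed_logins",
                             "user": user, "count": best})
    return findings


def detect_privileged_group_changes(events):
    """Any addition to a privileged group is a privilege escalation event worth a human look."""
    return [{"technique": "T1098", "type": "privileged_group_add", "user": e["user"],
             "group": e["group"], "target": e.get("target")}
            for e in events
            if e["event"] == "group_add" and e.get("group") in PRIVILEGED_GROUPS]


def run_hunt(text):
    """Run all three checks over a log export and return the combined findings."""
    events = parse_events(text)
    return (detect_impossible_travel(events) + detect_bulk_failures(events)
            + detect_privileged_group_changes(events))


if __name__ == "__main__":
    for finding in run_hunt(SAMPLE_AUTH_LOG):
        print(finding)
```

Each detector is independent so it can be pointed at a different export (domain controller security logs for the group change, VPN or cloud identity logs for the travel check) as those sources are onboarded. The sliding window in the brute-force check reports the densest cluster of failures rather than a simple count, which avoids flagging a service account that merely fails a handful of times per day.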

The difference between a vulnerability assessment and a penetration test matters here. You need both: the vulnerability scan to identify known weaknesses, and the penetration test to determine whether those weaknesses are exploitable in the context of the merged environment.

How should you handle Active Directory trust and identity integration?

Active Directory trust is the single largest risk vector in post-merger IT integration. A two-way trust created on day one gives any attacker already inside the acquired network a direct path into your environment.

Do not create any trust relationship until you have completed:

  1. A full AD audit. Enumerate every account: user accounts, service accounts, computer accounts. Identify stale accounts (no login in 90+ days) and disable them. Review privileged group membership (Domain Admins, Enterprise Admins, Schema Admins).
  2. A credential hygiene pass. Force password resets on all acquired accounts. Rotate service account credentials. Check for shared credentials between environments.
  3. MFA enforcement. Deploy multi-factor authentication across all acquired accounts before any trust is established. This is non-negotiable. The Change Healthcare breach succeeded because a Citrix portal lacked MFA.
  4. A staged trust approach. Start with a one-way selective trust that gives your security team visibility into the acquired AD without exposing your environment. Move to a two-way trust only after the compromise assessment is complete and findings are remediated.
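Steps 1 and 2 of the checklist above produce a concrete work list once you have an export of the acquired domain's accounts. The Python below, added here as an example and not code from the article or from Precursor Security, applies the article's own criteria (no logon in 90+ days, membership of Domain Admins, Enterprise Admins or Schema Admins, service accounts due for credential rotation) to a constructed CSV export. The column layout of the export and the fixed reference date are assumptions for the example; a real export from the acquired domain would be mapped onto the same fields.

```python
import csv
import io
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=90)      # the article's "no login in 90+ days"
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed export of the acquired domain's accounts. The column layout is an
# assumption for this example, not the output format of any particular tool.
ACCOUNT_EXPORT = """sam_account,account_type,enabled,last_logon,member_of
a.jones,user,true,2026-03-20,Domain Users
b.lee,user,true,2025-10-01,Domain Users;Domain Admins
old-contractor,user,true,2025-06-15,Domain Users
never-used,user,true,,Domain Users
svc-backup,service,true,2024-11-30,Domain Users;Domain Admins
svc-print,service,true,2026-03-01,Domain Users
c.ng,user,false,2025-01-10,Domain Users;Schema Admins
FILESRV01$,computer,true,2026-03-21,Domain Computers
"""
AS_OF = datetime(2026, 3, 22)   # fixed reference date so the results are reproducible


def load_accounts(text):
    """Parse the CSV export into dicts with typed 'enabled', 'last_logon' and 'member_of'."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        row["enabled"] = row["enabled"].lower() == "true"
        row["last_logon"] = (datetime.strptime(row["last_logon"], "%Y-%m-%d")
                             if row["last_logon"] else None)      # empty = never logged on
        row["member_of"] = set(filter(None, row["member_of"].split(";")))
        accounts.append(row)
    return accounts


def is_stale(acct, as_of=AS_OF):
    """An enabled account that has never logged on, or not within STALE_AFTER, is stale."""
    if not acct["enabled"]:
        return False
    return acct["last_logon"] is None or as_of - acct["last_logon"] > STALE_AFTER


def is_privileged(acct):
    return bool(acct["member_of"] & PRIVILEGED_GROUPS)


def audit_accounts(text, as_of=AS_OF):
    """Return the work lists for the AD audit and credential hygiene steps."""
    accounts = load_accounts(text)
    stale = {a["sam_account"] for a in accounts if is_stale(a, as_of)}
    privileged = {a["sam_account"] for a in accounts if is_privileged(a)}
    service = {a["sam_account"] for a in accounts if a["account_type"] == "service"}
    return {
        "disable_stale": stale,
        "review_privileged": privileged,
        "stale_privileged": stale & privileged,          # dormant admin paths: handle first
        "rotate_service_credentials": service,
        # Disabled accounts should still lose privileged group membership, otherwise a
        # re-enable (accidental or malicious) restores domain admin rights instantly.
        "disabled_still_privileged": {a["sam_account"] for a in accounts
                                      if not a["enabled"] and is_privileged(a)},
    }


if __name__ == "__main__":
    for bucket, names in audit_accounts(ACCOUNT_EXPORT).items():
        print(f"{bucket}: {sorted(names)}")
```

The stale-and-privileged bucket is the one to clear before anything else, since a dormant account with domain admin rights is exactly the kind of foothold a pre-existing intruder relies on. Re-run the audit after the password resets and rotations so the work lists shrink to zero before any trust is created.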

Zero trust principles apply directly: verify explicitly, enforce least privilege, and assume breach until proven otherwise. The acquired environment should be treated as untrusted until your security team has validated it.

What does a post-merger network segmentation strategy look like?

Keep the acquired network fully segmented until your compromise assessment and penetration testing confirm it is safe to begin controlled connectivity.

The segmentation architecture should follow these principles:

  • Default deny between environments. No traffic flows between the acquiring and acquired networks unless explicitly permitted per validated business need.
  • Micro-segmentation within the acquired environment. Separate business-critical systems (finance, HR, customer data) from general user traffic. This limits blast radius if a dormant threat activates.
  • Dedicated management VLAN. All security tooling, monitoring, and remote administration of the acquired environment should run through a dedicated, isolated VLAN.
  • Controlled integration points. When you do begin connecting systems, route them through a DMZ with full packet inspection. Monitor these integration points aggressively.
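The four principles above can be checked mechanically against a proposed zone-to-zone rule set before it reaches the firewall. The Python below is an added example, not code from the article or from any firewall vendor: it models rules between four zones (corporate, acquired, a DMZ for integration points and a management VLAN), lints a policy against the principles, and contrasts a constructed "connect first" rule set with a constructed hardened one. Zone names, the rule fields and the two sample policies are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Zone names are assumptions for this example; map them to your own firewall objects.
INTEGRATION_ZONE = "dmz"    # controlled integration points with full packet inspection
MANAGEMENT_ZONE = "mgmt"    # dedicated management VLAN for security tooling and admin access
ENVIRONMENTS = {"corporate", "acquired"}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: Optional[int]     # None means any port
    action: str             # "allow" or "deny"
    note: str = ""


@dataclass
class Policy:
    default_action: str     # applied when no rule matches
    rules: List[Rule] = field(default_factory=list)


def lint_policy(policy: Policy) -> List[str]:
    """Check a zone-to-zone rule set against the segmentation principles in the article."""
    findings = []
    if policy.default_action != "deny":
        findings.append(f"default action is '{policy.default_action}'; must be deny between environments")
    for r in policy.rules:
        if r.action != "allow" or r.src == r.dst:
            continue
        where = f"{r.src}->{r.dst}:{r.port or 'any'}"
        if {r.src, r.dst} == ENVIRONMENTS:
            findings.append(f"{where}: direct path between environments; route it through {INTEGRATION_ZONE}")
        elif r.dst == "acquired" and r.src not in (MANAGEMENT_ZONE, INTEGRATION_ZONE):
            findings.append(f"{where}: only {MANAGEMENT_ZONE} and {INTEGRATION_ZONE} may initiate into the acquired network")
        if r.port is None:
            findings.append(f"{where}: any-port allow is not a validated business need; restrict it to a port")
    return findings


def is_permitted(policy: Policy, src: str, dst: str, port: int) -> bool:
    """First-match evaluation of a flow, falling through to the default action."""
    for r in policy.rules:
        if r.src == src and r.dst == dst and r.port in (None, port):
            return r.action == "allow"
    return policy.default_action == "allow"


# Constructed "connect first" rule set: acquired network plugged straight into the backbone.
WEAK_POLICY = Policy("allow", [
    Rule("acquired", "corporate", None, "allow", "plugged into backbone"),
    Rule("corporate", "acquired", 3389, "allow", "helpdesk RDP"),
])

# Constructed "assess first" rule set: default deny, management VLAN and DMZ only.
HARDENED_POLICY = Policy("deny", [
    Rule(MANAGEMENT_ZONE, "acquired", 443, "allow", "EDR and SIEM collector management"),
    Rule("acquired", MANAGEMENT_ZONE, 514, "allow", "syslog to collector"),
    Rule("acquired", INTEGRATION_ZONE, 443, "allow", "integration API, inspected in DMZ"),
    Rule(INTEGRATION_ZONE, "corporate", 443, "allow", "inspected integration traffic onward"),
])

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_policy(pol) or "OK")
```

Running the linter as a gate in the change process (a rule set with any finding is not deployed) turns the "default deny, DMZ only, management VLAN only" principles into something auditable, and the first-match evaluator lets you answer "would this flow be allowed?" for a specific port before the change goes live.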

NIST CSF controls PR.AC (Access Control) and DE.CM (Continuous Monitoring) map directly to this architecture. ISO 27001 control A.8.8 (Management of technical vulnerabilities) applies to the acquired environment's unpatched systems.

[Figure: Network segmentation diagram showing the isolated acquired environment with controlled integration points and a firewall deny-all policy]

How do you integrate SIEM and SOC monitoring across two environments?

Your SIEM is blind to the acquired environment until you onboard its log sources. This means the acquired network is effectively unmonitored during the period when it is most at risk.

Priority log sources to onboard first:

  • Active Directory authentication and security event logs
  • Firewall and network device logs from the perimeter between environments
  • EDR telemetry from all deployed agents
  • VPN and remote access logs
  • Cloud identity provider logs (Azure AD, Okta, Google Workspace)

Detection rules need tuning. The acquired environment likely runs a different technology stack, and your existing detection content may not cover its attack surface. Audit your detection library for gaps.

For organisations that do not have the SOC capacity to absorb a second environment overnight, SOC-as-a-Service provides surge monitoring during the integration window. This is common in mid-market acquisitions where the acquiring security team is already at capacity.

What is a realistic post-merger IT security timeline?

Post-merger integration security is not a weekend project. Here is a realistic timeline, based on mid-market acquisitions where the acquired company has 200-2,000 endpoints.

[Figure: Five-phase post-merger security integration timeline from isolation through to controlled network merge]

Phase | Timeframe | Key actions
Isolate | 0-72 hours | Network isolation, asset inventory, deploy EDR, establish IR chain of command
Assess | Week 1-4 | Compromise assessment, AD audit, dark web credential check, vulnerability scanning
Segment | Month 1-3 | Network segmentation design, SIEM integration, security policy alignment, staff training
Connect | Month 3-6 | Controlled connectivity, phased AD trust, internal and external penetration testing, remediation
Unify | Month 6-12 | Full integration, unified security operations, continuous monitoring, compliance validation

The pressure to move faster is real. Forescout found that only 36% of IT teams strongly agree they are given adequate time to review a target's cybersecurity standards before completing an acquisition. Push back on that pressure. The Marriott-Starwood breach cost orders of magnitude more than a 90-day delay would have.

Approach | "Connect first, assess later" | "Assess first, connect never (until ready)"
Network posture | Acquired network plugged directly into corporate backbone | Acquired network isolated behind firewall until cleared
Identity risk | AD trust created immediately; lateral movement possible day one | No trust relationship until AD audit, stale accounts purged, MFA enforced
Threat visibility | Existing SIEM blind to acquired environment; no EDR on acquired endpoints | EDR deployed to all acquired endpoints; SIEM ingesting logs before connection
Compliance | Inherited vulnerabilities become your GDPR/regulatory liability instantly | Compromise assessment documents baseline; risk accepted or remediated before merge
Timeline pressure | Feels faster; catastrophically expensive if a dormant threat activates | Takes 30-90 days longer; prevents the Marriott scenario
Real-world outcome | Marriott-Starwood: 4 years undetected, £18.4M fine, $52M US settlement | Structured integration: controlled risk, documented posture, defensible to regulators

Frequently Asked Questions

How long does post-merger IT security integration typically take?

A structured post-merger IT security integration takes 6-12 months. The first 72 hours focus on network isolation and asset inventory. Weeks 1-4 cover compromise assessment and EDR deployment. Months 1-3 address SIEM tuning and network segmentation. Full connectivity and unified operations typically complete by month 6-12.

What is a compromise assessment and why is it needed after an acquisition?

A compromise assessment is a targeted threat hunt across the acquired environment, checking for active intrusions, dormant malware, compromised credentials, and indicators of past breaches. It is needed because 53% of organisations encounter critical cyber issues during M&A deals. Without one, you risk connecting a compromised network to your own.

What are the biggest cyber security risks during post-merger integration?

The biggest risks include inheriting undisclosed breaches from the acquired company, Active Directory trust misconfigurations enabling lateral movement, expanded attack surface from unmanaged assets, phishing attacks targeting confused staff during transition, and regulatory liability for the acquired company's pre-existing GDPR violations.

Should you create an Active Directory trust immediately after an acquisition?

No. Creating a two-way AD trust on day one gives any attacker in the acquired environment a direct path into your network. Audit all accounts first, purge stale credentials, enforce MFA, and start with a one-way selective trust. Full trust should only follow a completed compromise assessment and penetration test.
