PKI Ecosystem Evolution: Modernization Shakes up M&A Space as Vendors Look to Expand
By Michela Menting | 28 May 2025 | IN-7828
Keyfactor Acquires InfoSec Global and CipherInsights
NEWS
On May 13, 2025, Keyfactor announced the acquisition of InfoSec Global and CipherInsights. InfoSec Global offers cryptographic discovery, inventory, and risk remediation, while CipherInsights (a Quantum Xchange product) provides passive network monitoring. Both companies developed sensor-based technology that can run on various systems (networks specifically in CipherInsights’ case) to look for crypto assets and check for compliance with industry standards. InfoSec Global has additional capabilities on the remediation side as well.
New Constraints and Emerging Quantum Threats Require New Solutions
IMPACT
The acquisition is representative of the change affecting the Public Key Infrastructure (PKI) ecosystem and vendors such as Keyfactor, a specialist in PKI and certificate lifecycle management. The space was fairly static for the last couple of decades, but things have started to change considerably in the last 5 years, due in part to the better performance capabilities of devices, which make PKI easier to use, and also to the explosion in the number of devices (i.e., with the Internet of Things (IoT)). From Hypertext Transfer Protocol Secure (HTTPS) and Virtual Private Network (VPN) access to machine identity, securing Continuous Integration (CI)/Continuous Delivery (CD) processes and micro-services, use cases have grown exponentially; for Keyfactor specifically, it has gone from certificate lifecycle management to issuance and signing, and, today, to discovery. The continued shortening of public certificate life spans (from 39 months in 2015 to 47 days for Transport Layer Security (TLS) by 2029), the removal of client authentication from public TLS, and the eventual requirement for hybrid and Post-Quantum Cryptography (PQC) have made certificates the driving factors behind the modernization of the PKI landscape.
More automation will be required for certificate lifecycle management solutions, and certainly better and faster remediation practices, to renew and upgrade the millions of certificates in use every day. To this end, crypto-agility will be the modus operandi for PKI providers and Certificate Authority (CA) vendors. This will allow them not only to modernize and meet these challenges, but also to minimize the subsequent fallout. The removal of client authentication from public TLS will limit demand for multi-modal certificates and is already driving the emergence of new sub-markets (particularly X9 in the financial and banking space). Public and private PKI are increasingly diverging, with the Certificate Authority/Browser (CA/B) Forum squeezing down on public PKI and CA requirements.
Crypto-Asset Discovery Is Key to Crypto-Agility
RECOMMENDATIONS
The Keyfactor acquisitions will allow the company to expand outward from being a Certificate Lifecycle Management (CLM) and PKI provider, to addressing all emerging and future certificate needs. It is about enabling real-time management of certificates, and not just their life spans but also their applicability, implementing (and scaling) issuance and auto-renewal on new standard requirements (lightweight certificates for the IoT, hybrid certificates for PQC migration, etc.). Underpinning all that is the capability to discover and identify the assets, in order to better manage them.
Crypto asset discovery and inventory management are currently hot technology markets for PKI, CLM, and CAs that want to stay relevant in the fast-changing and fragmenting space of digital certificates. PKI and CLM are increasingly intertwined offerings, rather than distinct solutions from different providers. But the real challenge will be on the remediation side, and the first test is on leveraging automation successfully to that end, especially for renewal as life spans shorten.
The final test, however, will be on the path to Post-Quantum (PQ) migration, and the ability to migrate systems in an orderly fashion, prioritized based on sensitivity, criticality, and dependencies. This will be the most difficult piece for providers to get right and is a significant opportunity for leveraging Artificial Intelligence (AI) (and crucially, for it to understand context correctly). The provider that can bring that capability to the fore will be at the bleeding edge of the certificate management market.