The rapid rise of artificial intelligence has transformed the cybersecurity landscape, amplifying both the scale of threats and the sophistication of defense mechanisms. As AI-powered attacks become more adaptive and harder to detect, cybersecurity companies have responded in kind—developing AI-driven tools that can predict, prevent, and neutralize threats in real-time. This dynamic arms race has created a fertile ground for innovation and investment, positioning cybersecurity firms at the forefront of one of the most critical sectors in the digital economy.

At the heart of this evolution lies data—an asset that has grown exponentially in both volume and strategic value. However, in the world of AI, not all data is created equal. The edge increasingly lies in quality, not just quantity. Rich, contextual, and well-labeled datasets are essential for training effective AI models capable of distinguishing between benign and malicious behavior. This paradigm shift is compelling cybersecurity companies to rethink their data strategies and invest heavily in refining how they collect, clean, and utilize information.

For the industry’s major players, building robust data infrastructures is no longer optional—it is foundational. As AI agents become central to cybersecurity operations, these companies must develop the pipelines, governance, and intelligence layers necessary to power them. In the next phase of cybersecurity, the winners will be those who can move from collecting data to orchestrating outcomes and build cohesive platforms.

These developments have contributed to the rise of the modern SOC (Security Operations Center) enhanced by AI. While AI Agents are the ultimate goal, the value lies in the Data Sources and the Data Infrastructure Layer.

One of the most compelling aspects of the cybersecurity ecosystem from an investment perspective is its rapid pace of change, which demands continuous innovation. The threat landscape is in constant flux, driven by increasingly sophisticated adversaries and emerging attack vectors, pushing cybersecurity companies to stay agile and ahead of the curve. At the same time, the cybersecurity platform itself is continuously evolving and expanding, which is something that we will delve into in detail in this report.

The Rise of the Agentic SOC

The SOC (Security Operations Center) is the heart of cybersecurity operations. Every alert or response, from endpoint to cloud, flows through it. While SOCs have existed for decades, the role and functionality of the SOC significantly evolved over the past year+.

The modern SOC is not a dashboard with static data, but a system integrating source data into actionable insights. The data could be coming from different sources, such as the network, endpoints, identity, or the cloud. The challenge of the SOC is processing and sifting through this data, which is usually not properly labeled and in different formats.

From a public company investment perspective, we are laser-focused on figuring out how each company is positioned to capture a significant portion of this evolving market. As Palo Alto management pointed out, customers don’t want to be system integrators, implying that companies delivering a cohesive platform will win.

The leaders in network, endpoint, identity, cloud, and e-mail security are sitting on a vast amount of data, which puts these companies in a unique position to capture value.

Here are a few examples:

  • Crowdstrike (CRWD), a leader in Endpoint Security, processes over 5 trillion events per week, with over 150 million indicator of attack (IOA) decisions made every second; stores over 15 petabytes of data in the cloud and protects over 1 billion containers daily.
  • Zscaler (ZS), a leader in Network Security, processed over 100 trillion transactions, blocked over 60 billion threats, and enforced over 5 trillion policies last year alone.

However, how these companies filter, organize, and use the data will be a key differentiator in the next growth phase. Not surprisingly, most of the larger bolt-on acquisitions have been focused on the Data Infrastructure layer, building on solid positions that each company has in their respective core markets.

  • Crowdstrike (CRWD) acquired Flow Security, a company specializing in cloud data runtime security, to enhance its DSPM offerings for ~$110 million in March ’24.
  • Palo Alto Networks (PANW) acquired Dig Security, a provider of Data Security Posture Management (DSPM), for $200-400 million in October ’23, IBM’s QRadar, adding SIEM capabilities for $1.14 bn in Sept. ’24, and Protect AI for ~$600-700 million, expected to close in 1Q’26.
  • Zscaler acquired Avalor, a data fabric platform, for $350 million in March ’24, and recently announced the acquisition of RedCanary, a Managed Detection and Response (MDR) platform, for $675 million, expected to close in August ’25.

In this report, we provide an overview of the largest cybersecurity end markets in the context of the modern cybersecurity platform.

Sources of Data

Sources of Data: From a market size perspective, Network Security (SASE), Endpoint Security, and Identity Security are the largest end markets all around ~$20B+ in market size. Cloud Security is the most rapidly growing area, soon to rival in size at <$20B. E-mail security is relatively smaller at <$10bn.

Here are some details and key players for each one:

Network Security (SASE)

Traditional network security followed a “castle and moat” model—trusting everything inside the perimeter. That no longer works. In 2025, organizations are shifting to Zero Trust, which assumes no implicit trust and verifies every access request based on identity, device, location, and behavior.

Zero Trust is more than tools—it’s a mindset. It enforces least privilege, micro-segmentation, and real-time, identity-aware access, applied consistently across identity, network, endpoint, and cloud environments. It’s a strategic framework, not a single product.

SASE: Merging Networking and Security

Secure Access Service Edge (SASE) integrates networking and security into a unified, cloud-native platform. Instead of managing separate tools like SD-WAN, firewalls, and VPNs, SASE delivers them as a single service — enforcing policies at the edge for better performance and protection. Vendors like Zscaler, Palo Alto Networks, and Netskope offer solutions that secure users wherever they connect.

Trends:

  • SASE is the fastest-growing segment within network security, with a CAGR of ~30+%. Vendors like Zscaler, Palo Alto Networks, and Netskope are leading the transition.
  • The market is moving toward unified, “single-vendor” platforms for simplicity and scalability.

Endpoint Security


Endpoints—laptops, mobile devices, IoT—are prime attack vectors, especially in hybrid and remote work environments. Traditional antivirus (AV) software has proven inadequate, prompting the rise of Next-Gen Endpoint Protection.

Traditional end-point security relied on signature-based detection to identify known malware, but today’s threats are more evasive, dynamic, and behavior-based. This has led to the rise of Endpoint Detection and Response (EDR)—a more advanced approach that continuously monitors endpoint activity, stores telemetry for forensic analysis, and can automatically investigate and contain threats.

To go beyond the endpoint, organizations are adopting Extended Detection and Response (XDR). XDR integrates data across security layers—endpoints, network traffic, email, cloud workloads, and identity—to give security teams a holistic view. Instead of piecing together disconnected alerts, XDR correlates signals across domains, making threat detection more accurate and response more efficient.

The endpoint security market is expected to grow at a double-digit CAGR. While growth has moderated over the past year, there is still significant runway as 40%+ of the market is still using legacy antivirus.

Together, EDR and XDR form the foundation of modern threat detection—proactive, integrated, and responsive to a constantly evolving attack surface.

Key players in endpoint security are: CrowdStrike, SentinelOne and Microsoft Defender.

Identity Security


Identity remains the linchpin of enterprise security. According to industry estimates, over 80% of cyberattacks exploit identity-based vulnerabilities. The rise in cloud adoption and distributed teams has magnified the complexity of managing identities and permissions.

Subcategories:
1. IAM (Identity and Access Management): Controls user authentication and access. Identity and Access Management (IAM) begins by verifying that a user or system is who it claims to be. It’s more than technology—it’s a framework of policies, processes, and tools for managing digital identities and their access across systems.

Access Management covers both authentication (proving identity with biometrics, passkeys, etc.) and authorization (controlling what that identity can access). Features like SSO, MFA, and passwordless logins strengthen security, while real-time context—such as device, location, and behavior—is used to assess risk and enforce adaptive, conditional access.

Leading vendors like Okta and Microsoft Entra ID now integrate device posture checks and AI-driven policy decisions for smarter access control.

2. PAM (Privileged Access Management): Secures high-level system access.

Some identities—like admin, DevOps, and IT superusers—pose greater risk due to their broad access. PAM protects these accounts by storing credentials in secure vaults, monitoring sessions, and enforcing Just-in-Time (JIT) access—granting elevated rights only when needed, then revoking them automatically.

Modern PAM also covers machine and service accounts, not just human users.

3. IGA (Identity Governance and Administration): Manages lifecycle and compliance.

While IAM grants access, Identity Governance and Administration (IGA) determines if that access should exist. IGA manages the full identity lifecycle—onboarding, role changes, and offboarding—enforcing policies, segregation of duties, and regular access reviews.

Modern IGA platforms are automated, cloud-ready, and integrated with HR and business workflows, helping large enterprises stay compliant and ensure access remains appropriate over time.

4. ITDR (Identity Threat Detection & Response): Defending the Identity Layer.

Modern attackers don’t break in—they log in, exploiting credentials and permissions. Identity Threat Detection and Response (ITDR) monitors identity behavior, detects anomalies, and correlates threats with data from across the stack.

When suspicious activity—like a dormant admin logging in from abroad—is detected, ITDR can alert teams or trigger automated responses. These tools often integrate with SIEM, XDR, and PAM to enhance detection and response.

8. Customer Identity (CIAM)

CIAM governs how customers access apps—balancing security with seamless UX through features like social login, adaptive auth, and consent management. As AI agents begin acting on users’ behalf, CIAM is evolving to address identity, delegation, and authentication in this new context.

5. Non-Human Identity (NHI)
Machine identities—APIs, scripts, bots, containers—now outnumber human ones, often with excessive or unmanaged access. Most organizations lack visibility into them. NHI management tools help discover, inventory, and govern these entities using lifecycle principles once reserved for humans. In 2025, managing machine identity is central to addressing identity sprawl.

Trends:

  • Increasing focus on non-human identities (e.g., workloads, APIs).
  • Platform convergence as vendors move to unify IAM, IGA, and PAM into single offerings.

Market leaders include Microsoft, Okta, CyberArk, and CrowdStrike, with the latter pushing into ITDR.

Consolidation is expected as platforms evolve to cover broader identity use cases.

Cloud & App Security

As organizations migrate to the cloud, securing workloads, data, and applications has become a top priority. Cloud and App Security represents both a white-space opportunity and a rapidly evolving battlefield for cybersecurity providers. With cloud-native architectures and infrastructure as code, securing infrastructure and apps is now one integrated workflow. Most breaches stem from misconfigurations, exposed APIs, or compromised code—highlighting the need for unified, context-aware protection.

Cloud security spend represents ~1% of overall cloud spend and has been growing in-line to stronger than the overall cloud spend. The market is still in an early stage, with various players approaching it from different angles.

Here are some details on each sub-category:

CNAPP (Cloud-Native Application Protection Platforms)
CNAPP consolidates posture management, workload protection, entitlement visibility, and pipeline scanning into one platform. It links signals across the cloud stack to reveal risk in context—like a public VM with vulnerable software and excessive access. CNAPP also shifts security earlier in development, flagging issues at build time for DevSecOps teams.

CSPM (Cloud Security Posture Management)
CSPM scans cloud environments (AWS, Azure, GCP) for misconfigurations—like open ports or unencrypted storage—and enforces best practices. Modern CSPM tools prioritize by risk, align with compliance standards, and suggest precise fixes.

CWPP (Cloud Workload Protection Platforms)
CWPP monitors workload behavior in real time—tracking processes, file activity, and network traffic across VMs, containers, and serverless. It catches runtime threats in dynamic environments where traditional tools fall short.

CIEM (Cloud Infrastructure Entitlement Management)
CIEM maps who has access to what in the cloud, exposing overprivileged roles and risky permission combinations. It enforces least privilege and complements CSPM and CWPP for full-stack visibility.

CDR (Cloud Detection and Response)
CDR provides real-time threat detection in live cloud environments—flagging lateral movement, rogue containers, and privilege abuse. It’s the cloud-native version of EDR, integrating behavioral and identity signals to detect active threats.

SSPM (SaaS Security Posture Management)
SSPM extends posture management to SaaS apps like Google Workspace and Salesforce. It audits configurations, access, and integrations to reduce risk across the often-overlooked SaaS layer.

ASPM (Application Security Posture Management)
ASPM tracks application risk from code to production—correlating code flaws, vulnerable dependencies, misconfigured APIs, and IaC issues. It merges static and dynamic testing with environment context to prioritize what truly matters.

Trends:

  • Shifting Left vs. Shifting Right – companies are coming to Cloud Security from both the Left (DevOps) and Right (Cybersecurity)
  • Cloud and App security are converging

Data Security Infrastructure


The explosion of data and the adoption of AI systems have given rise to new security concerns. Data security now includes traditional and next-gen SIEMs, governance, compliance, and protection in addition to emerging areas such as Data Flow (e.g., Pipelines and Data Routing).

The entire Data Infrastructure Market is only $16-$20B in size but its the most rapidly growing space with some sub-segments growing 50%+.

SIEM & SOAR, both legacy and next-gen, are the most significant components, sized at about $10-12B, with Data security DSPM & DLP at ~$4B and AI at ~$1B. This segment contains the highest-growth businesses, with several growing at 50%+ rates.

More details on each category.

SIEM (Security Information and Event Management)

The SIEM used to be the center of the SOC. It still plays a major role today, though its purpose has shifted. In its earliest form, a SIEM was designed for log collection and compliance reporting. Teams would store large volumes of data, run queries, and hope to catch suspicious patterns in time.

That model doesn’t hold up in modern environments. Data moves too fast and attackers don’t wait. Today’s SIEMs need to support fast search, scalable architecture, and open integration with other parts of the SOC stack. Some organizations still use traditional platforms like Splunk or QRadar. Others are shifting to newer models like Chronicle or Panther. Either way, a SIEM is only as valuable as the telemetry it receives and the detections it can drive in context.

Data Pipelines

The first step in any SOC workflow is ingesting telemetry. But not all logs are helpful. In fact, much of what gets collected is repetitive, incomplete, or irrelevant. Security Data Pipeline Platforms emerged to solve this challenge.

These platforms act as filters and routers. They connect to dozens of sources including endpoint tools (Crowdstrike), network logs (Palo Alto), identity providers (Okta), cloud audit logs, and SaaS apps, and normalize what they pull in. They strip out duplicates, apply enrichment, and send the cleanest, most useful version of that data to the right downstream tools. What you end up with is a stronger detection surface and fewer wasted cycles. SDPPs aren’t just about saving on storage. They’re about building a cleaner, smarter pipeline from the ground up. Platforms like Cribl, Datadog, Abstract, and Axoflow have made this possible.

Data Security Posture Management (DSPM)


DSPM platforms help organizations discover and classify sensitive data—across cloud storage, SaaS apps, and databases—and understand who’s accessing it, how, and where it’s going.


They go beyond basic inventory by mapping data flows, flagging overexposed records, and identifying compliance risks. With hybrid and multi-cloud environments, DSPM offers a unified view of data exposure, helping teams reduce risk without disrupting operations.

Data Loss Prevention (DLP)


Legacy DLP tools often struggled with noisy alerts and limited visibility. Modern DLP has shifted toward contextual, integrated enforcement—monitoring who is sending what data, through which channels, and whether it aligns with policy.


These tools now embed directly into apps like Google Workspace or Slack, offering real-time prompts or warnings to users. Combined with DSPM, they enable more precise, usable data protection across endpoints, apps, and cloud systems.

SOAR (Security Orchestration, Automation, and Response)


Even the best alerts are useless if no one responds. That’s where SOAR platforms step in. They help automate the messy, manual parts of incident response, gathering logs, assigning severity, pinging analysts, or kicking off containment scripts.
Modern SOAR tools like Torq and D3 go further than simple playbooks. They allow branching workflows, connect to a broader range of platforms, and adapt based on risk or context. In mature SOCs, they’ve become the engine behind response, not just accelerating actions but making sure no alert slips through the cracks. With strong SOAR integrations, even small teams can scale their impact.

AI Security

AI is both a tool for defenders and a target for attackers.

The rapid adoption of generative AI has introduced an entirely new layer of exposure that security teams are still learning to navigate. From proprietary large language models (LLMs) trained on internal data, to third-party AI integrations, to the unsanctioned use of public tools like ChatGPT, the attack surface is expanding fast.

The associated risks are both familiar and novel. Traditional concerns like data leakage now take new forms—such as sensitive information surfacing in AI-generated responses—while newer threats include prompt injection, model tampering, and indirect misuse, like tricking downstream systems with crafted outputs.

To combat these challenges, a new category of AI security solutions is emerging. These tools track and analyze model interactions in real time, flag suspicious prompts, enforce usage policies, and map out AI usage across an organization. In many ways, they function as runtime security for AI, stepping in when behavior deviates from expected norms.

Importantly, the goal isn’t only to secure the models themselves—it’s to protect the broader AI infrastructure, including APIs, training pipelines, storage environments, and access permissions. As AI becomes more embedded in core business operations, safeguarding the full ecosystem is becoming a top security priority.

While the ultimate goal is to create AI Agents, that is not necessarily where the value lies. The key to a successful platform and quality AI Agents will solving the data challenge.

Conclusion

Cybersecurity is no longer an IT cost center—it’s a business-critical imperative. From ransomware and phishing to cloud misconfigurations and identity theft, the threats are numerous and constantly evolving. But so too are the solutions.

Customers are seeking one-stop solutions that take raw data and generate actionable insights. As the SOC becomes more dynamic, data-driven, and integral to enterprise defense, the battle is no longer just about who has the best individual tool—but who can unify the layers into a seamless, intelligent platform. The companies best positioned to lead are those with deep telemetry, strong customer trust, and the architectural advantage to turn fragmented signals into coordinated defense. In the next phase of cybersecurity, the winners will be those who can move from collecting data to orchestrating outcomes.

For more information on valuations, growth projections, and how the key cybersecurity companies stack up, stay tuned for our upcoming Tech Edge research digest, which will be released tomorrow. Sign up here if you are not on our distribution list.

The Tech Edge covers hot topics in B2B technology and will keep you on the cutting edge of investments in data hardware, infrastructure, cybersecurity, and more.

Additional Resources