Stabilizing growth, historic concentration, and a valuation reset in a more selective market

We present our annual analysis of publicly traded, enterprise‑focused cybersecurity company performance. Aggregate cybersecurity revenue grew 16.8% in 2025, modestly below 17.0% in 2024 and well below 21.4% in 2023, continuing the sector’s multi‑year deceleration from the exceptionally strong growth rates seen earlier in the decade. Importantly, the pace of deceleration moderated, with median company growth stabilizing at 13.7%, suggesting demand is slowing but not deteriorating further.

Despite this relatively stable fundamental backdrop, cybersecurity stock performance weakened materially. The median stock declined 18% over the past year, even as a small number of very large companies supported a 5% market‑cap‑weighted gain, highlighting a growing disconnect between index‑level returns and the experience of the typical cybersecurity company.

Market‑capitalization concentration increased further and reached historically high levels. The top three cybersecurity companies accounted for 68% of total market capitalization as of March 13, while the top four accounted for approximately 81%, reinforcing a pronounced “haves versus have‑nots” dynamic in the public markets.

While most companies met or exceeded revenue and earnings expectations in 2025, stock price changes showed limited correlation with those outcomes. Instead, performance aligned more closely – though imperfectly – with expectations for future growth and Rule of 40 metrics, while broader software‑sector sentiment and valuation compression weighed heavily on equity performance across the group.

How we looked at the market

This report presents our annual analysis of publicly traded, enterprise-focused cybersecurity firms’ performance. To be included, companies must have been listed on a U.S. exchange, derive the vast majority of their revenue from supplying cybersecurity solutions to enterprise and government customers, and have sufficient historical financial data to allow meaningful comparisons.

Consistent with prior years, we exclude consumer-focused cybersecurity companies. We perform our analysis near the end of the first quarter to incorporate reported full-year results and initial guidance for the coming year. Because our analysis used a March 13 cut off date, SailPoint’s (SAIL) figures reflect consensus mean estimates rather than reported values.

For revenue analysis, we include only companies with at least four years of comparable reported data. As a result, recently public companies such as Rubrik (RBRK) and Netskope (NTSK)–added to our universe following its IPO in September 2025–are excluded from revenue growth calculations but are discussed elsewhere. Cisco’s (CSCO) cybersecurity revenue remains excluded due to limited comparability following its acquisition of Splunk. During the past year, CyberArk was acquired by Palo Alto Networks (PANW) and, as a result, is no longer included as a standalone company in our analysis.

Revenue growth slowed but showed signs of stabilization

We present revenue and revenue growth by company in Table 1 and conclude that cybersecurity demand growth slowed again in 2025 but remains solid relative to broader technology markets. Aggregate revenue for the companies in our analysis grew 16.8% to $39.4 billion, marking the third consecutive year of deceleration following the unusually strong growth experienced in 2021 and 2022.

Notably, the pace of deceleration moderated. Aggregate growth declined by just 0.2 percentage points year-over-year, while median company growth increased slightly to 13.7% from 13.3% in 2024. We view this as evidence cybersecurity demand is stabilizing at a lower–but still healthy–growth rate rather than continuing to weaken.

TABLE 1: Revenue and revenue growth 2023 to 2025 (sorted by 2025 growth, dollars in millions)

Source: Company data, Capital IQ, First Analysis.
Notes: (1) Revenue and growth rates are based on CRWD’s, NTSK’s, OKTA’s, RBRK’s and S’s reported revenue for its fiscal year ended January 2023, 2024, and 2025. (2) Revenue and growth rates are based on CSCO’s, PANW’s, and ZS’s reported revenue of the four quarters through January (their fiscal Q2) in 2023, 2024, and 2025. (3) Reporting SAIL’s revenue consensus mean as of March 10, 2026.

Growth remained uneven across the group. Cloud-focused companies continued to lead, with native cloud-centric platforms Rubrik, Cloudflare (NET), Zscaler (ZS), SentinelOne (S) and CrowdStrike (CRWD) all growing revenue at rates above 20% in 2025. SailPoint was the only other company to grow revenue by more than 20% in 2025. While not cloud-native from inception, SailPoint’s Atlas platform, launched in 2023, has positioned it as a major cloud player for identity security.

The next-fastest growers were Palo Alto Networks, which grew revenue 15.4%, and Fortinet (FTNT), which grew revenue 14.2%. They are examples of strong platform plays. These are the two largest companies by revenue within the group, and both offer a broad array of products covering multiple cybersecurity sub-segments. The fact the largest companies by revenue grew near the industry’s average rate reinforces our view that cybersecurity has entered a more mature phase over the past several years. Prior to 2020, the larger players in terms of revenue, such as McAffee, Symantec and Checkpoint (CHKP), generally grew slower than average and were therefore eventually overtaken by smaller, more nimble companies. This is no longer true. The larger companies seem to be getting even stronger, and this is also reflected in their market caps.

The companies growing materially slower than the group average are, in general, not cloud-native companies. They have, of course, introduced cloud-centric capabilities and platforms, but we believe they are not viewed by prospects as providing the cutting edge of cloud capabilities. Further, these companies generally lack leadership in multiple subcategories, which prevents them from capitalizing on being a central cybersecurity platform for enterprises to build on (unlike Palo Alto and Fortinet). Being a non-cloud-native, non-platform company is proving difficult, and we don’t foresee this dynamic changing quickly.

Notwithstanding the current analysis, AI is a wild card. We believe any company on the list that can be recognized in the market as having a highly differentiated AI offering and strategy will have a pathway for above-market growth. To date, while there is substantial AI marketing buzz at nearly all the companies, we don’t think the market has anointed a clear leader, and this leaves an opening for companies not on this list to take this title.

Initial guidance again proved conservative

Comparisons between initial 2025 guidance and actual results provide important context for looking at recent stock performance. Actual 2025 revenue finished approximately 2% above initial guidance on both an average and median basis – a result we view as relatively typical by historical standards. For context, 2024 revenue was also about 2% above guidance (similar to 2022), 2023 about 1% below (during a weaker demand environment), and 2021 about 7% above.

There were no material revenue guidance misses. Most companies reported actual revenue within a few percentage points of initial guidance, and several delivered modest upside. Earnings performance was notably strong: Every company in the group beat its initial EPS guidance, with several delivering meaningful outperformance.

TABLE 2: 2025 revenue and EPS initial guidance compared to actual results (sorted by revenue difference)*

Source: First Analysis, company reports, Capital IQ.
Notes: For July and December year-end companies, we show fiscal 2025 figures; for January year ends, we show fiscal 2026 figures. For companies lacking initial revenue and/or EPS guidance, we show initial consensus estimates as of approximately one week after reported year-end results. EPS = earnings per share. (1) Reporting SAIL’s revenue and EPS consensus mean as of March 10, 2026.

Taken together, these results suggest cybersecurity companies executed largely in line with, or better than, expectations in 2025. Importantly, the results show no sign of an unexpected demand or profitability shock during the year. Further, though we don’t present the data in detail, the outlook for next year does not suggest any fundamental industry weakness. At this time last year, companies guided to average revenue growth of approximately 13.4% (12.1% median) for 2025, which the group ultimately exceeded, delivering 15.9% average and 13.2% median growth on a comparable basis. Revenue growth guidance for 2026 averages approximately 14.0% (11.8% median), indicating a modest slowing from what was reported in 2025, but in line with growth guidance for 2025 at this time last year. So, we expect growth to remain relatively steady based on guidance, and guidance for 2026 EPS does not indicate a deterioration in industry profitability.

Stock performance diverged sharply from fundamentals

Despite stable growth expectations and strong earnings execution, cybersecurity stock performance weakened materially over the past year. The median stock declined 18%, and the average stock declined 12%. But on a market‑cap‑weighted basis, the group appreciated 5%, supported by gains in a small number of very large companies.

Only three of sixteen companies posted positive one‑year returns – Cloudflare, CrowdStrike, and Radware (RDWR) – and just two outperformed the Nasdaq, which gained 28% over the same period. This divergence underscores the growing disconnect between the sector’s solid revenue growth and profitability and equity performance across much of the sector.

Cybersecurity stocks were affected by broader software‑sector repricing

We believe recent cybersecurity stock performance should also be viewed in the context of a broader repricing across the software sector. Over the past year, software equities experienced meaningful valuation compression as investors reassessed growth durability, enterprise spending trends, and the longer-term implications of artificial intelligence on competitive dynamics and capital allocation.

Although cybersecurity fundamentals remained relatively resilient, the sector was not immune to this sentiment shift. As a result, most cybersecurity stocks declined alongside software peers despite stable growth expectations and generally strong operating performance. In prior years, cybersecurity companies often benefited from premium multiples supported by strong secular tailwinds and a perception of defensiveness. How AI affects this sector is subject to much debate, but the concern has driven at least a temporary reset in valuation. As the debate settles, we will see if the current downdraft represented an excellent entry point or the start of a secular, AI-driven decline for the sector along with other software areas. From here, we think this dynamic may disproportionately affect smaller and mid-cap companies without clear category leadership or platform scale, although outcomes will obviously vary significantly across individual companies.

TABLE 3: Cybersecurity stock price and market cap analysis

Source: First Analysis, Capital IQ.

Market‑cap concentration reached historic levels

Market‑cap concentration among publicly traded cybersecurity companies continued to increase and reached historically high levels in 2025. As of March 13, 2026, the top three companies accounted for 68.0% of total cybersecurity market capitalization, up from 64.4% in 2024 and 38.9% in 2019.

This concentration increased even as total market capitalization expanded to $474.3 billion, indicating that rising concentration occurred alongside market growth rather than contraction. While the specific companies comprising the top tier have evolved over time–most recently with Cloudflare replacing Fortinet–the broader trend toward concentration has remained consistent. Adding Fortinet, with the fourth-largest market capitalization in the sector, brings the concentration to more than 80%, reinforcing the winner-take-most narrative.

TABLE 4: Cybersecurity market capitalization concentration of top three constituents ($ in billions)

Source: First Analysis.
Notes: We did not publish an annual analysis for 2020 performance.

Concentration has implications for both investors and operators

For investors, rising concentration reduces the informational value of index‑level performance, as median stock performance may diverge materially from index returns for extended periods.

For companies, this trend underscores the advantages of scale. Larger platforms appear to benefit from broader product portfolios, more entrenched customer relationships and more efficient go‑to‑market models. We feel smaller companies face increasing pressure to differentiate through innovation, specialization or strategic focus to sustain growth and relevance. However, we again note AI initiatives may offer the opportunity to upset the status quo, which could be contributing to the valuation multiple decline seen even at sector leaders.

Stock performance correlated with growth and profitability expectations – but imperfectly

As in prior years, we examined the correlation between stock price movements and the magnitude of difference between guidance and actual results. In the past, cybersecurity stocks tended to respond strongly to either revenue or earnings outperformance; however, that relationship again weakened this year. The correlation between stock price change and revenue performance relative to guidance was just 0.27, and the correlation for EPS was even lower at 0.02, indicating little meaningful linkage between near-term execution and stock price.

With neither revenue nor earnings beats explaining stock price changes, we examined the relationship between stock performance and expected forward revenue growth. The correlation was 0.57 for 2026, indicating expected growth remains a key driver of relative performance.

TABLE 5: Correlation of stock price change and estimated 2026 revenue growth

Source: First Analysis.

We also evaluated stock performance and companies’ implied 2026 Rule‑of‑40 guidance. In this case stock performance exhibited a positive but moderate correlation of 0.39, suggesting investors continue to value some balance of growth and profitability – but growth has returned to the fore, reversing some trends seen in the past two years.

TABLE 6: Correlation of stock price change and 2026 Rule of 40 guidance

Source: First Analysis.

However, neither growth nor profitability alone was sufficient to support broad stock appreciation. Several companies with solid growth and profitability expectations still experienced significant stock price declines, reinforcing the view that AI concerns, macro conditions, valuation discipline and market structure played a larger role in determining equity performance over the past year.

Where will the market focus?

The cybersecurity market continues to expand at a healthy pace, but success is becoming increasingly selective. Growth remains solid. Profitability is now an expectation rather than a differentiator, and scale has become a clear advantage in the public markets. As a result, outcomes are increasingly bifurcated, with a small number of large platforms capturing a disproportionate share of value creation.

At the same time, innovation remains an important driver of outperformance. Cloud-native and technologically differentiated companies continue to grow faster than the group average, demonstrating that leadership is not determined by size alone. However, the path to sustained outperformance appears narrower than in prior years, requiring either meaningful scale or a clearly differentiated position within a critical security category.

Further, AI may provide another vector of differentiation. Just as some of last decade’s smaller cloud-native companies replaced some of the previous sector leaders, we see room for small but AI-focused companies to play a disruptive role. Whether these companies eventually replace current leaders depends in part on how many of them are acquired by the current crop of larger players; it appears the larger players are willing to pay up to acquire the upstarts, for now.

Looking ahead, while the sector may no longer command the valuation premiums it once did, cybersecurity fundamentals remain sound. The industry appears to be entering a more mature phase in which returns are driven less by broad sector tailwinds and more by company specific execution, competitive positioning and scale.

Roller-coaster year for cybersecurity index

The First Analysis Cybersecurity Index gained 3% over the one-year period ended March 13, substantially underperforming the Nasdaq’s 28% gain and the S&P 500’s 20% gain. It was a roller-coaster year: The index had gained 31% by July, gave up most of those gains by August, recovered to a 33% gain in November, and fell to a 13% decline in February as a result of a SaaS market sell-off prompted by concerns about AI’s impact, before finally recovering somewhat in the final few weeks.

Cybersecurity public comparables*

Source: Capital IQ, First Analysis.
Notes: Public comparable company data shown above is as of March 13, 2026. (1) EBITDA multiples less than 0 and greater than 50 labeled “not meaningful” (NMF). LTM = last 12 months. EBITDA = earnings before interest, taxes, depreciation and amortization.

Of the 17 cybersecurity stocks that have been public for over a year (excludes Netskope, NTSK, after its initial public offering in September), only three appreciated, all by more than 10%, led by Cloudflare (NET), up 87%, and CrowdStrike (CRWD), up 33%. Those two companies’ 14-point market-cap-weighted contribution to the index was offset by the losses in the other constituents.

The index’s enterprise value multiple of trailing-12-month revenue as of March 13 was 11.0, down from 11.9 at the beginning of the one-year period. It was still well above the Nasdaq’s 4.9 ending multiple. Looking at forward multiples, the average enterprise value multiple of estimated revenue was 6.4 for 2026 and 5.4 for 2027. Cloudflare (NET) traded at the highest multiples for estimated 2026 revenue (26.5) and estimated 2027 revenue (20.8). The only other company trading above 11 times revenue was CrowdStrike (CRWD), with an 18.2 multiple for 2026 and 15.0 for 2027. Revenue growth on average is expected to be 13.2% in 2026.

We have added Netskope (NTSK) to the index, which had its initial public offering on Sept. 18, 2025. Netskope is a cloud security and secure access service edge company offering real-time visibility, threat protection and data security for cloud services, websites and private applications. The metrics above reflect this change for the current period.

First Analysis Cybersecurity Index 1-year performance

Source: Capital IQ.
Notes: (1) Index performance is weighted by market cap. For the period from March 17, 2025, through March 13, 2026.

Cybersecurity M&A: Notable transactions include SGNL and Koi

We highlight two noteworthy cybersecurity merger and acquisition announcements from the first quarter.

On Jan. 8, CrowdStrike (CRWD) announced it had signed a definitive agreement to acquire SGNL, which provides continuous identity security software, in a transaction valued at approximately $650 million. SGNL’s continuous identity authorization layer is designed to secure modern enterprise environments where human, non-human and AI agents operate. SGNL’s runtime enforcement engine sits between identity providers and cloud resources, eliminating gaps exploited by credential-based attacks. The acquisition helps strengthen CrowdStrike’s flagship Falcon platform, bolstering its identity security capabilities and helping the platform better manage identity access requests in the AI era.

SGNL’s Continuous Access Evaluation Profile (CAEP) Hub enables systems to share security events in real time to manage user access and session security continuously

Source: SGNL.

On Feb. 17, Palo Alto Networks (PANW) announced a definitive agreement to acquire Koi, a pioneer of agentic endpoint security, for $300 million. The company had previously raised $48 million in a funding led by Battery Ventures, Team8, Picture Capital and NFX. Koi’s technology protects the emerging layer of AI agents, extensions, plugins and model artifacts that operate with deep and often unmanaged privileges on modern endpoints. Its platform provides real-time visibility and control over AI-native software components, helping address risks including remote code execution via application programming interfaces and credential hijacking. This acquisition helps Palo Alto enhance agentic endpoint security in its Cortex XDR security solution and its Prisma AIRS AI security platform.

Koi’s endpoint solution maps software to organization-wide access rules based on user and group

Source: Koi.

Select recent M&A transactions (sorted by date of announcement, $ in millions)

Source: Capital IQ, First Analysis.

Cybersecurity private placements: Notable investments include Upwind Security and VulnCheck

We highlight two noteworthy cybersecurity private placement announcements from the first quarter.

On Jan. 26, Upwind Security, a cloud-native run-time security platform, announced it had raised $250 million in a Series B funding led by Bessemer Venture Partners with participation from Salesforce Ventures, Picture Capital, Greylock Partners, Cyberstarts, Leaders Fund, Craft Ventures, TCV, Alta Park Capital, Cerca Partners, Swish Ventures and Penny Jar Capital. This funding brought the company’s total funding to $430 million since its founding in 2022. Upwind Security provides cloud security capabilities that help organizations detect malicious activity in public cloud environments by correlating cloud telemetry and run-time signals. Its platform also uncovers surface vulnerabilities present in continuous integration and continuous delivery pipelines before code reaches production. The proceeds will be used to expand product development and scale globally.

Upwind identity authorization graph

Source: Upwind Security.

On Feb. 17, VulnCheck, a provider of exploit intelligence, announced a $25 million Series B funding led by Sorenson Capital with participation from National Grid Partners and existing investors Ten Eleven Ventures and In-Q-Tel. This investment brings the company’s total amount raised to $45 million since its founding in 2021. VulnCheck delivers fully autonomous, exploitation anchored intelligence designed for direct machine-to-machine consumption, prioritizing first-party evidence of active exploitation over traditional analyst-driven vulnerability workflows. The platform continuously ingests and refreshes exploit data multiple times per day, enabling security teams and downstream security products to close the exploitation timing gap as new common vulnerabilities and exposures emerge. VulnCheck grew annually recurring enterprise revenue 557% in 2025 and added nearly 7,000 new users across its intelligence platform, reflecting accelerating demand from enterprise, government and critical-infrastructure customers.

VulnCheck common vulnerabilities and exposures dashboard

Source: VuInCheck.

Select recent private placements (sorted by date of announcement, $ in millions)

Source: Capital IQ, First Analysis.