Core Conclusions
AI cybersecurity has moved from "one feature inside a security product" to the control plane and governance layer of the AI value chain. It spans models, agents, enterprise data, identity, runtime, development tools, and the SOC, and it is no longer a peripheral capability of traditional network security but one of the entry requirements for deploying AI at scale. Anthropic defines MCP as an open standard for establishing a "secure two-way connection" between data sources and AI tools; OpenAI folds tracing and evaluations into the agent development stack; Microsoft, Palo Alto Networks, Zscaler, and Check Point have all brought AI assets, agents, runtime, data, and identity governance into their main platforms.
The biggest change AI brings to the attack side is not that "hackers suddenly got smarter" but a marked rise in attack scale, personalization, social-engineering realism, and attack-chain automation. The biggest change on the defense side is that SOC ticket handling, investigation, response, policy tuning, data classification, and permission governance are beginning to be agentized. Microsoft has publicly applied Security Copilot agents to phishing, data security, and identity management; its 2025/2026 materials explicitly bring agent governance, shadow AI agents, and agent identities into the security framework.
"Using AI to do security" and "protecting AI itself" are two entirely different budget curves. The former is essentially about reallocating existing security operations budget and maps to SIEM, SOAR, XDR, MDR, threat intelligence, email security, and code review; the latter is new security budget that appears as AI applications and agents proliferate and maps to AI-SPM, AI runtime security, RAG permission control, agent identity, MCP/tool governance, AI data security, and model API security. The former lands faster; the latter has greater long-run elasticity.
The AI security budget that lands first over the next 12–24 months is not "pure prompt-injection defense" but five categories: AI SOC automation, the security data lake plus AI SIEM, AI/agent identity and permission governance, AI data security/RAG permission control, and the AI gateway/runtime control plane. These sit closest to enterprises' existing control chains, procurement frameworks, and ROI systems, and are the easiest to embed into existing platforms. Palo Alto's Portkey deal positions the AI Gateway as a key control plane for autonomous agents; Microsoft places agent identities inside Entra; CrowdStrike, Zscaler, Check Point, and Fortinet are all extending AI security capabilities within their existing platforms.
Among public companies that already convert AI security demand fairly clearly into revenue, ARR, RPO, or margin improvement, look first at Palo Alto Networks, CrowdStrike, Fortinet, Zscaler, and Rubrik. Palo Alto's Next-Generation Security ARR reached $4.8 billion in FY25 Q2, up 37% year over year, with RPO at $13 billion; CrowdStrike's end-of-FY25 ARR reached $4.24 billion, with Next-Gen SIEM/Cloud/Identity ARR together exceeding $1.3 billion; Fortinet's Q1 2025 Unified SASE ARR and Security Operations ARR grew 26% and 30% year over year; Zscaler's FY25 Q2 revenue grew 23% with deferred revenue up 25%; Rubrik's FY25 Q4 Subscription ARR reached $1.09 billion, up 39%.
Another set of companies look more like defensive beneficiaries, where AI mainly cuts costs, lifts efficiency, and deepens platform stickiness rather than creating an independent new revenue pool. Typical names include Microsoft, Datadog, Cloudflare, Check Point, and Qualys: all are accelerating the embedding of AI features into their platforms, but most have yet to disclose AI security ARR separately, and the benefit shows up more as stronger platform competitiveness, more seat/workload expansion, or higher capacity.
The companies truly at the core of the AI security platform are not single "LLM firewall" vendors but platforms that simultaneously hold identity, data, runtime, logs/telemetry, and the response loop. The closest to this shape today are Palo Alto Networks, CrowdStrike, Microsoft, and Zscaler, followed by Fortinet, Check Point, Datadog, and Cloudflare. This judgment rests on how quickly they unify agents, AI assets, data protection, SOC automation, and access governance into their existing control planes.
Agent security, AI identity security, non-human identity, and RAG permission control are among the segments with the greatest revenue elasticity, because once an enterprise lets agents directly reach internal knowledge bases, SaaS, code repositories, ticketing systems, and browsers, it must solve inventory, identity, least privilege, tool approval, audit trail, and secrets management. Anthropic has built connector permission controls into MCP's design; OpenAI builds tracing and evaluations into the agent stack; Microsoft places agent identities inside Entra and its Zero Trust model.
The segments with the best margins are usually not the sexiest "AI firewall" but the identity, data, and security-operations software layers built on high-margin SaaS. This already shows in the margins of Check Point, Qualys, and Fortinet, and is beginning to show in the operating-leverage improvement at CrowdStrike, Okta, Tenable, and SentinelOne. Check Point's 2024 operating margin was 34%; Qualys's Q1 2025 GAAP operating margin was 32% with an Adjusted EBITDA margin of 47%; Fortinet's Q1 2025 non-GAAP operating margin was 34.2%; SentinelOne reached full-year non-GAAP operating profitability for the first time in FY2026.
The most bubble-prone segments are the standalone small categories that are hard to make into mandatory near-term purchases yet easy for platforms to build in, especially pure prompt injection, jailbreak defense, generic LLM firewalls, and single-point AI red-teaming tools. Palo Alto has acquired CyberArk, Koi, and Portkey in succession and turned Prisma AIRS/Idira into a unified control plane; Microsoft embeds agent security into Entra/Defender; Zscaler and Check Point both build AI assets, data, and access control into their main platforms. This means many single-point vendors end up looking more like acquisition targets than long-term independent platforms.
The companies where valuation already clearly reflects AI security expectations include, first of all, CrowdStrike, Palo Alto Networks, Datadog, and Cloudflare. On a rough basis of current market cap against the most recent fiscal-year revenue, CrowdStrike trades at about 39x price-to-sales, Palo Alto at about 22x, Datadog at about 22x, and Cloudflare at more than 40x; these companies may of course keep delivering, but "business certainty" and "valuation attractiveness" have already clearly separated.
The companies where an expectation gap may still exist sit more in platforms that "already have a control plane but whose AI security revenue has not yet been fully and separately priced by the market," such as Fortinet, Check Point, SentinelOne, Okta, and Tenable. Their shared trait: valuations well below the hottest AI security platforms, yet they already possess the underlying capabilities needed to extend into AI security, including agent identity, SecOps, exposure management, Zero Trust, and Cloud/App/Identity.
The names facing the highest disruption risk from AI security platforms, cloud vendors, or AI-native security companies are, first, traditional SOAR, traditional log analytics, single-point vulnerability management, single-point CSPM, single-point DLP, single-point email and anti-phishing, and point tools without identity/data/platform capabilities. Rapid7 is a telling cautionary case: as of FY2025 full-year revenue grew only 2% with ARR of $840 million, while Q1 2026 revenue fell 0.3% year over year, signaling multiple pressures from platformization, automation, and budget migration.
The most important catalysts over the next 12–24 months are the pace of enterprise agent adoption, the AI security payment rate, M&A consolidation among platform vendors, and whether AI security enters RPO/cRPO/ARR disclosure. The biggest risks are that enterprises invest in compute and applications first and security later; that platforms bundle single-point AI security features for free; and that the autonomous SOC stays reluctant to go fully autonomous on high-risk actions. Microsoft, Anthropic, and OpenAI are all advancing agent capabilities quickly, but that does not automatically mean independent AI security budgets ramp in step.
The Value Chain Landscape and Budget Migration
First, answer the ten most important questions.
New AI security budget is not a single line item; it forms simultaneously from four procurement pools. First, the "mandatory governance layer" within AI project budgets, including AI asset discovery, AI-SPM, agent inventory, tool governance, runtime protection, audit, and approval. Second, the "platform upgrade layer" within existing security budgets, including AI SOC, AI SIEM, agentic SOAR, XDR, and threat-intel automation. Third, the "AI scale-out layer" within data and identity budgets, including DSPM, DLP, RAG permissions, machine/agent identity, PAM, secrets, and CIEM. Fourth, the "AI application protection layer" within developer and cloud budgets, including AI code security, model API security, AI gateway, secure browsers, and local agent control. Palo Alto's Portkey/Koi/CyberArk path, Microsoft Entra's agent identity, Zscaler's AI Asset Management/DSPM, CrowdStrike's secure AI, and Check Point's GenAI Protect/AI Cloud Protect all show that mainstream platforms are positioning around these four pools.
The difference between "using AI to do security" and "protecting AI itself" is this: the former optimizes the defense efficiency function, while the latter defines the boundary at which an enterprise lets AI go live. The former solves alert overload, false positives, staffing shortages, slow investigation, and rigid playbooks; the latter solves invisible AI assets, over-broad agent permissions, over-reading RAG, abuse of models/tools/browsers, sensitive data exfiltration, and unauditable runtime behavior. The former is therefore most easily picked up by existing security vendors, while the latter more readily pulls identity security, data security, cloud security, and application security back to the center of the budget.
Why won't enterprises rely on traditional security tools alone? Because agents, RAG, MCP, and multi-model APIs turn "who can read what, call what, act on whose behalf, who receives the output, and how behavior is audited" into entirely new questions. Anthropic states clearly that MCP requires access control over connectors and supports one-time or permanent authorization; OpenAI also makes tracing and evaluations part of the agent stack. This means AI security needs new control points, not merely added rules at the network edge or endpoint layer.
The table below gives the value-chain landscape. Scores run 1–5, with higher values indicating stronger benefit/investment elasticity under AI adoption; these are subjective scores based on public disclosure and this report's analytical framework, not management guidance.
Value-chain position Segment Core products AI security demand drivers Revenue model Main customers Competitive moat Margin profile Representative companies Public/Private Benefit strength Investment elasticity Key sources Model layer Foundation model safety model safeguards, evaluations, tracing, connector controls external model calls, enterprise private data access, behavior audit API/platform add-on, enterprise edition model developers, platform owners, large enterprises model capability, data, evaluation framework high gross margin, but safety revenue often not itemized OpenAI, Anthropic Private 4 4 Application layer AI application security AI gateway, runtime policy, output filtering rapid expansion of embedded enterprise AI applications per app/API/seat SaaS, developer platforms, large enterprises runtime telemetry, policy engine, integration breadth high-margin SaaS PANW, Zscaler, Check Point Public 5 5 Agent layer Agent security inventory, behavior monitoring, approval, logging autonomous agents begin executing real operations per seat/agent/usage large enterprises, finance, dev teams audit trail, permission model, workflow integration high margin, but fierce early competition Microsoft, PANW, CrowdStrike Public 5 5 Tool-calling layer MCP / tool governance connector allow/deny, tool approval, sandboxing MCP and function/tool calling become the default architecture platform add-on, per agent/API AI dev platforms, enterprise IT protocol control and identity binding high margin; independents easily absorbed by platforms Anthropic, OpenAI, PANW Hybrid 5 5 Data layer RAG and knowledge-base security permission inheritance, vector-retrieval authorization, content-level DLP RAG makes "querying equal to reading data" per data volume/seat/index large enterprises, regulated industries data classification, ACL mapping, content understanding high margin, complex to deploy Zscaler, Microsoft, Varonis, Rubrik Public 5 4 Data layer AI data security DSPM, DLP, sensitive data discovery AI greatly widens the enterprise data access surface per TB/object/user large enterprises, cloud-native enterprises classification accuracy, context-and-permission linkage high margin Zscaler, Check Point, Microsoft Public 5 4 Identity layer AI identity security IAM, PAM, CIEM, agent identity, NHI surge in agents/service accounts/secrets per user, workload, permission object all industries identity graph, least privilege, audit high margin, high customer switching cost Microsoft, Okta, PANW-Idira Public 5 5 Runtime layer AI runtime security LLM firewall, runtime inspection, abuse detection real-time blocking of prompt injection and unauthorized tool calls per request volume/API call AI application teams low latency, policy and log scale high early margin but price-pressured PANW Prisma AIRS, CrowdStrike, Check Point Public 4 5 Evaluation layer AI red teaming and model evaluation eval, red teaming, policy testing pre-launch validation for heavily regulated, high-risk scenarios project-based + subscription finance, government, model companies methodology and case library many vendors face "good product, hard to monetize" OpenAI, Anthropic, platform security vendors Hybrid 3 3 Development layer AI code security code review, secret scan, supply chain AI coding raises code volume and dependency complexity seat/repository/pipeline dev teams, platform engineering code semantic understanding, ecosystem integration high margin but crowded Microsoft/GitHub, Elastic, Datadog Public 4 4 Operations layer AI SOC AI analyst, automated triage, investigation summary, response staffing shortage, alert explosion, MTTR pressure platform subscription, per data/event SOC, MSSP, large enterprises security data, case graph, workflow margins improve markedly with scale CrowdStrike, PANW, Microsoft, Fortinet Public 5 5 Data platform layer AI SIEM / security data lake lakehouse, search, AI query, detection need for low-cost storage plus AI analytics data volume/node/platform package SOC, cloud-native enterprises data model, search, ecosystem relatively high margin, strong scale effects CrowdStrike, Elastic, Datadog, Microsoft Public 5 4 Orchestration layer Agentic SOAR automated playbooks, agent workflow, approval shift from rule-driven to goal-driven response platform add-on SOC, MDR scenario library, connectors, approval chain standalone SOAR profit pool weakening PANW, Microsoft, CrowdStrike Public 4 4 Detection layer XDR / EDR / NDR / ITDR joint endpoint, identity, network, cloud detection AI attacks make cross-domain correlation more important per endpoint/user/workload large enterprises, government telemetry scale, threat graph, response loop high margin CrowdStrike, SentinelOne, PANW, Fortinet Public 5 4 Cloud layer CNAPP / AI-SPM AI asset discovery, model exposure surface, configuration risk explosion of multi-model, multi-cloud, shadow AI workload/cloud account/platform package cloud-native enterprises cloud control-plane integration, graph high margin but rapidly consolidating PANW, Check Point, CrowdStrike, Fortinet Public 5 4 Network and access layer SASE / SSE / Secure Browser AI usage governance, browser isolation, local agent control employees use agents directly in the browser/endpoint per user/site/bandwidth large enterprises, distributed workforces network distribution + identity + data good margin, strongly platform-oriented Zscaler, Cloudflare, Fortinet, PANW Public 4 4 API layer API security model API protection, abuse monitoring rising exposure of tool calls and model APIs API/request volume dev teams, SaaS traffic understanding, policy engine high margin but easily bundled by platforms Check Point, Cloudflare, PANW Public 4 3 Resilience and recovery layer Data resilience / Cyber Recovery backup, isolated recovery, AI data protection data is more valuable and ransomware costlier in the AI era subscription/capacity/node large enterprises, regulated industries recovery capability, data-plane stickiness high margin and strong ARR Rubrik Public 4 4 Operations services layer MDR / MSSP AI-assisted detection, investigation, remediation customers lack people and capability subscription/managed service mid-to-large enterprises people + platform + process margin depends on automation rate CrowdStrike, Fortinet, PANW ecosystem Public 3 3 Buyer budget layer Enterprise customers joint procurement across security, AI, data, IT AI projects must pass governance before launch platform package, add-on modules Fortune 500, finance, government, healthcare procurement relationships, compliance bar large-deal driven Microsoft, PANW, CrowdStrike, Zscaler Public 5 5 Attack side AI-driven attacks deepfakes, social engineering, automated phishing, rogue agents scaling and customization of attacks N/A attackers low-barrier proliferation N/A demand-driven, not an investable target N/A 5 5 Budget migration assessment.
My view: within the AI security budget, in the near term (next 12 months) more than half will still appear as "reallocation of existing security budget," most typically by adding AI modules or platform packages within SIEM/SOAR/XDR/MDR, SASE, data security, and identity security. But over the medium term (12–36 months), the share of net-new budget will rise quickly, especially from AI application owners, data platform leads, Copilot/agent project owners, and enterprise architecture teams. The reason is that once AI moves from a "Q&A tool" to an agent that "can call tools, access knowledge bases, and act on behalf of users," the security responsibility chain extends from the CISO to the CIO, CTO, and data and business owners. Microsoft has disclosed that 230,000+ organizations use Copilot Studio to build AI agents and automations; this pulls agent governance demand forward to the deployment moment.
Scenario analysis.
Dimension Conservative Base Aggressive Core assumption AI stays mainly at the copilot/retrieval layer; agents used in only a few workflows enterprises move from copilots to workflow agents and begin multi-model and knowledge-base integration agents take over internal workflows at scale, with deep browser/endpoint/knowledge-base/API linkage Enterprise AI adoption 55% 70% 85% Agent adoption 10% 20%–25% 35%–45% AI security payment rate 20% 35% 50%+ AI attack growth moderate fast very fast Security budget change total security budget +2%–4%, mostly reallocation total security budget +5%–8%, new and replacement coexist total security budget +10%–15%, AI security forms an independent budget Most-benefited segments AI SOC, SASE, DLP, Identity AI SOC, AI-SPM, RAG security, agent identity, security data lake agent security, MCP security, AI runtime, NHI, AI data security Benefiting companies FTNT, CHKP, OKTA, TENB PANW, CRWD, ZS, FTNT, RBRK, S PANW, MSFT, CRWD, ZS, OKTA, RBRK, S Disrupted companies traditional SOAR, single-point log tools traditional SOAR, point CSPM, point DLP, RPD traditional SIEM/SOAR, point AppSec, vulnerability-management-only tools Main risk low payment rate; customers treat AI security as a free platform feature immature standards; conservative boundaries on automated remediation cloud vendors/platforms absorb the profit pool; small standalone categories hard to IPO independently Enterprise AI Security Architecture and Segment Value
The typical architecture of an enterprise-grade AI security system is shifting from a three-layer "network–endpoint–cloud" defense to a six-layer control plane of "asset discovery–identity–data–runtime–logs–governance." The most central change: AI is no longer only an object that gets accessed but a subject that actively reads, reasons, calls, writes back, and executes actions. Therefore the layer with the deepest long-run moat is no longer just the endpoint or gateway but the platform layer that ties together identity, data lineage, runtime telemetry, approval, and audit. Microsoft places agent identities inside Entra and lands them in Zero Trust; Anthropic emphasizes connector-level control within MCP; OpenAI adds tracing/evals to the agent stack; PANW, through Portkey, Koi, and CyberArk, tries to converge entry, identity, endpoint, and runtime onto a control plane such as Prisma AIRS / Idira.
The table below merges the requested 15-layer architecture into a single value-decomposition table and directly answers "where the moat is deepest, where it is easiest to build in, and where it is most suitable for independent entry."
Architecture layer Main control objective Easiest to build a moat Easiest for cloud vendors/platforms to build in Most suitable for independent security companies to enter Most suitable for large-platform consolidation Willingness to pay Margin Growth/competitive dynamics Main judgment AI asset discovery layer discover models, agents, APIs, knowledge bases Medium High Medium High Medium High high growth/high competition easily absorbed by cloud/security platforms; independents better suited as a wedge Model and agent inventory layer inventory, owner, risk Medium Medium-high Medium High Medium-high High high growth tightly bound to identity, approval, configuration management; suits platforms Data discovery and classification layer sensitive data, permissions, lineage High Medium Medium High High High high growth among the highest long-run value, especially after RAG and Copilot go live Identity and permission layer human/NHI/agent identity, least privilege Very high Medium Medium Very high Very high Very high high growth one of the core security budgets of the AI era Prompt and input protection layer injection, unauthorized input, malicious context Medium-low High Medium High Medium Medium-high high growth/high competition many good products, but long-run independent pricing may not be strong Output and data-leak protection layer output filtering, redaction, policy High Medium Medium High High High steady growth bound to DLP and compliance; easier to win revenue, reputation, and budget RAG permission control layer retrieval authorization, ACL inheritance High Medium High High High High high growth a key bottleneck layer, easiest to make sticky MCP / tool-calling governance layer tool allow/deny, approval, audit High Medium High High High High one of the fastest-growing good early independent-entry space, but platforms will absorb it mid-term Agent runtime monitoring layer behavior, cost, anomaly, abuse High Medium High High High High one of the fastest-growing a re-run of cloud runtime security for the AI era Agent behavior audit layer traceability, evidence chain, attribution High Medium High High High High high growth value rises when combined with compliance/approval AI red teaming and evaluation layer security validation before and after launch Medium Medium-high High Medium Medium Medium-high high growth/high competition high "good product but hard to monetize" risk Security data lake layer telemetry, retrieval, long-term storage Very high Medium Medium Very high High High high growth the foundation of the autonomous SOC, one of the strongest platform moats SIEM / SOAR / XDR layer detection, investigation, response High Medium Medium Very high High High being rebuilt AI rewrites the workflow but will not eliminate this layer Human approval and governance layer HITL, policy, exception handling Medium-high Medium Medium High Medium-high Medium-high stable growth mandatory in high-risk workflows, not replaceable by pure automation Compliance and audit layer regulation, recordkeeping, accountability chain Medium-high Medium Medium High Medium-high High stable growth the faster AI budget lands, the more rigid this layer becomes Segment value ranking.
Viewed through "degree of commercialization × platform moat × budget landing speed" over the next 12–24 months, what I weigh most is not the hottest single technology but the following 8 main segments:
Segment Segment logic Commercialization stage How revenue converts Main customers Pricing/gross-margin trend Moat 12–24 month catalysts Main risk Investment appeal AI SOC use AI analysts to improve triage, investigation, response commercialized platform expansion, seat, event volume, MDR add-on large enterprises, MSSP margin rises alongside platformization data lake + workflow + threat intel AI agents move from copilot to autonomous workflows hallucination/mishandling 5 AI SIEM / security data lake AI query and automated investigation need a low-cost, high-quality telemetry layer commercialized data volume, platform package, upsell SOC, cloud-native enterprises high margin, strong scale effects data model, search, ecosystem unification of log/security/AI data cost and migration complexity 5 Agentic SOAR shift from playbook to agent workflow early-to-mid replace legacy SOAR, attach to XDR/SIEM SOC, mid-to-large enterprises weak standalone pricing, stronger when bundled workflow, approval chain platform-internal agents go live at scale standalone SOAR marginalized 4 XDR / EDR / ITDR attack chains cross endpoint/cloud/identity/data; AI improves detection and response commercialized module expansion, platform package, Flex contracts large enterprises, government high margin telemetry and response loop AI-driven attacks accelerate commoditized competition 4 CNAPP / AI-SPM extend from cloud asset visibility to AI asset visibility early-to-mid workload/cloud account/platform package cloud-native enterprises high margin cloud control-plane integration demand for AI asset/model/dataset discovery explodes cloud vendors build it in 5 Identity security / NHI / Agent Identity an agent is essentially a new non-human identity early-to-mid user, workload, secret, privilege all industries high margin identity graph and least privilege agent productionization, Zero Trust moves forward immature standards 5 AI runtime / LLM firewall / Prompt / Jailbreak address real-time abuse, injection, unauthorized calls early API call volume, app count AI application teams high margin but price-pressured runtime policy and logs high-risk AI applications go live easily built into platforms 3 RAG security / AI data security DSPM/DLP data is AI's fuel and also its highest-risk exposure surface entering volume ramp data objects, TB, seat, platform upsell large enterprises, regulated industries high margin classification + permission + context enterprise knowledge bases and Copilot truly land complex to deploy 5 Agent security / MCP security / Tool Governance once agents start "doing things," they must be controllable and auditable early but highly elastic billed per agent/API/connector or as a platform add-on AI dev teams, large enterprises high early margin protocol control, audit trail MCP/connectors proliferate easily absorbed via platform M&A 5 AI red teaming / model evaluation assess model and application risk before launch early project-based + enterprise package model owners, large enterprises margin can be high, but scale is hard methodology and datasets adoption by regulated and high-risk industries budget not mandatory 2 Code security / software supply chain / API security AI coding increases code volume and dependency risk commercialized seat/repository/API calls dev teams high margin deep DevOps/SDLC integration AI coding proliferates open-source price pressure 4 Browser security / local Agent / Secure Browser humans and agents share the browser/endpoint early-to-mid user/device/browser seat distributed-workforce enterprises medium-high margin endpoint + network + identity linkage agentic browsers gain popularity customer education cost 4 Email security / AI phishing / deepfake detection AI amplifies social engineering and identity impersonation commercialized seat/domain/mailbox all industries high margin data labeling and graph attacks escalate easily squeezed by platforms 3 MDR / MSSP AI raises per-capita output and gross margin commercialized managed contracts, platform add-on mid-to-large enterprises margin heavily affected by automation process and reputation persistent talent shortage competition from platform direct services 3 AI security compliance and governance audit, policy, accountability chain early-to-mid seat/project/platform package regulated industries relatively good compliance templates and workflow regulatory refinement absorbed by large GRC vendors 3 AI-native security startups use Agent/MCP/runtime as a wedge early pilot to platform add-on frontier AI adopters high early margin first-mover and specialization M&A wave hard to scale as an independent market 4 On balance, the five segments most worth digging deeper are: AI SOC / security data lake, agent identity and permission governance, RAG/AI data security, AI-SPM/CNAPP extension, and the agent/MCP/runtime control plane. These simultaneously satisfy four conditions: "budget necessity," "fits within existing procurement line items," "can form a platform control plane," and "strong M&A value."
Investment Universe Master Table and Tiering
The table below includes only the key public names from this round of research with high confidence and fairly clear financial evidence or platform paths. The "rough price-to-sales" in the valuation column uses a simple conversion of current market cap against the most recent full fiscal-year revenue, without netting out cash or interest-bearing debt, so it is better suited for cross-comparison than for precise valuation.
Company Ticker Market Segment Core AI security product/path AI security benefit path Key financial evidence Gross/operating margin Rough valuation observation Tier Overall judgment Key sources Palo Alto Networks PANW NASDAQ platform, AI runtime, identity, SOC, CNAPP Prisma AIRS, Portkey, Koi, Idira, Cortex direct benefit + platform; AI Gateway, agent endpoint, identity, SOC unified control plane FY25 Q2 NGS ARR $4.8 billion, +37%; RPO $13 billion, +21%; FY24 revenue $8.03 billion; FY26 Q1 NGS ARR $5.9 billion, RPO $15.5 billion FY24 total gross margin 74.3%; FY26 Q2 non-GAAP op margin over 30% current market cap about $176 billion, PE about 136x, expectations already high A clearest benefit, but valuation is not cheap CrowdStrike CRWD NASDAQ AI SOC, XDR, Identity, Cloud, Next-Gen SIEM Charlotte AI, Falcon Flex, Secure AI direct benefit + platform; AI-native SOC and multi-module expansion end-of-FY25 ARR $4.24 billion, +23%; FY25 revenue $3.95 billion, +29%; Next-Gen SIEM/Cloud/Identity ARR together >$1.3 billion; 97% gross retention FY25 total gross margin 75%; FY25 FCF $1.07 billion current market cap about $155.5 billion, rough price-to-sales about 39x A one of the strongest AI SOC assets, but the hottest valuation Fortinet FTNT NASDAQ security operations, SASE, platform network security FortiOS, SecOps, Unified SASE direct benefit; AI drives modular expansion of SecOps and SASE Q1 2025 revenue $1.54 billion, +14%; Unified SASE ARR +26%; Security Operations ARR +30%; RPO $6.49 billion FY24 total gross margin 80.6%; Q1 2025 non-GAAP op margin 34.2% current market cap about $94 billion, PE about 49x A clear benefit path, valuation below the hottest AI security names Zscaler ZS NASDAQ SASE/SSE, AI asset and data security AI Security, AI Asset Management, DSPM, Copilot Data Protection direct + platform benefit; Zero Trust extends to AI and data control plane FY25 Q2 revenue $648 million, +23%; billings +18%; deferred revenue $1.88 billion, +25%; FY24 revenue $2.17 billion, +34% FY24 gross margin 78% current market cap about $27.9 billion, rough price-to-sales about 13x A strong platformization, valuation relatively acceptable Rubrik RBRK NYSE data resilience, AI data security, recovery cyber resilience, AI data protection direct benefit; data value rises in the AI era, recovery and isolation more critical FY25 Q4 Subscription ARR $1.093 billion, +39%; FY25 revenue $887 million, +41%; FY26 Q4 revenue $378 million, +46% subscription model lifts visibility current market cap about $12.9 billion, rough price-to-sales about 15x A not the center of the "agent security" narrative, but a genuinely revenue-generating, high-elasticity asset SentinelOne S NYSE XDR, AI SOC, AI security platform Singularity, Purple AI, AI security medium-high benefit; evolving from EDR to an AI-native autonomous security platform FY2026 revenue $1.0 billion, +22%; ARR $1.119 billion, +22%; $100k+ ARR customers 1,667, +18%; FY2026 non-GAAP op margin turned positive to 3% FY2026 GAAP gross margin 74%, non-GAAP 79% current market cap about $5.8 billion, rough price-to-sales about 5.8x B high elasticity, modest valuation, but fierce competition with platform giants Okta OKTA NASDAQ IAM, agent identity, Zero Trust Identity cloud, RPO/cRPO driven medium-high benefit; long-run benefit from agent identity, access, and governance, but AI security revenue not itemized FY25 Q4 revenue $682 million, +13%; RPO $4.215 billion, +25%; cRPO $2.248 billion, +15%; FY2026 non-GAAP op margin 26% margin markedly improved current market cap about $15.5 billion, PE about 78x B could be re-rated if agent identity becomes a core budget Check Point CHKP NASDAQ platform, AI application security, cloud and email security Infinity AI Copilot, GenAI Protect, AI Cloud Protect medium benefit; AI strengthens platform stickiness, but financial contribution not separately disclosed FY2024 revenue $2.565 billion, +6%; operating margin 34%; Q1 2025 revenue $638 million, +7%; Security subscriptions +10%; RPO +11% high margin, high cash flow current market cap about $14.4 billion, rough price-to-sales about 5.6x B strong financial quality, but AI revenue validation still weak Datadog DDOG NASDAQ security data platform, cloud security, AI operations security Bits AI Security Agent, MCP Server, Cloud/App Security platform benefit; AI strengthens observability + security convergence Q1 2026 revenue $1.006 billion, +32%; about 4,550 $100k+ ARR customers; FY2025 revenue $3.43 billion, +28%; FY2025 non-GAAP op margin 22% high margin, strong cash flow current market cap about $76.2 billion, very high PE, rough price-to-sales about 22x B good company, but AI security is more a platform bonus than an independent revenue bucket Cloudflare NET NYSE AI application/browser/network/development platform security AI apps/agents/workforce, Workers, AI features platform benefit; AI application hosting and security run in parallel, security revenue hard to break out Q1 2025 revenue $479 million, +27%; landed its first Workers contract over $100 million; signed its longest-tenor SASE contract; 3,497 customers with >$100k annualized revenue in 2024 Q1 2025 GAAP gross margin 75.9% current market cap about $71.1 billion, very high valuation B strong platform position, but "AI security" is more a strategic narrative than equatable to independent revenue Microsoft MSFT NASDAQ identity, data, Security Copilot, agent governance Security Copilot, Entra agent identity, Defender/Purview/Intune agents platform + defensive benefit; can absorb a large AI security profit pool 230,000+ organizations use Copilot Studio to build agents/automation; Security Copilot agents already cover phishing, data security, identity; Entra extends to the agentic workforce extremely strong corporate profitability, but security revenue does not separately break out AI current PE about 25x B extremely strong as the "control-plane owner," but AI security is not a standalone valuation factor in the public market Elastic ESTC NYSE search, security data lake, AI SIEM Search AI Company, Elastic Security defensive/indirect benefit; AI reinforces its security-data and search positioning Q3 FY2026 revenue $450 million, +18% security and observability on one platform current market cap about $5.7 billion C technically valuable, but AI security financial visibility weaker than the leading platforms Tenable TENB NASDAQ exposure management, vulnerability and assets exposure management extends to AI asset risk medium benefit; AI-SPM/exposure surface can benefit, but needs product validation Q1 2025 revenue $239 million, +11%; current billings +9%; non-GAAP op margin 20%; Q1 2026 revenue $262 million, +9.6%, turned to GAAP op profit margin improving current market cap about $2.7 billion C an expectation gap exists if AI asset discovery and exposure management truly take shape Qualys QLYS NASDAQ vulnerability management, cloud security, compliance traditional platform plus AI efficiency gains defensive benefit; more about lifting platform efficiency Q1 2025 revenue $160 million, +10%; GAAP gross margin 82%; GAAP operating margin 32%; Adjusted EBITDA margin 47% extremely strong margins current market cap about $3.5 billion, PE about 17.6x C strong financial defensiveness, but limited AI security growth elasticity Identity peer note: CyberArk acquired by PANW N/A PAM / Identity Security Idira no longer applicable as a standalone target, but the identity security segment's value is validated PANW has completed the acquisition and renamed its platform Idira N/A N/A N/A important corroboration of "identity centralization in the AI era" Rapid7 RPD NASDAQ risk detection, traditional security operations traditional platform with added AI higher disruption risk; slow growth, platformization pressure FY2025 revenue $860 million, +2%; ARR $840 million; Q1 2026 revenue $210 million, -0.3% year over year positive cash flow, but growth markedly slowing current market cap about $450 million E a textbook case of "may be consolidated/replaced by AI security platforms" Company tiering.
Tier A: PANW, CRWD, FTNT, ZS, RBRK. Their shared traits: an established platform, clear evidence of accelerating ARR/RPO/revenue, and the ability to convert AI security features into platform expansion and higher margins.
Tier B: S, OKTA, CHKP, DDOG, NET, MSFT. Clear benefit, but either AI security revenue is not itemized, valuation already partly reflects it, or the benefit shows up more as platform control than as separate disclosure.
Tier C: ESTC, TENB, QLYS. AI is more a defensive capability or moderate-elasticity extension; near-term financial elasticity lags A/B.
Tier D: insufficient high-confidence evidence this round, not separately ranked; this tier appears more among single-point LLM firewall / prompt defense / standalone AI red-team startups. This does not deny the demand but stresses that product launch is not revenue landing. The supporting basis is the continued build-in and M&A cadence of large platforms, not a negative conclusion about any single startup.
Tier E: Rapid7, plus the broader traditional SOAR, point log tools, point CSPM/DLP/email security. Their shared problem: lacking an identity/data/AI runtime/platform control plane, they are easily consolidated by AI platforms.
Scoring model.
This report uses the following subjective weights: direct AI security revenue exposure 25%, platform position and customer base 20%, data and technology moat 15%, product coverage and integration capability 15%, financial quality and margin 10%, growth elasticity 10%, valuation reasonableness 5%. The resulting research priority is below (out of 100, for research ranking rather than investment advice):
Rank Company Total score Core logic 1 Palo Alto Networks 88 highest platform completeness; successive M&A converges identity, agents, AI Gateway, endpoint, and SOC into a unified control plane 2 CrowdStrike 86 strongest delivery of AI-native SOC and multi-module ARR, but one of the priciest valuations 3 Fortinet 80 Security Operations and SASE already show visible ARR, excellent margins, valuation relatively less extreme 4 Zscaler 79 Zero Trust extends to AI, data, and asset control planes; revenue and deferred-revenue growth still strong 5 Rubrik 76 the importance of data resilience in the AI era is underestimated; ARR and subscription growth are fast 6 SentinelOne 73 clear autonomous-SOC and platform-upgrade logic, relatively moderate valuation 7 Okta 71 high long-run value of agent identity, but near-term AI security revenue not itemized 8 Microsoft 70 extremely strong control plane, but AI security is a group-level variable; equity elasticity lags pure security names 9 Check Point 69 high margins, low valuation, but AI narrative stronger than revenue validation 10 Datadog 68 high data-platform value, but security is only part of the platform and valuation is high 11 Cloudflare 66 excellent position in AI apps/agents/workforce, but "AI security" leans more strategic narrative 12 Tenable 64 possible expectation gap if exposure management extends to AI assets 13 Qualys 61 high financial quality, weaker AI elasticity 14 Elastic 59 has data-lake value, but moderate visibility on security/AI monetization 15 Rapid7 42 high risk of disruption from platform consolidation and budget migration In the reverse risk score ("risk of disruption by AI security platforms"), the highest-risk samples are: Rapid7 > traditional standalone SOAR/log tools > single-point vulnerability management > standalone prompt/jailbreak gadgets > point CSPM/DLP. The reason is that these areas are the easiest for platforms to absorb and the hardest in which to build a compound moat of identity + data + runtime.
In-Depth Analysis of Key Public Companies
Palo Alto Networks. Its segment role is the "overall AI security control-plane platform." Through Prisma AIRS, Portkey, Koi, and CyberArk/Idira, it ties AI runtime, AI gateway, agentic endpoint, identity security, and Cortex/SecOps into one whole, making it the public company closest to the definition of an "AI security platform" today. Financially, FY25 Q2 Next-Generation Security ARR reached $4.8 billion, up 37% year over year, with RPO at $13 billion, up 21%; FY24 revenue was $8.03 billion at a 74.3% gross margin; FY26 Q1 NGS ARR already reached $5.9 billion with RPO at $15.5 billion. The benefit path is very direct: once enterprises move from "using models" to "using agents to execute actions," identity, endpoint, gateway, logs, and response must be procured together, and PANW is turning these purchase points into one platform package. The main risk is not demand but a valuation that already fully prices in platform win-rate, along with the integration cadence after successive acquisitions. Conclusion: strong benefit / high certainty / valuation on the high side but the strongest platform position.
CrowdStrike. CrowdStrike is one of the strongest commercialization cases within "using AI to do security." End-of-FY25 ARR reached $4.24 billion, up 23% year over year; FY25 revenue was $3.95 billion, up 29%; FY25 free cash flow was $1.07 billion. Management also disclosed that Next-Gen SIEM, Cloud Security, and Identity Protection together reached end-of-period ARR above $1.3 billion, with 97% gross retention, and Falcon Flex delivered over $1 billion in deal value in a single quarter. Its AI security benefit path has two stages: first, the SOC budget concentration from Charlotte AI and the AI-native SOC; second, the Secure AI, Cloud, Identity, and Data modules pulling "protect AI itself" budget into the Falcon platform. The catch is an extremely high valuation, with the market already treating it as the core scarce asset in AI cybersecurity. Conclusion: strong benefit / high elasticity / elevated valuation.
Fortinet. Fortinet's market often focuses on its historical positioning in network security, but what truly merits re-rating now is its three-line advance of "Secure Networking + Security Operations + Unified SASE." Q1 2025 revenue was $1.54 billion, up 14% year over year; Unified SASE ARR grew 25.7% year over year; Security Operations ARR grew 30.3% year over year; RPO was $6.49 billion; meanwhile FY24 total gross margin reached 80.6%, and Q1 2025 non-GAAP operating margin reached 34.2%. Fortinet's AI benefit path is not the sexiest LLM security narrative but turning SecOps and SASE into AI-driven, high-margin add-on layers on top of a large existing install base and the FortiOS platform. This revenue quality is often better than that of standalone AI security gadgets, with stronger margins. Conclusion: strong benefit / high certainty / relatively more affordable valuation.
Zscaler. Zscaler's core is not a single "AI security product" but extending the Zero Trust Exchange into an AI and data control plane. Its website already places AI Security, AI Asset Management, DSPM, Microsoft Copilot Data Protection, and Security Operations in the same platform catalog. Financially, FY24 revenue was $2.17 billion, up 34% year over year, at a 78% gross margin; FY25 Q2 revenue was $648 million, up 23%, with billings +18% and deferred revenue at $1.88 billion, up 25%. Management states clearly that combining AI with Zero Trust is creating a new growth path for the secure customer use of AI applications. What matters most about Zscaler is not the "model layer" but governance of the enterprise AI usage surface: who can access which AI apps, which data can be fed to Copilot, and which AI assets are discovered and controlled. Conclusion: strong benefit / platform winner / medium-high valuation but still below the hottest names.
Rubrik. Rubrik is not always placed at the center of "AI security" discussions, but it is in fact an important realizer of data security and cyber resilience in the AI era. FY25 Q4 Subscription ARR reached $1.093 billion, up 39% year over year; FY25 total revenue was $887 million, up 41%; by FY26 Q4, total revenue reached $378 million, up 46%. As enterprises feed more critical data to RAG, Copilot, and agents, data recovery, isolation, ransomware resilience, and data-plane governance grow more important, and Rubrik benefits directly from this trend. Its edge: not "blocking every attack," but firmly holding the most valuable data and recovery chain in the AI era. Conclusion: strong benefit / high elasticity / still possibly underestimated.
SentinelOne. SentinelOne is an AI-native challenger worth continued study. FY2026 revenue broke $1 billion, up 22% year over year; ARR reached $1.119 billion, up 22%; $100k+ ARR customers grew to 1,667. More importantly, its FY2026 non-GAAP operating margin turned positive to 3%, showing that the "autonomous security platform" is no longer just a technology narrative but is starting to reflect operating leverage. The company states clearly that its platform is being standardized by frontier AI model builders as well as leading customers across semiconductors, automotive, aviation, finance, and smartphones. Its opportunity: if AI SOC and autonomous security truly become the next-generation workflow, SentinelOne may be one of the few AI-native platforms able to take share of traditional EDR/legacy SOC budgets. The risk is that its scale and ecosystem remain weaker than CRWD/PANW/MSFT. Conclusion: medium-high benefit / high elasticity / higher risk than the leading platforms.
Okta. The point the market most often underestimates about Okta in the near term is that an AI agent is not "just another application" but a new identity subject. Once enterprise agents need to read knowledge bases and call ERP/CRM/Jira/GitHub/browsers and SaaS, they need identity, authentication, permissions, sessions, audit, and lifecycle governance. Okta's FY25 Q4 revenue was $682 million, up 13% year over year; RPO was $4.215 billion, up 25%; cRPO was $2.248 billion, up 15%; FY2026 non-GAAP operating income already reached 26% of total revenue. The current question is only whether these identity security capabilities can be clearly understood by the market as "a necessary part of AI security," and whether Okta gets squeezed from both sides by Microsoft Entra and PANW-Idira. Conclusion: medium-high benefit / expectation-gap candidate / track the cadence of agent identity products.
Check Point. Check Point's AI narrative is not weak: its 2024 20-F already includes Infinity AI Copilot, Infinity GenAI Protect, and Infinity AI Cloud Protect, and specifically mentions an AI cloud infrastructure security collaboration with NVIDIA. Financially, FY2024 revenue was $2.565 billion, up 6% year over year, with a 34% operating margin; Q1 2025 revenue was $638 million, up 7%, with Security Subscriptions revenue up 10% year over year and RPO up 11% year over year. The issue is not a missing product but the still-absent separate disclosure between AI features and financial contribution. So it looks more like a "defensive benefit + solidly priced valuation" combination than a high-elasticity pure AI security trade. Conclusion: medium benefit / high financial quality / AI contribution needs validation.
Datadog. Datadog's importance lies in its placing observability, security, AI workloads, and agent operations on a single data plane. Q1 2026 revenue was $1.006 billion, up 32% year over year, with about 4,550 $100k+ ARR customers; in the same disclosure batch the company mentioned capabilities such as MCP Server, Bits AI Security Agent, and GPU Monitoring. FY2025 revenue was $3.43 billion, up 28% year over year, with a 22% non-GAAP operating margin. Datadog's AI security benefit path leans toward platform absorption: rather than selling "AI security" standalone, it sells runtime, observability, and security together to cloud-native teams as AI workloads grow. The upside is strong platform fit; the downside is that investors find it hard to carve out a separate AI security revenue bucket. Conclusion: platform benefit / relatively expensive valuation / security is not the sole driver.
Cloudflare. Cloudflare has explicitly cast itself as "the platform to connect, protect, and build apps, agents, and the workforce." Q1 2025 revenue was $479 million, up 27% year over year; it landed the first Workers contract over $100 million in company history and signed its longest-tenor SASE contract; as of end-2024, the number of customers with over $100k annualized revenue was 3,497. Cloudflare's opportunity is that it sits simultaneously at several intersections of AI application hosting, network distribution, secure access, browsers, and developer platforms; but to the question "has AI security formed an independent financial contribution," the answer is still on the cautious side. Conclusion: platform benefit / strong narrative / insufficient AI security financial validation.
Microsoft. Microsoft is not a pure security company, but it holds one of the strongest systemic advantages on the AI security control plane. In March 2025 it publicly launched Security Copilot agents for phishing, data security, identity, and other scenarios; in May 2025 it brought agent identities into the Entra and Zero Trust narrative; meanwhile Microsoft disclosed that 230,000+ organizations already use Copilot Studio to build agents and automation, including 90% of the Fortune 500. In other words, Microsoft controls not just the "security market" but the creation entry, identity entry, productivity entry, and data entry for agents. But because both security revenue and AI security revenue are hard to break out separately, MSFT is better suited as a "value-chain profit-pool observation target" than as a pure equity bet on AI security elasticity. Conclusion: platform winner / weaker direct elasticity / extremely high strategic value.
Elastic. Elastic's value lies in security data lake, search, and AI query capabilities rather than near-term AI security revenue disclosure. Q3 FY2026 revenue was $450 million, up 18% year over year, showing its growth as a search and data platform continues. If the AI SOC ultimately evolves into a "security data lake + agent query + investigation graph + automation" model, Elastic theoretically has room to benefit; but as of now, public materials do not indicate that its AI security has financial realization close to PANW/CRWD/ZS. Conclusion: indirect benefit / better suited for comparative study, not for stretching valuation as a pure AI security trade.
Tenable. What is most worth studying about Tenable is not the old story of "vulnerability management" but whether exposure management can extend to AI assets and the AI attack surface. Q1 2025 revenue was $239 million, up 11% year over year; current billings grew 9% year over year; non-GAAP operating margin was 20%; by Q1 2026, revenue was $262 million, up 9.6% year over year, having turned to GAAP operating profit. If the market views AI-SPM as a natural extension of CNAPP/exposure management, Tenable may show an expectation gap; if AI security budgets are mostly swallowed by platforms, it looks more like steady traditional security software. Conclusion: medium benefit / expectation-gap target / continued validation of product extension needed.
Qualys. Qualys's strengths are high margins and steady cash generation, not high-intensity AI security elasticity. Q1 2025 revenue was $159.9 million, up 10% year over year, with GAAP gross margin of 82%, GAAP operating margin of 32%, and Adjusted EBITDA margin of 47%. This financial profile is excellent within security software, but it also means the market sees it more as a mature, cash-flow-driven platform than as a target for AI security re-pricing. Conclusion: defensive benefit / good quality / limited elasticity.
Rapid7. Rapid7 is the most typical case of "with AI here, worry first about integration pressure." FY2025 full-year revenue was $860 million, up only 2% year over year, with ARR of $840 million; more critically, Q1 2026 revenue was $210 million, down 0.3% year over year. Against the backdrop of AI SOC, AI SIEM, platformized XDR, and unified data lakes being rapidly rewritten, a traditional platform that lacks data scale, an identity/data control plane, and strong platform M&A moves easily degrades from a "platform" into a "feature layer." Conclusion: may be disrupted / risk outweighs the benefit logic.
CyberArk. As a standalone public company, CyberArk is no longer appropriate to treat as a separate public-market target, because Palo Alto Networks has completed the acquisition and named its next-generation identity security platform Idira. This event itself matters more than "whether to buy CyberArk": it shows the strategic position of identity security in the AI era has been markedly elevated, and that platform giants are willing to make large acquisitions to bring PAM, machine identity, and agent identity into the main control plane. Conclusion: no longer applicable as a standalone target, but the identity segment's value is reinforced and validated.
The Private Market, Disruption Paths, and Final Judgment
The private market and unlisted directions.
Among private companies, I prefer to focus on directions that "may become acquisition targets, or can lock down a new control point" rather than on generic "AI security startups." The key directions currently confirmable directly from high-confidence public materials include: the Anthropic/MCP ecosystem, OpenAI agent tooling, Portkey (AI gateway, covered by PANW's acquisition announcement), Koi (agentic endpoint, acquired by PANW), and Lakera AI (acquired by Check Point). This shows value concentrating at the protocol layer, the runtime entry, endpoint control, and the intersection of identity and data. It also means that for many private projects the optimal outcome is not a long-term independent IPO but absorption by a large platform.
Based on direction rather than financial disclosure, this report's watchlist of private companies worth continued tracking includes: Prompt Security, Noma Security, Zenity, Astrix Security, Veza, Aembit, Entro Security, Cyera, Normalyze, BigID, Socket, Semgrep, Snyk, Chainguard, Panther, Cribl, Tines, Torq, Island, Cato Networks, Netskope, Abnormal Security, Material Security, Red Canary, Arctic Wolf, and Huntress. Which of these actually become large, durable companies hinges not on "whether they have AI features" but on whether they can seize a strong control point among agent identity, AI gateway, runtime telemetry, RAG permissions, data security, and the autonomous SOC. For this batch, given insufficient high-confidence public financial disclosure this round, no ARR/valuation quantitative ranking is provided.
AI's reconstruction of traditional cybersecurity.
The AI SOC will markedly compress the staffing needs for frontline alert triage, incident summarization, simple investigation, and playbook execution, but it will not eliminate senior analysts, threat hunters, or approval and accountability links; therefore the SOC staffing structure will be rebuilt, but people will not disappear. The product roadmaps of CrowdStrike, Microsoft, Fortinet, and PANW all show the future looking more like a new operating layer of "AI analyst + human approval + platformized data lake" than traditional brute-force staffing.
AI SIEM will not eliminate SIEM, but it will eliminate a large swath of legacy log tools that cannot carry low-cost storage, AI retrieval, cross-domain investigation, and automated response. The truly reconstructed market looks more like "security data lake + semantic retrieval + AI analyst + workflow," so platforms that hold both the data layer and the action layer, such as Elastic, Datadog, CrowdStrike, Microsoft, and PANW, have the edge.
Agentic SOAR will most likely replace the "standalone category" form of traditional SOAR playbook tools. SOAR's value used to lie in connectors and playbooks; future value shifts to goal-driven, context-driven, human-in-the-loop agents with approval. This change is not friendly to traditional SOAR/automation tools, but it is additive for already-in-the-loop platforms such as PANW/CrowdStrike/Microsoft.
AI-SPM will more likely become an extension of CNAPP than a fully independent new platform over the long run; prompt/jailbreak/LLM firewall will more likely become built-in modules of AI application security platforms. Judging from the product roadmaps of PANW, Check Point, Zscaler, and Microsoft, and from PANW's successive M&A moves, the long-run profit pool looks more likely to be absorbed by large security platforms, cloud vendors, and large SaaS security platforms.
Cloud vendors will compress the space for independent cloud security companies, but they will not fully consume the security profit pool. The reason is that cloud vendors excel at building basic visibility and default defenses into the platform, while enterprises will still pay for a unified control plane across clouds, SaaS, identity domains, and data domains. So the greatest danger is not that "security is no longer needed" but that point tools lacking a platform moat get absorbed by native platforms.
The ten public companies most worth continued study. Palo Alto Networks, CrowdStrike, Fortinet, Zscaler, Rubrik, SentinelOne, Okta, Microsoft, Check Point, Datadog.
The ten private/early-stage directions most worth tracking. The Anthropic/MCP ecosystem, OpenAI agent tooling, Prompt Security, Noma Security, Zenity, Astrix, Cyera, Veza, Socket, Chainguard. The first two reflect the direction of the protocol and agent stack; the latter eight are better validated from the angle of "whether they hold a new control point."
The five points the market most easily misreads.
First, product launch is not revenue landing. Almost every platform company is shipping AI security products, but few yet disclose ARR/RPO/module growth.
Second, AI security is not the same as LLM firewall. The real budget center is more likely in identity, data, runtime, and the SOC.
Third, agent security is essentially the re-centering of identity security and data security.
Fourth, the best AI security company is not necessarily the best stock; companies like CrowdStrike, Palo Alto, Datadog, and Cloudflare have strong business logic, but valuation attractiveness does not automatically follow.
Fifth, the AI SOC will replace low-end security services but will also lift the margins of genuinely platform-grade MDR/MSSP; so the divergence among service companies will widen rather than all of them being harmed.
The metrics most worth tracking over the next 6–12 months.
Top priority: separate disclosure of AI-related ARR/module ARR, changes in RPO/cRPO, $100k+ customer counts, platform bundle/Flex contracts, whether AI security features enter the paid tier, real large-customer cases tied to agents/AI, and cross-selling after M&A integration. At this stage, Fortinet's Security Operations ARR, PANW's NGS ARR, CrowdStrike's platform ARR, Okta's RPO/cRPO, Rubrik's subscription ARR, and SentinelOne's ARR and large-customer count are the quantitative metrics most worth continuing to watch.
Final conclusion.
AI cybersecurity's importance within the AI value chain has risen to an infrastructure-level position that "determines whether an enterprise can scale AI into production." In the near term, AI SOC / AI SIEM / XDR / SASE / identity security deliver first; over the medium term, what truly re-rates the security industry is agent identity and permissions, AI-SPM, RAG/AI data security, AI runtime/AI gateway, and MCP/tool governance. Among public companies, those most worth prioritizing for further research are PANW, CRWD, FTNT, ZS, RBRK, S, OKTA, MSFT, CHKP, DDOG; the first five are better viewed through "AI security revenue elasticity and platform position," and the latter five through "control-plane value and expectation gaps." On the private side, the focus is not betting on "who will build a standalone LLM firewall" but betting on who can seize the key junctures of agent connection, identity, data, runtime, and audit.
A narrower follow-up research direction. If I had to pick only one direction to keep digging, I would prioritize agent security and agent identity security; if two, I would add RAG/AI data security. The reason is that these two directions are the most likely to simultaneously satisfy five conditions: "net-new budget," "high stickiness," "high moat," "the strongest platform convergence," and "a future M&A hotspot."
Open questions and limitations. This report has tried to use high-confidence public materials current as of today, but three categories of items still need further validation: first, many companies have shipped AI security products yet have not separately disclosed AI security revenue/ARR; second, some Chinese, European, Israeli, and private-market companies have insufficient public financial disclosure and are therefore not included in the quantitative scoring; third, agent/MCP standards and enterprise procurement frameworks are still evolving quickly, and product pricing and contract structures over the next 2–4 quarters may significantly change this report's judgment on single-point tools versus platform winners.
This report is based on public information and does not constitute investment advice. Markets carry risk; invest with caution.
Full report
Sign in to read the full report
Sign up free to unlock the full text, the Baillie growth scorecard, and full-text search.
Log in / Sign up free