Analysis

Cybersecurity spend is shifting from box-sales and one-off projects to recurring, telemetry-driven services (SASE, XDR, identity) — that tilts durable economics toward cloud-native vendors and identity providers that can sustain >120% gross dollar retention. Over the next 12–24 months expect customers to reallocate 5–15% of legacy firewall/appliance budgets into cloud-delivered controls and identity, creating a bifurcation: high-growth ARR names with meaningful gross retention win, hardware-heavy vendors see slower top-line and margin compression. Second-order winners include MSSPs, managed XDR players and cloud hyperscalers who monetize additional security primitives; losers include appliance OEMs and lagging integrators that depend on capital refresh cycles. Regulatory catalysts — EU/US privacy rules and mandatory breach disclosure windows — create discrete 6–18 month events that increase compliance spending and accelerate migration to vendors who can prove data residency and auditability. Valuation and liquidity are the immediate frictions. The market has partially priced in steady 20%+ ARR growth for many names; what isn’t priced is margin/FCF convergence or a large breach that reallocates spend within 60–90 days. That creates a tradable setup where the trade-off is between durable ARR + retention (pay up) versus high-growth names without margin expansion (short or hedge). Time horizon: tactical swings (earnings, breaches) in weeks–months; structural reallocation across infrastructure in 12–36 months.