Analysis

This new class of continuous external discovery will shift spend from periodic penetration testing toward always-on telemetry that feeds asset inventories and automation workflows. Expect procurement cycles to compress from enterprise pilot to procurement in 3-9 months, but meaningful ARR recognition for platform vendors will materialize over 6-18 months as discovery becomes a gating input to cloud-security posture and remediation toolchains. Second-order winners are platform vendors that can convert discovery signals into closed-loop remediation (identity, endpoint, CASB/CSPM) — they capture both discovery spend and downstream remediation ARR; legacy perimeter appliance vendors are at risk of 3-6% annual revenue erosion in their enterprise installed base as buyers reallocate budget to SaaS-based continuous controls over 2-4 years. Managed security providers and bug-bounty marketplaces win near-term professional services revenue, but face margin pressure as customers automate discovery→remediation. Key risks: easy visibility increases noise — higher false-positive rates will drive vendor differentiation around signal-to-noise and automation (SOAR) integrations; if vendors under-deliver on remediation automation, churn will rise and multiple compression could follow within 12 months. Regulatory and legal pushback on aggressive mass scanning is a non-linear tail risk (weeks → months to crystallize) that could curtail some techniques or force product changes, temporarily slowing enterprise adoption. Contrarian: the market is biased toward small pure-play EASM names being the winners; we think the more likely consolidation path benefits larger cloud/security platform vendors that bundle discovery as a feature, not a standalone TAM. That makes platform leaders preferable to speculative small-caps — the trade is about capture of cross-sell economics, not raw discovery volume alone.