Analysis

A data-platform incumbent pushing down the stack into security creates asymmetric pressure: companies that control telemetry and storage can undercut per-ingest economics and capture higher-margin orchestration services. Expect a 20–40% effective TCO hit for legacy SIEM/ingestion business models over 12–36 months as customers re-evaluate recurring license and egress fees and favor architectures that minimize cross-vendor telemetry duplication. Second-order winners are orchestration and process vendors that become the glue for mixed security estates — firms that sell SOAR/process workflows or catalog/governance layers can increase wallet share even as detection/EDR margins compress. Incumbent gatekeepers of identity and network stacks (Okta/Zscaler/Palo Alto-style adjacencies) can either monetize telemetry flows via preferred integrations or be forced into reseller/partner economics; vendors who can sell embedded prevention or high-value incident response services will see lower elasticity of demand. Key risks and catalysts: near-term noise (wins, previews, partner logos) can move sentiment in days, but durable revenue share shifts need 12–36 months of enterprise pilots, procurement cycles, and SIEM-to-data-platform migrations. Reversal can come from two places — (1) poor execution on multi-tenant security primitives (false positives, model hallucinations, compliance hurdles) that slow adoption, or (2) coordinated incumbent counteroffers (bundle pricing or exclusive OEMs) that restore legacy economics within 6–18 months.