<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Chasing Polaris - Wickey's blog: Cyber Talk]]></title><description><![CDATA[Deep dives into the companies, technologies, and market forces reshaping enterprise security and AI. Each piece traces how a company got built, why a market shifted, or what a trend actually means, written by someone who has spent fifteen years inside the systems these companies are trying to protect.]]></description><link>https://wickey.substack.com/s/cyber-talk</link><image><url>https://substackcdn.com/image/fetch/$s_!s0xb!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c613d43-fd41-4bdb-bb7b-a5ca0e1b1aac_590x590.png</url><title>Chasing Polaris - Wickey&apos;s blog: Cyber Talk</title><link>https://wickey.substack.com/s/cyber-talk</link></image><generator>Substack</generator><lastBuildDate>Mon, 15 Jun 2026 16:37:14 GMT</lastBuildDate><atom:link href="https://wickey.substack.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Wickey Wang]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[wickey@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[wickey@substack.com]]></itunes:email><itunes:name><![CDATA[Wickey Wang]]></itunes:name></itunes:owner><itunes:author><![CDATA[Wickey Wang]]></itunes:author><googleplay:owner><![CDATA[wickey@substack.com]]></googleplay:owner><googleplay:email><![CDATA[wickey@substack.com]]></googleplay:email><googleplay:author><![CDATA[Wickey Wang]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Cyber Talk-8 War Inside the Browser - Part 
II]]></title><description><![CDATA[Why Browser Security Became the Next Enterprise Battleground]]></description><link>https://wickey.substack.com/p/war-inside-the-browser-part-ii</link><guid isPermaLink="false">https://wickey.substack.com/p/war-inside-the-browser-part-ii</guid><dc:creator><![CDATA[Wickey Wang]]></dc:creator><pubDate>Mon, 25 May 2026 22:21:54 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!yumu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44e5c54e-b559-44b2-a3fb-6d871fe788ab_1260x856.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!yumu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44e5c54e-b559-44b2-a3fb-6d871fe788ab_1260x856.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!yumu!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44e5c54e-b559-44b2-a3fb-6d871fe788ab_1260x856.png 424w, https://substackcdn.com/image/fetch/$s_!yumu!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44e5c54e-b559-44b2-a3fb-6d871fe788ab_1260x856.png 848w, https://substackcdn.com/image/fetch/$s_!yumu!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44e5c54e-b559-44b2-a3fb-6d871fe788ab_1260x856.png 1272w, https://substackcdn.com/image/fetch/$s_!yumu!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44e5c54e-b559-44b2-a3fb-6d871fe788ab_1260x856.png 1456w" 
sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!yumu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44e5c54e-b559-44b2-a3fb-6d871fe788ab_1260x856.png" width="1260" height="856" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/44e5c54e-b559-44b2-a3fb-6d871fe788ab_1260x856.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:856,&quot;width&quot;:1260,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:2254268,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://wickey.substack.com/i/199249965?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44e5c54e-b559-44b2-a3fb-6d871fe788ab_1260x856.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!yumu!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44e5c54e-b559-44b2-a3fb-6d871fe788ab_1260x856.png 424w, https://substackcdn.com/image/fetch/$s_!yumu!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44e5c54e-b559-44b2-a3fb-6d871fe788ab_1260x856.png 848w, https://substackcdn.com/image/fetch/$s_!yumu!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44e5c54e-b559-44b2-a3fb-6d871fe788ab_1260x856.png 1272w, 
https://substackcdn.com/image/fetch/$s_!yumu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F44e5c54e-b559-44b2-a3fb-6d871fe788ab_1260x856.png 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><h2><strong>Chapter Seven: What Attackers Already Knew</strong></h2><p>Let&#8217;s think about this from the attacker&#8217;s perspective. You want to attack a large enterprise. It has a firewall, EDR, MFA, SIEM, and a SOC. 
It&#8217;s built an increasingly sophisticated defensive architecture over the past twenty years.</p><p>But you notice one thing: every employee spends eight hours a day working inside a browser. They log into all their systems there, handle sensitive data there, install extensions there, use ChatGPT there. You also notice that their browsers contain password managers storing all their login credentials; session cookies that, if obtained, bypass passwords and MFA entirely to access their accounts; and dozens of extensions, each claiming permission to &#8220;read and change all data on websites you visit.&#8221;</p><p>And you notice: nobody is protecting this place.</p><p>No EDR monitoring what happens inside the browser. No DLP detecting data leaking through prompt text. No tool telling the enterprise that an employee just pasted an entire customer contract into a personal ChatGPT account. Nothing that knows immediately when a session token is stolen, nothing that can immediately revoke that token.</p><p>At RSAC 2026, Sandra Joyce, Vice President of Google Threat Intelligence, cited a number that stopped the audience: the median time between initial access and handoff to a secondary threat group has collapsed from more than eight hours in 2022 to just 22 seconds in 2025. The figure comes from Mandiant&#8217;s M-Trends 2026 report, which analyzed over 500,000 hours of incident response investigations.</p><p>Twenty-two seconds. What is the human response speed? On this particular battlefield, the browser, the answer is: too slow.</p><h2><strong>Chapter Eight: Why It Exploded Now</strong></h2><p>The problem existed long before 2026. 
So why did it explode into an acquisition wave now? Several factors converged simultaneously.</p><p>First: the arrival of AI Agents elevated browser risk from &#8220;serious&#8221; to &#8220;paradigm-shifting.&#8221; When AI Agents begin acting inside browsers on humans&#8217; behalf, navigating webpages, filling forms, submitting requests, they create a new security problem: a hijacked AI Agent looks identical to a legitimate one. You can&#8217;t use the traditional &#8220;is this known malware?&#8221; test to determine whether an operating Agent has been compromised. It has a legitimate session, is operating within normal applications, and is using real credentials.</p><p>Vulnerabilities documented by researchers in the second half of 2025 foreshadow this threat: a &#8220;CometJacking&#8221; vulnerability discovered by LayerX allowed attackers to hijack Perplexity&#8217;s Comet browser by crafting specific URL parameters, stealing users&#8217; email and calendar data; OpenAI&#8217;s Atlas contained a CSRF flaw enabling attackers to &#8220;poison&#8221; the AI&#8217;s long-term memory with malicious instructions that persist across sessions; and Google researchers identified a &#8220;task injection&#8221; attack against OpenAI Operator that could convince an AI Agent to treat a malicious sub-task as a legitimate part of the user&#8217;s original goal.</p><p>Second: the Cyberhaven incident forced the industry to confront a problem it had long avoided, that extensions themselves are an attack vector. Not downloaded files. Not network traffic. The tools you already trusted and installed.</p><p>Third: acquisition window timing. Island had completed a $250 million Series E in 2025 at a valuation approaching $5 billion, making it the largest independent company in browser security, but also too expensive for easy acquisition. 
Seraphic, SquareX, and LayerX were all still at acquirable scale, and each offered technical capabilities that large platform vendors wanted but couldn&#8217;t build quickly themselves.</p><p>These three factors together created an acquisition wave, three deals in three months, that the industry had never seen before in this specific segment.</p><h2><strong>Chapter Nine: Two Different Answers</strong></h2><p>CrowdStrike and Zscaler acquired different companies, and while the market sometimes describes them as competitors, they were solving different problems.</p><p>Seraphic&#8217;s core technology is runtime protection. It injects a lightweight JavaScript agent into browser sessions to monitor execution behavior, specializing in defense against the most technically sophisticated attacks: heap spraying, sandbox escapes, memory corruption. It also uses &#8220;moving target defense&#8221;, continuously randomizing the browser&#8217;s memory structure to deny attackers a stable exploitation foothold. CrowdStrike CEO George Kurtz described the acquisition&#8217;s intent in one sentence: &#8220;By decoupling security from the browser itself, we can make any browser a secure enterprise browser without forcing users to change habits or sacrifice productivity.&#8221;</p><p>In plainer terms: EDR has always monitored the endpoint. Seraphic lets it also see what happens inside the browser. Both sources of telemetry converge in Falcon, building a more complete view of attack chains.</p><p>SquareX&#8217;s approach is closer to what Zscaler was already doing: a browser extension running on top of whatever Chrome or Edge the user already uses, delivering in-browser DLP, malicious extension detection, dynamic content isolation, and real-time behavioral monitoring. It works on both managed and BYOD devices, requires no browser replacement, and requires no change in user habits. 
Zscaler&#8217;s logic: we already control how users connect to applications, SquareX lets us also control what they do inside those applications.</p><p>Both approaches are reasonable. Their differences reflect their starting points, not a question of right and wrong: one extends inward from the endpoint, one extends inward from network access control. Different enterprises, different existing security stacks, different primary pain points will lead to different choices.</p><p>But one critical voice deserves to be recorded separately. Push Security&#8217;s research directly challenges a fundamental assumption underlying the whole category: if CrowdStrike&#8217;s own 2026 Global Threat Report shows that 82% of detections are now malware-free, meaning attackers don&#8217;t rely on malicious files at all, using stolen credentials, hijacked sessions, and abused OAuth permissions instead, then all browser security solutions focused on detecting malicious code are protecting against a shrinking threat category.</p><p>The attacks that cause major breaches are identity theft, credential abuse, and session hijacking. They happen inside trusted browser sessions, using legitimate authentication flows, generating no malicious code. Traditional security tools, including many &#8220;browser security&#8221; solutions, are blind to them.</p><p>This debate has no clean resolution. But it offers a useful check: before purchasing any &#8220;browser security&#8221; product, the most important question isn&#8217;t &#8220;what does this product do?&#8221;, it&#8217;s &#8220;what are the actual threats I&#8217;m facing?&#8221;</p><h2><strong>Chapter Ten: Five Answers, None Complete</strong></h2><p>The browser security market today can be divided into roughly five directions. Each has its logic. Each has its limits.</p><p>The first direction is replacing the browser. Island takes this path. 
The argument is clear: Chrome and Edge were never designed for enterprise use; you should deploy a purpose-built enterprise browser with integrated DLP, access controls, session recording, and data governance. Island founder Michael Fey argues that &#8220;bringing a consumer browser to the workplace is an obsolete concept&#8221;, and he&#8217;s not wrong. But Gartner analyst Max Taggett is also right: &#8220;For decades, most organizations have been unable to mandate a single browser for productivity or security reasons. The emergence of secure enterprise browsers does not change this reality.&#8221;</p><p>With Perplexity launching Comet, ChatGPT launching Atlas, and other AI companies following suit, end users want more browsers, not fewer. Getting every employee in a large enterprise to use only Island faces the same enforceability challenges as requiring everyone to use only a company-issued phone.</p><p>The second direction is layering security on top of whatever browser the user already has. SquareX and LayerX take this path. No browser change required, install an extension to gain visibility and control. Lowest friction, fastest deployment. The problem: the extension itself can become an attack target. Cyberhaven was a company that built a security extension; its extension was hijacked and weaponized. You&#8217;re using an extension to protect the browser, but who protects the extension?</p><p>The third direction is runtime injection protection, focused on stopping exploits. Seraphic, now part of CrowdStrike, takes this path. It targets the most technically sophisticated attacks: zero-days, memory corruption, sandbox escapes. Critics note that these attacks are increasingly rare in enterprise environments, why exploit a Chrome memory vulnerability when you can phish the user&#8217;s password or hijack their session?</p><p>The fourth direction is Remote Browser Isolation. 
Menlo Security and Cloudflare Browser Isolation represent this approach&#8217;s extreme end: all web content executes inside cloud-hosted sandboxes; the user&#8217;s device receives only a safe rendered visual stream. Malicious code never touches the user&#8217;s device. Theoretically most complete. In practice, latency and user experience costs make wide deployment extremely difficult. Typically limited to highest-risk specialized scenarios, teams handling classified information, for example.</p><p>The fifth direction, and currently the most contested, is solving browser security at the identity layer. Push Security&#8217;s logic: the truly dangerous things in the browser happen after authentication, inside legitimate sessions. Detecting credential abuse, identifying hijacked sessions, blocking OAuth permission misuse, these are what actually prevent the majority of major breaches. No specialized browser needed, no complex extension needed. What&#8217;s needed is continuous monitoring of identity behavior inside the browser.</p><p>No single direction is a complete answer. If forced to offer practical guidance: understand your specific threat environment first, then make your selection from there, rather than chasing whichever direction just made news.</p><h2><strong>Chapter Eleven: Can You Get a Billion People to Abandon Chrome?</strong></h2><p>This is the least seriously examined question in all of browser security discussion. It may be the most important one. Because buried in every conversation about secure enterprise browsers is an assumption that keeps getting skipped: you need people to actually use it.</p><p>Here&#8217;s a fact: Chrome holds more than 65% of the global browser market today. Not because Google forced anyone to use it. Because Chrome&#8217;s speed, ecosystem, and cross-device sync led hundreds of millions of people, at some point after 2008, to set it as their default browser and never look back. 
That choice was voluntary, personal, almost emotional.</p><p>The browser is the most personal productivity tool that exists. Not because people have particularly strong brand loyalty to any browser, but because so much lives inside a browser: years of accumulated bookmarks, stored passwords, a carefully tuned suite of extensions, muscle memory around which tabs go in which order, multiple account profile configurations, the rhythm of switching between different contexts.</p><p>Switching browsers isn&#8217;t switching an application. It&#8217;s rebuilding an entire digital work environment.</p><p><strong>History Has Already Given Its Answer.</strong> There&#8217;s a relevant episode from history.</p><p>In the early 2000s, Internet Explorer held more than 95% of the browser market. Microsoft believed it could permanently lock in users through Windows bundling and enterprise IT policy. They were wrong. Firefox cracked the market open through a better user experience. Chrome accelerated IE&#8217;s collapse. And the final outcome was this: even with Microsoft controlling operating system distribution, even with large enterprise IT environments explicitly requiring IE, users voted with their feet and quietly installed Chrome anyway.</p><p>That history carries an uncomfortable conclusion: if even the force of Microsoft&#8217;s OS distribution couldn&#8217;t hold a browser&#8217;s market share, what are the odds that an enterprise IT team, armed only with security policy, can drive broad adoption of a browser users have no organic reason to install?</p><p>Gartner&#8217;s October 2025 report delivered the clearest judgment on this question. The report&#8217;s title is itself a position statement: &#8220;Focus on Securing Browsers, Not Forcing a Secure Browser.&#8221; The text reads: &#8220;For decades, most organizations have been unable to mandate a single browser for productivity or security reasons. 
The emergence of secure enterprise browsers does not change this reality.&#8221;</p><p>This doesn&#8217;t mean Island-class enterprise browsers have no value &#8212; they do, in specific scenarios, which we&#8217;ll come to. But Gartner&#8217;s point is: if your strategy depends on migrating your entire workforce to one specific browser, you should ask yourself a hard question before you start deploying: has any company actually accomplished this?</p><p><strong>AI Browsers Make the Problem More Complex.</strong> While security teams are still debating whether to push Island adoption, the external environment has already shifted again.</p><p>In 2025, Perplexity launched Comet, an AI browser with deep search engine integration. OpenAI launched Atlas. Other AI companies followed. These aren&#8217;t just &#8220;better versions of Chrome.&#8221; They offer fundamentally new ways of working: Agents help you navigate websites, synthesize information across tabs, fill forms, book meetings, organize emails on your behalf.</p><p>Employees tried these browsers. They liked them. Security teams now face something more complicated than the binary &#8220;employees want Chrome, we want them to use Island.&#8221; The new reality: employees want to use Comet for AI work, Chrome for personal browsing, and are required to use Island for security-compliant tasks &#8212; which means three browsers, three account systems, three extension ecosystems, three data stores. Not simplification. Exponential complexity.</p><p><strong>So Who Are Enterprise Browsers Actually For?</strong> That said, enterprise browsers aren&#8217;t without a path. They have clear value in specific scenarios, and those scenarios are real.</p><p>Highly regulated work environments. Bank trading floors, hospital clinical systems, government classified environments, call centers. What these share: highly standardized work tasks, finite and clearly defined activities, strong compliance requirements. 
In these settings, Island can be deployed as a &#8220;work isolation zone&#8221;, employees complete all work-related operations in Island, personal Chrome browsing stays separate, with clean boundaries between the two account systems and data flows. This is logically workable and there are real deployments.</p><p>Contractor and third-party access. Enterprises can&#8217;t install EDR on external contractors&#8217; devices, but they can require access to enterprise systems through Island or Prisma Access Browser. This places a controlled, auditable access layer on top of their personal devices without requiring anything at the device level. Friction here is much lower than requiring all employees to switch browsers, because contractors already expect &#8220;use a specific tool to access this.&#8221;</p><p>VDI replacement. Many enterprises use virtual desktop infrastructure to isolate high-risk work environments, but VDI is expensive and delivers a poor user experience. Enterprise browsers can substitute for VDI in some scenarios, delivering similar isolation-level control on local devices while maintaining normal browsing performance. The economics of this substitution are compelling.</p><p><strong>Failed Adoption Explains the Market.</strong> There&#8217;s a reverse logic worth noting here. If enterprise browsers could achieve broad full-workforce deployment, CrowdStrike wouldn&#8217;t need to spend heavily acquiring Seraphic, and Zscaler wouldn&#8217;t need SquareX. They could partner with Island or build their own enterprise browser.</p><p>Instead they chose a different path: layering security on top of whatever browser employees already use. That choice is itself a judgment, they don&#8217;t believe they can get enterprise employees to switch browsers, so they chose to protect the browsers employees are already using.</p><p>In security industry terms, this is a shift from prescriptive to adaptive security strategy. 
Prescriptive strategy tells users &#8220;you should use this tool.&#8221; Adaptive strategy asks &#8220;what are users actually using, and how do we provide security there?&#8221;</p><p>Historically, every shift from prescriptive to adaptive security has happened after prescriptive approaches failed enough times. Email security wasn&#8217;t solved by mandating specific email clients, it was solved by adding filtering and detection to email traffic. Endpoint security wasn&#8217;t solved by requiring a specific operating system, it was solved by running agents on any device.</p><p>Browser security is going through the same transition.</p><p><strong>Two Philosophies, No Right Answer.</strong> So I don&#8217;t see this as Island being wrong and SquareX being right, or the reverse. This is a philosophical dispute about how enterprise security should work.</p><p>Island believes: if you create a controlled environment that&#8217;s good enough and secure enough, users will accept it, especially when their work already happens in a browser anyway. Island&#8217;s counterargument: VDI also &#8220;requires employees to use a specific environment,&#8221; and it has survived in high-control settings for decades. An enterprise browser is just a lighter, faster version.</p><p>SquareX/LayerX believe: user autonomy is harder to move than security team control instincts, and rather than trying to change users&#8217; tool choices, you should build guardrails inside their choices. The cost of this approach: the security layer sits on top of an environment you don&#8217;t fully control, always with a risk of being circumvented.</p><p>Both philosophies have merit. They suit different organizational cultures, different security maturity levels, different work scenarios. 
But one thing is certain: if the success of your browser security strategy depends entirely on getting fifty thousand employees to uniformly abandon Chrome, you need a Plan B.</p><h2><strong>Chapter Twelve: What Comes Next</strong></h2><p><strong>The browser security industry today most resembles the cloud security market of 2012. At that point, most enterprises were just beginning to migrate workloads to AWS. Cloud security as a category was new; nobody knew who the eventual winners would be. Multiple different approaches competed simultaneously. Substantial consolidation was underway. Many directions ultimately proved to be wrong. Browser security today is similar, but complicated by several new variables that are harder to handle.</strong></p><p><strong>The largest variable is AI Agents. When Agents begin executing tasks inside browsers, logging in on humans&#8217; behalf, filling forms, submitting requests, traditional &#8220;user behavior analysis&#8221; loses meaning, because Agent behavior patterns are fundamentally different from human behavior patterns, and a hijacked Agent looks identical to one working normally. How to identify whether an operating Agent has been adversarially manipulated is the field&#8217;s most pressing unanswered question.</strong></p><p><strong>The second variable is platform consolidation pressure. CrowdStrike, Zscaler, and Palo Alto Networks are becoming increasingly comprehensive security platforms. When budgets tighten, CISOs tend to consolidate vendors, not because the consolidated platform beats the best point solution, but because consolidation reduces total cost, management complexity, and friction between tools. This creates pressure on still-independent browser security companies. Island is the largest of them, valued at $5 billion, and analysts widely predict it is the next major acquisition target.</strong></p><p><strong>The third variable is the evolution of attacks like ConsentFix. 
ClickFix makes users execute malicious commands themselves. ConsentFix goes further, it makes users grant application access permissions to attacker-controlled apps through what appears to be a legitimate OAuth authorization interface. The user simply clicks an &#8220;Authorize&#8221; button, executes nothing suspicious, but the result is the same: the attacker has account access. As attackers continue to refine techniques that abuse legitimate workflows, the difficulty of defense keeps rising.</strong></p><h2><strong>Epilogue: A Glass Hall, and a Question Without an Answer</strong></h2><p>Let me return to the metaphor. The bank has security guards, a vault, surveillance cameras, and access controls. But the lobby walls are glass. Transparent. Bidirectional. Always open. Employees do all their work here, approving transactions, accessing customer data, communicating with colleagues, logging into every system. An attacker standing outside the glass can see everything happening inside. Sometimes they don&#8217;t even need to break through, they just wait for an employee to walk out, then take their keys.</p><p>For twenty years, we&#8217;ve been thickening the vault door, encrypting the surveillance signals, upgrading the guards&#8217; equipment. The glass lobby stood there the whole time. Nobody felt the need to address it, because work happened there and replacing it seemed too disruptive.</p><p>Now, attackers are no longer content to stand outside the glass and watch. They&#8217;ve started walking in, sometimes disguised as maintenance workers, sometimes using keys an employee left outside, sometimes waiting for an employee to step out and hand them a document that looks harmless, asking them to sign it.</p><p>Three acquisitions are a signal: the industry has finally started taking this glass wall seriously. But how to reinforce it, where to reinforce it, with what technology, these questions are far from settled.</p><p>We are in the middle of this story. 
Not at the end.</p><p><em>check more in the <a href="https://wickey.substack.com/s/cyber-talk">cyber talk session</a></em></p>]]></content:encoded></item><item><title><![CDATA[Cyber Talk-8 War Inside the Browser - Part I]]></title><description><![CDATA[How the Browser Became the Operating Layer of Enterprise Work]]></description><link>https://wickey.substack.com/p/war-inside-the-browser-part-i</link><guid isPermaLink="false">https://wickey.substack.com/p/war-inside-the-browser-part-i</guid><dc:creator><![CDATA[Wickey Wang]]></dc:creator><pubDate>Mon, 25 May 2026 22:19:34 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!_MkP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5482df9a-deb5-4db0-abaa-52a05d54ace3_818x550.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>For almost twenty years, enterprise security operated on a simple assumption: work happened inside managed corporate environments. That assumption quietly collapsed. SaaS moved workflows into browsers. Remote work dissolved device boundaries. AI accelerated data movement across unmanaged sessions. The browser didn&#8217;t suddenly become important. It became the place where modern enterprise work actually happens.</p><h2><strong>Christmas Eve</strong></h2><p>December 24, 2024. Christmas Eve. Most security teams had already shifted to holiday skeleton-crew mode. Everyone who could had gone home.</p><p>Sometime that day, an email landed in the inbox of an employee at Cyberhaven. It appeared to come from Google, official-sounding, urgent: your published Chrome extension is in violation of store policies and will be forcibly removed unless you act immediately.
For any developer who takes their product seriously, this is exactly the kind of notice that triggers immediate action.</p><p>The employee clicked the link. The page redirected to what looked like an authentic Google OAuth authorization interface. He had already enabled multi-factor authentication and was enrolled in Google&#8217;s Advanced Protection program: he had followed every best practice the security team had ever preached. He authorized an application called &#8220;Privacy Policy Extension&#8221; to access his account.</p><p>Authorization complete. He probably assumed he&#8217;d just resolved a compliance issue and went back to his holiday. The attacker now had his Chrome Web Store developer credentials.</p><p>At 1:32 AM UTC on Christmas Day, the malicious version, v24.10.4, was quietly uploaded. Chrome&#8217;s auto-update mechanism, the system designed to ensure users always run the latest, most secure version, went to work immediately. It pushed this new version to every enterprise user who had Cyberhaven&#8217;s extension installed. No warning. No prompt. Completely silent. Working exactly the way it was supposed to work.</p><p>By 11:54 PM UTC on Christmas Day, Cyberhaven&#8217;s security team detected the anomaly. Within 60 minutes they had pulled the malicious version and published a clean v24.10.5. But 60 minutes was enough. The cookies and session tokens of roughly 400,000 enterprise users had already been transmitted to servers the attackers controlled.</p><p>This wasn&#8217;t the end of the story; it was the beginning of a much larger one. Investigators subsequently found that the same group of attackers had, using the same method, compromised another 35 Chrome extensions that same month, affecting a combined 2.6 million users. They used almost no technical sophistication.
What they used was trust, trust in legitimate workflows, trust in official-looking interfaces, trust in the assumption that &#8220;I already have MFA so I should be safe.&#8221;</p><h2><strong>A Problem Forgotten for Twenty Years</strong></h2><p>Almost exactly one year after the Cyberhaven incident, across the three months straddling late 2025 and early 2026, the cybersecurity industry seemed to collectively wake up to something.</p><p>On January 13, 2026, CrowdStrike announced the acquisition of Israeli browser security company Seraphic Security for approximately $400 million. Three weeks later, Zscaler acquired Singapore-based SquareX, terms undisclosed. In May 2026, Akamai announced the acquisition of LayerX for $205 million.</p><p>Three months. Three deals. Three browser-focused security companies absorbed by three different industry giants. No other segment had triggered consolidation this dense, this fast.
The concentration of acquisitions suggested something broader: large security platforms increasingly viewed the browser as a critical control and visibility layer for the modern enterprise.</p><p>But the underlying problem wasn&#8217;t new. Let me take you back twenty years and trace how we got here, because understanding what&#8217;s happening now requires understanding what assumptions we built everything on, and how those assumptions failed, one by one.</p><p>Because the piece is long, Part I covers Chapters One to Six this week, and Part II will cover the rest next week. I also made a small video here for your convenience:</p><p><em><strong>Part I (This week):</strong></em></p><ul><li><p><em>Chapter One: The Castle and the Moat</em></p></li><li><p><em>Chapter Two: The Migration of Work</em></p></li><li><p><em>Chapter Three: The Pandemic Opens Another Window</em></p></li><li><p><em>Chapter Four: ChatGPT Sets Off the Powder Keg</em></p></li><li><p><em>Chapter Five: Shadow SaaS and AI: Nobody Knows What Employees Are Logged Into</em></p></li><li><p><em>Chapter Six: ClickFix, or: Your Own Hands</em></p></li></ul><p><em><strong>Part II (Next week):</strong></em></p><ul><li><p><em>Chapter Seven: What Attackers Already Knew</em></p></li><li><p><em>Chapter Eight: Why It Exploded Now</em></p></li><li><p><em>Chapter Nine: CrowdStrike and Zscaler M&amp;A: Two Different Answers</em></p></li><li><p><em>Chapter Ten: Five Answers on the market, None Complete</em></p></li><li><p><em>Chapter Eleven: Can You Get a Billion People to Abandon Chrome? Failed Adoption Explains the Market Two Philosophies, No Right Answer</em></p></li><li><p><em>Chapter Twelve: What Comes Next</em></p></li><li><p><em>Epilogue: A Glass Hall, and a Question Without an Answer</em></p></li></ul><h2><strong>Chapter One: The Castle and the Moat</strong></h2><p>In the early 2000s, enterprise cybersecurity had a satisfying clarity to it.
The logic was simple: you had an internal network, your servers, your data, your employees, and outside it was the internet, where the bad guys lived. Your job was to build a wall between them, a firewall, and hold it.</p><p>Employees worked in the office. They accessed ERP systems over the internal network. Data lived on your servers, under your control. The browser was a minor utility in this picture, something you used to look things up or occasionally visit an external site. Security teams barely thought about it. In the playbooks of that era, the browser ranked alongside the calculator and the notepad: just another application you patched on a schedule.</p><p>This model was reasonable. It worked against the threats it was designed to face. Then, around 2015, it started to crack.</p><h2><strong>Chapter Two: The Migration of Work</strong></h2><p>Salesforce was the first crack. Customer data was no longer on your server, it was in Salesforce&#8217;s cloud. Then came Slack, internal communications no longer lived on your network, they lived on Slack&#8217;s servers. Google Workspace and Office 365 followed, pulling documents, email, and calendars out of the internal network and into browser tabs.</p><p>The migration happened quietly. No one announced on a specific day: &#8220;from now on, work no longer happens on the intranet.&#8221; It was incremental, one new SaaS tool purchased here, one new employee habit formed there.</p><p>But the cumulative effect was fundamental. By 2020, the first thing a typical knowledge worker did when they opened their laptop was open Chrome. Increasingly, enterprise workflows, collaboration, and identity interactions were happening inside browser sessions: CRM, project management, internal communications, financial approvals, and code repositories.</p><p>Security teams continued strengthening the traditional stack: CASB at the network perimeter, anti-phishing filters in email, EDR on endpoints, MFA in the identity layer. 
But many of these controls were originally designed around the assumption that enterprise activity could still be governed primarily through networks, managed devices, and centralized systems.</p><p>The challenge was no longer limited to crossing the perimeter. Increasingly, enterprise identity, workflow, and data movement were already happening inside the browser itself.</p><h2><strong>Chapter Three: The Pandemic Opens Another Window</strong></h2><p>In March 2020, COVID-19 pushed hundreds of millions of office workers back into their homes. The security implications weren&#8217;t fully understood at the time.</p><p>The most visible consequence was an explosion of demand for VPN capacity. But the deeper, quieter consequence was this: employees started using personal computers to access enterprise systems. Using personal browser profiles to store enterprise passwords. Sharing files from personal Google Drive accounts in company Slack channels. Two worlds, work and personal, began to thoroughly intermingle inside the browser.</p><p>Today&#8217;s numbers reflect that collapse: 62% of employees use unmanaged devices to access enterprise data. On 45% of enterprise devices, the browser is running under a personal profile, not a corporate one.</p><p>In practice, a growing portion of enterprise work now happens across environments that are difficult to consistently govern through traditional visibility models alone, especially when personal devices, unmanaged browsers, and personal SaaS accounts become intertwined with enterprise workflows.</p><p>Security teams were aware of the issue, but solving it often meant navigating difficult tradeoffs between security, usability, employee flexibility, and operational practicality. In many organizations, the challenge remained partially unresolved as browser-centric workflows continued to expand.</p><h2><strong>Chapter Four: ChatGPT Sets Off the Powder Keg</strong></h2><p>In November 2022, OpenAI released ChatGPT. 
On the surface, this had nothing to do with browser security. But it set off a chain reaction.</p><p>Employees started using ChatGPT constantly, pasting in draft contracts, asking for code review, requesting help with client emails. All of this happened in the browser, completely outside the enterprise security perimeter. Clearwater Analytics CISO Sam Evans recalled in an interview that in October 2023, his board asked him: &#8220;What&#8217;s your view on ChatGPT?&#8221; His answer: &#8220;It&#8217;s an incredible productivity tool, but I have no idea how we let employees use it safely, because my biggest worry is someone pasting in customer data or source code.&#8221;</p><p>His worry was correct. But stopping employees from using ChatGPT was roughly as feasible as stopping them from drinking water.</p><p>Today, nearly half of enterprise employees use GenAI tools in their daily work. Among them: 77% paste data into prompts, 82% use personal accounts rather than enterprise accounts, and 40% of files they upload contain personally identifiable information or payment card data. GenAI now accounts for 32% of all corporate-to-personal data movement, it has become the single largest data exfiltration channel in the browser, surpassing email, USB transfers, and file sharing combined.</p><p>Many traditional DLP approaches were originally designed around file movement and network boundaries, not browser-native AI workflows or prompt-based data interaction. 
As enterprise work increasingly happens inside browser sessions, visibility and governance models are being forced to evolve alongside user behavior.</p><h2><strong>Chapter Five: Shadow SaaS and AI</strong></h2><p>GenAI just made an already existing problem impossible to ignore any further. That problem is Shadow SaaS. You&#8217;ve probably heard of Shadow IT, employees purchasing and using software tools without IT approval. This problem has existed since the early 2010s, and IT departments spent a decade trying to manage it through approved software lists, CASB, and proxy controls. Results were mixed, but at least there was some visibility.</p><p>Shadow SaaS is the browser-native version of Shadow IT, and it&#8217;s considerably harder to manage. Employees don&#8217;t need to &#8220;install&#8221; anything. They just open a webpage, create an account, and start using it.
Much of this activity happens directly inside browser sessions, often outside normal software procurement, governance, or centralized IT review processes.</p><p>Picture your company&#8217;s engineers: they use Cursor for coding, Perplexity to look up technical documentation, v0 to prototype product interfaces, Notion AI to organize meeting notes, Gamma to build presentations, Grammarly to polish emails, DeepL to translate contracts. Every tool is genuinely useful. Many of these tools may end up handling sensitive internal context, often before governance, legal review, or data handling expectations have fully caught up. Not one of them is on IT&#8217;s approved list. Nobody knows whether any of them have enterprise data retention clauses, whether they train on user input, or whether they&#8217;ve signed a data processing agreement.</p><p>This isn&#8217;t an employee problem. It&#8217;s a structural gap, the permanent scissors between the rate at which tools proliferate and the speed at which governance processes can respond. A new AI tool can go from launch to widespread employee adoption in a week. Getting that tool from discovery through security review and onto an approved list takes at least three months. In those three months, usage doesn&#8217;t stop and data keeps moving.</p><p>LayerX&#8217;s data puts specific numbers to this: 82% of GenAI tool usage in enterprises happens through employees&#8217; personal accounts, not enterprise-purchased accounts. 
According to Zylo&#8217;s 2025 SaaS Management Index, enterprises are managing an average of 275 SaaS applications, with roughly 7 new applications entering the environment every month, and 84% of those applications and 74% of SaaS spending sit outside IT&#8217;s sphere of responsibility.</p><p>What this means in practice: even if a company has paid for enterprise ChatGPT and carefully configured its data protection policies, employees can do exactly the same things through their personal ChatGPT accounts, potentially bypassing many of the controls enterprises intended to enforce through managed environments and approved workflows.</p><p>Managing personal devices makes this even more complicated. Today, 62% of employees use unmanaged devices to access enterprise data, and 45% of enterprise devices have the browser running under a personal profile. In these scenarios, IT management tools break down entirely, you can&#8217;t push policies to an employee&#8217;s personal MacBook, and you can&#8217;t see what they&#8217;re logged into through a personal Chrome profile.</p><p>The irony is that this isn&#8217;t malicious behavior. Most employees using unapproved tools are trying to do their jobs better and faster. They found something useful, created an account, started using it, and moved on with their day. Security never entered their mental model, because &#8220;is this secure?&#8221; is simply not a question they ask when they open a new tool. For attackers, this is excellent news.</p><p>If you don&#8217;t know what tools your employees are using, you don&#8217;t know which tools have security vulnerabilities, which data flows you should be monitoring, or whether your company is on the affected list when one of those tools gets compromised. 
Shadow SaaS is, at its core, a mass of unmonitored entry points, every account an employee has registered that IT doesn&#8217;t know about is a potential attack surface you have zero visibility into.</p><p>Netskope&#8217;s data shows the number of GenAI applications in active enterprise use growing from 13 to 15 between early and mid-2025, while the total number of distinct GenAI SaaS applications Netskope tracks has expanded past 1,550, up from 317 earlier in 2025. Shadow SaaS territory keeps expanding. Security team visibility is not keeping pace.</p><p>This is why browser security isn&#8217;t just about &#8220;preventing malicious attacks.&#8221; It&#8217;s also about &#8220;understanding where your data is going.&#8221; And understanding that requires visibility at the place where data moves: the browser, not at the network perimeter or the endpoint, where you&#8217;d only be trying to reconstruct a puzzle that was assembled somewhere else.</p><h2><strong>Chapter Six: ClickFix, or: Your Own Hands</strong></h2><p>In early 2024, security researchers began noticing a new attack technique spreading in the wild. They called it &#8220;Fake CAPTCHA&#8221; at first. The name that stuck was ClickFix. Its mechanics are unsettlingly simple.</p><p>You visit a webpage in your browser. The page asks you to complete a verification step, maybe a CAPTCHA, maybe &#8220;prove you&#8217;re not a robot,&#8221; maybe &#8220;follow these steps to fix a browser error.&#8221; The page instructs the user to perform a sequence of seemingly harmless manual actions, often framed as a browser verification or troubleshooting step. In reality, the user is unknowingly executing attacker-controlled commands through their own system interface.</p><p>You follow the instructions. The command you just executed was silently copied to your clipboard the moment you opened the page. It might be a PowerShell script that downloads and runs malware in the background. 
You are the one who brought it in.</p><p>No file attachment. No email. No exploit. Nothing technically clever. Just a webpage, a plausible reason, and a cooperative user.</p><p>According to Microsoft&#8217;s 2025 Digital Defense Report, ClickFix accounted for 47% of initial access events tracked by Microsoft&#8217;s Defender Experts team, nearly half, surpassing traditional phishing email at 35%.</p><p>By 2026, ClickFix had evolved into multiple variants. CrashFix mimics system crash dialogs. A DNS-based variant substitutes nslookup commands for PowerShell. FileFix uses the File Explorer address bar to execute OS commands. The technique has expanded to Mac, using the macOS terminal in place of the Windows Run dialog. Every variant is trying to do the same thing: find a pretext to make you execute malicious code yourself.</p><p>ClickFix succeeds because of a structural asymmetry: its payload never appears on disk as a file, so every file-detection security tool (antivirus, EDR, sandbox analysis) is blind to it. Security tools are waiting for a file to arrive. ClickFix never gives them one. The command comes from the user&#8217;s own clipboard, and from the operating system&#8217;s perspective, this is just the user doing something voluntarily. (<em>Continues... The second half is in progress and will be published next week; you can subscribe to my Chasing Polaris if you&#8217;d like to read the rest.</em>)</p><p><em>Data current as of May 15, 2026. Browser security is a fast-moving field; some product and market details may have changed. The views expressed are the author&#8217;s own and do not represent any organization.
This article contains no commercial endorsements.</em></p><p><em>Reference: The whole list is long and you are welcome to request separately if you are interested in reading all of them.</em></p><p><em>check more in the <a href="https://wickey.substack.com/s/cyber-talk">cyber talk session</a></em></p>]]></content:encoded></item><item><title><![CDATA[Cyber Talk-7 SentinelOne Part II GTM: Channel-First, Enterprise-Focused, Ecosystem-Driven]]></title><description><![CDATA[SentinelOne&#8217;s go-to-market strategy can be captured in a single sentence: don&#8217;t sell directly to everyone, make it possible for everyone to buy.]]></description><link>https://wickey.substack.com/p/sentinelone-part-ii-gtm-channel-first-wickey-vnfpc</link><guid isPermaLink="false">https://wickey.substack.com/p/sentinelone-part-ii-gtm-channel-first-wickey-vnfpc</guid><dc:creator><![CDATA[Wickey Wang]]></dc:creator><pubDate>Sat, 25 Apr 2026 04:00:22 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/173202c4-5d57-49b3-a7e9-6be565959d58_800x450.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fQy8!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee9d3f36-c66a-47ab-9518-f58abb8e75f1_800x450.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fQy8!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee9d3f36-c66a-47ab-9518-f58abb8e75f1_800x450.jpeg 424w, https://substackcdn.com/image/fetch/$s_!fQy8!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee9d3f36-c66a-47ab-9518-f58abb8e75f1_800x450.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!fQy8!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee9d3f36-c66a-47ab-9518-f58abb8e75f1_800x450.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!fQy8!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee9d3f36-c66a-47ab-9518-f58abb8e75f1_800x450.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fQy8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee9d3f36-c66a-47ab-9518-f58abb8e75f1_800x450.jpeg" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ee9d3f36-c66a-47ab-9518-f58abb8e75f1_800x450.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!fQy8!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee9d3f36-c66a-47ab-9518-f58abb8e75f1_800x450.jpeg 424w, https://substackcdn.com/image/fetch/$s_!fQy8!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee9d3f36-c66a-47ab-9518-f58abb8e75f1_800x450.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!fQy8!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee9d3f36-c66a-47ab-9518-f58abb8e75f1_800x450.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!fQy8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fee9d3f36-c66a-47ab-9518-f58abb8e75f1_800x450.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a></figure></div><p>SentinelOne&#8217;s go-to-market strategy can be captured in a single sentence: don&#8217;t sell directly to everyone, make it possible for everyone to buy. That sounds simple. Behind it is a set of deliberate and carefully constructed choices.</p><h3><strong>Start With the Right Question: Where Are the Customers?</strong></h3><p>The cybersecurity market has a structural problem that shapes everything about how you sell into it.</p><p>The customer base is impossibly fragmented. A five-person law firm and a Fortune 500 manufacturer both need security products, but their buying processes, decision-making structures, and budget cycles exist in completely different universes. Building a direct sales force to cover every segment of that market isn&#8217;t just expensive; it&#8217;s the wrong model entirely.</p><p>Tomer figured this out early. Instead of trying to reach every customer directly, the answer was to find the people who were already serving them, who already had the trust, already had the recurring relationships, already showed up in the client&#8217;s environment every day. Then put the technology inside their service offering and let them deliver it.</p><p>Those people are MSSPs: Managed Security Service Providers. They are embedded with thousands of enterprises, already trusted, already part of the operational fabric. 
SentinelOne&#8217;s job was to make MSSPs the company&#8217;s sales force, delivery force, and brand extension simultaneously.</p><p>The result: the majority of SentinelOne&#8217;s revenue is generated through its partner network. For a technology company of this scale, that proportion is unusual. In the cybersecurity market, it&#8217;s the smartest structural choice available.</p><h3><strong>PartnerOne: Giving the Channel a Real Home</strong></h3><p>As the company scaled, the partner base diversified. Some partners just resell the product. Others embed SentinelOne&#8217;s technology into managed services. Others build new products on top of the platform. Others handle deployment and incident response. Each of these relationships needs different support, different incentives, different resources.</p><p>In April 2025, SentinelOne unveiled the Global PartnerOne Program at its North American PartnerOne Summit, a unified framework that organized the entire partner ecosystem into four distinct tracks.</p><p>The <strong>Manage track</strong> is built for MSSPs and MDR providers. These partners don&#8217;t just resell; they integrate SentinelOne&#8217;s technology into their service delivery, operating it on behalf of multiple clients simultaneously. What SentinelOne gives them is platform depth: APIs, multi-tenancy architecture, and automation capabilities that let them manage dozens of clients from a single interface.</p><p>The <strong>Sell track</strong> is for value-added resellers and solution providers. Their core value is customer access: they have relationships, industry presence, and influence. SentinelOne equips them with sales tools, pricing structures, and deal support to convert that access into revenue.</p><p>The <strong>Build track</strong> is for ISVs and technology partners developing integrations and new products on top of the Singularity platform. 
This track is how SentinelOne transforms itself from a product into an ecosystem, letting the platform extend into use cases its own teams would never build.</p><p>The <strong>Deliver track</strong> covers system integrators and incident response specialists. When a large enterprise decides to deploy SentinelOne, it often needs professional implementation, custom configuration, and expert response capabilities when things go wrong. This track is for the people who do that work.</p><p>Melissa Smith, VP of Technology Partnerships and Strategic Initiatives at SentinelOne, described the philosophy behind the redesign in a single sentence: &#8220;We cannot have any partner type do it alone.&#8221; Alongside the structural overhaul, she did something rare in enterprise software: dramatically simplified the partner agreements, eliminating what had been pages of dense contractual requirements, and shifted incentives from short-term transactional commissions toward rewards tied to long-term performance. The message to partners was clear: help us build something durable, and we&#8217;ll share in the upside durably.</p><h3><strong>Direct Sales: Hunting the Top of the Pyramid</strong></h3><p>The channel covers the breadth of the market. The direct sales team does something different: it goes after the customers worth the most.</p><p>Direct sales teams focus on enterprise clients, delivering customized solutions and segmenting their efforts by customer size to maximize efficiency and impact. The ideal customer profile is specific: organizations with globally distributed infrastructure, undergoing cloud migration, requiring a unified security control plane across endpoints, cloud, and identity. The decision-makers in these organizations are typically the CISO or CIO, not the IT operations manager.</p><p>This shapes everything about how SentinelOne&#8217;s enterprise sales motion works. The conversation isn&#8217;t about features. 
It&#8217;s about risk, governance, and board-level accountability. Security has become a business problem, not a technical one, and SentinelOne&#8217;s sales language operates at that level.</p><p>Tomer himself is an engineer-turned-CEO, and in conversations with technical decision-makers, he can engage with architectural choices and implementation tradeoffs at a depth that most software CEOs can&#8217;t match. That credibility is a real competitive asset in high-stakes enterprise deals, where buyers are trying to assess whether a vendor truly understands the problem they&#8217;re solving.</p><p>In Q4 FY2026, the number of customers with $100,000 or more in ARR grew 20%, and 65% of enterprise customers were using three or more platform modules simultaneously. The second number is more telling than the first. These customers aren&#8217;t buying a point product, they&#8217;re building their security architecture on the Singularity platform. The deeper they go, the higher the switching cost, and the more durable the relationship becomes.</p><h3><strong>OEM: The Lightest Path to Scale</strong></h3><p>If the channel is SentinelOne&#8217;s main engine, OEM partnerships are the range extender.</p><p>In September 2024, SentinelOne and Lenovo signed a multi-year global agreement to embed the Singularity Platform and Purple AI directly into new Lenovo PC shipments, expanding Lenovo&#8217;s ThinkShield security portfolio with autonomous AI-powered protection.</p><p>The GTM logic here is clean and powerful. Lenovo ships tens of millions of devices every year through a global sales and distribution network that SentinelOne could never replicate on its own. Rather than building that reach from scratch, SentinelOne put its technology inside the device that enterprises are already buying anyway.</p><p>A company buys a fleet of Lenovo laptops. Security is already installed. No separate procurement process. No competitive evaluation at the point of entry. 
And once SentinelOne is running on those endpoints, the path to expanding into cloud security, identity protection, and AI security becomes significantly shorter.</p><h3><strong>Cloud Marketplaces: Show Up Where the Budget Already Lives</strong></h3><p>SentinelOne has made another smart move that doesn&#8217;t get enough attention: listing on AWS Marketplace.</p><p>By making Singularity AI SIEM available through AWS Marketplace, security teams and managed service providers can deploy SentinelOne&#8217;s capabilities directly through their existing AWS procurement infrastructure, no separate vendor relationship required.</p><p>The GTM logic is straightforward. Large enterprises already have committed AWS spend, existing approval workflows, and pre-negotiated pricing frameworks. When SentinelOne shows up inside that procurement flow, the friction of a new vendor relationship essentially disappears. And there&#8217;s a bonus: the AWS Marketplace listing comes with co-selling opportunities, AWS account teams actively recommend SentinelOne to customers when discussing cloud security architecture. SentinelOne gains a sales force it doesn&#8217;t have to hire or pay.</p><h3><strong>Wayfinder MDR: When the Channel Isn&#8217;t Enough</strong></h3><p>SentinelOne&#8217;s channel-led model has one natural blind spot: the very largest enterprise customers sometimes don&#8217;t want to go through an intermediary at all.</p><p>These organizations have sophisticated internal security teams, large security budgets, and a preference for working directly with top-tier experts rather than through managed service providers. They want a direct relationship with the vendor. 
The channel can&#8217;t fully serve them.</p><p>In November 2025, SentinelOne unveiled the Wayfinder Threat Detection and Response suite at its OneCon customer conference, including Wayfinder MDR Essentials, providing 24/7/365 managed detection and response across endpoints, cloud workloads, and identities, and Wayfinder MDR Elite, a premium high-touch tier with dedicated Threat Advisors. Both services combine SentinelOne&#8217;s proprietary threat intelligence with Google Threat Intelligence.</p><p>This move puts SentinelOne in a delicate position. Wayfinder competes, at least at the margins, with the MSSP partners the company depends on for the majority of its revenue. The way SentinelOne manages this tension is through segmentation: partners serve the mid-market, Wayfinder serves the accounts at the very top of the enterprise pyramid, where the service requirements exceed what most MSSPs are equipped to deliver. Whether that boundary stays clean as both sides grow is a question worth watching.</p><h3><strong>Third-Party Validation: Making Data Do the Selling</strong></h3><p>There is one more element in SentinelOne&#8217;s GTM that rarely gets called out as strategy, but functions like one: a sustained commitment to winning independent evaluations.</p><p>The Singularity Platform achieved a perfect 100% detection rate with zero delays in the MITRE ATT&amp;CK 2024 Enterprise Evaluations. SentinelOne has been named a Leader in the Gartner Magic Quadrant for Endpoint Protection Platforms for five consecutive years, and carries a Net Promoter Score of 70.</p><p>In enterprise security sales, these numbers do work that advertising cannot. 
When a CISO needs to explain to a board of directors why the company chose SentinelOne over its competitors, the most defensible answer isn&#8217;t &#8220;the sales team made a compelling presentation.&#8221; It&#8217;s &#8220;in the most rigorous independent test in the industry, they were the only vendor with perfect detection and zero delays.&#8221; Third-party validation converts a sales conversation from &#8220;trust us&#8221; into &#8220;look at the data.&#8221; SentinelOne understands this deeply, and invests accordingly in consistently earning those results.</p><h3><strong>The Core Logic: Get In Through the Endpoint, Lock In Through the Platform</strong></h3><p>Put all of these GTM motions together, and a coherent strategic architecture emerges.</p><p>Use the channel to cover the market&#8217;s breadth. Use direct sales to win the high-value accounts. Use OEM to embed the product at the moment of hardware purchase. Use cloud marketplaces to remove procurement friction. Use MDR to lock in the accounts at the very top. Use independent test results to arm every conversation in the sales cycle.</p><p>But all of it serves the same ultimate purpose: get the customer in through the endpoint, then hold them through the platform.</p><p>A customer who has only bought the Endpoint product can switch vendors with relatively limited disruption. A customer running XDR, Purple AI, Singularity Data Lake, and Identity across their enterprise is looking at a different calculation entirely. Replacing SentinelOne means rebuilding the security architecture, retraining the security team, reestablishing data baselines across every environment. That&#8217;s a project most organizations will not undertake without a compelling reason.</p><p>In FY2026, the percentage of enterprise customers using five or more platform modules jumped from 9% to 22%. Every point of growth in that number deepens the moat. 
The further customers go into the platform, the harder they become to displace.</p><p>That is the real endgame of SentinelOne&#8217;s GTM.</p>]]></content:encoded></item><item><title><![CDATA[Cyber Talk-7 From Antivirus Killer to AI Security Platform: The SentinelOne Story-I]]></title><description><![CDATA[Why SentinelOne]]></description><link>https://wickey.substack.com/p/from-antivirus-killer-ai-security-platform-story-i-wickey-k0gmc</link><guid isPermaLink="false">https://wickey.substack.com/p/from-antivirus-killer-ai-security-platform-story-i-wickey-k0gmc</guid><dc:creator><![CDATA[Wickey Wang]]></dc:creator><pubDate>Sat, 18 Apr 2026 23:15:13 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/a00218ec-8927-41dc-a05d-d6c1ce636613_800x450.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!iHkx!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbfe61ae1-3dd9-4102-9a52-b543c76204ee_800x450.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!iHkx!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbfe61ae1-3dd9-4102-9a52-b543c76204ee_800x450.jpeg 424w, https://substackcdn.com/image/fetch/$s_!iHkx!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbfe61ae1-3dd9-4102-9a52-b543c76204ee_800x450.jpeg 848w, https://substackcdn.com/image/fetch/$s_!iHkx!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbfe61ae1-3dd9-4102-9a52-b543c76204ee_800x450.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!iHkx!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbfe61ae1-3dd9-4102-9a52-b543c76204ee_800x450.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!iHkx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbfe61ae1-3dd9-4102-9a52-b543c76204ee_800x450.jpeg" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bfe61ae1-3dd9-4102-9a52-b543c76204ee_800x450.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:null,&quot;width&quot;:null,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!iHkx!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbfe61ae1-3dd9-4102-9a52-b543c76204ee_800x450.jpeg 424w, https://substackcdn.com/image/fetch/$s_!iHkx!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbfe61ae1-3dd9-4102-9a52-b543c76204ee_800x450.jpeg 848w, https://substackcdn.com/image/fetch/$s_!iHkx!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbfe61ae1-3dd9-4102-9a52-b543c76204ee_800x450.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!iHkx!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbfe61ae1-3dd9-4102-9a52-b543c76204ee_800x450.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a></figure></div><p><strong>Why SentinelOne</strong></p><p>In the history of cybersecurity, only a handful of companies have ever crossed $1 billion in annual revenue. SentinelOne is one of them. To get there, they must have done something right.</p><p><strong>First, a Metaphor</strong></p><p>Imagine your office building has two security models:</p><p>The first is an old-school guard who carries a binder of mugshots. Every time someone walks in, he flips through it: have I seen this face before? Is it on the list? If not, they&#8217;re in. The problem is obvious: a criminal just needs a new disguise, a face that&#8217;s never been flagged, and they walk right through.</p><p>The second is an AI guard who never looks at a list. Instead, he watches behavior. Where did you go after you came in? What did you touch? Did you try to open a door you had no reason to open? Did you show up at 3am with a bag? The moment anything looks wrong, new face or not, he locks you down on the spot, then quietly puts everything you touched back exactly the way it was. No call to management. No waiting. Automatic.</p><p>Traditional antivirus software is the first guard, running on a database of known virus signatures, comparing every new file against the list. SentinelOne is the second, using AI to analyze behavior in real time, resolving threats in milliseconds, without any human in the loop. That distinction is the entire company.</p><p><strong>The Founder&#8217;s Story</strong></p><p>Tomer Weingarten grew up in a small Israeli town with few resources, and found in computers a kind of creative escape. In second grade, he met his future co-founder Almog Cohen. 
Through their teenage years, they built things together, took things apart, and developed a shared obsession with software and hacking.</p><p> At 24, Tomer sold his first startup and walked away with serious money. Then he did something almost no one does: he spent it all on purpose. He wanted to stay hungry. He wanted to stay foolish enough to build something genuinely big. That something became SentinelOne. Before founding the company, Tomer had served as VP of Products at Toluna, which had acquired his startup Dpolls, and co-founded a publisher monetization platform called Carambola Media, where he was CTO. He was not a first-time operator. He knew what he was getting into.</p><p> In 2013, he and co-founders Almog Cohen and Ehud Shamir launched SentinelOne around an idea that sounded almost reckless at the time: security software shouldn&#8217;t just <em>observe</em> threats. It should stop them and fix the damage the moment they happen, automatically, without waiting for a human to intervene.</p><p> In an October 2025 episode of the <em>Inside the Network</em> podcast, Tomer recalled the early conviction: &#8220;When SentinelOne launched in 2013, most endpoint vendors were still focused on signature-based antivirus. The idea of autonomous, behavior-based prevention powered by AI sounded like science fiction.&#8221; He chose to wait for the market to catch up to his judgment, rather than bend the judgment to fit the market.</p><p> That willingness to hold a contrarian position, for years, if necessary, runs through everything SentinelOne has done since.</p><p> <strong>The Timing: Why 2013</strong></p><p> Walk into any large enterprise&#8217;s IT department in 2013 and ask how they protected against hackers. The answer was almost always the same: we have antivirus software, and we update the definitions every day. It was a reasonable-sounding answer. 
Tomer Weingarten thought it was a myth waiting to collapse.</p><p> The logic of traditional antivirus was elegant in its simplicity: fingerprint every known virus, store the fingerprints in a database, check every new file against the list. Flag what you recognize. Let through what you don&#8217;t. This model had run the industry for two decades. McAfee, Symantec, Norton, the combined market caps ran to tens of billions of dollars, all built on the same foundational assumption.</p><p> The problem was that the assumption had a fatal crack: it only worked if attackers used weapons you&#8217;d already seen. And real attackers never stop inventing new ones.</p><p> Ransomware, zero-day exploits, fileless attacks, these threats shared one defining characteristic: they&#8217;d never appeared in any signature database. Against them, the most expensive antivirus on the market was functionally equivalent to a locked screen door.</p><p> Tomer didn&#8217;t need a research report to understand this. He had worked across enough technology companies, watched enough security incidents play out, heard enough stories of organizations that had done everything right by conventional standards and still got breached. His conclusion was simple: the rules had changed. The tools were still speaking the old language. His answer was to invert the entire logic.</p><p>Stop asking &#8220;is this file on the list?&#8221; and start asking &#8220;is this program behaving like a threat?&#8221; Track every process in real time, what files is it accessing? What servers is it trying to reach? What permissions is it running under? The moment behavior turns suspicious, respond immediately. It doesn&#8217;t matter whether the file has ever been seen before. Block it. Remediate it. Don&#8217;t wait for a human to make the call.</p><p>In 2013, that idea sounded like science fiction. Almost no one in the endpoint security industry was taking it seriously. 
Tomer decided to bet on it anyway.</p><p> <strong>Early Validation: An Accidental Debut</strong></p><p>The first few years were a grind. The product was being built. The funding was coming in, slowly. But the market hadn&#8217;t been convinced yet. SentinelOne was running proofs of concept with a small handful of companies, operating out of a borrowed office in Mountain View, held together by conviction and not much else. Then one day, everything exploded, in the best possible way.</p><p> &#8220;We arrived at the office to find our emails bombarded and the phones going off the hook,&#8221; Tomer recalled. A well-known streaming entertainment company had been quietly testing SentinelOne&#8217;s product. One of their employees, in an offhand conversation with a Forbes reporter, had said something they didn&#8217;t plan to say publicly: &#8220;You know those antivirus things? They&#8217;re garbage. They&#8217;re going away. We&#8217;re using this thing called SentinelOne and it&#8217;s going to replace all of them.&#8221; No press release. No PR campaign. No advertising budget. Just a real user, in an unscripted moment, saying exactly what they believed.</p><p> &#8220;If the market is already showing this kind of pull,&#8221; Tomer said later, &#8220;then what we&#8217;re doing is probably on the right track.&#8221; It was confirmation they didn&#8217;t expect, in a form they couldn&#8217;t have manufactured.</p><p> <strong>The Funding Journey</strong></p><p>The market signal reached investors too. In 2013, Data Collective committed $2.5 million in seed funding, a bet on what looked, from the outside, like a pretty audacious idea. In 2014, Tiger Global Management led a $10 million Series A. After that, the rounds came faster and the numbers grew larger with each cycle. The Series D landed at $120 million in 2019. Then 2020 arrived, a pandemic year that simultaneously disrupted everything and accelerated enterprise spending on security. 
SentinelOne closed a $200 million Series E, then followed it with an additional $267 million round, pushing its valuation to $3.1 billion.</p><p>Then came June 30, 2021. The day the entire cybersecurity industry sat up and took notice. SentinelOne priced 35 million shares at $35 each, raised $1.2 billion, and watched its stock jump 21% on the first day of trading &#8212; closing with a market cap above $10 billion. By valuation, it was the largest cybersecurity IPO in history, surpassing CrowdStrike&#8217;s $6.7 billion debut in 2019. The ticker symbol was &#8220;S.&#8221; One letter. It had belonged to Sprint before the telecom giant&#8217;s merger with T-Mobile, and somehow landed in SentinelOne&#8217;s hands as if reserved for the occasion.</p><p>Standing on the floor of the New York Stock Exchange that day, Tomer told CNBC: &#8220;We maintain an incredible win rate across every competitor out there.&#8221; It wasn&#8217;t bravado. It was a statement of record.</p><p><strong>The Product: How Singularity Works</strong></p><p>SentinelOne&#8217;s core product is called the <strong>Singularity Platform</strong>, and the name is a mission statement as much as it is a brand. The idea: every security capability, in one place, running as a unified system. To understand it, you need to understand <strong>EDR</strong>, Endpoint Detection and Response.</p><p>An endpoint is any device connected to a company&#8217;s network: every laptop, every server, every smartphone, every virtual instance in the cloud. EDR&#8217;s job is to continuously monitor everything happening on those devices, every process running, every file being accessed, every network connection being made, and respond the moment something goes wrong.</p><p>SentinelOne&#8217;s differentiator comes down to a single word: <em>automatically.</em> The platform&#8217;s &#8220;Storyline&#8221; technology continuously maps the relationships between processes and behaviors across every endpoint. 
The moment a threat is detected, it isolates the attack, kills the malicious process, and restores every file that was modified back to exactly the state it was in before the attack happened, all without waiting for a human to notice, assess, escalate, and respond.</p><p>Back to the building metaphor: it doesn&#8217;t just catch the intruder. The moment the alarm triggers, it also puts every object in the building back where it was before they came in, as if the break-in never happened. This capability is built across several interlocking product lines:</p><p><strong>Singularity Endpoint</strong> is the foundation: core endpoint protection across Windows, macOS, and Linux. The original product, and still the entry point for most customers.</p><p><strong>Singularity XDR</strong> is the wide-angle lens. It extends visibility beyond individual devices to cloud environments, identity systems, and network traffic, stitching together threat signals from across the enterprise into a single coherent picture of an attack in progress.</p><p><strong>Purple AI</strong> is the translator. Security analysts no longer need to write complex queries or dig through raw logs. They ask Purple AI questions in plain language (what unusual processes ran in the last 24 hours? where did this IP address come from?) and get back answers with context, not just data. At RSAC 2026, SentinelOne released Purple AI Auto Investigation in general availability: analysts can now trigger a complete, cross-source forensic investigation with a single click. Work that used to take hours or days now takes minutes.</p><p><strong>Singularity Data Lake</strong> is the warehouse, a unified repository pulling in security data from endpoints, cloud, and identity systems. It&#8217;s the fuel that powers the AI, and the foundation that supports compliance requirements.</p><p><strong>Singularity Identity</strong> guards the interior. Attackers rarely force their way in through the front door. 
They steal a key, a set of compromised credentials, and walk in quietly, then move laterally through internal systems for weeks or months before doing real damage. The $616 million acquisition of Attivo Networks was built specifically to detect and cut off this kind of movement.</p><p><strong>Singularity Cloud (CNAPP)</strong> pushes the perimeter outward, extending protection from physical and virtual devices into cloud infrastructure itself, Kubernetes clusters, containers, cloud configurations, all of it now inside the defensive boundary.</p><p><strong>The Acquisitions: Building the Platform One Deal at a Time</strong></p><p>If the product lines are SentinelOne&#8217;s skeleton, the acquisitions are how it built muscle. Each deal targeted a specific gap in the platform, filling it in at the moment it mattered most.</p><p><strong>2021: Scalyr, $155 million.</strong> Not a flashy deal, Scalyr built high-speed log management infrastructure. But without real-time, massively scalable, fully queryable data, AI is just an empty promise. Scalyr solved the foundational problem of ingesting and retrieving data at any scale. It became the engine underneath the Singularity Data Lake.</p><p><strong>2022: Attivo Networks, $616.5 million.</strong> The largest bet in the company&#8217;s history, and the one that closed the most dangerous gap: identity. Attivo specialized in tracking how attackers move through internal systems using stolen credentials, mapping the lateral movement that traditional endpoint tools never see. With this acquisition, SentinelOne for the first time owned a complete chain of defense from endpoint to identity.</p><p><strong>2023: Krebs Stamos Group.</strong> This wasn&#8217;t a technology deal. The firm&#8217;s two founders, former CISA Director Chris Krebs and former Facebook Chief Security Officer Alex Stamos, represented something different: strategic credibility, policy influence, and standing in both Washington and Silicon Valley. 
While it lasted, it gave SentinelOne something money can&#8217;t easily buy.</p><p> <strong>2024: PingSafe, over $100 million.</strong> This filled the cloud-native application protection (CNAPP) gap. Cloud workloads, containers, Kubernetes clusters, these had been outside the platform&#8217;s native protective range. PingSafe brought them in, giving enterprise customers a single platform covering both the devices their people use and the cloud infrastructure their applications run on.</p><p><strong>2025: Prompt Security, approximately $250 million.</strong> This one reveals more about where SentinelOne thinks the next decade is going than any other deal. Prompt Security was built to protect enterprises as they adopt generative AI tools, preventing employees from leaking sensitive data into ChatGPT or Claude, detecting prompt injection attacks, and protecting AI agents from being hijacked. As AI tools become embedded in daily enterprise workflows, the security risk around them is no longer theoretical. SentinelOne moved to own that space before the window closed.</p><p><strong>2025: Observo AI.</strong> An AI-native real-time data pipeline platform that filters, enriches, and routes security data before it reaches a SIEM or data lake, reducing data volume by up to 80% while keeping complete logs fully accessible. In an environment where security telemetry is growing exponentially, this is the intelligent filter that sits upstream of everything else.</p><p><strong>In Tomer&#8217;s Own Words</strong></p><p>Understanding a company from the outside has limits. Listening to its CEO, particularly in unscripted moments, often tells you more than a hundred quarterly reports.</p><p>On AI, his view is cooler than most of his peers are willing to say publicly. 
At the Notable Capital Conference in November 2025, he put it bluntly: &#8220;There is not a single LLM in the world today that is secure by any degree, no matter what people are telling you, no matter what they&#8217;re selling you. They are all being exploited as we speak.&#8221; His point wasn&#8217;t pessimism, it was a warning against premature confidence. &#8220;The best AI is the AI you don&#8217;t feel. The best AI is one that is totally integrated, totally embedded, and actually completely seamless.&#8221; He contrasted this sharply with the trend of bolt-on AI features that companies are layering onto existing products and calling transformation.</p><p>At RSAC 2026 in March, he took the stage with something more sweeping to say: &#8220;This year, I&#8217;ll be talking about a shift that goes far beyond technology, and why the future of cybersecurity is becoming inseparable from the future of civilization itself.&#8221; At the same conference, he announced a significant expansion of SentinelOne&#8217;s collaboration with Google Cloud, integrating the Singularity Platform&#8217;s AI-native capabilities with Google&#8217;s global infrastructure and threat intelligence, with a specific focus on helping enterprises adopt generative AI at scale without opening new attack surfaces in the process.</p><p><strong>The Competition: Surrounded, and Growing Anyway</strong></p><p>SentinelOne didn&#8217;t grow to this scale because the market was empty. It grew in the middle of one of the most competitive fields in enterprise technology, against opponents with more history, more resources, and in some cases more market share.</p><p>The most direct adversary is CrowdStrike. Founded around the same time, serving overlapping markets, betting on similar technology, building toward similar platform ambitions, from a distance, the two companies look almost like reflections of each other. Up close, their strategic instincts diverge sharply. 
CrowdStrike is more mature in threat intelligence, proactive hunting, and ecosystem integration, and it runs deep in large financial institutions and government agencies. SentinelOne&#8217;s edge lives in autonomous response and offline protection, its agent operates in user space, not the kernel, and keeps defending even when disconnected from the cloud.</p><p>That architectural difference became a story in July 2024, when a botched kernel-level update from CrowdStrike brought down 8.5 million Windows devices simultaneously. Airports went dark. Banks stopped processing. Hospitals rerouted patients. The total economic damage ran to billions.</p><p>SentinelOne didn&#8217;t issue a triumphant press release. It did something more effective: it kept repeating an architectural fact it had been stating for years. Its agent doesn&#8217;t touch the kernel. A failure in the cloud doesn&#8217;t cascade to the endpoint. The design decision Tomer had made a decade earlier, built in from day one, not retrofitted, became its most persuasive sales asset practically overnight.</p><p>As Tomer has acknowledged openly, legacy vendors still hold roughly 50% of the endpoint market. He doesn&#8217;t frame this as a threat. &#8220;This is a $100 billion market opportunity,&#8221; he said. &#8220;There&#8217;s room for multiple winners.&#8221; The incumbent share isn&#8217;t a ceiling. It&#8217;s a runway.</p><p><strong>The Financials: Two Milestones, One Year</strong></p><p>On March 12, 2026, SentinelOne reported its full-year results for FY2026. On the earnings call, Tomer used a single word to frame the year: <em>landmark</em>.</p><p>&#8220;FY2026 was a landmark year for SentinelOne. 
We achieved a $1 billion revenue scale, growing 22% year-over-year, and delivered full-year operating profitability, a significant milestone towards profitable growth.&#8221;</p><p>Two firsts arrived simultaneously: annual revenue crossing $1 billion for the first time, and the company achieving full-year non-GAAP operating profitability for the first time in its history. For a 13-year-old high-growth technology company, those two things happening in the same fiscal year signal something specific, a transition from &#8220;grow at any cost&#8221; to &#8220;grow with discipline.&#8221; The model is working, and it&#8217;s becoming self-sustaining.</p><p>The structural numbers beneath the headline tell an even more interesting story. Non-endpoint solutions now account for more than half of total annual bookings. The percentage of enterprise customers using five or more platform modules jumped from 9% to 22% in a single year.</p><p>What that means in practice: SentinelOne is no longer just a product customers install. It&#8217;s becoming the operating system their security teams build on. That kind of depth creates the kind of retention that can&#8217;t be manufactured, customers don&#8217;t leave platforms they&#8217;ve built into.</p><p>Purple AI&#8217;s ARR grew at triple-digit rates. Prompt Security&#8217;s ARR more than doubled sequentially following the acquisition. Data solutions crossed $130 million ARR. Cloud security crossed $160 million ARR. Each product line growing independently, each one reinforcing the others.</p><p>For FY2027, management guided toward $1.195 to $1.205 billion in revenue, approximately 20% growth, and non-GAAP operating income of $110 to $120 million. Growth holding, margin expanding.</p><p><strong>What Comes Next: A Double Bet on AI</strong></p><p>If you had to distill SentinelOne&#8217;s next chapter into a single phrase, Tomer has provided it across multiple stages and conversations over the past year: <strong>&#8220;AI for Security. 
Security for AI.&#8221;</strong></p><p>The first half is the business they&#8217;ve been building for over a decade, now entering an acceleration phase. AI-driven threat detection and autonomous response are becoming not just a differentiator but an industry expectation. Purple AI is now attached to more than half of all licenses sold.</p><p>The second half is the frontier they&#8217;re staking a claim on. As enterprises race to embed generative AI tools into daily operations, AI itself has become a new and largely unguarded attack surface. Employees are pasting sensitive customer data into public AI tools. AI agents are being manipulated through prompt injection into executing unauthorized actions. These risks have moved from theoretical to documented. Prompt Security was the acquisition that put SentinelOne at that frontier before most competitors recognized it was one.</p><p> This isn&#8217;t just a product roadmap. It&#8217;s a bet on a specific reading of history: the companies that define security for a new technology era tend to carry that advantage forward for a long time. SentinelOne is trying to define it for the AI era before the window closes.</p><p><strong>The Through Line</strong></p><p>SentinelOne&#8217;s story is, at its core, about the willingness to hold an unpopular conviction long enough for reality to prove it right.</p><p>In 2013, the consensus said signature-based antivirus just needed to be faster. Tomer said the model itself was broken. He waited years for the market to see what he already saw. The ransomware wave made the case for him.</p><p>In 2024, a single update decision at a competitor brought 8.5 million devices to their knees simultaneously. 
An architectural choice Tomer had written into SentinelOne&#8217;s foundation on day one, not in response to a crisis, but in anticipation of one, became the clearest possible demonstration of why it mattered.</p><p>Now, AI agents are moving into the core of enterprise operations faster than any previous technology wave. New attack surfaces are opening. New rules are being written. And SentinelOne is, again, trying to be there first. As Tomer himself put it: &#8220;The moment you stop innovating, you&#8217;re dead in the water.&#8221; From where things stand right now, they show no signs of stopping.</p><p>(Next article, I will write about the Go to Market strategy part of SentinelOne Story.)</p><p><strong>Check my previous Cyber talk articles:</strong></p><p><strong><a href="https://wickey.substack.com/p/cyber-talk-from-zero-to-wiz-the-fastest">Cyber Talk-1 - From Zero to Wiz: The Fastest Cloud Security Exit in History</a></strong></p><p><strong><a href="https://wickey.substack.com/p/from-vpn-killer-to-zero-trust-platform">Cyber Talk-2 From VPN Killer to Zero Trust Platform: The Zscaler Evolution</a></strong></p><p><strong><a href="https://wickey.substack.com/p/cyber-talk-3-from-spreadsheet-to">Cyber Talk-3: Vanta &#8212; How a compliance startup cut audit time by months and cost by 90%</a></strong></p><p><strong><a href="https://wickey.substack.com/p/beyond-endpoints-how-crowdstrike">Cyber Talk-4 Beyond Endpoints: How CrowdStrike Reinvented Cyber Defense</a></strong></p><p><strong><a href="https://wickey.substack.com/p/servicenows-next-chapter-with-cybersecurity">Cyber Talk-5 ServiceNow&#8217;s History and Next Chapter with cybersecurity acquisition</a></strong></p><p><strong><a href="https://wickey.substack.com/p/cyber-talk-6-from-firewall-boxes">Cyber Talk-6: Fortinet&#8217;s Silicon Moat &#8212; $0 to $6.8B with the same founder</a></strong></p><p><em>This article is based on SentinelOne&#8217;s public financial filings (FY2026 full year and quarterly 
results), SEC disclosures, founder interviews (Inside the Network podcast, October 2025; Notable Capital Conference, November 2025), RSAC 2026 keynote remarks, and publicly available industry sources. Nothing here constitutes investment advice.</em></p>]]></content:encoded></item><item><title><![CDATA[Cyber Talk-6 From “Firewall Boxes” to a Security Operating System: Fortinet’s Silicon Moat]]></title><description><![CDATA[The story of Fortinet]]></description><link>https://wickey.substack.com/p/cyber-talk-6-from-firewall-boxes</link><guid isPermaLink="false">https://wickey.substack.com/p/cyber-talk-6-from-firewall-boxes</guid><dc:creator><![CDATA[Wickey Wang]]></dc:creator><pubDate>Sat, 14 Feb 2026 04:25:39 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!s0xb!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c613d43-fd41-4bdb-bb7b-a5ca0e1b1aac_590x590.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>Why write about Fortinet? </h2><p>In the long arc of cybersecurity history, only a handful of companies have ever surpassed $1 billion in revenue, and by 2025, Fortinet has climbed to $6.8 billion, placing it among the largest pure-play publicly traded cybersecurity companies in the world. Its success was not a matter of luck, but the result of a bet made in 2000 that most people dismissed at the time: putting firewall, antivirus, and IPS capabilities into a single proprietary chip. 
Twenty-five years later, that chip has become a moat.</p><p>What truly makes Fortinet worth studying is not that it sells Unified Threat Management, but how it has managed, amid a cybersecurity landscape constantly reinventing itself, relentless industry consolidation, and ever-shifting capital market narratives, to become an extraordinarily rare structural outlier: consistently GAAP profitable every year since its 2009 IPO, and reaching $6.8 billion in revenue, $7.55 billion in billings, and $2.21 billion in free cash flow in FY2025, with a 33% free cash flow margin, while also securing the No. 1 position in global firewall unit shipments with 55% market share.</p><p>Even more rare is this: the same founder built the company from $0 to $6.8 billion without ever changing CEOs. In Silicon Valley&#8217;s corporate history, that alone is a legend.</p><h2>What Are a Firewall and Unified Threat Management (UTM)?</h2><h3><em>What is a Firewall?</em></h3><p>A <strong>firewall</strong> is the city&#8217;s intelligent border checkpoint and traffic gate.</p><p>It sits at the main entrances and critical intersections, examining every vehicle that tries to pass. When a car approaches, the checkpoint asks:</p><ul><li><p>Where are you coming from?</p></li><li><p>Where are you going?</p></li><li><p>Are you allowed on this road?</p></li><li><p>Do you match our security rules?</p></li></ul><p>If the vehicle fits the rules, it passes through. If not, it&#8217;s stopped immediately.</p><p>In technical terms, a firewall monitors and controls incoming and outgoing network traffic based on predefined security policies. It blocks unauthorized access, prevents suspicious connections, and ensures that only approved communication flows between networks, such as between your internal systems and the internet.</p><h3><em>What is Unified Threat Management (UTM)?</em></h3><p>Now imagine that city decides that checking only driver IDs at the border isn&#8217;t enough.
Criminals are hiding contraband in vehicles, forging credentials, using disguises, and coordinating attacks from multiple directions.</p><p>Instead of building separate departments, one for border control, one for scanning cargo, one for detecting suspicious behavior, one for filtering destinations, the city creates a single, integrated security command center.</p><p>That is Unified Threat Management (UTM).</p><p>UTM combines multiple security functions into one coordinated system. When a vehicle arrives at the checkpoint, all of the checks, including firewall, antivirus, intrusion prevention, web filtering, application control, VPN, and so on, happen in one place, under one policy framework, managed from one console.</p><p>Instead of different guards shouting across departments, the entire security force works together in real time. If one system detects a threat, the others immediately respond.</p><p>In technical terms, UTM integrates firewall, antivirus, intrusion prevention (IPS), web filtering, VPN, and other protections into a single platform, simplifying management while strengthening security coverage.</p><p>In short:</p><ul><li><p>Firewall = the city&#8217;s gatekeeper controlling traffic at the borders.</p></li><li><p>Unified Threat Management (UTM) = the city&#8217;s centralized security command center, combining multiple defenses into one coordinated system.</p></li></ul><p>The firewall protects the entrance.<br>UTM protects the entrance <em>and</em> checks what&#8217;s inside the vehicle.</p><p>Both of them keep the digital city secure without turning it into a traffic jam.</p><h2><strong>The founder&#8217;s journey</strong></h2><p><strong>From Tsinghua to Silicon Valley: Ken Xie&#8217;s Entrepreneurial Philosophy</strong></p><p>Ken Xie was born in Beijing, China, to academic parents. In a 2017 interview with <em>Forbes</em>, he recalled with a smile that his parents had always hoped he would return to China to become a professor.
After all, as an electrical engineering graduate from Tsinghua University, he would have had a promising academic future. But Stanford changed everything. He told reporters that Stanford was deeply connected to the surrounding Bay Area ecosystem, Google, Yahoo, Sun Microsystems, and that the air there felt charged with the possibility of starting a company at any moment. So he stayed.</p><p>In 1993, while still a student at Stanford, Ken founded his first company, SIS, almost by accident, in a garage in Palo Alto. The company focused on software firewalls. But he quickly ran into a fundamental limitation: running security inspection on general-purpose CPUs simply couldn&#8217;t keep up with rapidly increasing network speeds. That realization led him to start again in 1996, founding NetScreen. There, he developed the industry&#8217;s first high-performance firewall and VPN system based on dedicated ASIC chips, a technological DNA that would later define Fortinet. In 2004, NetScreen was acquired by Juniper Networks for approximately $4 billion, marking what Ken later described as a &#8220;fast exit.&#8221;</p><p>An industry veteran once described Ken Xie as both a hardcore technologist and a master storyteller capable of articulating a grand vision to CIOs and CISOs, a rare combination in cybersecurity. </p><p>After leaving NetScreen, Ken arrived at what was then a bold conclusion: firewalls and VPNs addressed only network-layer problems, while the real threats, viruses, worms, spyware, spam, had already moved into the application and content layers. Simply blocking ports would never keep pace with attackers. What he envisioned instead was a device that could consolidate all threat protection functions into a single chip, inside a single appliance. In 2000, he co-founded Appligation, Inc. 
with his brother Michael Xie; the company was later renamed Fortinet, derived from &#8220;Fortified Networks.&#8221;</p><p><strong>Michael Xie: Chief Technical Architect</strong></p><p>Michael Xie, also a graduate of Tsinghua University (with a degree in automotive engineering), later earned a master&#8217;s degree in electrical and computer engineering from the University of Manitoba in Canada. He had served as Director of Software at NetScreen and witnessed firsthand the implementation of ASIC-based technology. At Fortinet, Michael led the foundational architecture design of FortiOS and the iterative evolution of the FortiASIC chips, becoming the principal architect behind the company&#8217;s technological moat.</p><h2><strong>Founding Fortinet</strong></h2><p>In 2000, as the dot.com bubble burst and a chill swept across the entire technology sector, Ken Xie saw a new window of opportunity. At the time, enterprise security stacks were a collection of disconnected boxes: one firewall, one IDS appliance, one antivirus gateway, one spam filter. Each device had its own console, its own logs, its own update cycle, operating in isolation from the others. Ken&#8217;s answer was to compress all of it into a single box, powered by a dedicated chip. That moment marked the birth of the Unified Threat Management (UTM) category.</p><p>The early days were extremely difficult. The company started with fewer than 20 engineers. The U.S. team worked out of a temporary office, while the other half operated out of Bangalore. Ken did not wait for outside funding to be secured before getting started, he invested his own money to move forward. From 2000 to early 2003, Fortinet raised only $13 million in private funding, far less than many of its competitors at the time. 
Yet in May 2002, the first FortiGate shipped: a rack-mounted appliance capable of delivering firewall, antivirus, intrusion detection, and content filtering in a single device, powered by FortiOS and accelerated by proprietary ASIC technology. In throughput tests, it decisively outperformed software-based alternatives in the same price range.</p><h2><strong>Product, M&amp;A and Competition</strong></h2><p>In the early days, Fortinet&#8217;s competitors were far from weak. Check Point dominated the enterprise market with its software firewall solutions, Cisco PIX leveraged the natural advantage of a networking giant, and SonicWall along with Juniper NetScreen competed aggressively for mid- to high-end customers with strong hardware performance. Fortinet&#8217;s survival strategy rested on two key pillars: first, the performance advantage delivered by its proprietary ASIC technology; and second, a more competitive total cost of ownership (TCO).</p><p>Fortinet&#8217;s product journey has followed a slower, more engineering-driven path, one that has produced a more stable and harder-to-replicate long-term advantage. Its story has never been about &#8220;catching the next wave,&#8221; but about &#8220;laying the foundation early.&#8221; In many ways, it resembles a moat built in silicon: while others talk about product narratives, Fortinet talks about chips and power efficiency; while others promote platform visions, it talks about unified kernels and integration friction.</p><p>This philosophy may sound old-fashioned in an era dominated by cloud-native architecture, security-as-a-service, and AI security buzzwords, even slightly counter-trend. Yet it explains why Fortinet&#8217;s business performance increasingly resembles a precision machine.
As industry conversations shift from &#8220;Can it perform this function?&#8221; to &#8220;Can it perform more functions without slowing the network, increasing power consumption, or overwhelming operations?&#8221;, the physical layer and the integration layer once again become decisive veto points, and Fortinet secured that vote years in advance.</p><p>Looking at its product evolution, the journey can be divided into five distinct phases:</p><p><strong>2000&#8211;2004 &#183; Foundation Phase:</strong><br>Fortinet effectively invented the Unified Threat Management (UTM) category, compressing firewall, antivirus, and IPS into a single appliance powered by proprietary ASIC technology. By delivering significantly lower total cost of ownership (TCO) than competitors, it penetrated the SMB market. Ken Xie was widely referred to as the &#8220;Father of UTM.&#8221;</p><p><strong>2005&#8211;2012 &#183; Expansion Phase:</strong><br>FortiGuard Labs was established in 2005, shifting threat intelligence from external sourcing to in-house development. The company went public in 2009 and began evolving into a multi-product platform with launches such as FortiMail, FortiWeb, and FortiSandbox.</p><p><strong>2013&#8211;2017 &#183; Integration Phase:</strong><br>In 2016, Fortinet launched Security Fabric, arguably its most important architectural declaration. What had once been independent products were formally declared a unified platform, connected by FortiOS as the nervous system.</p><p><strong>2018&#8211;2021 &#183; Deepening Phase:</strong><br>This was the most acquisition-intensive period.
Within three years, Fortinet completed its SOC &#8220;trifecta&#8221; (EDR, SOAR, SIEM) while simultaneously positioning itself in SASE, a demand that accelerated dramatically during the pandemic.</p><p><strong>2022&#8211;2025 &#183; High-Ground Phase:</strong><br>SASE scaled meaningfully (FortiSASE ARR surpassing $1.28 billion), Lacework was acquired to complete cloud security capabilities, partnerships with NVIDIA positioned Fortinet in AI data center security, and FortiOS 8.0 achieved AI-native integration.</p><p>In Ken Xie&#8217;s view, the bottleneck in cybersecurity has never been whether features are &#8220;smart enough,&#8221; but rather the physical constraints that are often overlooked yet most likely to cause real-world failures: throughput, encryption and decryption processing, and deep packet inspection. From its founding in 2000, Fortinet committed to a long-cycle strategy: hardwire critical security processing into proprietary ASIC silicon, and unify all product forms under a single operating system. As quoted at a 2024 Morgan Stanley conference, Xie stated it plainly: security threats evolve every year and strategies shift quickly, but the foundational infrastructure, the performance layer and the integration layer, must be built years in advance, or you will always be catching up.</p><p>That statement serves as Fortinet&#8217;s strategic footnote: it is not chasing trends; it is pre-paying the &#8220;physics bill&#8221; of the future.</p><p>The first layer of Fortinet&#8217;s moat therefore comes from FortiASIC. The latest generation, powered by seventh-generation NP7 and SP5 ASICs, delivers up to seven times higher firewall throughput, four times greater threat protection performance, and seven times lower power consumption compared to comparable competitor products.
These are not marketing exaggerations; they stem directly from hardware architectural differences.</p><p>When enterprises enter a network refresh cycle, why do they continue allocating the next round of budget to the same vendor? The answer is not aesthetics; it is performance, energy efficiency, and operational reliability.</p><p>Yet if Fortinet were only about chips, it might still be trapped in the fate of traditional hardware vendors, dependent on refresh cycles, competing on price and channels. The true leap from product to platform came from its second moat: FortiOS. FortiOS is the unified real-time operating system shared across Fortinet&#8217;s entire product portfolio, covering firewall, SD-WAN, ZTNA, SASE, endpoint protection, wireless AP, and more than thirty networking and security functions. It unifies policy management, log analysis, and threat intelligence sharing, allowing different products to genuinely &#8220;understand&#8221; one another and operate in coordinated defense. This unified architecture also creates customer stickiness: the deeper the ecosystem integration, the higher the switching cost.</p><p>FortiOS is like the iOS of enterprise security: one operating logic, one management interface, one command language across all hardware form factors. This model stands in contrast to competitors whose portfolios are heavily acquisition-driven, such as Palo Alto Networks, or whose product lines span decades of integration complexity, such as Cisco.
Integrating heterogeneous systems requires significant engineering effort, and customers bear the friction of fragmented management in daily operations.</p><p>One enterprise CIO once described the difference clearly: policy updates that previously took weeks, or sometimes months, to complete can now be deployed across the entire network environment in a short period of time, thanks to a unified single-platform view.</p><p>In real IT organizations, that translates to fewer personnel requirements, fewer configuration errors, fewer change window conflicts, and deeper operational embeddedness for the vendor.</p><p>When Fortinet introduced Security Fabric in 2016, it effectively institutionalized this unified-core advantage. Security Fabric connects all products into an organic whole through shared telemetry, shared policy engines, and shared threat intelligence. This is not a marketing slogan, but an architectural choice: since all products share the same OS, agent, and ASIC, integrating new capabilities introduces minimal additional friction.</p><p>This is what fundamentally distinguishes Fortinet from many so-called &#8220;platform security companies.&#8221; Others use the platform concept to describe a future integration vision; Fortinet integrates first and names it later. The commercial value of this strategy is straightforward: customers typically begin with FortiGate and gradually expand into FortiSASE, FortiEDR, FortiSOAR, and other modules as their security maturity increases, continuously expanding lifecycle value.</p><p>Viewed through this unified-architecture lens, Fortinet&#8217;s acquisition history resembles an engineering blueprint rather than a capital markets story.
Key milestones include the 2008 acquisition of IPLocks (database security IP) and first quarterly profitability; the 2009 acquisition of Woven Systems (Ethernet switching IP) and IPO; the 2015 acquisition of Meru (Wi-Fi hardware); the 2016 acquisition of AccelOps and launch of Security Fabric; the 2018 acquisitions of Bradford (IoT security) and ZoneFox; the 2019 acquisitions of enSilo (endpoint) and CyberSponse (SOAR); the 2023 strategic push into SASE and Security Operations; the 2024 acquisitions of Lacework (cloud security) and Next DLP (cloud-native DLP); and the 2025 acquisition of Everest Networks alongside the launch of FortiGate 700G and FortiOS 8.0.</p><p>Individually, these transactions may not appear dramatic, but collectively they reveal a clear intent: Fortinet does not acquire revenue; it acquires platform puzzle pieces, and each piece must be absorbed into FortiOS to become native capability within Security Fabric. </p><p>From 2008 to 2019, each of Fortinet&#8217;s acquisitions and strategic moves was fundamentally not about buying scale or revenue, but about methodically completing pieces of a long-term platform strategy. The 2008 acquisition of IPLocks represented an early attempt to extend security beyond the network perimeter into the data layer, signaling that Fortinet&#8217;s ambition went beyond being a stronger firewall vendor and toward addressing database security and compliance use cases. Although integration synergies were limited, it marked an early move toward data-centric security. The 2009 acquisition of Woven Systems&#8217; switching IP embedded security deeper into network infrastructure, laying the technical groundwork for FortiSwitch and enabling Security Fabric to eventually span both access and security layers.
In 2014, co-founding the Cyber Threat Alliance, while not an acquisition, was strategically significant, as it strengthened FortiGuard&#8217;s intelligence density and network effects through structured threat intelligence sharing, effectively expanding Fortinet&#8217;s data moat. </p><p>The 2015 acquisition of Meru Networks brought wireless access under unified FortiOS control, closing the physical blind spot created by BYOD and IoT adoption and extending the secure network vision beyond the perimeter to the access layer. In 2016, the acquisition of AccelOps alongside the launch of Security Fabric marked a pivotal shift from a product company to a platform company, using SIEM capabilities to connect distributed device telemetry into an operational architecture. The 2018 acquisitions of Bradford and ZoneFox filled critical gaps in IoT/OT visibility and insider threat detection, strengthening Fortinet&#8217;s security operations loop. </p><p>Finally, in 2019, the acquisitions of enSilo and CyberSponse completed the core SecOps stack (SIEM, EDR, and SOAR), enabling Fortinet to evolve from a firewall company into a full security platform provider. Taken together, these moves reveal a clear strategic thread: centered on FortiOS, Fortinet pursued small but precise acquisitions to reduce integration friction, expand its control surface from network edge to endpoint, data, and operations, and systematically build a unified, coordinated, and scalable security platform architecture.</p><p>The most dramatic puzzle piece came in 2024 with the acquisition of Lacework. Once valued at $8.3 billion at its peak, Lacework saw its valuation collapse by 97% during the capital downturn, and Fortinet acquired it for approximately $200&#8211;$300 million. This was not merely a discounted purchase; it expanded Fortinet&#8217;s strategic boundary.
Fortinet had historically been stronger at the network edge and data center perimeter; Lacework allowed it to enter the internal cloud security narrative, gaining platform-level authority in multi-cloud configuration management, lateral movement detection, and cloud compliance.</p><p>Also in 2024, the acquisition of Next DLP filled another underestimated dimension within SASE: data. Traditional DLP architectures are incompatible with SASE&#8217;s cloud-proxy model, while Next DLP&#8217;s cloud-native design fits hybrid work environments. Integrating it into FortiSASE significantly strengthened Fortinet&#8217;s data security differentiation at the peak of SASE competition. If Lacework brought cloud workloads into the platform, Next DLP brought data flow into the control plane, arguably the most sensitive layer in the AI era, where not only humans access applications, but models access data and generate new data, blurring traditional data exfiltration boundaries.</p><p>In 2025, the acquisition of Everest Networks advanced Fortinet&#8217;s wireless infrastructure capabilities, emphasizing Wi-Fi 7 and high-density environments (AI data centers, large warehouses, stadiums), ensuring FortiAP and SD-Branch deployments align with next-generation standards. This signals that the future network edge extends beyond offices into high-density, high-throughput, low-fault-tolerance environments, conditions that align closely with Fortinet&#8217;s historical strengths in performance and stability.</p><p>What distinguishes Fortinet&#8217;s SASE strategy is a detail competitors struggle to replicate: FortiGate customers already own hardware and run FortiOS, allowing SASE activation on existing SD-WAN deployments within minutes.
This makes SASE expansion an incremental extension of existing assets rather than a disruptive architectural overhaul, a distinction that determines how quickly SASE moves from slide decks to signed contracts.</p><p>Even more strategically significant is sovereign SASE. Ken Xie stated on the February 2026 earnings call that sovereign SASE may ultimately be larger than the public SASE market. Sovereign SASE allows enterprises or service providers to deploy SASE infrastructure within their own data centers or private clouds rather than consuming vendor-shared cloud nodes, which is particularly attractive to governments and regulated financial institutions. Pure cloud SASE architectures struggle to replicate this flexibility.</p><p>This represents a strategic fork: while the industry once assumed more cloud centralization was inherently better, regulatory and sovereignty pressures are pulling the market back toward hybrid reality, and because Fortinet designed for dual paths from the beginning, deployment optionality has become a competitive weapon.</p><p>At a competitive level, Fortinet is not simply fighting for device share; it is competing across security philosophies. Platform-first vendors assemble cloud and SOC portfolios through acquisitions, while networking giants integrate security downward through infrastructure dominance. The key difference lies in integration ownership: where competitors often leave integration complexity to customers, Fortinet&#8217;s unified FortiOS core and Security Fabric shared telemetry turn integration into a default experience, converting operational friction and time cost into competitive advantage.</p><p>Security Operations is another underestimated battlefield. 
Fortinet&#8217;s unified SecOps suite (FortiSIEM, FortiSOAR, FortiEDR, FortiNDR, FortiAnalyzer, and FortiGuard intelligence) allows a SOC running FortiSIEM to natively see events across FortiGate, FortiSASE, FortiEDR, and FortiNDR without complex connectors or cross-system latency. In a market long burdened by platform fragmentation, that argument is not marketing; it is operational economics.</p><h2>Quick Financial Check</h2><p>If acquisitions explain Fortinet&#8217;s strategic breadth, FY2025 financial mechanics explain its operational intensity. FY2025 was a record year: $6.8 billion in revenue (+14% YoY), $7.55 billion in billings (+16% YoY), $2.21 billion in free cash flow (33% FCF margin), 81.3% gross margin, and six consecutive years meeting Rule of 45 standards.</p><p>More importantly, these figures reflect structural dynamics. Product revenue briefly contracted in 2024 during a typical hardware digestion cycle, but 2025 saw a clean reversal, with Q4 product revenue up 20%, reflecting the anticipated firewall refresh cycle materializing as enterprises resumed delayed upgrades. Meanwhile, service revenue grew 13% to $4.58 billion but was described as a lagging indicator&#8212;customers purchase hardware first, then attach subscriptions and support over time. Deferred revenue grew to $5.03 billion, providing visibility into future service acceleration in the second half of 2026.</p><p>Fortinet does not rely on one-time box sales; it transforms hardware into a subscription anchor, smoothing hardware cyclicality through platform expansion.</p><p>The transition into the next narrative phase came in FY2025 when growth engines shifted from traditional firewalls to Unified SASE and Security Operations. 
Unified SASE billings grew roughly 40% for the year, FortiSASE billings growth exceeded 100% at one point in Q3, and Security Operations billings grew approximately 22%, with SecOps ARR reaching $491 million.</p><h2><strong>Target Customers and GTM Strategy</strong></h2><p><strong>Target Customer Profile</strong></p><p>Fortinet&#8217;s core customers are mid- to large-sized enterprises operating complex network environments with extremely high demands for both performance and security. These customers are particularly concentrated in industries such as financial services and banking, government and critical infrastructure, manufacturing (especially OT security), healthcare, telecommunications carriers, and multinational distributed enterprises. They typically face three major pain points: fragmented multi-vendor security toolsets, VPN performance bottlenecks, and the convergence of IT and OT networks. These challenges align precisely with the core problem-solving scenarios addressed by Fortinet&#8217;s Security Fabric architecture.</p><p>Unlike vendors such as Zscaler that primarily focus on pure-cloud enterprises, Fortinet&#8217;s unique positioning lies in its ability to serve hybrid environments. Whether a customer operates entirely on-premises, fully in the cloud, or in a hybrid model, whether in corporate offices, factory floors, or retail branches, Fortinet can apply the same FortiOS policy framework across all environments. This enables a gradual migration toward SASE and ZTNA without forcing customers to dismantle and rebuild their infrastructure from scratch.</p><p><strong>GTM Strategy: Channel-First + Platform Deepening</strong></p><p>Fortinet is one of the largest channel-driven cybersecurity companies globally, with more than 95% of its business conducted through partners. 
Its ecosystem includes over 10,000 authorized partners worldwide, spanning VARs (Value-Added Resellers), MSPs (Managed Service Providers), SIs (System Integrators), and MSSPs (Managed Security Service Providers). These partners are not merely sales conduits; they play a critical role in consulting, designing, and implementing zero trust architectures for customers.</p><p>For large enterprise accounts, Fortinet maintains dedicated field sales teams that directly serve Fortune 1000 organizations. Supported by Sales Engineers (SEs) and Customer Success Managers (CSMs), these teams continuously drive expansion within existing accounts, guiding customers from foundational FortiGate deployments toward higher-value modules such as SASE and Security Operations. According to management disclosures, cumulative spending by Fortune 100 customers on Fortinet solutions continues to grow at a meaningful pace year over year.</p><p><strong>FortiGuard Labs and FortiTrust Training: The Soft Power of the Brand</strong></p><p>FortiGuard Labs is not only Fortinet&#8217;s threat intelligence engine; it is also one of the company&#8217;s most important brand assets. As early as 2005, when most competitors were still relying on third-party threat intelligence feeds, Fortinet built its own internal research team. Today, that team processes more than 7 billion threat signals every day. When a new threat is detected, updated signatures are pushed to FortiGate devices worldwide at near real-time speed. Ken Xie once described this mechanism as Fortinet&#8217;s immune system: if a new virus infects one corner of the globe, the entire network rapidly develops antibodies.</p><p>In 2021, speaking at the World Economic Forum, Ken Xie cited a figure that deeply concerned him: the cybersecurity industry&#8217;s talent shortage was projected to reach 3.5 million professionals. In response to U.S. 
President Joe Biden&#8217;s call to address the skills gap, he pledged to train one million cybersecurity professionals. The commitment did not remain a press release. The Fortinet Training Institute has since become one of the largest free cybersecurity training programs in the industry, with more than 700,000 learners trained to date. This initiative is not merely philanthropic; it reflects Ken Xie&#8217;s consistent business philosophy: solve industry problems first, and the market will follow.</p><h2>What&#8217;s Next for Fortinet</h2><p>Fortinet&#8217;s path into the AI era looks notably different from that of many peers. Rather than simply layering generative AI features on top of existing products, Fortinet has embedded AI deeply into its hardware acceleration model and operational workflows, building on more than a decade of threat intelligence accumulation. FortiAI spans three primary pillars. FortiAI-Protect enhances threat detection and prevention, including risk assessment for over 6,500 AI application URLs and zero-trust&#8211;based access controls for GenAI services, helping organizations prevent employee misuse or abuse of external AI tools. FortiAI-Assist provides AI-driven decision support for security operations teams, automating alert prioritization, policy recommendations, and incident response to reduce cognitive overload for SOC analysts. FortiAI-SecureAI focuses on protecting enterprise-deployed AI workloads, securing inference pipelines, training datasets, and the AI models themselves. Notably, FortiGuard Labs processes more than 7 billion threat signals daily, an extraordinary private dataset that fuels AI model training. This data moat cannot be easily replicated by pure cloud-native AI security startups through capital alone.</p><p>Looking ahead, Fortinet&#8217;s growth narrative rests on three strategic pillars. First, the acceleration of the secure networking hardware refresh cycle. 
In 2025, product revenue grew 16% year over year, confirming the materialization of the long-anticipated firewall refresh cycle. The FortiGate 700G series, powered by seventh-generation ASIC technology delivering up to seven times the throughput of competitors, is converting that refresh demand into share expansion. Fortinet currently commands 55% of global firewall unit shipments, reinforcing its leadership position.</p><p>Second, the scaled expansion of Unified SASE, including Sovereign SASE. FortiSASE billings grew approximately 40% for the full year 2025, with third-quarter billings growth surpassing 100%. CEO Ken Xie has put forward a provocative thesis: the sovereign SASE market may ultimately exceed the public SASE market, and few competitors today can effectively compete in that deployment model. If proven correct, this could become a major catalyst in 2026.</p><p>Third, AI data center security as the emerging high ground. In 2025, Fortinet launched its Secure AI Data Center solution and achieved deep integration with NVIDIA&#8217;s BlueField-3 DPU, embedding FortiGate VM directly into AI factory infrastructure. Ken Xie views this as a natural extension of Fortinet&#8217;s ASIC DNA: AI inference workloads demand extreme throughput and ultra-low latency, precisely the environment where hardware acceleration provides structural advantage.</p><p>In the AI era, data is oil. With more than 7 billion threat signals processed daily and over 20 years of accumulated security telemetry, Fortinet possesses a proprietary fuel reserve that few competitors can replicate. Its partnership with NVIDIA signals that this advantage is no longer confined to network security, but is extending directly into AI infrastructure itself.</p><h2>Conclusion:</h2><p>Fortinet&#8217;s story reads less like a typical growth narrative and more like a long-term experiment in conviction. 
While the industry chased concepts and rode valuation cycles, the Xie brothers built the company to solve a fundamental problem they had witnessed twice before: security was always treated as an afterthought, added after the network was designed, patched after applications were deployed. Over more than two decades, they continuously invested in ASIC technology, turning performance and energy efficiency, once seen as engineering details, into structural advantages. They used a unified FortiOS platform to transform integration cost into a default experience rather than a customer burden. Through a series of small but precise acquisitions, they completed the platform puzzle, and in 2024&#8211;2025, with the additions of Lacework and Next DLP, they brought cloud and data security fully into the Security Fabric architecture.</p><p>When you connect these threads, a once-radical proposition from the year 2000, that security must be embedded into the very fabric of the network, no longer sounds heretical. It has become industry consensus. 
Today, Fortinet is positioning itself as the operating system for enterprise networking and security, betting that over the next five years, physical constraints and integration costs, amplified by the demands of AI, will matter more than any new cybersecurity buzzword in determining who wins.</p>]]></content:encoded></item><item><title><![CDATA[Cyber Talk-5 ServiceNow’s History and Next Chapter with cybersecurity acquisition]]></title><description><![CDATA[From Workflow Giant to Enterprise Operating System]]></description><link>https://wickey.substack.com/p/servicenows-next-chapter-with-cybersecurity</link><guid isPermaLink="false">https://wickey.substack.com/p/servicenows-next-chapter-with-cybersecurity</guid><dc:creator><![CDATA[Wickey Wang]]></dc:creator><pubDate>Wed, 10 Dec 2025 05:12:43 GMT</pubDate><enclosure url="https://substack-post-media.s3.amazonaws.com/public/images/280d1521-8818-48c1-bea8-8718aa69d878_1024x1536.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Recently, I saw the news that ServiceNow is expanding in cybersecurity by acquiring Veza, an Access Platform for identity security, helping organizations manage and secure access across all their systems, applications, and data. To welcome the new cybersecurity player, I&#8217;d like to write a blog about it. </p><p>Also, when we talk about which stock has risen rapidly in the middle of a market winter, the answer is clear: the IT industry&#8217;s very own superhero - ServiceNow! Over the past decade its stock price has grown an astonishing 1,000%. It&#8217;s a spectacular comeback story, almost like a legend in the stock market, full of surprises and excitement with every step. Now, let&#8217;s uncover the story from its history.</p><h2><strong>The 49-Year-Old Legendary Founder</strong></h2><p>&#8220;That was November 5, 2003. I knew we had to start a company before I turned 50, because a 50-year-old can&#8217;t start a company. 
So at 49, my birthday is November 24, we began.&#8221;<br>This is how Fred Luddy, founder of ServiceNow, recalls the birth of the company.</p><p>Before that, he had nearly gone bankrupt. As if fate were playing a joke on him, in that same year, at age 49, the company he worked for collapsed due to accounting fraud, wiping out nearly $35 million of his personal wealth overnight.</p><p>So at an age when most people were thinking about retirement, Fred hid away in a small house in San Diego and began the grueling journey of entrepreneurship. At the start, he had nothing but a desk and a laptop. He didn&#8217;t even look for co-founders. And although he wasn&#8217;t trying to hire, a few people around him deeply believed in his vision and volunteered to work without pay.</p><p>These same people stayed even after ServiceNow went public. Why? Because they wanted to work with someone trustworthy, building something meaningful, promising, and impactful. What started as a ragtag group eventually grew into something far greater than anyone imagined.</p><p>ServiceNow&#8217;s initial mission was simple: IT was too hard for the average worker to deal with. Fred Luddy wanted to build a simple, flexible workflow that would allow employees to easily manage their IT requests.</p><p>With the team&#8217;s help, his vision became reality.</p><p>ServiceNow&#8217;s IT tool required no IT department to set it up. Once running, it provided a centralized place for inputting requests, data, and checklists and could analyze them using algorithms to predict demand, flag concerns, and measure efficiency.</p><p>Its innovation premium came from two scalable features: simplicity and customizability.</p><p>By taking these two features to the extreme, ServiceNow achieved a renewal rate of 98%, far above the typical 90% in this space, quickly becoming a trusted leader. 
As Sequoia Capital&#8217;s managing partner Doug Leone said, he had never seen so many enthusiastic reviews for an enterprise software product.</p><p>Luddy also possessed a rare founder trait, knowing when to step back for the company to grow larger. When ServiceNow&#8217;s revenue began doubling annually, profitability kicked in, and the team grew to 100 employees, Luddy set aside his ego and decided to find someone better suited to scale the company. He understood the product, but he needed a CEO who understood growth.</p><h2><strong>A CEO Who Understands Growth</strong></h2><p>He found <strong>Frank Slootman</strong>, a decisive operator who had taken Data Domain public and sold it to EMC. Frank excelled at building sales teams and tailoring products for high-value customers.</p><p>&#8220;Frank took us from a very large startup to a well-run giant, implementing processes and systems I could never have built,&#8221; Luddy said. In 2011, Luddy transitioned from CEO to Chief Product Officer.</p><p>Frank saw the bigger opportunity. To win large clients like Johnson &amp; Johnson, he repositioned ServiceNow from an IT helpdesk that excited CEOs at conferences into a comprehensive power toolkit that could solve CIO-level challenges.</p><p>Frank&#8217;s straightforward leadership also brought unprecedented clarity and execution. When someone randomly interrupted him in a board meeting with suggestions, Frank replied:</p><p>&#8220;Thank you for your advice. Have I told you my view of the board? The board&#8217;s job is to hire and fire the CEO. If I&#8217;m doing a bad job, you should fire me. Otherwise, I&#8217;ll continue running the company.&#8221;</p><p>A year later, in 2012, Frank took ServiceNow to the New York Stock Exchange, ringing the IPO bell himself.</p><p>By 2016, revenue hit $1.39B with a market cap of $12.34B. The team saw a bigger vision: Why should ServiceNow only serve IT departments? 
With its software and reputation, it could expand into HR, customer service, finance, and more.</p><h2><strong>IT Workflow Software&#8217;s Stunning Transformation into the ERP of the Future</strong></h2><p>The company brought in its third CEO, John Donahoe, former CEO of eBay, while Luddy became chairman. John had no IT background (he came from Bain), but his vision aligned perfectly with the company&#8217;s next stage:</p><p>&#8220;Consumers want seamless experiences. Employees want the same.&#8221;</p><p>ServiceNow leveraged its dominance in IT services to cross-sell into other enterprise workflows (HR, finance, customer support), driving a 30% sales increase that year.</p><p>New technologies also came into play. AI-driven automation and analytics expanded the platform&#8217;s capabilities, and mobile apps boosted adoption. &#8220;This isn&#8217;t tech for tech&#8217;s sake,&#8221; John said. &#8220;We want to improve people&#8217;s quality of life at work. They call it employee experience; I call it productivity.&#8221;</p><h2><strong>Platform Strategy &amp; Global Expansion</strong></h2><p>As ServiceNow pushed deeper into ERP and platformization, the fourth CEO arrived: Bill McDermott, former CEO of SAP.</p><p>Bill&#8217;s track record was exceptional, transforming weak divisions, doubling SAP&#8217;s revenue from $14.8B to $29B, and driving global expansion. For ServiceNow, he was a perfect match.</p><p>Under Bill&#8217;s leadership, ServiceNow maintained its innovation edge while accelerating international expansion into Korea, India, Latin America, and more. Sales repeatedly hit new records.</p><p>His new ambition:</p><p>&#8220;ServiceNow will become the enterprise software model of the 21st century.&#8221;</p><p>Bill believes ServiceNow is no longer just a buyer of applications &#8212; it is creating entire ecosystems. 
He predicts that in the next two years, more than 750 million applications will be built on ServiceNow.</p><h2><strong>New Cybersecurity Expansion</strong></h2><p>In December 2025, ServiceNow announced its plans to acquire Veza, a fast-growing identity security startup, to strengthen its identity and access governance capabilities. Founded in 2020, Veza is known for its AI-native &#8220;Access Graph,&#8221; which maps access relationships across human, machine, and AI identities, giving organizations unified visibility into who or what can access critical data and systems.</p><p>This acquisition is a strategic, forward-looking move for ServiceNow. If integrated effectively, Veza&#8217;s technology will enhance ServiceNow&#8217;s platform with robust, enterprise-grade identity security aligned with its AI-driven workflow orchestration. This positions ServiceNow to become the go-to platform for enterprises navigating complex SaaS, cloud, and AI environments.</p><p>More importantly, the deal moves ServiceNow closer to offering a full-stack enterprise governance platform, combining identity, access, AI agent oversight, compliance, and workflows within one system. While many vendors offer ITSM, workflow, or SaaS management tools, few pair those capabilities with strong, AI-native identity security. By adding Veza, ServiceNow has an opportunity to build a differentiated moat against legacy ITSM vendors, cloud-native SaaS tools, and emerging AI-platform competitors.</p><p>Today, when we talk about ServiceNow&#8217;s product line, we aren&#8217;t just cataloging modules or describing discrete departments. We are witnessing the architecture of a new kind of enterprise infrastructure, one where IT operations, HR workflows, customer experience, industry processes, low-code innovation, security operations, risk governance, and AI orchestration exist not as isolated tools but as interconnected capabilities inside a single platform. 
</p><h2><strong>Bonus: ServiceNow&#8217;s Fundamentals</strong></h2><p>Now that we&#8217;ve told the story, let&#8217;s examine whether this company is truly a high-quality business from a fundamentals perspective.</p><p><strong>Market Size</strong></p><p>First, let&#8217;s look at its market size. In 2025 Q3, ServiceNow&#8217;s market was worth approximately $192.80 billion. By 2033, this market is expected to soar to an astonishing $123.2 billion, a compound annual growth rate of 17.4%. Companies operating in a market like this are essentially riding an elevator upward; it&#8217;s certainly faster than climbing stairs.</p><p>Next, as mentioned earlier, ServiceNow is positioned as a cloud-based platform that integrates seamlessly with traditional software. It automates tedious workflows to improve operational efficiency across business processes, while being fast and convenient to use. It supports scenarios that organizations rely on frequently, and because it&#8217;s a lightweight SaaS business model, margins are naturally strong and reliable.</p><p><strong>Competitors</strong></p><p>Now let&#8217;s consider its competitors. ServiceNow sits at the intersection of IT service management (ITSM), enterprise workflow automation, and low-code platforms, so its competitive set is broad and layered rather than a single &#8220;direct rival.&#8221; In its original home turf of ITSM, ServiceNow competes with vendors that offer full service-desk and operations suites. These platforms compete most directly on ticketing, incident/problem/change management, CMDB, automation, and self-service portals, often differentiating through cost, ease of implementation, and vertical focus rather than breadth of enterprise workflow coverage. 
Beyond pure ITSM, ServiceNow increasingly runs into competition from general-purpose enterprise and CX platforms that are extending into service workflows.</p><p>Here we offer only a simple comparison of the key players and open-source options in ITSM.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!63QO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa426029e-693e-40bb-881c-d97589d2348b_1850x1090.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!63QO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa426029e-693e-40bb-881c-d97589d2348b_1850x1090.heic 424w, https://substackcdn.com/image/fetch/$s_!63QO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa426029e-693e-40bb-881c-d97589d2348b_1850x1090.heic 848w, https://substackcdn.com/image/fetch/$s_!63QO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa426029e-693e-40bb-881c-d97589d2348b_1850x1090.heic 1272w, https://substackcdn.com/image/fetch/$s_!63QO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa426029e-693e-40bb-881c-d97589d2348b_1850x1090.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!63QO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa426029e-693e-40bb-881c-d97589d2348b_1850x1090.heic" width="1456" height="858" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a426029e-693e-40bb-881c-d97589d2348b_1850x1090.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:858,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:133523,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://wickey.substack.com/i/181208837?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa426029e-693e-40bb-881c-d97589d2348b_1850x1090.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!63QO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa426029e-693e-40bb-881c-d97589d2348b_1850x1090.heic 424w, https://substackcdn.com/image/fetch/$s_!63QO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa426029e-693e-40bb-881c-d97589d2348b_1850x1090.heic 848w, https://substackcdn.com/image/fetch/$s_!63QO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa426029e-693e-40bb-881c-d97589d2348b_1850x1090.heic 1272w, https://substackcdn.com/image/fetch/$s_!63QO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa426029e-693e-40bb-881c-d97589d2348b_1850x1090.heic 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!paP_!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefe04e2f-f884-47b0-be2b-36201a6cfc79_2204x1066.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!paP_!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefe04e2f-f884-47b0-be2b-36201a6cfc79_2204x1066.heic 424w, 
https://substackcdn.com/image/fetch/$s_!paP_!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefe04e2f-f884-47b0-be2b-36201a6cfc79_2204x1066.heic 848w, https://substackcdn.com/image/fetch/$s_!paP_!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefe04e2f-f884-47b0-be2b-36201a6cfc79_2204x1066.heic 1272w, https://substackcdn.com/image/fetch/$s_!paP_!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefe04e2f-f884-47b0-be2b-36201a6cfc79_2204x1066.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!paP_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefe04e2f-f884-47b0-be2b-36201a6cfc79_2204x1066.heic" width="1456" height="704" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/efe04e2f-f884-47b0-be2b-36201a6cfc79_2204x1066.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:704,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:188468,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://wickey.substack.com/i/181208837?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefe04e2f-f884-47b0-be2b-36201a6cfc79_2204x1066.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!paP_!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefe04e2f-f884-47b0-be2b-36201a6cfc79_2204x1066.heic 424w, https://substackcdn.com/image/fetch/$s_!paP_!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefe04e2f-f884-47b0-be2b-36201a6cfc79_2204x1066.heic 848w, https://substackcdn.com/image/fetch/$s_!paP_!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefe04e2f-f884-47b0-be2b-36201a6cfc79_2204x1066.heic 1272w, https://substackcdn.com/image/fetch/$s_!paP_!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fefe04e2f-f884-47b0-be2b-36201a6cfc79_2204x1066.heic 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>To win against these rivals, a company needs a powerful platform, economies of scale, and continuous innovation, three advantages ServiceNow clearly holds. In addition, ServiceNow offers a more comprehensive and extensive set of features and solutions, spanning IT service management, human resources, customer service, and more. Its mission is to simplify processes and increase efficiency across the entire enterprise. Therefore, when it comes to addressing the diverse, complex, and demanding needs of large organizations, ServiceNow is the top choice.</p><p><strong>Rule of 40</strong></p><p>From a financial performance standpoint, the SaaS industry relies on an important rule of thumb: the Rule of 40. Generally, only companies whose growth rate + profit margin &#8805; 40% are regarded as healthy businesses. 
Using this formula, we can calculate ServiceNow&#8217;s Rule of 40:</p><p>Levered Free Cash Flow Margin [ 31.2% ] (+) Revenue Growth [ 21.1% ](=) Rule of 40 [ 52.3% ]</p><p><strong>Financial:</strong></p><p>Looking at revenue and growth rates, ServiceNow continued to demonstrate strong and steady expansion from 2023 to 2025.</p><p>By the end of 2023, the company generated approximately $8.97 billion in annual revenue, representing about 23% year-over-year growth. In 2024, revenue rose further to around $10.98 billion, maintaining a growth rate of roughly <strong>22%</strong>, well above the U.S. SaaS industry average of 15&#8211;18%. 
Despite a volatile macroeconomic backdrop and tightening IT budgets, ServiceNow continued to grow at a high-teens to low-twenties pace&#8212;truly behaving like a &#8220;gravity-defying&#8221; enterprise.</p><p>Entering 2025, based on the company&#8217;s Q3 financial results and market consensus estimates, ServiceNow&#8217;s trailing twelve-month (TTM) revenue has already reached roughly $12.67 billion, reflecting 20&#8211;21% year-over-year growth. Achieving this level of expansion during a capital-constrained era is impressive, further solidifying ServiceNow&#8217;s position as a core platform for enterprise digital transformation and AI-driven workflows.</p><p>A look at the revenue trajectory over the past several years shows that ServiceNow has barely paused its upward momentum:</p><ul><li><p><strong>2024:</strong> $10.98B, YoY growth 22%</p></li><li><p><strong>2023:</strong> $8.97B, YoY growth 23%</p></li><li><p><strong>2022:</strong> $7.245B, YoY growth 22.88%</p></li><li><p><strong>2021:</strong> $5.896B, YoY growth 30.47%</p></li><li><p><strong>2020:</strong> $4.519B, YoY growth 30.61%</p></li></ul><p>This is a textbook example of a &#8220;high-growth + high-quality recurring revenue&#8221; SaaS trajectory: from 2020 to 2025, revenue expanded every single year, with growth consistently near the top of the enterprise software sector.</p><p>In terms of renewal strength, while the company does not publicly disclose a specific Net Revenue Retention (NRR) figure, ServiceNow&#8217;s reported contract renewal rate remains exceptionally high at 98% in 2025, signaling a very stable and loyal customer base. 
Subscription revenue growth remains strong as well, with Q3 2025 subscription revenue increasing approximately 21.5% year-over-year, indicating not only renewals but expanding usage among existing customers.</p><p>ServiceNow is not only a consistently growing enterprise; it has become a resilient, high-moat platform company that continues to strengthen its position regardless of economic cycles.</p><h2>Ending</h2><p>In the end, ServiceNow&#8217;s momentum from the beginning to 2025, combined with its strategic bets like the acquisition of Veza, shows a company not merely growing, but actively shaping the future of enterprise operations. As identity security, AI governance, and workflow automation converge into a single strategic layer, ServiceNow is positioning itself at the center of that transformation. The story of ServiceNow is the story of how modern enterprises learn to operate with coherence, intelligence, and adaptability, and with the addition of identity governance and AI-native security, the chapters ahead promise to be even more transformative than the ones that came before. 
By then, the company may truly become a legend.</p><p><strong>Reference:</strong></p><p>https://www.netcials.com/invested-1000-in-stocks-10-years-ago-nyse/NOW-ServiceNow-Inc/</p><p>https://ycharts.com/companies/NOW/gross_profit_margin</p><p>https://finbox.com/DB:4S0/explorer/rule_of_40/</p><p>https://www.ngpcap.com/insights/unveiling-the-future-can-saas-successfully-bounce-back-in-2024</p><p>https://www.saastr.com/5-interesting-learnings-from-servicenow-at-7-billion-in-arr/</p><p>https://www.marketscreener.com/quote/stock/SERVICENOW-INC-10912979/company/</p><p>https://www.servicenow.com/blogs/2022/how-servicenow-was-born.html</p><p>https://www.servicenow.com/company/investor-relations/sec-filings.html</p><p>https://www.macrotrends.net/stocks/charts/NOW/servicenow/revenue#google_vignette</p><p>https://fortune.com/2025/12/04/servicenow-veza-deal-president-cyber-security-ai-agentss/</p>]]></content:encoded></item><item><title><![CDATA[Cyber Talk-4 Beyond Endpoints: How CrowdStrike Reinvented Cyber Defense]]></title><description><![CDATA[A story of CrowdStrike]]></description><link>https://wickey.substack.com/p/beyond-endpoints-how-crowdstrike</link><guid isPermaLink="false">https://wickey.substack.com/p/beyond-endpoints-how-crowdstrike</guid><dc:creator><![CDATA[Wickey Wang]]></dc:creator><pubDate>Sat, 16 Aug 2025 01:32:42 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!1hUL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F186b0429-3af7-4841-be05-0aa18023ef30_550x612.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Valued at approximately $108.6 billion in market capitalization, Texas-based CrowdStrike is a global cybersecurity leader. 
Despite a major incident in September 2024, when a flawed update to its Falcon Sensor security software impacted around 8.5 million Microsoft Windows systems worldwide and drove the stock down to $242.25, the company has demonstrated remarkable resilience, recovering nearly 81.4% from that low and reaffirming its strong position in the cybersecurity market.</p><p>For those who are not familiar with CrowdStrike, a pioneer in cloud-native endpoint protection and threat intelligence, the company has long been a category leader with its powerful Falcon platform and widespread enterprise adoption. As organizations face increasingly sophisticated cyber threats, the rise of hyper-work, and growing regulatory pressures, CrowdStrike is positioning itself as a critical control plane for proactive threat detection, response, and security operations across the modern enterprise.</p><h3><strong>Endpoint Protection and Threat Intelligence</strong></h3><p>Imagine your organization as a bustling modern city. Every computer, laptop, server, and mobile device is like a gate into that city. If these gates are left unguarded, thieves, vandals, and spies can easily sneak in. Endpoint Protection is like placing highly trained guards and smart locks at every gate: they watch for suspicious activity, stop intruders in their tracks, and make sure the city keeps running safely. These guards notice unusual attempts to open doors, strange tools being used, or abnormal patterns&#8212;basically anything that looks like a potential breach.</p><p>But having guards isn&#8217;t enough if the attackers constantly invent new tricks. That&#8217;s where Threat Intelligence comes in: it&#8217;s the city&#8217;s intelligence agency and reconnaissance network. It gathers information from across the globe about the latest tactics, tools, and targets that attackers are using. 
This intelligence is fed to the guards so they know what threats to expect, who&#8217;s likely to attack, and which tools are most dangerous, allowing them to stop threats before they even reach the gates.</p><p>In short: Endpoint Protection is the frontline warrior defending every gate, while Threat Intelligence is the scout and strategist feeding the warrior real-time information about the enemy. Together, they keep your city secure and your digital endpoints standing strong in an increasingly dangerous world.</p><h3><strong>Why do we talk about CrowdStrike</strong></h3><p>The reason I&#8217;d like to write about CrowdStrike is that only ten companies in the history of cybersecurity have over 1B in revenue, so it is worth knowing why. Now, let us dive into the company to see more details.</p><h3><strong>The founder&#8217;s journey</strong></h3><p>George Kurtz&#8217;s background gives me more encouragement to continue my journey in the cybersecurity area. Believe it or not, he actually started his career at PwC, one of the Big Four, as a CPA after he got his BS in accounting. In 1993, he moved into cybersecurity as a penetration tester because the firm established a security division to meet market needs. He later joined Ernst &amp; Young, where he continued penetration testing and helped develop internet security protocols and practices that remain part of the cybersecurity field. These experiences gave him deep insight into how attackers operate, the weaknesses of traditional security tools, and the growing need for proactive, intelligence-driven security.</p><p>In 2001, he co-founded Foundstone, a cybersecurity consulting and penetration testing firm that provided cutting-edge security services to Fortune 500 clients. 
Foundstone quickly became known for its expertise in vulnerability assessment, incident response, and risk management, and in 2004, Kurtz sold the company to McAfee.</p><p>At McAfee, Kurtz took on leadership roles in threat research and enterprise security, eventually becoming CTO and President of the Enterprise and Government Business. During this time, he witnessed the limitations of traditional endpoint security solutions: they were reactive, slow, and often insufficient against advanced, fast-moving threats. This insight planted the seed for his next bold move. After resigning from McAfee in 2011, Kurtz joined private equity firm Warburg Pincus as an "entrepreneur-in-residence," where he began developing the concept for a new cybersecurity venture.</p><h3><strong>Founding CrowdStrike</strong></h3><p>In 2012, as the cybersecurity industry remained largely confined to traditional defensive approaches, George Kurtz, together with Dmitri Alperovitch (co-founder and former VP of Threat Research at McAfee) and Gregg Marston, launched CrowdStrike with a bold, transformative vision: cloud-native, AI-powered cybersecurity capable of detecting, preventing, and responding to breaches in real time.&nbsp;</p><p>Drawing on their extensive experience in the field, they imagined a new paradigm, proactive defense, recognizing that conventional signature-based antivirus solutions could no longer keep pace with increasingly sophisticated attacks. This philosophy of &#8220;prevention over cure&#8221; became the foundation of CrowdStrike&#8217;s approach.&nbsp;</p><p>At the heart of the company&#8217;s innovation is the Falcon platform, which unites endpoint protection, threat intelligence, and proactive threat hunting, enabling organizations to detect and neutralize attacks faster and more effectively than ever before. 
</p><p>CrowdStrike&#8217;s management also stated that they had invented a new cybersecurity category called the &#8220;Security Cloud.&#8221; The Security Cloud was introduced to better counter modern hacker strategies while providing powerful backend support for the Falcon platform. Leveraging the scale of cloud computing and AI, the Security Cloud processes trillions of cybersecurity events every week, correlating them with attacks, threat intelligence, and enterprise data to generate actionable insights. These insights help identify shifts in adversary tactics and automatically detect and prevent threats across the entire customer base.</p><h3><strong>Product and Competition</strong></h3><p>By 2012, Falcon was rolling out pilot deployments to early adopters in tech, finance, and government, companies frustrated with traditional antivirus tools that couldn&#8217;t keep up with sophisticated attacks. The cloud-native design and proactive threat hunting made Falcon stand out, catching malware in real time and identifying suspicious background processes that other solutions often missed. </p><p>The core product Falcon Sensor actively monitors for these suspicious background processes and halts them before they can execute, preventing infections in real time. Unlike legacy endpoint protection, CrowdStrike&#8217;s cloud-native architecture leverages network effects, the more endpoints connected, the smarter its AI becomes at detecting malicious activity, including novel and evolving threats. By combining AI with IoA detection and scaling it across the cloud, Falcon continuously trains its threat models on data collected from countless endpoints worldwide.</p><p>Positive results quickly turned pilots into full-scale enterprise contracts, bringing in tech giants and large financial institutions willing to bet on the founders&#8217; expertise. 
In the following years, CrowdStrike expanded Falcon into a full-fledged Endpoint Protection Platform (EPP) with AI-driven Indicators of Attack (IoA) detection. By 2015, the launch of Falcon X integrated threat intelligence directly into the platform, providing real-time insights and attack attribution that helped organizations stay ahead of adversaries. Over the next few years, the Falcon platform grew its capabilities further with Falcon Discover, offering asset visibility and IT hygiene, and Falcon OverWatch, a human-led, AI-augmented threat hunting service.</p><p>CrowdStrike didn&#8217;t just innovate in software, it also strategically expanded through acquisitions. In 2020, the acquisition of Preempt Security brought identity protection and zero-trust capabilities to the platform. CrowdStrike CEO George Kurtz explained, &#8220;After completing the second round of the &#8216;100 Days, 100 Customers&#8217; tour (where I met with 100 customers and prospects in 100 days), I heard clearly that enterprises are looking for a modern, identity- and workload-centric zero-trust security strategy to serve as the foundation for their security transformation.&#8221; </p><p>After integrating with Preempt&#8217;s technology, CrowdStrike launched a new identity protection platform, Falcon Identity Protection, designed to safeguard employee identities and enable seamless zero-trust security for enterprises. Given that 80% of successful breaches involve compromised credentials, Falcon Identity Protection unifies identity threat detection with conditional access for both on-premises and cloud identities, helping organizations prevent attacks before they happen. </p><p>In 2021, the purchase of Humio integrated observability and log management, extending Falcon&#8217;s reach into cloud workloads and security analytics. 
In October 2021, CrowdStrike also announced the launch of its pioneering XDR module, providing real-time detection and automated response across the entire security stack. At the same time, it introduced Fusion, an automated workflow solution designed to enable a full SOAR (Security Orchestration, Automation, and Response) framework.</p><p>A year later, SecureCircle strengthened data protection, while Falcon Fusion added orchestration and automation to streamline security operations. After incorporating SecureCircle&#8217;s technology, CrowdStrike modernized its approach to data protection, extending its frictionless zero-trust model to frictionless data security. This enables customers to implement zero trust simultaneously across multiple layers&#8212;device, identity, and data&#8212;for comprehensive, end-to-end protection.</p><p>The crown jewel came in 2023, with the integration of Mandiant, bringing world-class threat intelligence, incident response, and consulting services under the CrowdStrike umbrella. This move transformed Falcon into a complete XDR ecosystem, connecting endpoint, network, and cloud telemetry with AI-driven detection and proactive response.</p><p>By integrating endpoint protection, threat intelligence, zero trust, XDR and cloud security into a single, AI-driven platform, CrowdStrike delivers comprehensive protection for modern enterprises. Its strengths lie in proactive detection, broad enterprise adoption, and continuous threat model improvement.</p><p>In 2024 Q4, CrowdStrike&#8217;s CEO confirmed the company&#8217;s platformization strategy once more: "As you can imagine, last week I heard a lot of talk about 'platformization.' To me, it&#8217;s a bit of a buzzword. But what I believe our competitors are really talking about is bundling, discounts, and giving away products for free, something that&#8217;s not new in software or security software; it&#8217;s been happening for the past 30 years. 
So, when we look back at past collaborations with other vendors, we know that &#8216;free&#8217; is never really free. Users end up with more hosts, more point products masquerading as a platform, leaving their environments exhausted. One thing we&#8217;ve always focused on is that a single-agent architecture, a single platform, and a single console enable us to prevent violations. More importantly, it reduces operational costs while addressing many use cases, or solving multiple use cases at once." This strategy significantly reduces operating costs and provides more value to the customer.</p><p>So far, the market CrowdStrike operates in is still a good business. According to Gartner and IDC reports, the global EPP market was valued around $11&#8211;13B in 2024. It&#8217;s projected to grow at a CAGR of 10&#8211;12%, potentially reaching $20B+ by 2028&#8211;2030, driven by cloud adoption, hybrid work, and AI-enabled threats.</p><p>Picture today&#8217;s enterprise battlefield: hybrid workforces, cloud workloads, and AI-driven applications, constantly under attack from increasingly sophisticated adversaries. In this landscape, CrowdStrike has emerged as a category-defining leader, consistently recognized in Gartner&#8217;s 2025 Endpoint Protection Platforms (EPP) quadrant for its combination of vision and execution.</p><p>It has also carved out a leadership position in cybersecurity by focusing on Indicators of Attack (IoA) rather than relying solely on traditional signature-based detection. While threats such as malware, ransomware, phishing, and spear phishing come in countless variants, they all share one fundamental requirement: to execute, they must run processes that leave identifiable patterns. 
These patterns may manifest as changes to Windows registry entries, creation of new user accounts, or initiation of encryption routines on a host.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!1hUL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F186b0429-3af7-4841-be05-0aa18023ef30_550x612.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!1hUL!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F186b0429-3af7-4841-be05-0aa18023ef30_550x612.png 424w, https://substackcdn.com/image/fetch/$s_!1hUL!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F186b0429-3af7-4841-be05-0aa18023ef30_550x612.png 848w, https://substackcdn.com/image/fetch/$s_!1hUL!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F186b0429-3af7-4841-be05-0aa18023ef30_550x612.png 1272w, https://substackcdn.com/image/fetch/$s_!1hUL!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F186b0429-3af7-4841-be05-0aa18023ef30_550x612.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!1hUL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F186b0429-3af7-4841-be05-0aa18023ef30_550x612.png" width="550" height="612" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/186b0429-3af7-4841-be05-0aa18023ef30_550x612.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:612,&quot;width&quot;:550,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:74239,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://wickey.substack.com/i/171073966?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F186b0429-3af7-4841-be05-0aa18023ef30_550x612.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!1hUL!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F186b0429-3af7-4841-be05-0aa18023ef30_550x612.png 424w, https://substackcdn.com/image/fetch/$s_!1hUL!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F186b0429-3af7-4841-be05-0aa18023ef30_550x612.png 848w, https://substackcdn.com/image/fetch/$s_!1hUL!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F186b0429-3af7-4841-be05-0aa18023ef30_550x612.png 1272w, https://substackcdn.com/image/fetch/$s_!1hUL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F186b0429-3af7-4841-be05-0aa18023ef30_550x612.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>If you use end point security key metrics to evaluate the CrowdStrike product, you will understand why it is on the top of the Gartner chart:</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!veaf!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F524b2e32-7045-42a4-b75d-c70c03cada91_1170x896.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!veaf!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F524b2e32-7045-42a4-b75d-c70c03cada91_1170x896.png 424w, 
https://substackcdn.com/image/fetch/$s_!veaf!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F524b2e32-7045-42a4-b75d-c70c03cada91_1170x896.png 848w, https://substackcdn.com/image/fetch/$s_!veaf!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F524b2e32-7045-42a4-b75d-c70c03cada91_1170x896.png 1272w, https://substackcdn.com/image/fetch/$s_!veaf!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F524b2e32-7045-42a4-b75d-c70c03cada91_1170x896.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!veaf!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F524b2e32-7045-42a4-b75d-c70c03cada91_1170x896.png" width="1170" height="896" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/524b2e32-7045-42a4-b75d-c70c03cada91_1170x896.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:896,&quot;width&quot;:1170,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:160761,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://wickey.substack.com/i/171073966?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F524b2e32-7045-42a4-b75d-c70c03cada91_1170x896.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" 
srcset="https://substackcdn.com/image/fetch/$s_!veaf!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F524b2e32-7045-42a4-b75d-c70c03cada91_1170x896.png 424w, https://substackcdn.com/image/fetch/$s_!veaf!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F524b2e32-7045-42a4-b75d-c70c03cada91_1170x896.png 848w, https://substackcdn.com/image/fetch/$s_!veaf!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F524b2e32-7045-42a4-b75d-c70c03cada91_1170x896.png 1272w, https://substackcdn.com/image/fetch/$s_!veaf!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F524b2e32-7045-42a4-b75d-c70c03cada91_1170x896.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" 
stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>If you compare CrowdStrike to its competitors, some very interesting points emerge:</p><ol><li><p><strong>IoA &amp; Proactive Defense Leaders: </strong>CrowdStrike and SentinelOne are the most aggressive in AI-powered, proactive detection. CrowdStrike adds managed hunting (OverWatch) and global AI network effects, giving it an edge in preventing zero-day threats. Palo Alto&#8217;s Cortex XDR also offers strong behavioral analytics but is broader across network and cloud security.</p></li><li><p><strong>Cloud-Native Advantage: </strong>CrowdStrike, SentinelOne, and Palo Alto leverage SaaS models for continuous AI updates, threat intel sharing, and scalable deployment. Legacy vendors like McAfee and Trend Micro rely more on hybrid or on-prem options.</p></li><li><p><strong>Enterprise Adoption &amp; Ecosystem: </strong>CrowdStrike&#8217;s Falcon platform benefits from rapid adoption, creating network effects for AI learning. 
Microsoft Defender benefits from OS-level integration and enterprise ubiquity, while Palo Alto benefits from multi-layered security integration.</p></li></ol><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!k-vL!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe87f54c8-a8e4-4ec0-aac3-2893b9828b5f_2080x760.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!k-vL!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe87f54c8-a8e4-4ec0-aac3-2893b9828b5f_2080x760.png 424w, https://substackcdn.com/image/fetch/$s_!k-vL!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe87f54c8-a8e4-4ec0-aac3-2893b9828b5f_2080x760.png 848w, https://substackcdn.com/image/fetch/$s_!k-vL!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe87f54c8-a8e4-4ec0-aac3-2893b9828b5f_2080x760.png 1272w, https://substackcdn.com/image/fetch/$s_!k-vL!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe87f54c8-a8e4-4ec0-aac3-2893b9828b5f_2080x760.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!k-vL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe87f54c8-a8e4-4ec0-aac3-2893b9828b5f_2080x760.png" width="1456" height="532" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e87f54c8-a8e4-4ec0-aac3-2893b9828b5f_2080x760.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:532,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:325135,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://wickey.substack.com/i/171073966?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe87f54c8-a8e4-4ec0-aac3-2893b9828b5f_2080x760.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!k-vL!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe87f54c8-a8e4-4ec0-aac3-2893b9828b5f_2080x760.png 424w, https://substackcdn.com/image/fetch/$s_!k-vL!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe87f54c8-a8e4-4ec0-aac3-2893b9828b5f_2080x760.png 848w, https://substackcdn.com/image/fetch/$s_!k-vL!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe87f54c8-a8e4-4ec0-aac3-2893b9828b5f_2080x760.png 1272w, https://substackcdn.com/image/fetch/$s_!k-vL!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe87f54c8-a8e4-4ec0-aac3-2893b9828b5f_2080x760.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>In short, CrowdStrike has rewritten the rules of endpoint security. It is no longer about reacting after breaches occur, it&#8217;s about predicting, preventing, and responding faster than attackers can adapt, making CrowdStrike the go-to solution for enterprises navigating the complex and evolving threats of today&#8217;s digital world.</p><h3><strong>Pricing Model</strong></h3><p>When CrowdStrike first started thinking about how to price its Falcon platform, the team knew one thing: cybersecurity isn&#8217;t one-size-fits-all. Organizations vary, from small startups with minimal IT staff to global enterprises managing thousands of endpoints across multiple continents. 
So CrowdStrike built a model that could grow with a customer&#8217;s needs, while keeping the value clear at every step.</p><p>At the entry level, Falcon Pro gives small and medium-sized businesses the essentials: strong endpoint protection, threat intelligence, and easy deployment for teams with limited IT resources. It&#8217;s like having a security guard who never sleeps, at a cost that won&#8217;t break the budget.</p><p>As organizations grow, Falcon Enterprise steps in, offering advanced threat detection, incident response, and visibility across complex IT environments. Financial institutions, healthcare providers, and other high-security industries rely on this tier to meet compliance requirements and protect sensitive data, because in these industries, even a single breach can cost millions.</p><p>For large enterprises that need proactive defense, Falcon Premium goes beyond reactive security. It provides automated IT hygiene, vulnerability scanning, and rapid response tools, helping IT teams find and stop threats before they can cause damage. It&#8217;s the difference between reacting to fires and preventing them.</p><p>At the top of the line is Falcon Complete, a fully managed service where CrowdStrike&#8217;s experts handle detection, threat hunting, and response 24/7. 
This is for high-risk organizations, think government, defense, and top-tier finance, that want absolute certainty their assets are safe, while freeing internal teams to focus on strategic priorities.</p><p>If you map the customer groups to its core product packages, you will see the clear picture:</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!XHDu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf3909c-9ce4-471c-ab44-4d7aa2e815f4_682x762.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!XHDu!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf3909c-9ce4-471c-ab44-4d7aa2e815f4_682x762.png 424w, https://substackcdn.com/image/fetch/$s_!XHDu!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf3909c-9ce4-471c-ab44-4d7aa2e815f4_682x762.png 848w, https://substackcdn.com/image/fetch/$s_!XHDu!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf3909c-9ce4-471c-ab44-4d7aa2e815f4_682x762.png 1272w, https://substackcdn.com/image/fetch/$s_!XHDu!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf3909c-9ce4-471c-ab44-4d7aa2e815f4_682x762.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!XHDu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf3909c-9ce4-471c-ab44-4d7aa2e815f4_682x762.png" width="682" height="762" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1bf3909c-9ce4-471c-ab44-4d7aa2e815f4_682x762.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:762,&quot;width&quot;:682,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:288996,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://wickey.substack.com/i/171073966?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf3909c-9ce4-471c-ab44-4d7aa2e815f4_682x762.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!XHDu!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf3909c-9ce4-471c-ab44-4d7aa2e815f4_682x762.png 424w, https://substackcdn.com/image/fetch/$s_!XHDu!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf3909c-9ce4-471c-ab44-4d7aa2e815f4_682x762.png 848w, https://substackcdn.com/image/fetch/$s_!XHDu!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf3909c-9ce4-471c-ab44-4d7aa2e815f4_682x762.png 1272w, https://substackcdn.com/image/fetch/$s_!XHDu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1bf3909c-9ce4-471c-ab44-4d7aa2e815f4_682x762.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" 
height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h3><strong>Target Customers and GTM Strategy </strong></h3><p>CrowdStrike currently serves over 24,000 customers, including a large portion of the Global 500, such as Tesla, Microsoft, and Amazon. Its reach spans diverse industries, from airlines and broadcasters to banks and healthcare organizations, demonstrating the platform&#8217;s broad adoption and trust across critical sectors.</p><p>From small and medium-sized businesses to massive multinational enterprises, Falcon protects organizations that value cybersecurity as a strategic asset. 
Its story is one of trust, innovation, and relentless defense, a narrative where every endpoint is a frontline, and CrowdStrike ensures its clients are always ready for what&#8217;s next.</p><p>From a go-to-market perspective, CrowdStrike&#8217;s Falcon platform has earned multiple awards from leading research and consulting firms and consistently achieved top scores in independent cybersecurity tests, cementing its reputation as a best-in-class solution. The company also became the first cloud-native independent software vendor (ISV) to surpass $1 billion in software sales through AWS Marketplace, highlighting its innovative approach to distribution. By 2025, CrowdStrike&#8217;s annual recurring revenue (ARR) reached $3.15 billion, up 35% year-over-year, demonstrating the strength of its GTM strategy. This success is driven by several key factors:</p><p>First, CrowdStrike&#8217;s data collection advantage allows it to continually deliver high-quality security services: every new customer contributes high-fidelity data to its Security Cloud, improving detection, prevention, and response capabilities for the entire platform.</p><p>Second, the platform benefits from strong network effects: as more endpoints connect, the system becomes smarter, accelerating AI training and threat intelligence.</p><p>Third, customer stickiness reinforces growth: the deeper an organization&#8217;s investment in Falcon, the higher the cost of switching, encouraging long-term engagement.</p><p>Finally, CrowdStrike continuously leverages this data to optimize and evolve its solutions, ensuring that Falcon adapts to the ever-changing threat landscape. 
Together, these factors form a virtuous cycle that drives rapid adoption, sustainable growth, and market leadership.</p><h3>Quick Financial Check</h3><p>A great product and go-to-market strategy lead to a good funding history and good financials as well:</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!h08i!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0f023a85-b5b9-4240-bc38-39c846689054_1362x822.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!h08i!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0f023a85-b5b9-4240-bc38-39c846689054_1362x822.png 424w, https://substackcdn.com/image/fetch/$s_!h08i!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0f023a85-b5b9-4240-bc38-39c846689054_1362x822.png 848w, https://substackcdn.com/image/fetch/$s_!h08i!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0f023a85-b5b9-4240-bc38-39c846689054_1362x822.png 1272w, https://substackcdn.com/image/fetch/$s_!h08i!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0f023a85-b5b9-4240-bc38-39c846689054_1362x822.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!h08i!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0f023a85-b5b9-4240-bc38-39c846689054_1362x822.png" width="1362" height="822" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0f023a85-b5b9-4240-bc38-39c846689054_1362x822.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:822,&quot;width&quot;:1362,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:129249,&quot;alt&quot;:&quot;&quot;,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://wickey.substack.com/i/171073966?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0f023a85-b5b9-4240-bc38-39c846689054_1362x822.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" title="" srcset="https://substackcdn.com/image/fetch/$s_!h08i!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0f023a85-b5b9-4240-bc38-39c846689054_1362x822.png 424w, https://substackcdn.com/image/fetch/$s_!h08i!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0f023a85-b5b9-4240-bc38-39c846689054_1362x822.png 848w, https://substackcdn.com/image/fetch/$s_!h08i!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0f023a85-b5b9-4240-bc38-39c846689054_1362x822.png 1272w, https://substackcdn.com/image/fetch/$s_!h08i!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0f023a85-b5b9-4240-bc38-39c846689054_1362x822.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" 
width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Financially, the company has seen robust expansion, with annual recurring revenue (ARR) reaching $3.15 billion, a 35% increase year-over-year, reflecting strong subscription growth and the stickiness of the Falcon platform. Total revenue for FY2025 reached $2.88 billion, growing roughly 37% compared to the prior year. CrowdStrike maintains healthy gross margins around 76&#8211;77%, highlighting the efficiency of its cloud-native, SaaS-first model. Its $1.5 billion in cash reserves positions the company to continue investing in platform expansion and M&amp;A opportunities.</p><p>The real power behind CrowdStrike&#8217;s financial performance comes from its Security Cloud and network effects. 
Every new customer adds high-fidelity data to the platform, improving threat detection and fueling Falcon&#8217;s AI-driven capabilities. This virtuous cycle not only strengthens the product but also drives high customer retention, expansion, and cross-sell opportunities, ensuring that CrowdStrike&#8217;s growth story is far from finished.</p><h2>What's Next for CrowdStrike?</h2><p>CrowdStrike has come a long way from its early days as a cloud-native endpoint protection startup. But the journey is far from over. Today, the company is pivoting from being just an endpoint security provider to becoming a holistic, intelligence-driven cybersecurity platform that protects identities, workloads, endpoints, and data&#8212;all under the umbrella of its Security Cloud.</p><p>The next chapter for CrowdStrike centers around three key pillars:</p><ol><li><p>Expanding Identity and Data Protection<br>With the acquisition of Preempt and SecureCircle, CrowdStrike is now deepening its zero-trust offerings. Falcon Identity Protection and data-centric zero-trust extend protection beyond endpoints, ensuring that compromised credentials or sensitive data don&#8217;t become vectors for attacks. The goal is clear: provide frictionless, multi-layered security across devices, identities, and data.</p></li><li><p>Strengthening AI and XDR Capabilities<br>CrowdStrike&#8217;s proactive defense philosophy, combining Indicators of Attack (IoA), AI-powered models, and Falcon OverWatch&#8217;s managed threat hunting, will evolve further. New modules in XDR and Fusion automation promise real-time, cross-stack threat detection and response, helping organizations anticipate and neutralize attacks before damage occurs.</p></li><li><p>Global Scaling and Platformization<br>CrowdStrike aims to turn its network effect into a competitive moat. Every new endpoint, identity, or workload added to the Falcon platform enriches the Security Cloud, providing smarter threat intelligence for all customers. 
The company is also working to simplify deployment for global enterprises, integrating multiple security layers into a single agent, console, and operational workflow, reducing costs while expanding coverage.</p></li></ol><p>In essence, CrowdStrike&#8217;s future isn&#8217;t just about stopping malware, it&#8217;s about shaping a unified, AI-driven, cloud-scale security ecosystem where customers can trust their endpoints, identities, and data are protected, while the platform continually learns and adapts to an ever-changing threat landscape.</p><h3>Conclusion:</h3><p>Today, CrowdStrike has elevated its platform beyond traditional endpoint protection, positioning itself as a comprehensive SaaS-based solution that integrates endpoint security, threat intelligence, and cloud protection. </p><p>For organizations navigating hybrid workforces, cloud workloads, and increasingly sophisticated adversaries, CrowdStrike offers more than protection, it provides visibility, intelligence, and assurance that every endpoint, identity, and byte of data is continuously monitored and defended. 
As the cybersecurity landscape evolves, CrowdStrike&#8217;s platform-centric strategy and innovation-driven culture suggest that the company is not only prepared to defend against today&#8217;s threats but also to anticipate and neutralize tomorrow&#8217;s challenges, solidifying its leadership and influence for years to come.</p><p></p>]]></content:encoded></item><item><title><![CDATA[Cyber Talk-3 From Spreadsheet to Unicorn: How Vanta is Revolutionizing Security Compliance]]></title><description><![CDATA[Vanta&#8217;s Journey to Transform the GRC Industry]]></description><link>https://wickey.substack.com/p/cyber-talk-3-from-spreadsheet-to</link><guid isPermaLink="false">https://wickey.substack.com/p/cyber-talk-3-from-spreadsheet-to</guid><dc:creator><![CDATA[Wickey Wang]]></dc:creator><pubDate>Mon, 07 Jul 2025 02:12:35 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!wBv4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd285122a-e6e6-465c-809c-a644a4bbb18d_1212x1194.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p></p><h1><strong>Why we talk about this company:</strong></h1><p>Compliance has always been a rigid demand in the security field. Vanta, founded by Christina Cacioppo in 2017, is a textbook market disruptor. It shortened an entire category of security audits from several months to just a few weeks, transforming the industry&#8217;s cost structure and reducing prices by up to 90%. As such, we want to talk about this startup.</p>
<h1><strong>What is Cybersecurity Compliance (GRC):</strong></h1><p>First of all, for those of you who are not familiar with cybersecurity compliance, GRC stands for Governance, Risk, and Compliance. It&#8217;s an integrated approach organizations use to align business objectives with risk management and regulatory requirements, while establishing clear accountability.</p><p>Imagine you&#8217;re running a big ship sailing across the ocean.</p><p><strong>Governance (G)</strong> is like your ship&#8217;s captain and navigation plans. The captain sets the destination, makes sure everyone knows their role, and ensures the crew follows rules (policies, etc.) so the ship stays on course.</p><p><strong>Risk (R)</strong> is like watching for storms, icebergs, or pirates. You and your crew constantly check what could go wrong, set priorities (risk ratings), plan how to deal with each risk, and decide how to respond if something happens.</p><p><strong>Compliance (C)</strong> is like following international maritime laws and port regulations. If you don&#8217;t follow these rules, you might get fined, banned from ports, or even have your ship seized. So you make sure your paperwork is right, your safety gear meets standards, and you&#8217;re operating legally. This part involves a lot of interaction with different security groups and external auditors.</p><p>With clear governance, careful risk management, and good compliance, you reach your destination safely, avoid unnecessary problems, and keep everyone confident in your leadership. 
Some examples of cybersecurity GRC-related frameworks:</p><ul><li><p>SOC 2 (Service Organization Controls 2)</p></li><li><p>ISO/IEC 27001 (information security management)</p></li><li><p>HIPAA (healthcare privacy and security)</p></li><li><p>GDPR (EU data protection regulation)</p></li><li><p>CMMC (for contractors working with U.S. DoD)</p></li><li><p>SOX (protects shareholders, employees, and the public by making sure companies report their financial information honestly)</p></li></ul><h1><strong>The Founder&#8217;s Journey:</strong></h1><p>As the daughter of two professors in Ohio, Christina Cacioppo&#8217;s original ambition was to follow in their footsteps to become a professor by the time she was 20 or 21. While majoring in economics at Stanford, Cacioppo began to feel confused about that goal. She felt frustrated that all the work she did ended with just a paper, so she started searching for a new way to find her path. As a result, she joined Union Square Ventures (USV) as their newest analyst to explore a new world. The analyst job gave her a good grasp of what a good business looks like.</p><p>Before she started Vanta, Cacioppo wasn&#8217;t sure what the business should actually be. &#8220;Very few people can walk into a dark room and come out with a great idea. That wasn&#8217;t me,&#8221; she said. Cacioppo decided she would learn by doing, and she started by teaching herself to code, then built tools that might help others. On her personal website, you can find dozens of side projects she tried at different points, demonstrating her remarkable resilience and resourcefulness. 
Although most of the projects were not successful, she learned something important: &#8220;The vast majority of what you build only serves to teach you how to make a small part of it truly take off.&#8221;</p><h1><strong>Founding Vanta:</strong></h1><p>After several attempts to start her own business without a workable result, she joined Dropbox as a junior product manager. Cacioppo was quickly given authority, and she managed and grew the product manager team from fewer than 10 employees to 80. While she was responsible for the product Paper, Cacioppo reached out to the company&#8217;s customer success managers, hoping to distribute Paper to companies already using or about to sign up for Dropbox. Dropbox&#8217;s legal team explained to Cacioppo that while Dropbox itself had gone through various security validations, Paper had not. They told her it hadn&#8217;t undergone penetration testing and wasn&#8217;t SOC 2 compliant.</p><p>This was the first time she learned what SOC 2 was. Later on, when she talked to several people and tried to start a new business, she noted that traditional security audits were slow (often taking months), expensive (costing six figures), and painful for both small startups and growing companies. Security and compliance were supposed to help businesses build trust, but the process itself was broken and outdated.</p><p>From those conversations, she also noticed something surprising: even the most innovative startups struggled when it came time to prove they were secure enough to handle customer data, especially when big customers demanded SOC 2 compliance, a critical security certification.</p><p>Once the idea came, the action followed. The first MVP was an Excel spreadsheet with a standardized SOC 2 process, which she sent to a friend at the email collaboration startup Front. To her surprise, it worked very well. Soon, other companies began reaching out. 
They had heard about the spreadsheet and wanted to use it for their own SOC 2 processes. The first try made it clear that SOC 2 could be standardized and that there was strong demand for it. It was time to double down.</p><p>In 2017, Christina founded Vanta and enrolled in Y Combinator with a bold goal: automate security monitoring and simplify compliance so companies could get certified in weeks, not months, and at a fraction of the cost.</p><h1><strong>Product and Competitor:</strong></h1><p>In its early days, the company kept a low profile, quietly gaining traction so that additional competitors would not discover this cash cow business. Before raising its Series A from Sequoia Capital, Cacioppo and her team had already reached $10 million in revenue, achieved explosive customer growth, and established themselves as the industry benchmark. Sequoia led this round, underscoring investors&#8217; confidence in the company. In Sequoia&#8217;s mind, a leader in an emerging market ranks first. This is because 50% of the revenue, 75% of the profits, and 80% of the eventual market value go to the market leader. Vanta has these characteristics.</p><p>By leveraging technology, Vanta dramatically reduced the cost of SOC 2 certification, and later expanded its product line to include ISO 27001, HIPAA, GDPR, and PCI DSS.</p><p>The product concept is simple: it first connects to a company&#8217;s services, including platforms like AWS, Heroku, Google Workspace, Slack, Datadog, Linear, Asana, Gusto, and more. Vanta&#8217;s solution monitors these tools and runs checks to ensure they&#8217;re securely configured. It does this without creating friction for employees while building an internal map of the organization&#8217;s data practices.</p><p>Using this information, Vanta can assess audit readiness and identify security gaps that need to be addressed. 
It can also sync with existing processes.</p><p>Recently, the company launched AI-powered questionnaire automation services and has been gradually evolving into a trust center and broader security tools platform.</p><p>Another formidable player in this space is Drata, which recently acquired the trust center company SafeBase and is also growing rapidly. See the competitor analysis summary below for more details:</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wBv4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd285122a-e6e6-465c-809c-a644a4bbb18d_1212x1194.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!wBv4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd285122a-e6e6-465c-809c-a644a4bbb18d_1212x1194.png 424w, https://substackcdn.com/image/fetch/$s_!wBv4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd285122a-e6e6-465c-809c-a644a4bbb18d_1212x1194.png 848w, https://substackcdn.com/image/fetch/$s_!wBv4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd285122a-e6e6-465c-809c-a644a4bbb18d_1212x1194.png 1272w, https://substackcdn.com/image/fetch/$s_!wBv4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd285122a-e6e6-465c-809c-a644a4bbb18d_1212x1194.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!wBv4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd285122a-e6e6-465c-809c-a644a4bbb18d_1212x1194.png" width="1212" height="1194" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d285122a-e6e6-465c-809c-a644a4bbb18d_1212x1194.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1194,&quot;width&quot;:1212,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:193712,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://wickey.substack.com/i/167687303?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd285122a-e6e6-465c-809c-a644a4bbb18d_1212x1194.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!wBv4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd285122a-e6e6-465c-809c-a644a4bbb18d_1212x1194.png 424w, https://substackcdn.com/image/fetch/$s_!wBv4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd285122a-e6e6-465c-809c-a644a4bbb18d_1212x1194.png 848w, https://substackcdn.com/image/fetch/$s_!wBv4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd285122a-e6e6-465c-809c-a644a4bbb18d_1212x1194.png 1272w, https://substackcdn.com/image/fetch/$s_!wBv4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd285122a-e6e6-465c-809c-a644a4bbb18d_1212x1194.png 1456w" 
sizes="100vw" loading="lazy"></picture></div></a></figure></div><h1>Target customers:</h1><p>When a fast-growing startup lands its first big enterprise customer, excitement often turns to anxiety the moment the security requirement arrives. That&#8217;s when Vanta&#8217;s ideal customers realize they need help: early-stage and growth-stage tech companies, who suddenly face enterprise-grade security demands but don&#8217;t have the time, resources, or expertise to navigate complex compliance requirements like SOC 2 or ISO 27001. 
</p><p>The majority of these companies are cloud-native, using AWS, GCP, or Azure, and modern tools like Slack, GitHub, and Google Workspace. They are small, with simple IT and security environments, and may not yet need a full-time GRC or security employee. Vanta steps in to automate evidence collection, continuously monitor controls, and simplify audits, giving these startups the certifications they need to unlock larger deals and scale faster.</p><p>But it&#8217;s not just startups: Vanta also attracts mid-market companies expanding their cloud footprint, and regulated businesses in fintech or healthtech where frameworks like HIPAA and PCI DSS are mandatory. For all of them, Vanta becomes the key to turning painful, slow compliance into a competitive advantage, building trust with customers while saving time and cost.</p><h1><strong>Core GTM Approach:</strong></h1><p>Vanta focuses on easy onboarding and a simple trial experience, letting startups quickly connect their cloud services and see compliance progress. This self-serve motion helps capture SMB and early-stage customers without heavy sales overhead. It also counts auditing firms as &#8220;market friends&#8221; and partners with accounting firms, audit firms (e.g., Insight Assurance), and VC/accelerator programs (e.g., YC). These partners refer startups that need compliance to Vanta, embedding it early in customers&#8217; growth journeys.</p><p>Vanta also demonstrates strong thought leadership through blogs, guides, webinars, and security checklists that demystify SOC 2 and ISO 27001 for non-experts, positioning itself as the go-to compliance authority.</p><h1>Team culture and funding:</h1><p>Cacioppo has already built an impressive team with diverse talents. &#8220;She has a true growth mindset,&#8221; her investor said. Her personal character has shaped the company culture. Sarah Scharf shared, &#8220;It&#8217;s an incredibly kind company. 
Everyone who works here is generally a good person and willing to help.&#8221; Product lead Boris Logvinsky highlighted the existence of a &#8220;no assholes rule,&#8221; while also noting a pervasive, charming nerdiness among the team.</p><p>With a booming market for cybersecurity and regulatory compliance, a visionary founder with a proven track record, and a product strategy evolving from point solution to comprehensive trust platform, investors see Vanta as a category leader poised for massive, recurring revenue growth. As a result, Vanta became a unicorn startup and steadily climbed from a $3M seed to a $150M Series C in 7/2024, supported by top-tier investors and reaching a $2.45&#8239;B valuation, signaling strong market confidence in its mission to redefine compliance and trust management. (The investor list includes Pear VC, Sequoia Capital, Craft Ventures, CrowdStrike V, Goldman Sachs, J.P. Morgan, Atlassian Ventures, HubSpot Ventures, Workday Ventures, and Y Combinator, among others.)</p><h1>What is next?</h1><p>The story of Vanta continues. Vanta is evolving rapidly beyond its roots in SOC 2 automation, positioning itself as an AI-driven trust management platform that can handle comprehensive security, compliance, and vendor risk needs. Strategically, Vanta is leveraging its $150 million Series C funding to expand globally into markets like the UK and Australia, while moving up-market to serve larger enterprises with complex compliance demands, and it may extend into the audit area. By combining advanced AI capabilities with a broadened GRC offering, Vanta aims to solidify its role as the default platform for fast, efficient, and scalable compliance worldwide.</p><h1><strong>Conclusion</strong></h1><p>Vanta&#8217;s journey shows how a deep understanding of customer pain points, combined with relentless iteration, can transform an outdated industry. 
What started as a simple spreadsheet to help friends has become a category-defining platform, changing the way companies achieve and maintain security compliance. Vanta&#8217;s evolution, from automating SOC 2 to becoming an AI-powered trust management suite, demonstrates both the founder&#8217;s adaptability and the massive, ongoing demand for modern, streamlined compliance solutions. </p><p>As more businesses move to the cloud and face growing regulatory complexity, Vanta is positioned not just as a tool for startups, but as an essential partner for organizations of all sizes aiming to build trust with customers quickly and cost-effectively. Ultimately, Vanta&#8217;s story is a reminder that in industries resistant to change, there are always opportunities for bold innovators willing to rethink the status quo&#8212;and that those who solve problems with clarity, empathy, and precision can redefine entire markets.</p><p><em>Four key takeaways from this company:</em></p><ol><li><p><em>Highly profitable industries with little incentive for innovation can be prime opportunities for disruption.</em></p></li><li><p><em>Once someone realizes it&#8217;s a good business, how big an edge can you achieve if you pursue it?</em></p></li><li><p><em>The core commercial need behind a good product is trust, delivered simply, elegantly, and cost-effectively. The model: better, faster, cheaper.</em></p></li><li><p><em>The founder&#8217;s flexibility and growth mindset: Cacioppo not only invented a category from scratch, but at various stages of Vanta&#8217;s growth, she took on different roles, including overseeing finance, sales, and partnerships. 
She also built an impressive, diverse team, and many describe her as embodying a true growth mindset.</em></p></li></ol>]]></content:encoded></item><item><title><![CDATA[Cyber Talk-2 From VPN Killer to Zero Trust Platform: The Zscaler Evolution]]></title><description><![CDATA[Zscaler, a pioneer in Zero Trust and cloud-native security]]></description><link>https://wickey.substack.com/p/from-vpn-killer-to-zero-trust-platform</link><guid isPermaLink="false">https://wickey.substack.com/p/from-vpn-killer-to-zero-trust-platform</guid><dc:creator><![CDATA[Wickey Wang]]></dc:creator><pubDate>Sat, 21 Jun 2025 01:00:47 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c613d43-fd41-4bdb-bb7b-a5ca0e1b1aac_590x590.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>From VPN Killer to Zero Trust Platform: The Zscaler Evolution</strong></p><p>On 5/27/2025, cloud security provider Zscaler agreed to acquire software company Red Canary for an undisclosed sum. 
The deal will see Zscaler create a "unified, agentic Security Operations Center that combines AI-driven workflows with human expertise."</p><p>For those who are not familiar with it, Zscaler, a pioneer in Zero Trust and cloud-native security, has long been a category leader with its robust platform and deep enterprise adoption. But the company&#8217;s story is no longer just about early innovation; it&#8217;s about strategic expansion. As enterprises shift toward hybrid work, AI workloads, and zero trust architectures, Zscaler is positioning itself as a critical control plane for secure digital transformation.</p><h3><strong>Why do we talk about Zscaler?</strong></h3><p>I&#8217;d like to write about Zscaler because only ten companies in the history of cybersecurity have over 1B in revenue; in the past 15 years, the number is three, and Zscaler is one of them. If Zscaler makes it to the top ten in history, it must have done something right. 
Now, let us dive into the company in more detail.</p><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!lB86!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb44260e2-7fd8-42b3-a59c-3ef9a6dfe861_340x126.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!lB86!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb44260e2-7fd8-42b3-a59c-3ef9a6dfe861_340x126.png 424w, https://substackcdn.com/image/fetch/$s_!lB86!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb44260e2-7fd8-42b3-a59c-3ef9a6dfe861_340x126.png 848w, https://substackcdn.com/image/fetch/$s_!lB86!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb44260e2-7fd8-42b3-a59c-3ef9a6dfe861_340x126.png 1272w, https://substackcdn.com/image/fetch/$s_!lB86!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb44260e2-7fd8-42b3-a59c-3ef9a6dfe861_340x126.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!lB86!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb44260e2-7fd8-42b3-a59c-3ef9a6dfe861_340x126.png" width="340" height="126" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b44260e2-7fd8-42b3-a59c-3ef9a6dfe861_340x126.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:126,&quot;width&quot;:340,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:13215,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://wickey.substack.com/i/166374280?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb44260e2-7fd8-42b3-a59c-3ef9a6dfe861_340x126.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!lB86!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb44260e2-7fd8-42b3-a59c-3ef9a6dfe861_340x126.png 424w, https://substackcdn.com/image/fetch/$s_!lB86!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb44260e2-7fd8-42b3-a59c-3ef9a6dfe861_340x126.png 848w, https://substackcdn.com/image/fetch/$s_!lB86!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb44260e2-7fd8-42b3-a59c-3ef9a6dfe861_340x126.png 1272w, https://substackcdn.com/image/fetch/$s_!lB86!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb44260e2-7fd8-42b3-a59c-3ef9a6dfe861_340x126.png 1456w" sizes="100vw" fetchpriority="high"></picture><div></div></div></a></figure></div><p></p><h3><strong>The Founder&#8217;s Journey</strong></h3><p>Jay Chaudhry was born in Panoh, a remote village tucked away in the hills of Himachal Pradesh, India. 
The village had no electricity, no running water, just grit, community, and a quiet determination. That same determination would define Jay&#8217;s life.</p><p>After earning his undergraduate degree in electronics engineering from IIT-BHU, one of India&#8217;s top technical institutes, he left for the United States to pursue his ambitions, where he pursued not one but three master&#8217;s degrees at the University of Cincinnati, in industrial engineering, computer engineering, and marketing, equipping himself with a rare combination of technical depth and business insight.</p><p>Jay spent his early career in the corporate world at IBM, Unisys, and NCR, gaining hands-on experience across engineering, sales, and leadership. But he wasn't destined to stay in the comfort of corporate halls. In 1996, alongside his wife, he launched SecureIT, a cybersecurity startup well ahead of its time. It was the first of several bold bets. Over the next decade, Jay would ride the roller coaster through the full life of three other startups, CipherTrust, CoreHarbor, and AirDefense, selling them to industry giants like VeriSign, Secure Computing, and Motorola.</p><h3><strong>Founding Zscaler</strong></h3><p>The right person was waiting for the next big opportunity, and it came in 2007. That year, the U.S. internet landscape was booming. The internet was experiencing explosive growth, bringing a surge of most of the dominant .com companies we know today and tons of shared resources. Alongside this growth came a wave of web-based threats: botnets, malicious content, and phishing attacks proliferated rapidly.</p><p>In this suddenly hostile and increasingly complex security environment, traditional on-prem security gateways used by distributed enterprises began to fall short. The emerging risks sharpened Jay&#8217;s conviction: the future of security wouldn&#8217;t be built on hardware boxes; it would live in the cloud. That conviction became Zscaler. 
As a successful entrepreneur, Jay knew that one tree does not make a forest, so he quickly reconnected with Kailash, his classmate from IIT, at a conference in San Jose.</p><p>During the conference, Jay shared his vision of cloud-native security, and despite the technical challenges, Kailash quickly saw its potential. Kailash recalls: &#8220;After four months of development, discussion and lots of trial and error, it seemed that we had a viable solution.&#8221; Later on, as the Chief Architect, he led the foundational engineering to create a cloud-native Zero Trust platform.</p><p>Zscaler seized the opportunity by entering the Secure Web Gateway (SWG) market. The company offered core web protection capabilities, but differentiated itself by delivering them through a multi-tenant, distributed cloud architecture, distinct from the hardware-centric solutions of the time.</p><p>It promised better threat detection, lower total cost of ownership, easier management, and a flexible pay-as-you-go model, helping enterprises tackle web threats more efficiently and scalably. Jay believed that simple is more. He personally invested $50 million of his own money to fund its early growth, with just 10 engineers, half based in Bangalore and the other half working out of a borrowed office in the U.S., before Zscaler became a $32 billion company in 2012.</p><h3><strong>Early Competitors, Target Customers and GTM Strategy</strong></h3><p>A massive emerging market is never owned by just one player. By 2008, Blue Coat, Secure Computing (acquired by McAfee), Websense, Trend Micro, and ScanSafe were also making aggressive moves. Zscaler had to compete against appliance-heavy giants with mature, boxed solutions. 
To survive, the company moved smartly to address its first burden: handling network traffic meant bearing direct infrastructure costs, a tough proposition for a startup without the backing of appliance-based revenue models.</p><p>The smart way was to find a distribution partner with network effects. After deep research, they found one: Service Providers (SPs), the broadband network operators. Back then, service providers were facing serious challenges of their own. The broadband access market had become fiercely competitive, as cable MSOs and telecom carriers battled for dominance over residential and SMB customers.</p><p>To attract and retain users, SPs were forced to bundle multiple services, TV, wireless, voice, and internet, into a single offering. As a value-added service that secured users and traffic in the cloud, Zscaler integrated into this ecosystem and started to acquire customers through the SPs&#8217; distribution and network delivery. However, most SP customers were small businesses and residential users; they weren&#8217;t the ideal long-term customer profile to sustain a high-growth enterprise SaaS model.</p><p>It was time for the company to build its own enterprise sales team. Zscaler targeted customers with tens of thousands of employees spread across global regions, requiring a unified cloud security control platform. These organizations are typically undergoing cloud migration, adopting SaaS applications (e.g., Office 365, Workday, Salesforce), or shifting to hybrid work models.</p><p>They are also replacing traditional VPNs and firewalls with identity-based Zero Trust access and granular access controls. 
Many customers have CISOs or CIOs championing Zero Trust and SASE adoption; they also look for good ROI and IT simplification during vendor selection.</p><p>As such, Zscaler&#8217;s GTM principle clearly states its target: &#8220;We don&#8217;t sell to network admins. We talk to business leaders about secure digital transformation.&#8221; Jay wasn&#8217;t just the founder; he was the first salesperson, relentlessly pitching to CIOs and CISOs about a new, cloud-native Zero Trust vision.</p><p>He brought extensive domain knowledge to the table and set an early expectation: focus on solving customer problems, not on internal metrics or fiefdoms. Zscaler also scaled faster by leveraging channel partnerships, including VARs (Value-Added Resellers) such as cybersecurity solution providers, and ISVs (Independent Software Vendors), and began targeting sectors such as healthcare, government, finance, SMBs, education, and retail for sales.</p><p>Zscaler&#8217;s remarkable growth attracted funding right on schedule. They raised a $12 million Series A in 2008 led by Norwest Venture Partners, followed by a $38 million Series B in 2012 with participation from Lightspeed Venture Partners.</p><h3><strong>Product</strong></h3><p><strong>Pure cloud-native architecture &amp; Zero Trust</strong></p><p>From 2012 to 2016, Zscaler evolved toward Zero Trust and global scale, including SSL decryption, the ZPA launch, and POP expansion.</p><p>Imagine a modern office building where you need to scan your badge to enter&#8212;not just the front door, but every room you access. Your badge only works for areas you're approved to enter, and security checks your identity, role, and device each time. Even if someone steals a badge, they can&#8217;t get far; every move is logged and reverified. That&#8217;s Zero Trust: no implicit trust, continuous verification, and least-privilege access, everywhere, every time. 
From a technical standpoint, every access request must be continuously verified based on identity, device posture, location, and more, before granting limited, least-privilege access.</p><p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!b07d!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22236757-ed54-4d2d-978c-3b2405d24f57_1214x444.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!b07d!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22236757-ed54-4d2d-978c-3b2405d24f57_1214x444.png 424w, https://substackcdn.com/image/fetch/$s_!b07d!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22236757-ed54-4d2d-978c-3b2405d24f57_1214x444.png 848w, https://substackcdn.com/image/fetch/$s_!b07d!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22236757-ed54-4d2d-978c-3b2405d24f57_1214x444.png 1272w, https://substackcdn.com/image/fetch/$s_!b07d!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22236757-ed54-4d2d-978c-3b2405d24f57_1214x444.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!b07d!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22236757-ed54-4d2d-978c-3b2405d24f57_1214x444.png" width="1214" height="444" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/22236757-ed54-4d2d-978c-3b2405d24f57_1214x444.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:444,&quot;width&quot;:1214,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!b07d!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22236757-ed54-4d2d-978c-3b2405d24f57_1214x444.png 424w, https://substackcdn.com/image/fetch/$s_!b07d!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22236757-ed54-4d2d-978c-3b2405d24f57_1214x444.png 848w, https://substackcdn.com/image/fetch/$s_!b07d!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22236757-ed54-4d2d-978c-3b2405d24f57_1214x444.png 1272w, https://substackcdn.com/image/fetch/$s_!b07d!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F22236757-ed54-4d2d-978c-3b2405d24f57_1214x444.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p></p><p>The concept was first formalized by John Kindervag, a Forrester Research analyst, in 2010. He challenged the idea that internal networks should be trusted by default. Zscaler is one of the pioneers and leading enablers of the Zero Trust model. It didn&#8217;t just adopt Zero Trust; it operationalized it at internet scale, helping thousands of companies move beyond legacy VPNs and perimeter firewalls to a modern, identity-based security model.</p><p>Zscaler&#8217;s unique architecture made this concept a natural fit for its strategic focus. Zscaler built its platform from day one to be cloud-based and distributed, making it scalable, fast, and location-agnostic, key to supporting Zero Trust at global scale. The Zero Trust Exchange connects users only to specific applications, based on identity, posture, and context, exactly what Zero Trust calls for. 
In 2014, Zscaler added automatic SSL/TLS decryption &amp; inline APT protection, bringing full visibility to encrypted traffic, a cornerstone of Zero Trust inspection.</p><p>To move quickly on the Zero Trust product, in 2015 they secured a $110 million Series D, which included a $25 million extension led by Google Capital (now CapitalG).</p><p>In 2016, while most enterprises were still buying firewalls and expanding VPN capacity, Zscaler launched something radically different: Zscaler Private Access (ZPA), a cloud-native, software-defined alternative to VPNs. At the time, it was a bold, even risky move. Zero Trust Network Access (ZTNA) wasn&#8217;t yet an industry term. But the Zscaler team saw the cracks in the perimeter-based security model long before they made headlines. They believed users shouldn&#8217;t be trusted just because they&#8217;re &#8220;on the network.&#8221; Access should be based on identity, device posture, and context, and scoped only to the apps they need.</p><p>It wasn&#8217;t what CIOs were asking for. But it was what they were going to need. It was met with skepticism. Yet early adopters, especially in financial services and tech, saw the value: better security, smoother user experience, and no VPN headaches. No one knew at the time that, just a few years later during COVID-19, remote work would explode, VPNs would collapse under pressure, and ZPA would go from &#8220;nice to have&#8221; to mission-critical overnight. What once sounded futuristic became the new standard.</p><p>To me, this is more than product vision. 
It&#8217;s a reminder that real leadership isn&#8217;t about following demand; it&#8217;s about building ahead of the curve and having the courage to bet on the right future.</p><p><strong>IPO, Leadership Team &amp; M&amp;A</strong></p><p>This momentum culminated in a successful IPO in 2018, offering approximately 12 million shares at $16 each, raising $192 million, and a total of $220.8 million including over-allotments. The IPO provided capital to scale the Zero Trust cloud and expand R&amp;D. The company has continuously invested in leadership as it scaled, from architect and engineering leaders like Kailash and Sinha, to business executives like Canessa and Welch who drove SaaS and scaling strategies. Today&#8217;s team reflects a mature enterprise: combining innovation (Phil Tee on AI), product leadership, global sales (Mike Rich), and operational excellence, all under Jay&#8217;s consistent vision.</p><p>After the IPO, through nine M&amp;A deals and internal R&amp;D from 2018-2024, Zscaler extended its core product lines into the Security Service Edge (SSE) and Zero Trust markets:</p><p>*2018-2020: Foundational Platform Expansion (2018 TrustPath, 2019 Appsulate and 2020 Cloudneeti &amp; Edgewise Networks)</p><p>*2021-2022: Deepening Zero Trust &amp; Cloud Capabilities (2021 Trustdome &amp; Smokescreen Technologies and 2022 ShiftRight)</p><p>*2023: Platform Integration (2023 Canonic Security and launch of the unified Zero Trust Exchange Platform at Zenith Live)</p><p>*2024-Now: AI Expansion and AI &amp; Data Security Enhancements (2024 Avalor &amp; Airgap Networks and 2025 Red Canary).</p><p><strong>Main Product lines</strong></p><p>In addition to its core products, ZIA (internet access), ZPA (private app access), ZDX (digital experience monitoring), and AI-powered threat protection that feeds real-time context and policy, Zscaler has expanded into cloud and workload security with ZCP (Zscaler for Cloud Protection). All traffic funnels through the Zero Trust Exchange control plane.</p><p>ZCP secures cloud infrastructure through posture control, workload segmentation, and secure app-to-app communication. The platform also includes browser isolation, SD-WAN/branch integrations, deception and privileged access for OT, and risk-based policy engines. All services are unified under the Zero Trust Exchange, Zscaler&#8217;s global control plane that enforces identity- and context-aware security across users, apps, and workloads.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!KvzG!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6076186e-a65a-40f5-9d00-1ff6af641f7e_1216x1136.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!KvzG!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6076186e-a65a-40f5-9d00-1ff6af641f7e_1216x1136.png 424w, https://substackcdn.com/image/fetch/$s_!KvzG!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6076186e-a65a-40f5-9d00-1ff6af641f7e_1216x1136.png 848w, https://substackcdn.com/image/fetch/$s_!KvzG!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6076186e-a65a-40f5-9d00-1ff6af641f7e_1216x1136.png 1272w, https://substackcdn.com/image/fetch/$s_!KvzG!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6076186e-a65a-40f5-9d00-1ff6af641f7e_1216x1136.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!KvzG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6076186e-a65a-40f5-9d00-1ff6af641f7e_1216x1136.png" width="1216" height="1136" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6076186e-a65a-40f5-9d00-1ff6af641f7e_1216x1136.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1136,&quot;width&quot;:1216,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!KvzG!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6076186e-a65a-40f5-9d00-1ff6af641f7e_1216x1136.png 424w, https://substackcdn.com/image/fetch/$s_!KvzG!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6076186e-a65a-40f5-9d00-1ff6af641f7e_1216x1136.png 848w, https://substackcdn.com/image/fetch/$s_!KvzG!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6076186e-a65a-40f5-9d00-1ff6af641f7e_1216x1136.png 1272w, https://substackcdn.com/image/fetch/$s_!KvzG!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6076186e-a65a-40f5-9d00-1ff6af641f7e_1216x1136.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset 
pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!_sfZ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9e9ecc1-280e-4593-81e6-b4a683840161_1536x1072.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!_sfZ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9e9ecc1-280e-4593-81e6-b4a683840161_1536x1072.png 424w, 
https://substackcdn.com/image/fetch/$s_!_sfZ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9e9ecc1-280e-4593-81e6-b4a683840161_1536x1072.png 848w, https://substackcdn.com/image/fetch/$s_!_sfZ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9e9ecc1-280e-4593-81e6-b4a683840161_1536x1072.png 1272w, https://substackcdn.com/image/fetch/$s_!_sfZ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9e9ecc1-280e-4593-81e6-b4a683840161_1536x1072.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!_sfZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9e9ecc1-280e-4593-81e6-b4a683840161_1536x1072.png" width="1456" height="1016" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/b9e9ecc1-280e-4593-81e6-b4a683840161_1536x1072.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1016,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!_sfZ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9e9ecc1-280e-4593-81e6-b4a683840161_1536x1072.png 424w, 
https://substackcdn.com/image/fetch/$s_!_sfZ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9e9ecc1-280e-4593-81e6-b4a683840161_1536x1072.png 848w, https://substackcdn.com/image/fetch/$s_!_sfZ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9e9ecc1-280e-4593-81e6-b4a683840161_1536x1072.png 1272w, https://substackcdn.com/image/fetch/$s_!_sfZ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fb9e9ecc1-280e-4593-81e6-b4a683840161_1536x1072.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" 
y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>Platform Strategy</strong></p><p>The product lines and the M&amp;A timeline show a clear platform strategy in how Zscaler&#8217;s products interact with each other, moving from secure access to unified Zero Trust control:</p><p>1. Cloud-Native by Design: Zscaler was built entirely in the cloud, no hardware, no retrofits.</p><p>Zscaler&#8217;s platform stands out by completely eliminating the need for traditional firewalls and hardware appliances. Built as a cloud-native service from day one, it secures user, app, and device traffic through a global Zero Trust Exchange, without backhauling, patching, or deploying physical boxes. This architecture reduces cost and complexity while enabling faster, more secure access anywhere users work. Unlike legacy vendors tied to perimeter firewalls, Zscaler delivers security as a scalable, inline cloud service, designed for the modern, perimeter-less enterprise.</p><p>To keep its platform products running smoothly, Zscaler also operates 150+ globally distributed Points of Presence (POPs), essentially cloud data centers that serve as inline security checkpoints for user and application traffic. Every time a user connects to the internet or a private application, their traffic is routed through the nearest POP, where Zscaler inspects it in real time using Zero Trust policies. Because POPs are globally distributed and co-located with major cloud providers (AWS, Azure, etc.), users get fast and secure access to apps, regardless of location.</p><p>The strategy minimizes latency and maximizes resilience for global enterprises.</p><p>2. Unified Zero Trust Architecture: Zscaler connects users, workloads, and devices directly to apps, not networks, through its Zero Trust Exchange. 
This eliminates lateral movement, reduces attack surface, and enforces identity- and context-aware policies in real time.</p><p>3. Platform Core: ZIA + ZPA + ZDX + ZCP</p><ul><li><p>ZIA: Secures internet access (SWG, CASB, DLP, Cloud Firewall)</p></li><li><p>ZPA: Zero Trust access to private apps</p></li><li><p>ZDX: Measures digital experience across user-to-app paths</p></li><li><p>ZCP: Protects cloud workloads, app-to-app traffic, and DevOps pipelines</p></li></ul><p>4. AI-Driven Security and Policy Automation: With acquisitions like Canonic, Avalor, and Red Canary, Zscaler is embedding AI across its platform, enhancing threat detection, risk scoring, posture visibility, and SOC automation.</p><p>5. Open Ecosystem Integration: Zscaler partners with Microsoft, CrowdStrike, Okta, AWS, ServiceNow, and others to create a flexible, API-driven ecosystem for identity, incident response, and governance.</p><p>6. Full-Spectrum SSE and Beyond: As a leader in Security Service Edge (SSE), Zscaler delivers an integrated solution that spans ZTNA, SWG, CASB, DLP, DEM, and now MDR/SOC, consolidating point solutions into one control plane.</p><p>The platform strategy is highly beneficial for Zscaler because it amplifies both business value and competitive advantage. It also drives growth, retention, and security outcomes, transforming the company from a security vendor into a strategic control plane for enterprise connectivity and trust.</p><p><strong>Competitors</strong></p><p>As with any profitable business, Zscaler has more than one competitor. Its competitors include platform-level competitors (SSE + Zero Trust), Zero Trust &amp; ZTNA specialists, cloud &amp; workload security rivals, and threat detection &amp; MDR/XDR vendors. 
Here&#8217;s a concise competitive analysis of Zscaler compared to key players in the Security Service Edge (SSE) and Zero Trust markets:</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fAmF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F84398bed-5d9e-48c2-9f7b-305e3dbaed2d_738x738.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fAmF!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F84398bed-5d9e-48c2-9f7b-305e3dbaed2d_738x738.png 424w, https://substackcdn.com/image/fetch/$s_!fAmF!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F84398bed-5d9e-48c2-9f7b-305e3dbaed2d_738x738.png 848w, https://substackcdn.com/image/fetch/$s_!fAmF!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F84398bed-5d9e-48c2-9f7b-305e3dbaed2d_738x738.png 1272w, https://substackcdn.com/image/fetch/$s_!fAmF!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F84398bed-5d9e-48c2-9f7b-305e3dbaed2d_738x738.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fAmF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F84398bed-5d9e-48c2-9f7b-305e3dbaed2d_738x738.png" width="738" height="738" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/84398bed-5d9e-48c2-9f7b-305e3dbaed2d_738x738.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:738,&quot;width&quot;:738,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:180252,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://wickey.substack.com/i/166374280?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F84398bed-5d9e-48c2-9f7b-305e3dbaed2d_738x738.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!fAmF!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F84398bed-5d9e-48c2-9f7b-305e3dbaed2d_738x738.png 424w, https://substackcdn.com/image/fetch/$s_!fAmF!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F84398bed-5d9e-48c2-9f7b-305e3dbaed2d_738x738.png 848w, https://substackcdn.com/image/fetch/$s_!fAmF!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F84398bed-5d9e-48c2-9f7b-305e3dbaed2d_738x738.png 1272w, https://substackcdn.com/image/fetch/$s_!fAmF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F84398bed-5d9e-48c2-9f7b-305e3dbaed2d_738x738.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" 
viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>Compared to other companies, Zscaler has its unique strengths:</p><ul><li><p>Cloud-native architecture with flexible deployment and globally distributed acceleration nodes.</p></li><li><p>Industry-leading Zero Trust approach, with a closed-loop model via ZIA + ZPA + ZDX.</p></li><li><p>Rapidly advancing AI-driven data protection and threat detection capabilities.</p></li><li><p>Broad integrations with Microsoft, AWS, CrowdStrike, and an open ecosystem.</p></li></ul><p>See more details of the competitive landscape below:</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!FNFd!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe1078bb-31be-4714-82f0-53c79774999e_1300x1352.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!FNFd!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe1078bb-31be-4714-82f0-53c79774999e_1300x1352.png 424w, https://substackcdn.com/image/fetch/$s_!FNFd!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe1078bb-31be-4714-82f0-53c79774999e_1300x1352.png 848w, https://substackcdn.com/image/fetch/$s_!FNFd!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe1078bb-31be-4714-82f0-53c79774999e_1300x1352.png 1272w, https://substackcdn.com/image/fetch/$s_!FNFd!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe1078bb-31be-4714-82f0-53c79774999e_1300x1352.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!FNFd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe1078bb-31be-4714-82f0-53c79774999e_1300x1352.png" width="1300" height="1352" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/fe1078bb-31be-4714-82f0-53c79774999e_1300x1352.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1352,&quot;width&quot;:1300,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!FNFd!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe1078bb-31be-4714-82f0-53c79774999e_1300x1352.png 424w, https://substackcdn.com/image/fetch/$s_!FNFd!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe1078bb-31be-4714-82f0-53c79774999e_1300x1352.png 848w, https://substackcdn.com/image/fetch/$s_!FNFd!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe1078bb-31be-4714-82f0-53c79774999e_1300x1352.png 1272w, https://substackcdn.com/image/fetch/$s_!FNFd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe1078bb-31be-4714-82f0-53c79774999e_1300x1352.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" 
xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>It also faces some potential challenges:</p><ul><li><p>For large enterprises requiring full-stack observability, Zscaler&#8217;s log integration often depends on APIs or external SIEMs.</p></li><li><p>Some organizations still prefer hybrid or private cloud deployments, which may not align with Zscaler&#8217;s pure cloud model.</p></li></ul><p>Although competition is intense, over time Zscaler has helped define the Zero Trust implementation playbook for enterprises and is cited in many analyst reports (e.g., Gartner, Forrester) as a Zero Trust leader. Its architecture directly aligns with NIST SP 800-207 and supports federal Zero Trust mandates (e.g., EO 14028). 
In 2021, it was named a Leader in Gartner&#8217;s inaugural Security Service Edge (SSE) Magic Quadrant, industry recognition that Zscaler&#8217;s platform delivers holistic Zero Trust at cloud scale.</p><h3><strong>Customer Success Teams</strong></h3><p>Zscaler also has strong Customer Success teams that proactively help clients maximize product value after deployment, emphasizing customer-centric engagement, sales, and support.</p><p>Zscaler offers end-to-end lifecycle support, from initial implementation to daily operations, and tightly integrates this process with its channel partners. Its model embeds partners into every step of the customer journey, from early needs assessment to final deployment. These partners provide services and support, guiding customers through the transformation from traditional network architectures to a Zero Trust model.</p><p>This approach ensures that whenever customers face challenges with new product adoption, there is always someone available to assist, greatly enhancing the overall experience. Internally, Zscaler enforces cross-functional coordination for customer success, ensuring pre-sales, sales, delivery, and support teams work in sync with partners to quickly respond to client needs and feedback.</p><p>As a result, customers receive more than just a product; they benefit from a full solution and service experience, deepening their loyalty and trust in the Zscaler brand.</p><h3><strong>Current Financial Achievement</strong></h3><p>Doing the right things translates directly into customer satisfaction and financial results: a customer retention rate of over 95% and average annual customer spend growing by over 20%, reflecting expansion from ZIA to modules like ZPA, ZDX, and DLP. As a result, Zscaler's Q3 2025 financial results, released on May 29, 2025, showed a strong performance with revenue reaching $678 million, a 23% increase year-over-year. 
Annual Recurring Revenue (ARR) also grew to approximately $2.9 billion, representing a 23% year-over-year increase.</p><p>The Rule of 40 is a key SaaS valuation metric that combines revenue growth and profit margin to assess financial health. If the result is 40% or more, the company is considered to be in healthy financial shape for a high-growth SaaS business.</p><p>Based on Zscaler&#8217;s financial numbers, its Rule of 40 score in FY25Q3 is 45%, signaling a strong balance between growth and profitability. Despite a small GAAP net loss due to increased investment in sales, marketing, R&amp;D, and integration efforts tied to recent initiatives, including acquisitions like Red Canary, its operational discipline and recurring revenue strength also place it among top-tier public cybersecurity companies.<br></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!XBTC!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c15063a-3263-4898-9752-5f5ae35682f1_1368x726.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!XBTC!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c15063a-3263-4898-9752-5f5ae35682f1_1368x726.png 424w, https://substackcdn.com/image/fetch/$s_!XBTC!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c15063a-3263-4898-9752-5f5ae35682f1_1368x726.png 848w, https://substackcdn.com/image/fetch/$s_!XBTC!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c15063a-3263-4898-9752-5f5ae35682f1_1368x726.png 1272w, 
https://substackcdn.com/image/fetch/$s_!XBTC!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c15063a-3263-4898-9752-5f5ae35682f1_1368x726.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!XBTC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c15063a-3263-4898-9752-5f5ae35682f1_1368x726.png" width="1368" height="726" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9c15063a-3263-4898-9752-5f5ae35682f1_1368x726.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:726,&quot;width&quot;:1368,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!XBTC!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c15063a-3263-4898-9752-5f5ae35682f1_1368x726.png 424w, https://substackcdn.com/image/fetch/$s_!XBTC!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c15063a-3263-4898-9752-5f5ae35682f1_1368x726.png 848w, https://substackcdn.com/image/fetch/$s_!XBTC!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c15063a-3263-4898-9752-5f5ae35682f1_1368x726.png 1272w, 
https://substackcdn.com/image/fetch/$s_!XBTC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9c15063a-3263-4898-9752-5f5ae35682f1_1368x726.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p></p><h3><strong>What Is Next for Zscaler</strong></h3><p>What is next? Data is the oil of the AI era, and as a SaaS company with tons of data, Zscaler is positioning itself as the security foundation for the AI-first enterprise. 
As generative AI tools like Microsoft Copilot become mainstream, Zscaler is expanding its Data Security Everywhere strategy with prompt-level controls, AI-extended DLP, and full data protection across web, SaaS, email, endpoints, and GenAI apps. This is driving major enterprise wins, including multi-million-dollar deals with Fortune 50 and Fortune 100 companies. New capabilities like AI-Powered Segmentation and Digital Experience Network Intelligence further automate identity-based access and optimize network performance. As AI adoption accelerates, Zscaler&#8217;s platform is emerging as a critical layer for secure, compliant digital transformation.</p><h3><strong>Conclusion:&nbsp;</strong></h3><p>Zscaler began as a bold bet on a cloud-first future, at a time when enterprise security was still locked in hardware and perimeter firewalls. Through strategic acquisitions, cloud-native innovation, and deep CxO engagement, Zscaler evolved into a unified platform securing not just users, but workloads, data, and digital experience across cloud and hybrid environments. Now, with AI-powered threat protection, MDR expansion, and growing influence in DevSecOps, OT security, and Data Security, let us see how Zscaler continues its journey to shape cybersecurity history.</p><p>Questions? <a href="https://www.linkedin.com/in/wickey-wang-cisa-six-sigma-green-belt-2aaa913/">My LinkedIn</a></p>
]]></content:encoded></item><item><title><![CDATA[Cyber Talk-1 - From Zero to Wiz: The Fastest Cloud Security Exit in History]]></title><description><![CDATA[The story of Wiz]]></description><link>https://wickey.substack.com/p/cyber-talk-from-zero-to-wiz-the-fastest</link><guid isPermaLink="false">https://wickey.substack.com/p/cyber-talk-from-zero-to-wiz-the-fastest</guid><dc:creator><![CDATA[Wickey Wang]]></dc:creator><pubDate>Sat, 24 May 2025 02:27:45 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!r2GQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86923cdd-c83e-422f-bac2-3a5f413d676c_2096x650.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>March 2025 marked a historic moment for Google and the cloud security world. After a failed $23 billion bid in 2024, Google announced it will acquire Wiz for $32 billion in cash, making it the company&#8217;s largest acquisition to date.</p><p>Wiz, a fast-rising star in the cloud security space, had already attracted attention with its strong product offerings and rapid market share growth. 
But this deal isn&#8217;t just about scale, it&#8217;s a strategic play to boost Google Cloud&#8217;s competitiveness, especially in multi-cloud and AI-driven environments.</p><p>Beyond the headline-making exit, Wiz has also been one of the fastest-growing cybersecurity unicorns to reach Series D. Given the scale of the deal, the speed of Wiz&#8217;s growth, and the popularity of its product, I wanted to write about it.</p><h3><strong>Funding History</strong></h3><table><thead><tr><th>Round</th><th>Year</th><th>Amount</th><th>Investors</th><th>Valuation</th></tr></thead><tbody><tr><td>Seed</td><td>2020</td><td>$6M</td><td>Index, Sequoia</td><td>N/A</td></tr><tr><td>Series A</td><td>2020</td><td>$100M</td><td>Sequoia, Index</td><td>~$500M</td></tr><tr><td>Series B</td><td>2021</td><td>$130M</td><td>Salesforce Ventures, others</td><td>~$1.7B</td></tr><tr><td>Series C</td><td>2021</td><td>$250M</td><td>Insight, GGV, others</td><td>~$6B</td></tr><tr><td>Series D</td><td>2023</td><td>$300M</td><td>Lightspeed, others</td><td>$10B+</td></tr></tbody></table><h3><strong>The Founders' Journey</strong></h3><p>To understand Wiz, you have to start with its founding team and their first company. Assaf Rappaport once said in an interview, "We&#8217;re the closest group technically, we served together, wrote code together, stayed up late together. 
Starting a company was just continuing a long-term plan." This team&#8217;s deep-rooted trust and chemistry have been key to Wiz&#8217;s rapid success. Assaf, Ami Luttwak, Roy Reznik, and Yinon Costica all came from Israel&#8217;s elite tech units, including the 8200 Unit of the Israel Defense Forces, often referred to as one of the world&#8217;s top hacker incubators.</p><p>Back in 2012, the team founded Adallom after Assaf observed during his MBA at Stanford that US enterprises were rapidly adopting SaaS tools like Salesforce, Box, and Google Workspace, yet lacked sufficient security controls. He teamed up with Yinon, Roy, and later Ami to create Adallom, which offered SaaS access monitoring and behavior analytics, what later became known as CASB (Cloud Access Security Broker). In less than three years, Microsoft acquired Adallom for $320 million.</p><p>Microsoft didn&#8217;t sideline Adallom but instead put its founders in charge of core Azure security products. Assaf became GM of Azure Security, Ami became CTO, Yinon led product, and Roy led engineering. Satya Nadella deeply influenced Assaf during this time, encouraging him to challenge norms and foster innovation, an ethos that shaped Wiz&#8217;s future. After years of building at Microsoft, the team left in 2019 to create what they believed could be the world&#8217;s next-generation security platform.</p><p>They didn&#8217;t jump into it immediately. The four took a one-month break to reflect and decide if they were truly ready to do it again. They went hiking, held coding contests, played cards, and talked about their dreams, ultimately agreeing to go for it.</p><h3><strong>Founding Wiz</strong></h3><p>In 2020, at the height of COVID-19&#8217;s uncertainty, they rented a small office in Tel Aviv and started talking to CISOs. 
These conversations revealed a clear shift: cloud-native architectures (Kubernetes, serverless, microservices) were taking over, but there was no security platform that could interpret this new infrastructure holistically, especially with context and visibility.</p><p>They decided not to patch together point solutions like legacy vendors but instead build a &#8220;Cloud Security Graph&#8221; that connects identity, vulnerabilities, networks, and misconfigurations across cloud environments. It doesn&#8217;t just tell you &#8220;there&#8217;s a vulnerability&#8221;; it tells you whether that vulnerability is externally exposed, tied to sensitive data, or linked to privileged identities.</p><p>Assaf later explained that they chose the competitive cloud security space not to find a new blue ocean but because known problems meant real customer needs. Though they weren&#8217;t seeking funding initially, Doug Leone of Sequoia offered $100M pre-product and pre-customer, recognizing the team's potential. As Leone put it, &#8220;They had no product, no customers, but we knew they would win.&#8221;</p><p>Wiz kept burn disciplined despite fast fundraising. Assaf repeatedly said, "We raise for choice, not for spending." Hiring standards were extremely high. Founders interviewed the first 200 employees, each expected to independently build a small SaaS service. Everyone from engineering to sales had decision rights and had to understand customer needs.</p><p>They also knew Israel had deep engineering talent but their market was in the U.S., so they built a dual-core model: R&amp;D in Tel Aviv, GTM in New York/Bay Area.</p><h3><strong>Product and Competition</strong></h3><p>From the outset, Wiz was clear about its ambition to become a long-term, strategically resilient platform company, not just a point solution. This conviction shaped many of its early and unconventional decisions across people, processes, and culture. 
Their initial product was built around a few fundamental customer pain points:</p><ul><li><p><strong>Security Challenges in Multi-Cloud and Hybrid Environments:</strong> Traditional tools were limited to single-cloud environments and couldn&#8217;t address the complexity of securing assets across multiple platforms.</p></li><li><p><strong>Misconfigurations and Vulnerabilities:</strong> Cloud security incidents often stem from misconfigurations (e.g., improper permissions, exposed ports), yet many enterprises lacked the resources or tools to identify and remediate them effectively.</p></li><li><p><strong>Speed and Automation:</strong> In a rapidly scaling cloud-native environment, companies needed tools that could automate security discovery and response, not rely on manual scanning and patching.</p></li></ul><p>To address these needs, Wiz chose to start with a highly focused, high-impact feature set, building a security product that delivered instant visibility and fast deployment. Their MVP prioritized user experience and simplified traditional cloud security complexity. The product embraced usability and automation, key values for modern DevOps environments.</p><p>Unlike traditional solutions requiring agents on each cloud host, VM, or container, Wiz employed agentless side-scanning. By accessing cloud platform APIs directly, Wiz could scan across environments without installing or maintaining software on each instance, saving compute resources and reducing failure points.</p><p>This approach allowed for minute-level deployments, zero agents, zero code changes, and no disruption to customer traffic. Wiz extended this to offer deep protection for cloud-native workloads like containers and Kubernetes. Their workload security went beyond VMs to include containerized services and microservice architectures. 
The system scanned for vulnerabilities and misconfigurations, offering developers and ops teams real-time remediation guidance.</p><p>The early product centered around helping organizations assess and prioritize risk in their cloud environments, with clear, actionable reports. Engineers could quickly "see the issues" (exposed assets, misconfigurations, or dependency risks), making it easy to build internal credibility with security teams and business leaders.</p><p>In Wiz's own words: "Our product isn&#8217;t about finding the most issues, it&#8217;s about helping CISOs explain whether risk is under control to the board." This customer-centric philosophy won praise and adoption early on. Once the vision was pointed in the right direction, momentum followed quickly.</p><p>In 2020, Wiz launched its AWS-only MVP and quickly secured its first customer: Telstra, Australia&#8217;s largest telecom. Telstra was drawn to Wiz&#8217;s cross-cloud visibility and agentless design, which solved its multi-cloud management challenges. This use case helped validate Wiz&#8217;s value proposition and served as a springboard for market expansion.</p><p>By 2021, Wiz added support for multi-cloud and Kubernetes, launched its risk graph, and began acquiring enterprise customers like GitLab and Zscaler. These partnerships helped establish market trust and attracted others through word of mouth. A strong feedback loop with early adopters enabled rapid product iteration focused on practical value, especially improving scan accuracy and report utility.</p><p>This product-market momentum led Wiz to further strengthen cross-cloud scanning, risk visualization, and vulnerability remediation capabilities. In 2022, it launched a full CNAPP suite, including CI/CD pipeline scanning, and expanded globally, targeting the U.S., Europe, and Asia. This international push aligned with surging cloud security demand. 
Wiz was soon named a leader in cloud security and received multiple industry awards, elevating brand visibility.</p><p>In 2023, Wiz acquired Raftt to enhance DevSecOps integration. With the rise of ChatGPT and broader AI interest, Wiz accelerated innovation in automated remediation, AI-powered risk detection, and vulnerability management. It launched intelligent features for real-time cloud security insights.</p><p>As demand grew, Wiz attracted more enterprise clients, especially in finance, retail, and healthcare. Collaborations with CSPs like AWS, Azure, and Google Cloud deepened product compatibility and integration.</p><p>By 2024, Wiz launched IAMGraph and Data Security Posture Management (DSPM), pushing valuation beyond $10B. It also acquired Gem Security and Dazz to further enhance its threat detection capabilities and AI-driven vulnerability remediation technology. With an expanding module suite (CSPM, container security, vulnerability management, CI/CD protection, and CNAPP), it evolved into a unified cloud security platform and data pipeline. Each module added more value and stickiness. According to Sacra, as of June 2024, Wiz reached $500M in ARR, growing ~216% YoY, and was valued at $12B (24x revenue multiple).</p><p>Wiz&#8217;s platform model was anchored around a simple but powerful value proposition: <strong>Cloud + Context + Clarity</strong>. It steered clear of vague "AI detections" or opaque scoring. Instead, it focused on helping security teams understand business risk and prioritize real threats. 
This made it an effective bridge between CISOs and developers.</p><p><strong>Compared to competitors, Wiz&#8217;s edge lies in:</strong></p><ul><li><p>Agentless simplicity: Minimal deployment and maintenance friction</p></li><li><p>Multi-cloud visibility: Supports AWS, Azure, and GCP out of the box</p></li><li><p>Real-time risk insights: Contextual detection and remediation</p></li><li><p>Deep cloud workload protection: Especially for containers and Kubernetes</p></li><li><p>Excellent user experience: Intuitive dashboards that simplify cloud security</p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2" target="_blank" href="https://substackcdn.com/image/fetch/$s_!r2GQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86923cdd-c83e-422f-bac2-3a5f413d676c_2096x650.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!r2GQ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86923cdd-c83e-422f-bac2-3a5f413d676c_2096x650.png 424w, https://substackcdn.com/image/fetch/$s_!r2GQ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86923cdd-c83e-422f-bac2-3a5f413d676c_2096x650.png 848w, https://substackcdn.com/image/fetch/$s_!r2GQ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86923cdd-c83e-422f-bac2-3a5f413d676c_2096x650.png 1272w, https://substackcdn.com/image/fetch/$s_!r2GQ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86923cdd-c83e-422f-bac2-3a5f413d676c_2096x650.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!r2GQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86923cdd-c83e-422f-bac2-3a5f413d676c_2096x650.png" width="728" height="226" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/86923cdd-c83e-422f-bac2-3a5f413d676c_2096x650.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:452,&quot;width&quot;:1456,&quot;resizeWidth&quot;:728,&quot;bytes&quot;:229882,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://wickey.substack.com/i/164278718?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86923cdd-c83e-422f-bac2-3a5f413d676c_2096x650.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!r2GQ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86923cdd-c83e-422f-bac2-3a5f413d676c_2096x650.png 424w, https://substackcdn.com/image/fetch/$s_!r2GQ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86923cdd-c83e-422f-bac2-3a5f413d676c_2096x650.png 848w, https://substackcdn.com/image/fetch/$s_!r2GQ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86923cdd-c83e-422f-bac2-3a5f413d676c_2096x650.png 1272w, https://substackcdn.com/image/fetch/$s_!r2GQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F86923cdd-c83e-422f-bac2-3a5f413d676c_2096x650.png 1456w" 
sizes="100vw" loading="lazy"></picture><div></div></div></a></figure></div><p>These strengths set the stage for its successful go-to-market strategy and explain why customers love it.</p><h3><strong>Target Customers and GTM Strategy</strong></h3><p>In addition to its product strengths, Wiz diverged from the traditional slow-paced enterprise sales models of legacy cybersecurity vendors. Instead, it adopted a modern SaaS motion with deep security domain expertise and platform vision, executing a clear product-led growth (PLG) strategy. But Wiz's broader go-to-market (GTM) approach was equally deliberate:</p><p>Wiz focused on large enterprises with complex cloud environments, especially those in highly regulated sectors such as finance, healthcare, and telecom. Through industry education (e.g., webinars, whitepapers, case studies) and thought leadership, Wiz raised awareness around cloud security needs and the value of its solutions. It also engaged heavily in ecosystem partnerships, particularly with CSPs and other security vendors, embedding itself deeply within customer infrastructure for more integrated delivery.</p><p>The company expanded reach through partnerships with system integrators (SIs) and security consultants. Although its PLG strategy helped build grassroots credibility, Wiz&#8217;s high contract values (typically $300K to $1M+ annually) required CISO- and CIO-level relationships. Avoiding channel resellers, the founders themselves often demoed to CISOs. 
Wiz also hired seasoned sales leaders from Palo Alto, CrowdStrike, Splunk, and others to form a robust enterprise sales team.</p><p>Wiz ran a dual-track sales process:</p><ul><li><p>Hands-on trials and feedback loops with engineering/security teams</p></li><li><p>Parallel business-level discussions with CISOs and IT leads focused on compliance and trust-building</p></li></ul><p>To accelerate procurement, Wiz provided compliance kits (e.g., SOC 2, FedRAMP-ready, ISO 27001), prebuilt risk assessment templates, and high-touch customer success support.</p><h3><strong>Tiered Pricing</strong></h3><p>Wiz structured its product into modular capability layers, allowing customers to pay by feature or subscribe to full-enterprise bundles.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fnGF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f319d9-515f-4158-8a9c-aa992be3b97c_1194x880.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fnGF!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f319d9-515f-4158-8a9c-aa992be3b97c_1194x880.png 424w, https://substackcdn.com/image/fetch/$s_!fnGF!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f319d9-515f-4158-8a9c-aa992be3b97c_1194x880.png 848w, https://substackcdn.com/image/fetch/$s_!fnGF!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f319d9-515f-4158-8a9c-aa992be3b97c_1194x880.png 1272w, 
https://substackcdn.com/image/fetch/$s_!fnGF!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f319d9-515f-4158-8a9c-aa992be3b97c_1194x880.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fnGF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f319d9-515f-4158-8a9c-aa992be3b97c_1194x880.png" width="1194" height="880" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/14f319d9-515f-4158-8a9c-aa992be3b97c_1194x880.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:880,&quot;width&quot;:1194,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:180327,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://wickey.substack.com/i/164278718?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f319d9-515f-4158-8a9c-aa992be3b97c_1194x880.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!fnGF!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f319d9-515f-4158-8a9c-aa992be3b97c_1194x880.png 424w, https://substackcdn.com/image/fetch/$s_!fnGF!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f319d9-515f-4158-8a9c-aa992be3b97c_1194x880.png 848w, 
https://substackcdn.com/image/fetch/$s_!fnGF!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f319d9-515f-4158-8a9c-aa992be3b97c_1194x880.png 1272w, https://substackcdn.com/image/fetch/$s_!fnGF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f319d9-515f-4158-8a9c-aa992be3b97c_1194x880.png 1456w" sizes="100vw" loading="lazy"></picture></div></a></figure></div><p>Pricing wasn&#8217;t based on user seats. 
Instead, Wiz priced by cloud asset volume and enabled functional modules, charging per number of VMs, containers, Kubernetes nodes, and total assets (e.g., databases, APIs). This usage-based, tiered subscription model aligned with modern multi-cloud operations and scaled naturally with customer growth without locking pricing to headcount.</p><p>Thanks to this modular platform approach, Wiz found product-market fit across large, compliance-driven enterprises with complex, multi-cloud architectures and high demands for automation and integrated security. The result: broad adoption and strong customer retention in its core market segments.</p><h2>What's Next for Wiz Under Google?</h2><p>In 2025, Wiz is on track to hit <strong>$1 billion in annual recurring revenue (ARR)</strong>. That puts Google&#8217;s buyout at a <strong>32x price-to-sales (P/S) ratio</strong>, far higher than industry leaders like CrowdStrike, which trades at around 18x ARR. This signals Google&#8217;s strong belief in Wiz&#8217;s long-term value and innovation potential.</p><p>For early investors, the outcome is a windfall. The $9 billion jump from the previous year&#8217;s offer represents a major return on investment&#8212;and validation of Wiz&#8217;s market strategy.</p><p>This acquisition isn&#8217;t just about buying a successful company. Google Cloud currently holds only 11% of the global cloud infrastructure market, well behind AWS (33%) and Azure (20%). Integrating Wiz gives Google a powerful edge in cloud security, which is becoming a critical differentiator for enterprise adoption.</p><p>More importantly, Wiz brings top-tier cybersecurity talent, a major asset in a space where expertise is scarce and innovation is key.</p><p>Assuming the deal clears regulatory hurdles (it&#8217;s under scrutiny due to Google&#8217;s ongoing antitrust cases), the earliest close would be in 2026.</p><p>Once inside Google, Wiz&#8217;s platform boundaries and market positioning will likely shift. 
Past acquisitions offer clues:</p><ul><li><p>Stackdriver became GCP-centric</p></li><li><p>Mandiant was integrated into Google&#8217;s Chronicle platform</p></li></ul><p>A similar path could await Wiz. Google may modularize Wiz&#8217;s technology and embed it into its broader security suite, like the Google Security Command Center. We could also see deeper integrations across Chronicle, Mandiant, and BeyondCorp, forming an end-to-end cloud security loop within the Google ecosystem.</p><h3><strong>Conclusion</strong></h3><p>From zero to a $32B valuation, Wiz&#8217;s rise reflects the leap in demand for cloud-native security. Google&#8217;s acquisition is more than a headline, it signals that security is no longer a defensive afterthought, but a core part of the enterprise infrastructure stack in the AI-native era.</p><p>Wiz&#8217;s graph-driven, context-first, platform-native model may become a template for future security design, and a reminder that in an AI-accelerated world, the biggest security winners will be those who help companies understand risk in the language of business.</p>]]></content:encoded></item></channel></rss>