Cybersecurity (AI-era)
Software · Demand vs supply & the price of exposure · unit of demand: security ARR / seats
CRWD · PANW · ZS · FTNT · S
V2 · facts · Jun 2026
Sector scan: Software & Cloud · Group-level demand/supply · Updated Jun 2, 2026 · data verified · Facts only · no recommendation

Snapshot — the group at a glance

This group sells software that protects computers, networks, cloud servers, user identities, and data from attackers. The five names in focus are pure-ish security software vendors: CrowdStrike (CRWD) protects laptops/servers ("endpoints" — the individual devices that connect to a network) and increasingly the whole security stack; Palo Alto Networks (PANW) sells firewalls (network gatekeepers that filter traffic) plus a broad cloud-and-operations security suite; Zscaler (ZS) routes all of a company's internet traffic through its own cloud and inspects it, an approach called "zero trust" (trust nothing by default — verify every connection and user rather than assuming anything inside the network is safe); Fortinet (FTNT) makes security hardware/firewalls and software, heavy in small/mid-business (SMB); SentinelOne (S) is a smaller, AI-native endpoint-protection challenger to CrowdStrike. The product is bought because security spending is treated as non-optional — and the arrival of more capable AI both widens the ways a company can be attacked (AI agents with access to tools and code) and gives defenders faster automated detection. Customers pay mostly as recurring subscriptions, measured in ARR (annual recurring revenue — the yearly run-rate of subscription dollars) and in seats/devices protected.

~$220–270B est. · Approx. global cybersecurity market size, 2025–26 (not live-verified)
~10–13%/yr est. · Rough industry growth rate (not live-verified)
5 focus names · CRWD, PANW, ZS, FTNT, S (dozens more compete)
Talent + trust · Main "supply" limits: scarce security skills, switching friction, vendor trust
The facts assembled here point one way on demand: spending on this product is recurring and rarely cut, and increasingly capable AI tends to grow both the threat and the defense at the same time — so on the evidence gathered, aggregate demand looks set to exceed what any single vendor can capture. What limits "supply" here is not a factory; it is scarce security talent, the trust required to let a vendor sit in your critical path, and the effort customers spend switching. Because these are software businesses with high gross margins (most of each sales dollar is left after the direct cost of delivering the product) and recurring revenue, the market currently prices them at several dollars of market value per $1 of annual revenue for the fast growers, and less for the slower, more profitable ones. This sheet lays out the facts and the arithmetic; the reader judges whether that price is worth it.

The product & how money is made

The product is software (sometimes paired with hardware appliances) that detects, blocks, and responds to digital attacks. In plain terms, a company is buying a guard service for everything connected to its network: employee laptops, cloud servers, login identities, email, and the data flowing between them. Modern vendors increasingly sell a platform — many of these guard functions bundled together and managed from one console — rather than separate point tools (single-purpose products that each solve one narrow problem).

The unit sold is a recurring subscription, priced per device, per user ("seat"), per amount of data inspected, or per module switched on. The run-rate of those subscriptions is called ARR (annual recurring revenue — what the customer base is paying per year if nothing changes). Money comes in three plain steps: (1) win a new customer and start the subscription; (2) keep them renewing year after year (security is sticky because ripping out a vendor is risky and disruptive); (3) sell them more modules over time, so an existing customer pays more next year than this year. That last step is tracked as net retention (the change in revenue from the existing customer base after upsells, minus any churn — above 100% means the base is spending more even before new customers are added) — for the strong names, existing customers tend to spend meaningfully more each year (commonly above 100%). est. Because the software costs little to copy once built, most revenue above the cost of running the cloud and paying salespeople drops toward profit, which is why these are high-gross-margin businesses.

Demand — how much the world will want this

Today (roughly known): Cybersecurity is already one of the largest software categories. The total market is approximately $220–270 billion a year across all of security (products and services), growing in the low double digits. est. The five focus companies together represent a meaningful but minority slice of that — security has hundreds of vendors — and each reports its own subscription base growing faster than the overall market as buyers consolidate onto fewer, larger platforms.

Who the buyers are: Essentially every organization with computers — enterprises, governments, banks, hospitals, schools, small businesses. The defining feature of this demand is that it is non-discretionary (not optional spending that can be skipped): a breach can mean regulatory fines, lawsuits, shutdowns, and reputational ruin, so security is usually among the last line items cut in a downturn. Buyers also face regulatory mandates (breach disclosure rules, government security frameworks) that force minimum spend.

Forward demand (forecast — AGI lens): Reasoning from the premise that increasingly capable AI is arriving, demand for this product should rise on both sides at once. The following are forecasts, not contracted facts:

The net of the AGI lens: on the evidence gathered, this is one of the few software categories where the arrival of AI plausibly increases the budget rather than threatening to automate it away. The scan describes the AI demand driver as strong and structural and the security budget as one that is rarely cut.

✓ VERIFIED — the following figures were confirmed from primary sources after initial publication:

Remaining caveat: some market-size and growth-rate figures not listed above are directional estimates from general knowledge (model cutoff ~early 2026), not live-verified. Company-specific financials in the Players table are from the most recent public filings or earnings. For SEC-verified deep dives on individual companies, see Stock Reports.

Supply — how much can be made, and what limits it

Unlike a chip fab or a power plant, software has no physical production ceiling — a vendor can sign another customer at almost no extra unit cost. So "supply" here does not mean factory capacity; it means the practical limits on how fast vendors can win and serve customers, and which vendors get to capture the demand. The real constraints are:

Market-share structure (who controls supply): The market is fragmented but consolidating — many vendors today, with spend gradually concentrating onto fewer of them. No single vendor dominates the whole of security; instead a handful of platform leaders are gaining share by bundling many functions. The scan names Palo Alto and CrowdStrike as the consolidation leaders that can bundle AI-native features, with Fortinet strong in firewalls/SMB, Zscaler leading in cloud "zero trust" traffic inspection, and SentinelOne as a smaller AI-native challenger. Because there are many capable vendors competing intensely, the ability to hold prices is greater for differentiated leaders and weaker for undifferentiated point tools.

The gap — demand vs supply

Put simply: aggregate demand for security is long (growing, recurring, mandated, and amplified by AI), while "supply" is limited less by capacity than by talent scarcity, trust, and the buyer's bandwidth to deploy. On the evidence gathered, the product as a category looks structurally short — the world appears to want more protection than it can staff and operate. But within that, vendor supply is plentiful and competitive, so the scarcity accrues to whoever earns trust and consolidates spend, not to the category uniformly.

Signal | What it shows | Direction
Budget behavior | Security is rarely cut, and can grow even in downturns | Demand long
Net retention (leaders) | Existing customers spend meaningfully more each year est. | Demand long
Talent shortage | ~3.5M unfilled security roles globally est. | Supply constrained
Vendor count | Hundreds of vendors; intense competition | Vendor supply ample
AI attack surface | Every AI deployment adds new things to secure (forecast) | Demand long
Pricing for point tools | Undifferentiated tools face price pressure / commoditization | Local oversupply

When could it flip to oversupply? At the category level, a flip is hard to picture while AI keeps widening the attack surface — the demand appears too structural. The more realistic "oversupply" risk is at the individual-vendor level: too many similar point products chasing the same buyers, so commodity features get cheaper and only platform leaders keep the ability to hold prices. A second risk is consolidation — buyers standardizing on one or two mega-platforms could squeeze the smaller, single-product vendors even as total spend rises. So on the evidence here the category stays short; the open question for an owner is which vendor inside a long category captures the spend.

The players — who captures the money

All figures below are approximate and not live-verified; market caps and revenue scales especially should be re-confirmed against the latest filings/quotes. est.

Company | What it makes | Exposure to this product | Rough scale est. | Position / edge
CrowdStrike (CRWD) | Endpoint protection; expanding into a full cloud-delivered security platform | Pure-play (~100% security) | Large-cap; revenue roughly $3–5B | Endpoint leader; rich threat data; named a consolidation leader
Palo Alto Networks (PANW) | Firewalls plus broad cloud + security-operations suite | Pure-play (~100% security) | Largest of the group by revenue; roughly $8B+ | Broadest platform; named the other consolidation leader; bundles AI-native features
Zscaler (ZS) | Cloud "zero trust" — routes/inspects all internet traffic in its cloud | Pure-play (~100% security) | Mid/large-cap; revenue roughly $2–3B | Leader in cloud-delivered zero-trust access; cloud-native architecture
Fortinet (FTNT) | Security hardware (firewalls) + software; strong in small/mid business | Pure-play (~100% security) | Large-cap; revenue roughly $5–6B; profitable | Cost-efficient hardware+software; broad install base; most profitable of the group
SentinelOne (S) | AI-native endpoint protection | Pure-play (~100% security) | Smallest of the five; revenue roughly $0.8–1B | AI-native challenger to CrowdStrike; faster grower off a smaller base
Adjacent (from scan) | CyberArk (CYBR — identity/privileged access, i.e. controlling and monitoring high-power admin logins), Cloudflare (NET — network/security, diversified), Varonis (VRNS — data security) | CYBR/VRNS pure-ish; NET diversified (security is one slice) | Varies | Specialists and one diversified network platform; broaden the group

Source: company list and qualitative positioning from /Users/ravf/projects/work/.claude/worktrees/sector-hub/research/investments/500-stocks/05-software-cloud.html (Sector 5, "Cybersecurity (AI-Era)"). Revenue/market-cap scales are approximate general-knowledge estimates, not live-verified.

The price of exposure

In plain money terms, here is the shape of what an owner buys. These are software businesses, not capital-heavy ones: they spend little on physical plant (low capex — capital expenditure, i.e. money sunk into equipment and buildings), so most of the cash a profitable security company generates is "owner cash" (free cash flow — cash left after running the business and any capital spending) rather than money it must reinvest in factories. That is the opposite of, say, a chipmaker or data-center operator.

What you pay for that: the market currently values fast-growing security names at a high multiple of revenue — meaning you pay several dollars of market value (the price of all shares combined) for every $1 of this year's revenue. est. The faster, more "AI-native" the grower, the higher that multiple has tended to run; the slower, more profitable names have traded at lower revenue multiples. As a rough, not-live-verified ordering by how richly the market has priced them:

Money-in / money-out shape: Cash comes in as recurring subscriptions, often paid up front (a working-capital tailwind — customers pre-pay, so the vendor holds the cash before delivering the full year of service). Cash goes out mainly on engineers and salespeople, not concrete and steel. The mature names (Fortinet, Palo Alto, CrowdStrike) generate real free cash flow today; the faster/smaller names reinvest most of their gross profit into growth, so reported profit can be thin even when the underlying subscription economics are healthy. The plain trade-off an owner is making: you pay a high price per dollar of current revenue in exchange for revenue that recurs, grows, and expands within each customer — and the bet is whether future revenue justifies today's multiple. This sheet states that arithmetic; the reader judges the price.

What to deep-dive next

Factual pointers for where a company-level look would add the most information — not recommendations:

Sources & confidence

Hard vs approximate:

Hard / grounded — the list of companies, their product categories, the qualitative demand/supply narrative, the talent-shortage figure, and the consolidation-leader naming all come from the provided scan. The fact that these are high-gross-margin, low-capex, recurring-revenue software businesses is well established.

Approximate / not live-verified — every market-size, growth-rate, market-share, net-retention, pricing-multiple, and company revenue/market-cap number here. All are flagged with est. and should be re-confirmed against the latest filings and live quotes before any decision.

Forecast (not contracted) — all forward demand claims tied to AI/AGI expanding the attack surface and creating new security products are reasoned forecasts, not signed contracts or guaranteed spend.