DiSaaSter Strikes Cybersecurity
Anthropic's February 2026 cyber announcement causes a cyber market meltdown
Yesterday on February 20th, Anthropic announced their upcoming Claude Code Security product.
It’s been clear the model labs are investing in specific cybersecurity capabilities for some time, with Anthropic and OpenAI making meaningful hires over the last 18 months.
This makes a lot of sense given code generation remains the “killer AI use case”. At some point, the limiter for scaling code generation inside an enterprise is going to become security risk and CISOs are going to have to push back. Anthropic’s security product helps solve this, and will allow them to continue to sell and scale more sophisticated codegen tools into enterprises.
But now to the point: Cybersecurity markets reacted POORLY to the Anthropic news. The Cyber ETF, BUG, was down 5% on the news (down 14% YTD), and almost every cyber company was impacted. Drawdowns were as significant as -12% (Qualys) by the time markets closed.
Let me be the first to say that while SaaS may be dead (or in my opinion, decaying), cybersecurity is not dead. Long live Cybersecurity.
Even after the drawdown, most cyber companies still trade at EV / NTM revenue multiples that are meaningfully above the market average of 3.5x. The best of cyber still trade at 18-24x (CrowdStrike, Cloudflare) and are among the most premium names in software.
That said, the software market re-rate has hit cyber, and it has hit meaningfully - the median EV/NTM revenue multiple is down from 7.8x to 5.2x. But these businesses still have strong moats, compelling growth prospects, and meaningful new revenue opportunities as they expand to cover new AI attack surfaces (GPUs, LLMs).
But when I look at the cyber drawdowns, I see a public market that is rife with uncertainty.
We see some of what we would expect, given Anthropic’s announcement:
Cyber network infrastructure (particularly with physical deployments) like Check Point Software, PANW, and Fortinet saw smaller drawdowns than other categories. This makes a lot of sense, as the threat of an app layer LLM-powered security tool is minimal to those deployments
Vulnerability management companies like Qualys, Tenable, and Rapid7 that are in the direct line of fire for Anthropic’s new product release were hit extremely hard and are trading at some of the lowest multiples in the category
Cyber services like SentinelOne were negatively impacted as we anticipate pricing compression and increased competition from AI software platforms
But the rest of this list feels somewhat inconsistent & surprising. Identity companies like Okta & SailPoint are trading down significantly (-10% and -11% specifically) despite Anthropic’s release not mentioning “identities” a single time in their blog. Netskope, CrowdStrike, and Cloudflare all saw 8% drawdowns despite owning complex software IP that is extremely difficult to replicate (Netskope’s network security offering, CrowdStrike’s endpoint agent, and Cloudflare’s CDN) and not really relevant to Anthropic’s release.
I think that there are a few different stories that are intertwined here:
Investors are becoming more cautious & conservative, and names like Cloudflare and CrowdStrike trading at super-premium 20x multiples saw significant drawdowns even though these businesses themselves are relatively safe from near-term Anthropic pressure
Similarly, newer, high-growth cyber companies that are pure software like Rubrik and Netskope (both IPO’d in the last two years) saw increased skepticism given investors have comparatively limited information to underwrite their long-term performance expectations and quality of operators amidst a rapidly evolving cyber software ecosystem
The market is sprinkling skepticism across other cyber names where the implication of AI is unclear and the businesses have strategic vulnerabilities as AI agents become a greater portion of traffic - specifically, Okta and SailPoint. These are products that have little intersection with Anthropic’s announcements, yet they are trading down 11% and 10% respectively
Cyber companies with services components (e.g., MDR, endpoint detection & response, network detection & response, etc.) are seeing drawdowns as the belief is increasingly that AI will be better & cheaper than the current human-based services.
I expect we continue to see significant volatility here, particularly because I think Anthropic and OpenAI will both make a lot more noise about their security offerings.
That said, I am skeptical that the foundational model labs will launch many standalone security products. In fact, it’s possible this application security product may actually be the only real product that we see that is designed to replace existing security tools.
Why? Cybersecurity is a $200B market (~50% services, 50% software) but that software and services breaks down into ~20 categories (e.g., identity, network security, security operations, etc.) and ~50 individual product categories. Each of these product categories accounts for $500M to $5B in revenue. Frankly, for most of those, the juice just isn’t worth the squeeze for a $1T company like OpenAI (or aspiring $1T company like Anthropic).
For perspective: Both labs are adding more revenue in a single month from their APIs than Wiz has added in its lifetime for cloud security!
We’re in for an exciting time. For my part, on the investing side of things:
It cannot be overstated how strategically Cloudflare and CrowdStrike are positioned - the fact that they only saw a 10% decrease in their revenue multiples, and are trading at 24x and 18.4x revenue multiples, amidst such significant market skepticism means that the market agrees. I think these are great buys at this price - scaled, defensible businesses, with real software IP, and clear TAM expansion opportunities as the overall volume of software and AI agent traffic increases.
Network security is in for a meaningful evolution over the next 10 years as we see an increasing percentage of traffic come from AI agents, which leverage different protocols and have different traffic patterns. I’m bullish on names like Netskope as a result.
Okta & SailPoint have real risks as the predominant “identity” to be secured shifts from humans to agents, but they are increasingly reasonably priced due to the threat of AI and, for Okta specifically, their poor product evolution and rapidly slowing growth. There is likely some upside here, particularly given they are both good strategic acquisition targets that would have many bidders.
And most crucially, on the startup side of things: It is absolutely a phenomenal time to be founding an AI security business. M&A will continue to generate phenomenal outcomes for founders and investors, and there are multiple opportunities to build the next $10B+ cyber company.
That said, founders should be thoughtful about the categories they choose to build in. Application security testing (SAST, DAST) and software supply chain / SBOM and API security are in for a tough year as they face down the foundation model lab buzz saw.




