Cyber Security Defense
Part 2 of a five part series on the cybersecurity industry.
Inside the Defensive Stack: 14 Markets, 1 Buyer
A friend who runs IT for a mid-sized Israeli logistics company sent me his 2026 security budget last month. Twenty-three line items, eighteen different vendors, four different acronyms I had to look up. He apologised for the mess. I told him the mess was the story.
Defensive cybersecurity is the part of the industry that pays the rent. It is where the public company giants live, where most of the venture capital still goes and where almost every company on earth is a customer of something, even if it is just the security features bundled with their email provider. The trouble is that "the defensive market" does not exist as a single market. It is fourteen overlapping sub industries, each with its own buyer, its own incumbent and its own pace of change.
The fourteen markets problem
Talking about defensive cyber as one category is like talking about "healthcare" as one stock. Endpoint is consolidating. Cloud security is still expanding. Data security posture barely existed in 2022. Treat them as one and you lose everything that is interesting about the space.
What follows is the working taxonomy I use when sizing the defensive stack. Each section explains what the technology does in plain language, who actually writes the check and the vendors worth knowing. I have flagged the Israeli vendors in each category because, in many cases, they are the category leaders.
Endpoint and Workload Protection
Every laptop, server, mobile device and cloud workload an organization owns needs a sensor sitting on it. That sensor used to be antivirus. Then it became Endpoint Detection and Response ("EDR"), which correlates suspicious behavior rather than just matching signatures. The current generation is Extended Detection and Response ("XDR"), which pulls signals from endpoints, networks, email and the cloud into a single pane of glass (Sysdig).
EDR is now table stakes. If a mid market IT team does not have it, their cyber insurance carrier will refuse to renew. XDR is sold to organizations that already run a Security Operations Center ("SOC") and want to consolidate tooling. CrowdStrike, SentinelOne and Microsoft Defender are the names that come up in every deal. On the Israeli side, SentinelOne, Cybereason and Cynet all play in this market.
Security Operations: SIEM, SOAR and MDR
This is the plumbing of a modern security team. Security Information and Event Management ("SIEM") aggregates logs and alerts from across the stack. Security Orchestration, Automation and Response ("SOAR") automates the repetitive parts of triage. Managed Detection and Response ("MDR") is the same capability delivered as a service by an outside provider for teams that cannot afford to run a 24/7 SOC themselves.
The big SIEM check writers are banks, large tech companies, hospital systems and governments. Splunk, Microsoft Sentinel and Palo Alto's XSIAM dominate that end of the market. MDR is the answer for everyone else. Arctic Wolf and Expel are the names that come up most. Israeli vendors include Hunters, Logz.io and Mitiga.
Network Security: Firewalls, SASE and Zero Trust
This is the category that protects traffic moving between users, applications and the internet. Traditional Next Generation Firewalls ("NGFW") have been joined by Secure Access Service Edge ("SASE"), a cloud delivered bundle of secure web gateway, cloud access security broker, zero trust network access and firewall as a service (CrowdStrike). Zero Trust is the philosophy underneath it all: never trust, always verify (Tufin).
Any organization with a distributed workforce or a serious cloud footprint is now a buyer. Palo Alto Networks, Zscaler, Netskope and Cisco are the household names. Israel is unusually deep here. Check Point is one of the largest pure play security vendors in the world, Cato Networks is the SASE unicorn and Perimeter 81 (purchased by Check Point in Sept 2023) helped pioneer the cloud native Zero Trust Network Access ("ZTNA") wave.
Identity and Access Management
Identity and Access Management ("IAM") has quietly become the most important defensive category in the industry. Roughly 75% of intrusions now involve compromised credentials (EC Council University). The category includes Single Sign On ("SSO"), Multi Factor Authentication ("MFA"), Privileged Access Management ("PAM") and identity governance.
Essentially every company with more than a handful of employees is a buyer. Okta and Microsoft Entra are the workhorses. On the Israeli side, CyberArk is the global PAM leader, PlainID does policy based authorization, Silverfort does unified identity protection and AU10TIX handles identity verification and fraud.
Cloud Security: CNAPP, CSPM and CWPP
If you run material workloads on AWS, Azure or GCP, you have a cloud security problem that traditional tools were never designed to solve. The purpose built stack is called Cloud Native Application Protection Platform ("CNAPP"). It combines Cloud Security Posture Management ("CSPM"), which flags misconfigurations, Cloud Workload Protection Platform ("CWPP"), which protects running workloads, and cloud network security in a single platform (Aryaka).
The buyers are DevSecOps teams, cloud platform engineers and Chief Information Security Officers ("CISO") at any company with serious cloud exposure. Wiz, Palo Alto Prisma Cloud, Orca Security and Lacework lead the pack. This is arguably Israel's strongest category. Wiz was acquired by Google for a reported $32 billion, and Orca Security, Aqua Security and Upwind are all Israeli founded.
Application and API Security
This is the part of the stack that protects the software itself. It includes Static Application Security Testing ("SAST"), which analyzes source code, Dynamic Application Security Testing ("DAST"), which tests running apps, Software Composition Analysis ("SCA"), which scans open source dependencies, Web Application Firewalls ("WAF") and the fast growing Application Programming Interface ("API") security category. As attackers use AI agents to probe APIs at machine speed, runtime API protection has become its own market (SentinelOne).
This is the densest Israeli stack in the entire defensive industry. Snyk, Checkmarx, Veracode, Salt Security and Noname are the household names, and a striking number of them originated here: Snyk, Checkmarx, Salt Security, Noname Security (acquired by Akamai), Apiiro, Legit Security, Cycode, Backslash Security, Ox Security, Mend and Oligo Security all trace back to Israel (Tracxn).
Data Security and DLP
This is the category that classifies, encrypts and prevents leakage of sensitive data. It includes traditional Data Loss Prevention ("DLP"), the newer Data Security Posture Management ("DSPM") wave and an emerging set of controls designed to keep sensitive data out of AI prompts and training sets.
The buyers are the regulated industries (financial services, healthcare, defense, legal) plus any company sitting on valuable Intellectual Property ("IP"). Symantec/Broadcom, Forcepoint and Varonis are the legacy names. The DSPM wave that arrived around 2022 is heavily Israeli: Varonis, Cyera, Sentra, BigID, Eureka Security and Imperva all trace to Israel.
Email Security and Anti Phishing
Every organization that uses email is a buyer here, which is to say every organization. The category catches phishing, Business Email Compromise ("BEC") and malicious attachments before they reach a user. Phishing resistant MFA and AI driven content analysis are the baseline now, especially after generative AI drove a reported 160% increase in credential theft attempts in 2025 (EC Council University).
Proofpoint, Abnormal Security, Mimecast and Microsoft Defender for Office 365 dominate the category. Israeli vendors include Perception Point, IRONSCALES and Coro. Coro has built a broader Small and Medium Business ("SMB") security platform with email as one strong module.
GRC, Risk and Third Party Risk
This is the software that helps organizations manage compliance frameworks such as System and Organization Controls 2 ("SOC 2"), the International Organization for Standardization 27001 ("ISO 27001"), the Health Insurance Portability and Accountability Act ("HIPAA"), the Payment Card Industry Data Security Standard ("PCI DSS") and the EU Network and Information Systems Directive 2 ("NIS2"). It also covers risk assessments and vendor security evaluations under the heading Governance, Risk and Compliance ("GRC"). Supply chain attacks have made third party risk a board level concern (EC Council University).
Compliance officers, CISOs and increasingly procurement teams write the checks. Drata, Vanta and Secureframe serve startups and mid market. Archer, ServiceNow GRC and OneTrust dominate the enterprise. Israeli vendors include Anecdotes, a compliance operating system, and Panorays, which does third party cyber risk.
Threat Intelligence
This is the category that tells defenders what attackers are doing right now: which vulnerabilities are being exploited, which ransomware groups are active and which credentials are circulating on the dark web. It includes Cyber Threat Intelligence ("CTI") platforms and dark web monitoring services.
The buyers are mature SOCs, threat hunting teams, fraud groups at banks and government agencies. Recorded Future, Mandiant (now part of Google) and Flashpoint are the names that come up most. Israeli vendors include Cyberint (acquired by Check Point), KELA, Cybersixgill and IntSights, which was acquired by Rapid7.
Continuous Threat Exposure Management and Attack Surface Management
A newer category, championed by Gartner, that gives defenders a continuously updated map of their own attack surface, known as Continuous Threat Exposure Management ("CTEM") and Attack Surface Management ("ASM"). That map covers shadow IT, forgotten subdomains, expired certificates, exposed APIs and partner connections that nobody remembers turning on. Gartner has projected that companies adopting CTEM are roughly three times less likely to suffer a breach (SentinelOne).
CISOs and vulnerability management teams at mid to large enterprises are the buyers. Censys, Randori (IBM), CyCognito and Tenable lead here, with Israeli vendors CyCognito, IONIX and Pentera. Pentera crosses the line into autonomous validation, which puts it on the offensive map too.
Operational Technology and IoT Security
Specialized monitoring and segmentation for Industrial Control Systems ("ICS"), Supervisory Control and Data Acquisition ("SCADA"), building management systems and connected devices. Operational Technology ("OT") and Internet of Things ("IoT") environments often run legacy protocols that traditional IT security tools cannot speak. Manufacturers, energy and utility operators, transportation, healthcare device makers, smart building owners and critical infrastructure operators are all buyers.
Claroty, Nozomi Networks, Dragos and Armis are the four names that show up in every shortlist. Israel dominates this segment more than any other. Claroty, Armis, Otorio, SCADAfence (acquired by Honeywell), Argus Cyber Security (automotive, acquired by Continental), Karamba Security and NanoLock Security are all Israeli founded.
Security Awareness and Human Risk
The category that turns employees into a stronger line of defense via training and simulated phishing. It is shifting away from annual compliance videos toward continuous, behavior based Human Risk Management ("HRM").
HR, IT and security teams at virtually every regulated organization are buyers. KnowBe4, Hoxhunt and Proofpoint's training suite are the common picks. Israeli vendors include CYE, which does cyber posture quantification, and CybeReady, which sells autonomous awareness training.
Backup, Recovery and Cyber Resilience
The last line of defense. Immutable backups, Disaster Recovery ("DR") and ransomware recovery platforms. As ransomware has evolved into what some analysts now call Ransomware 3.0, combining encryption, data theft and deepfake driven extortion, clean tested backups have become a cornerstone of every serious defensive strategy (EC Council University).
IT operations and infrastructure teams write the check, but CISOs are increasingly involved. Rubrik, Cohesity, Veeam and Commvault dominate the space. Israeli vendors include Continuity, which does storage and backup security, and Dream, an AI driven national scale cyber resilience company founded by ex NSO leadership.
Our view: where this leaves an investor
The temptation when looking at defensive cybersecurity is to bet on a single category and pick the leader. Sometimes that works. Endpoint has consolidated and the leaders are obvious. Sometimes it does not. The cloud security wave produced three category leaders in five years, with Wiz emerging as the biggest because it understood the buyer better, not because it had the best technology.
The categories that are still expanding fastest in 2026 are non human identity, data security posture and operational technology. The categories most likely to consolidate further over the next 24 months are SIEM, MDR and email security. The one with the highest variance, the one that will produce both the next billion dollar exit and the next high profile collapse, is anything with "AI" in the name. That is the subject of Post 4.
Final Thoughts
Defense is the part of the cyber industry that does not look like a story. There is no single big idea. There is a portfolio of fourteen sub industries, each at a different stage of maturity, each with a different buyer, and an Israeli vendor leading or co leading roughly half of them. An investor who can read that portfolio at the sub industry level has a real edge. An investor who treats "cyber" as one line item does not.