Cyber Security for Dummies & Newbies

A primer for new investors about cybersecurity companies, Part 1 of 5

Part 1 of 5 · Cybersecurity for Investors

Cybersecurity is not one market. It is a portfolio of about thirty sub-markets held together by the fact that they all eventually report to the same buyer. Here is the map a generalist investor actually needs.

Most investors I talk to treat cybersecurity as a single line in their sector tear-sheet. That made sense in 1999. It does not make sense now. What people still call “cyber” is really thirty-odd distinct markets stitched together by a few shared customers and a lot of shared jargon. If you want to size opportunities, compare comparables, or pick the next breakout, you need a map that respects the way the market actually segments itself.

The cleanest first cut is also the oldest one: is the tool used to attack systems, or to defend them? Almost every category, every buyer, and every business model falls cleanly on one side of that line. A newer third bucket has appeared in the last 24 months — AI used for security work, and security work aimed at AI itself — and it is moving fast enough that it deserves its own column on the map.

This post is the orientation. The next four posts in the series go deeper on each layer. The aim here is to give a generalist investor a working mental model so the next pitch deck, S-1, or PitchBook export starts to look like a coherent landscape rather than acronym soup.

What the industry actually sells

At the highest level, the cybersecurity industry sells three things.

It sells defensive products and services — software and human labor that reduce the probability of a breach and limit the damage when one happens. This is by far the biggest piece of the pie. Almost every company on earth is a customer of something in this category, even if it is only Microsoft Defender bundled with their email license.

It sells offensive products and services — tools and engagements that simulate attackers, find weaknesses, or, in the most regulated corners of the market, conduct lawful surveillance for governments. The buyer base is smaller and more specialized, but margins and deal sizes are often higher.

It sells AI-era infrastructure that did not exist three years ago — agentic SOC platforms that replace human analysts, runtime guardrails that sit in front of LLMs, and tooling that scans models for tampering before they go into production. Funding here has been extraordinary. Agentic AI security startups have attracted roughly $3.6 billion in venture capital and $96 billion in M&A activity in the last 18 months (LinkedIn / CRN).

Defensive cybersecurity: the boring, enormous part

Defense is where the volume is. It is also where the largest public companies live — Palo Alto Networks, CrowdStrike, Zscaler, Fortinet, Check Point, CyberArk, SentinelOne. The category breaks down by what is being protected: the endpoint, the network, the cloud, identity, data, email, the application code, the operational technology behind a factory, the humans who keep clicking on links.

Each of those sub-segments has its own buyer, its own sales motion, and its own incumbent. The endpoint market is consolidating around CrowdStrike, SentinelOne, and Microsoft. The cloud security stack — what analysts call CNAPP — is consolidating around Wiz (now part of Google after a reported $32 billion acquisition), Palo Alto’s Prisma Cloud, and Orca Security. Identity is a duopoly with a long tail: Okta and Microsoft Entra at the top, CyberArk owning the privileged-access wing, and a wave of newcomers attacking the non-human identity problem that AI agents created.

The reason this matters for investors is that the segments do not move together. The endpoint market has matured. The CNAPP market is still expanding. The data security posture management (DSPM) market barely existed in 2022 and is now a billion-dollar category, with companies like Cyera, Sentra, and BigID reaching unicorn valuations. Treating these as one market obscures the asymmetric growth.

Offensive cybersecurity: smaller market, bigger margins

Offensive is the part of the industry most outsiders misunderstand. It is not malicious hacking sold as a product. It is the discipline of thinking like an attacker on behalf of a defender — running simulated attacks, finding zero-day vulnerabilities, emulating the playbook of a specific ransomware group, and selling the lessons learned back to the organization being tested.

The market includes penetration testing, red team services, breach and attack simulation platforms (SafeBreach, Cymulate, XM Cyber, Pentera), vulnerability research firms, bug bounty platforms (HackerOne, Bugcrowd), and the most controversial corner of all — lawful intercept and forensic acquisition (Cellebrite, Magnet Forensics, NSO Group). Buyers range from a 50-person SaaS company that needs a SOC 2 attestation up to nation-state cyber commands that purchase exploit research from a handful of brokers.

For investors, the interesting story is that offensive capabilities are increasingly being sold as defensive outcomes. A breach and attack simulation product is, under the hood, an offensive toolkit. It is sold to a CISO as a way to validate that the defensive stack actually works.

That blurring of categories is one of the most important trends to track.

AI: a third axis, not just a feature

The last 24 months have produced an entirely new layer of the industry, and it is genuinely separate from the offense/defense split. Two distinct things are happening at the same time, and people in the market are still bad at distinguishing them:

  1. AI for security. Companies like Prophet Security, Dropzone AI, and RunSybil are using LLM-powered agents to do the work that used to require human L1 and L2 analysts. The promise is a 60–95% reduction in analyst toil (D3 Security). Every major incumbent has bolted agentic AI into its platform — Microsoft Security Copilot, CrowdStrike Charlotte AI, SentinelOne Purple AI, Splunk Enterprise Security. There is a real possibility this displaces the legacy SIEM and SOAR markets in a way that creates the biggest re-platforming opportunity in security since the move to cloud.
  2. Security for AI. A wholly new buying center has emerged inside the AI or ML platform team, often outside the CISO’s office. The buyers are looking at AI Security Posture Management (Palo Alto Prisma AIRS, Wiz AI-SPM), LLM firewalls and runtime guardrails (Lakera, Prompt Security, Pillar Security), model scanning and supply chain tools (HiddenLayer, Protect AI), and agent-security platforms (Noma Security, Kai, Aim Security). This category did not have measurable revenue three years ago.

For an investor, the most important takeaway is that this is the first time in twenty years that a major cybersecurity wave is being purchased outside the traditional CISO budget cycle. That changes the sales motion, the comparable multiples, and the typical time-to-revenue for early-stage companies. It is also why the venture activity has been so concentrated here.

Why Israel matters more than its market cap suggests

One observation worth flagging for any investor doing comparables work: Israel produces a disproportionate share of the cybersecurity industry. Check Point, CyberArk, Wiz, Cato Networks, SentinelOne, Snyk, Claroty, Armis, Cyera, Pentera, SafeBreach, NSO Group, Cellebrite, and a long list of others originated there. The country’s intelligence corps — Unit 8200 most famously — functions as a structural feeder of founders. Any investor mapping the space who ignores the Israeli ecosystem will end up with an incomplete view of the competitive landscape (Tracxn). The subsequent posts in this series will flag Israeli vendors in each category, because in many cases they are the category leaders.

How to read the rest of this series

The next four posts progress category by category: first defensive offerings, then offensive offerings, then AI solutions, and finally a map of Israel's cybersecurity industry.

Stay tuned.
