The State of Cyber
How the new regulatory environment will drive investor activity
Part 5 and the conclusion of a five part series on the cybersecurity industry.
In December of last year, a public company Chief Financial Officer ("CFO") I have known for the last 5 years called to ask me whether his board's cyber budget was "about right." He sent me his line items. I ran them against three Israeli founder friends and a Chief Information Security Officer ("CISO") at a U.S. money center bank. The verdict was identical from all four. He was overspending on legacy Security Information and Event Management ("SIEM"), underspending on identity and had nothing budgeted at all for non human identity, agent security or AI Security Posture Management ("AI SPM"). Three of his largest line items were going to vendors whose multiples were about to compress hard.
That conversation is the reason for this post. The first four installments of this series walked through the industry category by category. This one steps back. After mapping every offensive, defensive and AI era sub market, what does the cybersecurity industry actually look like in 2026, and where are the regulators pushing it?
A few things are clear. The market is no longer one market. It is a portfolio of thirty odd sub industries with very different growth rates. Consolidation is happening, but unevenly. AI has scrambled the budget cycle on both the buyer side and the seller side. And the regulatory environment is finally catching up to a decade of escalating breaches, which is creating both real tailwinds and real costs.
The shape of the market in 2026
Global cybersecurity spending is approaching $300 billion a year, with IDC's Worldwide Security Spending Guide projecting $308 billion in 2026 and $430 billion by 2029 (BizTechReports / IDC). The market is still growing at roughly low double digit percentages, but the growth is concentrated. Three categories are doing most of the work. Cloud security, identity (especially non human identity) and anything with "AI" in the name. The legacy categories (antivirus, traditional firewalls, on prem SIEM) are flat or declining.
The public market side of the industry has matured into a recognizable cohort. Palo Alto Networks, CrowdStrike, Zscaler, Fortinet, Check Point, CyberArk, SentinelOne and Cloudflare account for a meaningful share of the public market value of the entire sector. Each is now in active acquisition mode. Palo Alto alone has acquired more than ten cybersecurity companies in the last five years. The pattern is consistent. A platform vendor buys an emerging category leader to extend the suite, the standalone disappears and the multiple gets paid as a premium over public comp benchmarks.
The private market is bifurcated. Late stage cyber is well funded but selective. The bar to write a Series D in 2026 is roughly the bar to write a Series B was in 2021. Early stage cyber is unusually active, driven almost entirely by the AI wave. Roughly $3.6 billion has gone into agentic AI security startups alone in the last 18 months (LinkedIn / CRN).
The asymmetry that funds the whole industry
The cost of being unprotected has risen faster than the cost of being protected. That gap, not innovation, is the structural reason cyber keeps growing through every macro cycle.
The breach economy is the demand side
It is impossible to talk about the industry's growth without acknowledging what is driving it. Breaches keep getting worse, in three measurable ways.
First, the average cost of a breach is now north of $5 million globally, with U.S. and regulated industry breaches well into eight figures. Ransomware has evolved into what some analysts call "Ransomware 3.0," combining encryption, data theft and increasingly deepfake driven extortion of executives (EC Council University).
Second, identity is now the primary attack vector. Roughly 75% of intrusions involve compromised credentials (EC Council University). Phishing has been industrialized by Generative AI ("GenAI"), and credential theft attempts rose 160% in 2025 alone.
Third, the supply chain is now everyone's problem. The SolarWinds, Kaseya and Okta incidents established a pattern. A single upstream compromise cascades into thousands of downstream victims. Third Party Risk Management ("TPRM") is no longer a procurement checklist item. It is a board level concern.
For investors, this is the demand side of the market in one sentence. The cost of being unprotected has risen faster than the cost of being protected. That asymmetry is what funds the entire industry.
The global regulatory environment
The regulatory picture has shifted from "encouraged best practices" to "mandatory controls with real penalties." Five frameworks deserve attention.
The EU Network and Information Systems Directive 2 ("NIS2") went into full effect in late 2024 and is now actively enforced. It massively expands the scope of regulated entities (energy, transport, banking, healthcare, digital infrastructure, postal services, waste management, food production and more) and requires risk management, incident reporting within 24 hours and personal accountability for senior management. Fines reach €10 million or 2% of global turnover.
The EU Digital Operational Resilience Act ("DORA") has been live since January 2025 and applies to virtually every financial entity operating in the EU. It mandates Information and Communications Technology ("ICT") risk management, third party oversight (including cloud and AI vendors), threat led penetration testing for major institutions and information sharing. It is the most prescriptive financial services cybersecurity regulation in the world.
Securities and Exchange Commission ("SEC") cybersecurity disclosure rules in the U.S. now require public companies to disclose material cyber incidents within four business days and to describe their cyber risk management practices in annual filings. This has measurably increased board level attention and is one reason the CISO role has been formally elevated into the executive ranks at most large U.S. issuers.
The EU Artificial Intelligence Act ("EU AI Act"), fully in force in 2026, classifies AI systems by risk and imposes serious controls on high risk systems. Transparency obligations, post deployment monitoring and risk management requirements that directly create demand for the AI SPM, model scanning and AI red teaming categories described in Post 4 of this series.
Post Quantum Cryptography ("PQC") migration mandates are appearing in U.S. federal guidance, National Institute of Standards and Technology ("NIST") standards and a growing list of national strategies. Federal agencies have a 2035 deadline to migrate to quantum resistant algorithms. The private sector will be dragged along by procurement language and audit requirements long before that.
Regulation, for an investor, is rarely a clean bull case on its own. But the directional read is unambiguous. Every major framework is creating a new compliance driven category, and every existing category is being pulled upward in importance as boards get personally exposed to enforcement.
What has actually moved in the last twelve months
This series went to press once in early 2026. Between then and now the regulatory picture has moved enough to justify a fresh section. Six items are worth flagging.
NIST Cybersecurity Framework 2.0 has moved from published to operational. CSF 2.0 added a sixth function, Govern, alongside the original five, and NIST has spent 2026 rolling out community profiles that translate the framework into specific sub domains. The finalized Ransomware Risk Management profile (NIST IR 8374r1) landed in June 2026 (NIST CSRC). New Quick Start Guides on enterprise risk management and workforce alignment followed in March. The pattern is that CSF 2.0 is quietly becoming the backbone that state regulators, federal contractors and insurers reference when they define "reasonable security." For vendors, that means product mapping to CSF 2.0 is now table stakes in enterprise procurement.
CISA has rewritten how federal agencies triage vulnerabilities. Binding Operational Directive 26-04, issued June 10, 2026, replaces the old Common Vulnerability Scoring System ("CVSS") based approach with a risk based model built around four factors: public exposure, Known Exploited Vulnerability ("KEV") status, automation of the exploit and whether the flaw allows system takeover (Nextgov). The most aggressive tier gets a three day patch window (U.S. News / Reuters). That is the tightest federal remediation timeline ever set. For anyone in vulnerability management, exposure management or the broader continuous threat exposure category (Wiz, Tenable, Qualys, Rapid7, XM Cyber, Pentera), the directive is a demand accelerant. FedRAMP providers get pulled along by August 2026 and full compliance is required by year end.
The White House issued a June 2026 Executive Order on AI security that hands CISA a real operational role. Sitting alongside four other AI and cyber policy instruments issued between May 22 and June 10, it forms the most concentrated cluster of federal AI governance actions we have seen (Cloud Security Alliance). OMB Memorandum M-26-14, in the same window, retired the five year old SolarWinds era logging mandate and replaced it with a risk based continuous event monitoring requirement that explicitly covers Internet of Things ("IoT") and Operational Technology ("OT") environments. Read together, these documents drag AI security, OT security and continuous monitoring into the federal baseline. That is direct demand for the AI SPM, OT security and Extended Detection and Response ("XDR") categories.
Post Quantum Cryptography moved from theoretical deadline to procurement clock. On June 22, 2026, President Trump signed an Executive Order titled "Securing the Nation Against Advanced Cryptographic Attacks," setting a binding December 31, 2030 deadline for federal contractors to adopt the NIST PQC FIPS standards for key establishment and starting a 180 day clock for the Federal Acquisition Regulation ("FAR") Council to codify the requirements (GovConFeed). The underlying NIST work is now done. FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) were finalized in 2024, and a third digital signature standard, FIPS 206 (FN-DSA), is expected to publish in late 2026 or early 2027. In parallel, the Cryptographic Module Validation Program shifts on September 21, 2026, when FIPS 140-2 validated modules move to the historical list, making FIPS 140-3 the operative baseline for federal procurement (Compliance Hub). This is the moment PQC stops being a slide in a keynote and starts appearing in contracts.
NIS2 hits its true enforcement wall in October 2026. The transposition deadline was October 17, 2024, and most member states missed it. As of mid 2026 the great majority have finally adopted transposition laws and the covered entity compliance obligations culminate in October 2026 (Compliance Hub). DORA is now in its first genuine supervisory enforcement cycle, and regulators have signaled that they will act on incident reporting failures and persistent gaps in the Register of Information (Compliance Hub). The first serious fines under either regime will move budgets across the continent within a quarter.
The NIST AI Risk Management Framework is being revised. The 1.0 version, published in 2023, has become the de facto reference for U.S. AI governance and is currently under revision (NIST AI Standards). The next iteration will almost certainly align more closely with ISO/IEC 42001 and the EU AI Act, which matters because it is the document that U.S. enterprise procurement teams point to when they define AI security requirements for vendors. Companies selling into the AI SPM, model scanning and AI red teaming categories should be reading every draft.
Our view: the aggregate signal from these six items is that the U.S. and EU are converging on a common cyber governance shape. Board level accountability, risk based prioritization, continuous monitoring, mandatory incident reporting and PQC migration on a hard clock. The vendors positioned across CSF 2.0 mapping, KEV based prioritization, AI security posture and PQC ready cryptography have a demand curve pulled forward by policy, not just by breach fear.
Geopolitical pressure and export controls
Cyber is now an instrument of statecraft, and the policy response is reshaping the industry.
The U.S. Commerce Department's Entity List has been used aggressively against commercial spyware vendors since 2021. NSO Group, Candiru, Intellexa and others have been blacklisted, and the Biden era executive order limiting U.S. government use of commercial spyware has carried into the current administration. Several European governments (France, Germany, Italy) have followed with their own restrictions.
China related export controls and the U.S. CHIPS framework are bleeding into cyber in ways that are not always obvious. Vendors with material exposure to China are increasingly being asked to provide assurances about codebase provenance and supply chain controls. The Kaspersky ban in the U.S. federal government was the visible tip. The iceberg is the procurement language now appearing in private sector contracts.
The conflict in Ukraine, the ongoing tensions in the Taiwan Strait and the broader fracturing of the global tech stack have made cybersecurity a near explicit instrument of national strategy. The countries with deep cyber industrial bases (the U.S., Israel, the U.K., France and increasingly Singapore and South Korea) are treating their vendors as strategic assets.
For Israel specifically, the picture is more interesting and more complicated. The country continues to produce a disproportionate share of the world's cybersecurity companies. Check Point, CyberArk, Wiz, Cato Networks, SentinelOne, Snyk, Claroty, Armis, Cyera, Pentera, SafeBreach, NSO Group, Cellebrite and many more (Tracxn). At the same time, the commercial spyware sub sector is under unprecedented international pressure, and a handful of Israeli vendors have been pushed off the Western institutional investor list entirely. The bifurcation is sharp. World class defensive and AI security companies on one side, regulated and reputationally exposed offensive vendors on the other.
Our view: five things to watch over the next 24 months
Out of all this, five things are worth tracking closely.
Consolidation of the AI cyber stack. The number of Large Language Model ("LLM") firewall and guardrail vendors is unsustainable. Expect aggressive acquisitions by Palo Alto, CrowdStrike, Microsoft and the cloud hyperscalers. The winners will be the ones embedded in cloud platform contracts. The losers will be the standalone point products sold to security teams.
The displacement of legacy SIEM. Splunk (now Cisco), IBM QRadar and Microsoft Sentinel are all under pressure from agentic Security Operations Center ("SOC") platforms. This is the single category most likely to produce a re platforming opportunity comparable to the move from on prem antivirus to cloud delivered Endpoint Detection and Response ("EDR"). Watch the renewal cohorts on Prophet Security, Dropzone AI and the agentic incumbents inside CrowdStrike and SentinelOne.
Non human identity becoming a top line category. Every enterprise AI agent is a new identity. Oasis Security, Astrix Security, Token Security and others are building what Okta built for humans, but for the machine layer. The leaders here will look obvious in retrospect, and a striking number of them are Israeli founded.
Enforcement of NIS2, DORA and the EU AI Act. The first wave of high profile penalties under these frameworks will move budgets faster than any analyst report. Watch the regulatory news cycle in Europe especially. The first €10 million fine under NIS2 will trigger meaningful procurement shifts across the continent.
The commercial spyware reckoning. The trajectory is clearly downward for vendors selling targeted surveillance to non democratic governments. Whether the wider mobile forensics market (Cellebrite, Magnet Forensics) escapes that trend or gets caught up in it is the open question. Several major U.S. allocators have already taken a position. More will follow.
What this means for Israeli cybersecurity operators
Regulation is not just an American and European story. Every framework in the section above lands on Israeli companies in a specific way, and the Israeli policy side has moved almost as fast as Washington and Brussels.
Israel is finally passing its own national cyber law. On May 17, 2026, the Knesset approved the National Cyber Defense Bill in its first reading after more than ten years of stalled attempts (Israel.com). The bill establishes a binding baseline for essential organizations and digital service providers, mandatory incident reporting to the Israel National Cyber Directorate ("INCD") and sectoral supervision guided by the INCD (i24NEWS). It is deliberately structured to align with NIS2 (Dan Or-Hof / LinkedIn). The State Comptroller's June 2026 audit made clear why this took so long and why the timing is finally shifting (Ynet). Israel had been operating on "recommendations only," which is untenable in a country now facing sustained Iranian cyber campaigns (Times of Israel).
The INCD is behaving like an operational regulator, not a think tank. In early June 2026 the Directorate issued urgent guidelines for VPNs, Zero Trust Network Access ("ZTNA") systems and firewalls, mandating multi factor authentication, geo restrictions and end of life equipment replacement across critical infrastructure (Israel Defense). INCD chief Yossi Karadi has publicly framed his multi year plan around three areas by 2030: cloud security, the intersection of cyber and AI and quantum computing (Times of Israel). That is the same shape as NIST's PQC clock. Israeli critical infrastructure operators will effectively be running under an Israeli PQC migration timeline in parallel with the U.S. federal one.
For Israeli cyber vendors selling into Europe, NIS2 and DORA are pure tailwinds. The convergence between the emerging Israeli law and NIS2 means Israeli companies whose products already map to CSF 2.0 and NIS2 controls have an unusually clean sales motion into both markets. Wiz, Cyera and Cato Networks sit squarely in the categories that NIS2 pushes budget toward. Claroty and Armis sit in OT and IoT security, which is exactly the category OMB M-26-14 pulled into the federal baseline. CyberArk, Oasis Security, Astrix Security and Token Security sit on non human identity, which is the category regulators have not yet named but are already dragging into scope through AI governance rules.
PQC creates a specific opening. Israeli cryptography and Public Key Infrastructure ("PKI") vendors, and any Israeli company already touching FIPS validated modules, have a hard procurement clock now working in their favor. The FIPS 140-2 to FIPS 140-3 transition on September 21, 2026, and the December 31, 2030 federal contractor PQC deadline are two of the clearest budget forcing events in the entire cyber calendar. Israeli companies with existing federal or NATO customer relationships should be having procurement conversations right now.
The AI security regulatory picture is more nuanced for Israeli companies. Israel has no comprehensive AI law equivalent to the EU AI Act as of mid 2026 (Future Proof Intelligence). The INCD has published AI security guidance for critical infrastructure operators, but for private sector operators outside critical infrastructure it is not binding in the way a regulation would be. That is a temporary advantage. Israeli AI security companies can develop and deploy at home with less regulatory friction than European peers, while selling into the EU AI Act and NIST AI RMF driven procurement demand abroad. The window closes when Israel eventually passes its own AI framework, which is telegraphed by the appointment of Erez Askal as the country's first AI Chief and the recent NIS 120 million AI directorate budget (Jerusalem Post).
The commercial spyware overhang remains the counter narrative. Everything above is a tailwind for the defensive and AI security cohort. It is not a tailwind for the offensive and mobile forensics cohort. NSO Group, Candiru and Intellexa are still on the U.S. Entity List. The Israeli commercial spyware sub sector is still excluded from most Western institutional capital pools. Whether Cellebrite and Magnet Forensics escape that categorization depends heavily on how the U.S. Congress and European regulators define "lawful intercept" versus "commercial spyware" over the next twelve months.
Our view: the aggregate effect of the 2026 regulatory wave on Israeli cyber is a widening of the bifurcation we called out earlier in this series. The defensive, AI security, non human identity and OT security cohort is running into a broader and faster procurement pull than at any point in the last five years. The offensive and mobile forensics cohort is running into the opposite. The rate of change in the middle, where cryptography, identity and cloud security overlap, is where the next generation of Israeli category leaders will announce themselves.
Final Thoughts
If you take a single thesis from this series, take this one. Cybersecurity is one of the few sectors where the underlying driver, the cost of being unprotected, keeps rising faster than the cost of being protected. That asymmetry is the structural reason the market keeps growing through every macro cycle, every consolidation wave and every shift in regulation.
The complication, and the source of opportunity, is that the market does not grow uniformly. It grows in waves. Endpoint in the 2010s, cloud security in the late 2010s, identity and Data Security Posture Management ("DSPM") in the early 2020s and now AI security. Each wave creates a small number of category defining companies, a larger number of acquired into a suite companies and a much larger number of also rans.
The investors who do well in cybersecurity tend to be the ones who can speak about it in the plural. Who know which sub segment is in which phase, which buyer signs which check and which incumbent is most exposed to the next re platforming. The five part map in this series is a starting point for that kind of literacy. The next 24 months will fill in the picture in ways that are easier to read once the underlying taxonomy is clear.