Cybersecurity looks like one industry from the outside and behaves like fifteen from the inside. Every few months a new category appears, a dozen startups raise money to own it, and a platform giant swallows the last one. If you buy, sell, or invest anywhere near this market, the map matters more than any single product.
So I built the map. Not CB Insights' proprietary version, which sits behind a paywall and buries the signal under a wall of logos, but a plain-language one: the major domains, the companies that matter in each, where the venture and private equity money has gone, and the part almost every map skips, which of these actually reach the mid-market. Because that is where MSPs live, and where most businesses actually buy their security.
The short answer, before the detail: the cybersecurity market splits into fourteen practical domains. Network, cloud and application security on the infrastructure side; endpoint, identity, email and data protection on the user side; security operations, threat intelligence, and risk, exposure and compliance in the operations layer; OT and IoT, fraud prevention and AI security at the frontier; and the managed services layer that actually carries security to the mid-market.
How to read this map
I split cybersecurity into fourteen domains. For each one you get what it covers, the notable vendors, where the money has gone, and the judgement most maps leave out: whether it is MSP-deliverable. One question this map deliberately skips is who wins each domain; that now has its own companion piece, who actually leads each cybersecurity category, with measured share and revenue receipts per category.
A tool is MSP-deliverable when a managed service provider can resell it and run it for a small or mid-sized business. A lot of the flashiest, best-funded security is not; it is bought direct by enterprise security teams with their own analysts. Knowing which is which tells you where the mid-market money flows, and it separates a category an MSP can build a practice on from one it will never touch.
One editorial choice: I put a full vendor table under the eight domains an MSP can genuinely act on, and cover the six enterprise-direct domains in prose. That split is itself part of the map.
A note on method up front: the map is my own synthesis of the public market maps, funding announcements and vendor disclosures, current as of July 2026. The detailed sourcing caveat is at the end.
| Acronym | What it is | MSP relevance |
|---|---|---|
| EPP / EDR | Endpoint protection and detection | High: the deepest MSP channel on the map |
| MDR | Managed detection and response | High: security operations as a service |
| SIEM / SOAR | Log analytics and response automation | Partial: the managed layer is MSP work, raw platforms are not |
| SASE / SSE | Network security delivered from the cloud | Partial: managed network is MSP territory |
| ZTNA | Zero-trust network access | Partial: usually part of a SASE bundle |
| CNAPP (CSPM, CWPP, CIEM) | Cloud-native application protection: posture, workload and entitlement security | Low: sold to cloud engineering teams, not through MSPs |
| DSPM | Data security posture management | Low: enterprise-direct today |
| NDR | Network detection and response | Low: enterprise SOC tooling |
| BAS | Breach and attack simulation | Low: enterprise validation tooling |
| vCISO | Virtual CISO: fractional security leadership | High: the compliance-led MSP growth offer |
The landscape on one page
Fourteen domains, grouped by how they actually reach the mid-market. The grouping is the point: the further down the page a domain sits, the less of it an MSP can package and sell.
Sold through MSPs
These reach the mid-market through MSPs because the products are operational and repeatable: priced per seat or per device, and close to what an MSP already manages every day.
Fortinet
Palo Alto
Zscaler
Cloudflare
Cato
ThreatLocker
CrowdStrike
Defender
Bitdefender
Huntress
Defender
Proofpoint
Abnormal
Mimecast
Hornetsecurity
KnowBe4
Splunk
Sentinel
Arctic Wolf
Huntress
Blackpoint
Torq
Arctic Wolf
Huntress
Cynomi
Cork
At-BaySplit between MSPs and direct
Some SKUs reach MSPs, but the strategic buyer often stays direct, because the work touches identity architecture, sensitive data, or compliance accountability that a client will not delegate.
Entra
CyberArk
SailPoint
JumpCloud
Silverfort
Veeam
Rubrik
Cohesity
Acronis
Cyera
Tenable
Qualys
Vanta
PenteraSold direct to enterprise security teams
Specialized, high-context, incident-driven products. MSPs mostly consume the outputs of these categories rather than resell them.
Wiz
Prisma Cloud
Orca
Aqua
Defender for Cloud
Checkmarx
Veracode
Cloudflare
Chainguard
Vault
Recorded Future
Flashpoint
Claroty
Dragos
Nozomi
Armis
TXOne
Sift
Signifyd
Feedzai
Protect AI
HiddenLayer
NomaSecuring the infrastructure
The oldest part of the market protects the pipes: the network, the cloud it now runs on, and the applications on top. This is where the biggest cheques and the biggest exits sit, and where the mid-market mostly does not shop directly.
Network security
Network security is the one infrastructure domain with real MSP depth. Fortinet, Check Point and Cato all run serious partner programs, and managed firewall, SD-WAN and zero-trust access are staple managed services. On measured share, Palo Alto leads the firewall segment with roughly 29 percent of revenue per Dell'Oro's Q2 2025 read.
The action moved from the box to the cloud edge: SASE and SSE. Netskope went public in September 2025 at roughly a $7.3B valuation, Cato raised a $409M round at over $4.8B, and Palo Alto, Zscaler and Cloudflare keep pulling the perimeter into their clouds. On the private-equity side, Thoma Bravo took Darktrace private for $5.3B.
| Vendor | What it does | Backing | MSP |
|---|---|---|---|
| Fortinet | NGFW, SASE, SD-WAN; deep SMB base | Public (FTNT) | Yes |
| Palo Alto Networks | Firewalls + Prisma SASE; platform leader | Public (PANW) | Partial |
| Zscaler | Zero-trust cloud proxy (SSE) | Public (ZS) | Partial |
| Cloudflare | Global edge, DDoS, ZTNA | Public (NET) | Partial |
| Check Point | Firewalls + Harmony SASE | Public (CHKP) | Yes |
| Cato Networks | Single-vendor SASE | VC · $409M round · >$4.8B | Partial |
| ThreatLocker | Zero-trust allowlisting, MSP-first | VC · ~$1.2B | Yes |
| Darktrace | Network AI detection | PE · Thoma Bravo ($5.3B) | Partial |
Cloud security
Cloud security is where the money is loudest and the mid-market is quietest. This is the CNAPP world: posture, workloads and cloud entitlements, bought by cloud and platform teams, not resold by generalist MSPs.
It also produced the biggest deal in the industry's history. Google closed its $32B acquisition of Wiz in March 2026, the largest deal Google has ever done, after Wiz itself had rolled up Gem Security and Dazz. Palo Alto (Prisma Cloud), CrowdStrike and Microsoft Defender for Cloud anchor the rest; Orca, Aqua and Sysdig are the independent challengers, and Fortinet absorbed Lacework. For an MSP, the only line that reliably reaches SMB is Defender for Cloud, sold through the Microsoft licensing motion.
Application and API security
Application and API security is the most developer-direct corner of the whole map. AppSec (Snyk, Checkmarx, Veracode, Semgrep), API security and software supply chain sell to engineering teams, not to MSPs. The consolidation here has been relentless: IBM bought HashiCorp (Vault) for $6.4B, Akamai bought Noname for about $450M, Harness merged with Traceable, and Chainguard raised to a $3.5B valuation securing the open-source supply chain. Two adjacent categories, WAF and the enterprise browser (Island, now at $4.85B, and Palo Alto's Talon), have a little channel delivery, but this domain is not MSP territory.
Securing endpoints, identity and email
The layer closest to the user is the heart of what an MSP actually sells. Two of these three domains are as MSP-native as security gets.
Endpoint security
Endpoint security is the deepest MSP channel in the entire market. On measured share, Microsoft Defender leads at 28.6 percent per IDC's 2024 tracker, its third straight year at number one. CrowdStrike and SentinelOne are the public heavyweights, and a whole set of vendors are effectively MSP-distribution businesses: Huntress ($150M Series D at about $1.55B), Sophos (now the largest pure-play managed-detection provider after buying Secureworks for $859M), Bitdefender, ThreatDown and Blackpoint. If an MSP builds one security practice, it starts here.
| Vendor | What it does | Backing | MSP |
|---|---|---|---|
| CrowdStrike | Falcon EDR/XDR platform | Public (CRWD) | Partial |
| SentinelOne | Autonomous EDR/XDR | Public (S) | Yes |
| Microsoft Defender | Native Windows EPP + EDR | Microsoft-native | Partial |
| Sophos | Endpoint + MDR (+ Secureworks) | PE · Thoma Bravo | Yes |
| Bitdefender | GravityZone EPP/EDR + MDR | Private (Vitruvian minority) | Yes |
| Huntress | Managed EDR built for MSPs | VC · $150M · ~$1.55B | Yes |
| ThreatDown (Malwarebytes) | MSP-focused EPP/EDR/MDR | Private | Yes |
| Blackpoint Cyber | MSP-delivered 24/7 MDR | VC · $190M | Yes |
Identity and access
Identity and access splits down the middle, and it is the single busiest domain for consolidation. Workforce sign-on, MFA and directory for smaller firms are MSP-deliverable (JumpCloud, Entra through Microsoft licensing, Duo, and Huntress Managed ITDR). Privileged access, governance and machine identity are enterprise-direct and where the deals happened: Palo Alto bought CyberArk for about $25B (closed February 2026), its biggest deal ever and its entry into identity; CyberArk had already bought Venafi for $1.54B; Cisco agreed to buy Astrix for around $400M for non-human identity; and Thoma Bravo merged Ping and ForgeRock, then re-floated SailPoint in a $1.38B IPO. Machine and non-human identity is the hot new sub-category, driven by AI agents, with Oasis ($120M) and Astrix raising fast before being bought.
| Vendor | What it does | Backing | MSP |
|---|---|---|---|
| Okta | Workforce SSO/MFA + Auth0 (CIAM) | Public (OKTA) | Partial |
| Microsoft Entra ID | Native cloud identity + MFA | Microsoft-native | Partial |
| CyberArk | Privileged access + machine identity | Public (CYBR) → Palo Alto (2026) | No |
| SailPoint | Enterprise identity governance | Public (SAIL); Thoma Bravo ~88% | No |
| JumpCloud | Cloud directory + SSO for SMB | VC-backed | Yes |
| Silverfort | Agentless MFA + identity threat detection | VC · ~$1B | Partial |
| Oasis / Astrix / Aembit | Machine / non-human identity | VC (Astrix → Cisco) | No |
Email and collaboration security
Email and collaboration security is, with endpoint, the most MSP-distributed domain on the map. Microsoft Defender for Office 365 is the bundled baseline; on top of it sit vendors built for or leaning heavily on the channel. The defining deal came in December 2025, when Proofpoint bought Hornetsecurity for about $1.8B explicitly to reach the SMB market through its 12,000-plus MSP partners. Abnormal, the behavioural-AI challenger, raised at a $5.1B valuation; KnowBe4 (awareness training) went private with Vista for $4.6B; Mimecast sits with Permira.
| Vendor | What it does | Backing | MSP |
|---|---|---|---|
| Microsoft Defender for Office 365 | Native M365 email security | Microsoft-native | Partial |
| Proofpoint | Email platform (+ Hornetsecurity) | PE · Thoma Bravo | Yes (via Hornetsecurity) |
| Abnormal AI | Behavioural-AI cloud email security | VC · ~$5.1B | Partial |
| Hornetsecurity | M365 email security for MSPs | Proofpoint (~$1.8B) | Yes |
| KnowBe4 | Security awareness training | PE · Vista ($4.6B) | Yes |
| Mimecast | Email security + archiving | PE · Permira | Yes |
| IRONSCALES / Graphus | AI anti-phishing for MSPs | VC / Kaseya | Yes |
Protecting and recovering data
Data security is really two markets. The backup half, now rebranded as cyber resilience, is highly MSP-deliverable: Veeam (Insight Partners, widely reported around a $15B valuation), Acronis, Datto under Kaseya, and N-able Cove are all MSP staples, while Rubrik went public in 2024 and Cohesity merged with Veritas to claim the largest-vendor spot, before Veeam took IDC's number-one data-protection tracker position in late 2025. The other half, data security posture management and data-loss prevention, is enterprise-direct and classification-heavy. Cyera is the breakout there, raising to a $12B valuation, while the smaller posture tools keep getting absorbed into bigger platforms (Dig into Palo Alto, Normalyze into Proofpoint).
| Vendor | What it does | Backing | MSP |
|---|---|---|---|
| Veeam | Backup + ransomware resilience | Private · Insight (~$15B) | Yes |
| Acronis / Datto | MSP-native backup + cyber protection | Private / Kaseya | Yes |
| Rubrik | Zero-trust backup + cyber recovery | Public (RBRK) | Partial |
| Cohesity | Data protection (merged Veritas) | Private (~$7B+) | Partial |
| Cyera | AI-era data security posture (DSPM) | VC · ~$12B | No |
| Varonis | Data access governance + DSPM | Public (VRNS) | Partial |
Detection, response and exposure
Once the controls are in place, someone has to watch them. This cluster is where the mid-market genuinely buys through MSPs, because almost no small business runs its own security operations centre.
Security operations
Security operations is a High-MSP domain, but only the managed layer. On measured share, Splunk has held IDC's SIEM number one for years, while MDR has no analyst share tracker at all. Raw SIEM is being swallowed by platforms: Cisco bought Splunk for $28B, Microsoft Sentinel and Google SecOps fold detection into their clouds, and Palo Alto pitches Cortex XSIAM as a SIEM replacement. Where MSPs live is managed detection and response, and here the vendors are built channel-first: Arctic Wolf, Huntress, Blackpoint and Todyl.
The hottest and best-funded sub-category is the agentic SOC, AI analysts that triage and investigate alerts. Torq raised $140M at a $1.2B valuation, 7AI raised $166M, and Dropzone, Prophet and Exaforce all raised in 2025. Zscaler bought Red Canary for $675M to build one. Almost none of it reaches the mid-market yet except when an MSSP runs it for you, which is exactly the opening.
| Vendor | What it does | Backing | MSP |
|---|---|---|---|
| Splunk | Market-leading SIEM | Public (CSCO) · $28B deal | Partial |
| Microsoft Sentinel | Cloud-native SIEM/SOAR | Microsoft-native | Partial |
| Arctic Wolf | Concierge SOC-as-a-service | VC · ~$1B+ raised | Yes |
| Huntress | Managed EDR/SIEM for MSPs | VC · $150M | Yes |
| Blackpoint / Todyl | Channel-only MDR platforms | VC · $190M / $50M | Yes |
| Torq | Agentic SOC automation | VC · $140M · $1.2B | Partial |
| Dropzone / 7AI / Prophet | Autonomous AI SOC analysts | VC (2025 rounds) | Partial |
Threat intelligence
Threat intelligence is the lowest-MSP domain in this cluster. Standalone intel is bought by enterprises and governments, or shows up bundled inside the MDR an MSP already resells. The category is consolidating into non-security strategics: Mastercard bought Recorded Future for $2.65B, and Google owns Mandiant. Below them sit Flashpoint, Intel 471, ZeroFox and Bitsight's Cybersixgill, and an MSP never sells any of it as a line item.
Risk, exposure and compliance
Risk, exposure and compliance is the most bifurcated domain on the map. In vulnerability management, Tenable is IDC's measured share leader, seven straight years at number one. Vulnerability management (Tenable, Qualys, Rapid7) and compliance automation (Vanta, valued around $4.15B; Drata, around $2B) have genuine MSP and vCISO channels into the mid-market, because compliance is now a sales requirement, not a nice-to-have. Attack-surface management, breach-and-attack simulation and third-party risk skew enterprise: Pentera raised at over $1B, Horizon3.ai at around $750M, and Schwarz Group bought XM Cyber for $700M. For an MSP, the actionable slice is vulnerability scanning and the compliance tooling that underpins a vCISO offer. The sharpest version of that compliance opportunity for MSPs is CMMC for the defense supply chain.
| Vendor | What it does | Backing | MSP |
|---|---|---|---|
| Tenable / Qualys / Rapid7 | Vulnerability & exposure management | Public (TENB/QLYS/RPD) | Yes |
| Vanta | Compliance automation (SOC 2, ISO) | VC · ~$4.15B | Yes |
| Drata | Trust & compliance automation | VC · ~$2B | Yes |
| Pentera | Automated security validation (BAS) | VC · ~$1B | Partial |
| Horizon3.ai | Autonomous penetration testing | VC · ~$750M | Partial |
| SecurityScorecard / Bitsight | Security ratings + third-party risk | VC / Moody's-backed | Partial |
The frontier: OT, fraud and securing AI itself
Three domains sit at the edge of the map. All three are mostly enterprise-direct today, but they matter because they show where the next wave of money and consolidation is going.
OT, ICS and IoT security
OT, ICS and IoT security protects the machines that run factories, utilities and hospitals. It is bought direct by asset-heavy enterprises, often with strategic money from the equipment makers themselves (Schneider, Mitsubishi and Honeywell all back Nozomi). Claroty raised a $150M round at a $3B valuation, Armis reached a $6.1B valuation in a pre-IPO round, and Dragos, Nozomi and TXOne round out the field. A generalist MSP rarely touches this; a specialist systems integrator does.
Fraud and abuse prevention
Fraud and abuse prevention is a large market that sits almost entirely outside the MSP world. It is sold by API to fintech and e-commerce teams: Sift, Forter (valued around $3B), Signifyd ($1.34B), HUMAN for bots, and Feedzai ($2B) for financial crime. Useful to understand, but not something an MSP resells.
AI security
AI security is the newest domain on the map, and it is consolidating faster than anything else on it. Securing AI apps, models and agents went from a whiteboard to a shopping list in barely a year: Cisco bought Robust Intelligence, Palo Alto bought Protect AI (about $635M), Check Point bought Lakera, SentinelOne bought Prompt Security, and Cato bought Aim Security, all inside twelve months.
The independents still standing (HiddenLayer, Noma at $100M, Cranium, Lasso) are the next acquisition targets. It reaches the mid-market only through the platforms and, eventually, through Microsoft. Note the pattern: the big vendors are buying this category rather than letting startups own it, the clearest tell of where security is heading.
How security reaches the mid-market
Of the fourteen domains, only a handful reach a small or mid-sized business through an MSP. The rest are bought direct by companies big enough to run their own security team. That gap is the whole reason the colour-coding matters.
The MSP-deliverable core is small, stable and unglamorous: endpoint, email, managed network, backup, workforce identity, the compliance and vulnerability tooling behind a vCISO offer, and above all the managed services layer that ties it together. That last domain, cyber services and risk transfer, is the most MSP-native of all, and it is where the independent venture money still has open runway while the product categories consolidate.
| Vendor | What it does | Backing | MSP |
|---|---|---|---|
| Arctic Wolf | MDR / SOC-as-a-service | VC · ~$1B+ raised | Partial |
| Huntress | Channel-only managed security for SMB | VC · $150M | Yes |
| Blackpoint Cyber | MDR built for MSPs | VC · $190M | Yes |
| ThreatLocker | Zero-trust endpoint for MSPs | VC · ~$1.2B | Yes |
| Cynomi | AI vCISO platform for MSPs | VC · $37M Series B | Yes |
| Cork | Cyber warranty for MSP clients | VC · $6M seed | Yes |
| Coalition / At-Bay / Cowbell | Cyber insurance (SMB / mid-market) | VC-backed insurers | Partial |
One force sits underneath this whole layer: cyber insurance. To bind or renew a policy, carriers now require MFA, EDR or MDR, tested backups and email filtering. Fail a control and coverage lapses or premiums jump.
The insurance application has quietly become the security purchase order, and the MSP is the one who implements and attests to the controls for a client with no security staff. That is why MDR, zero-trust endpoint, vCISO tooling and warranties are all built channel-first, and it is the strongest tailwind an MSP security practice has.
If you want the same lens on the tools MSPs run day to day, I mapped the full MSP tool stack by where the money goes in a companion piece.
The four forces reshaping the map
Step back from the domains and four patterns explain almost every move on the map.
The megacaps are buying the map. Platformisation stopped being a slide and became a shopping spree. Google bought Wiz ($32B), Palo Alto bought CyberArk ($25B), Cisco bought Splunk ($28B), IBM bought HashiCorp ($6.4B), and Mastercard bought Recorded Future ($2.65B). The independent category-leader logo is getting rarer by the quarter.
Private equity owns the incumbents, then re-floats them. Thoma Bravo alone holds or held Sophos, Proofpoint, Ping, SailPoint and Darktrace; Vista has KnowBe4; Permira has Mimecast. SailPoint, Rubrik and Netskope show the exit path back to the public markets. This is a category that private equity has learned to farm. The same logic is moving down-market: venture firms are now funding buyers of MSPs themselves.
Microsoft is the gravity. Defender, Entra, Purview and Sentinel come bundled into licences businesses already buy. Every point vendor now has to either differentiate hard enough to justify a second bill (Abnormal, Cyera, CrowdStrike) or go all-in on MSP distribution to reach the customers Microsoft's own sales motion cannot (Huntress, Hornetsecurity). There is very little middle ground left.
AI is opening two new frontiers at once. The agentic SOC (Torq, 7AI, Dropzone) and machine identity (CyberArk with Venafi, Cisco with Astrix, Oasis) are the two categories drawing the freshest money, and both exist because AI agents create work and risk that the old tools were not built for. Watch these two for the next wave of acquisitions.
What it means if you run an MSP
Three conclusions fall straight out of the map.
Your territory is smaller and more durable than the noise suggests. Endpoint, email, managed network, backup, MDR, workforce identity and compliance are where you sell, and they are the calmest, most channel-friendly corners of the market. The billion-dollar categories in the headlines, cloud security, AppSec, DSPM, AI security and privileged access, are mostly not yours. Do not chase them; refer them, or partner, and go deeper where you already win.
Bet on the vendors built for the channel. As the product categories consolidate onto platforms and onto Microsoft, your value is integration, management and trust, not tool selection. Pick the category leaders with real MSP programs (Huntress, SentinelOne, Sophos, Bitdefender, Hornetsecurity, ThreatLocker, Blackpoint, Todyl), and where you adopt a smaller tool, keep your data portable so you can move when it gets acquired. Because it will. The funding side of that story is mapped in where $1B of venture money in MSP software went.
Sell to the insurance renewal. The fastest-growing reason a mid-market business buys security is that its cyber insurer now requires it. MFA, EDR, backups and awareness training are no longer a pitch, they are a condition of coverage. Build your security offer around the renewal questionnaire and you are selling something the client has already been told they must buy. And if the security-heavy book is where your MSP is heading, it is also what pays at sale: this is the revenue profile behind the top end of MSP valuation multiples and the core of exit readiness.
FAQ
Into roughly fourteen domains. It runs from infrastructure (network, cloud and application security) through the user layer (endpoint, identity, email and data) to the operations layer (security operations, threat intelligence, and risk, exposure and compliance). Three frontier domains sit at the edge: OT and IoT, fraud prevention, and AI security. A services and risk-transfer layer ties the rest together.
The MSP-deliverable core is endpoint, email, managed network, MDR and managed services, and backup, plus workforce identity and the compliance and vulnerability tooling behind a vCISO offer. That set is small, stable and channel-friendly. Cloud security, application security, DSPM, privileged access and AI security are bought mostly enterprise-direct, so an MSP refers or partners on those rather than reselling them.
The largest was Google buying Wiz for $32B, the biggest deal Google has ever done. Palo Alto bought CyberArk for about $25B, its own biggest deal. Cisco bought Splunk for $28B, IBM bought HashiCorp for $6.4B, and Mastercard bought Recorded Future for $2.65B. Together they show platform giants rolling up independent category leaders.
Yes, on two tracks. Megacap platforms are rolling up independent leaders (Google, Palo Alto, Cisco, IBM, Microsoft), and private equity takes incumbents private, then re-floats them, the way Thoma Bravo did with SailPoint, Netskope and Rubrik showing the path back to public markets. The independent category-leader logo is getting rarer by the quarter. Keep your data portable so you can move when a tool gets acquired.
Foundational tooling is the baseline every client needs and cyber insurers now require: MFA, EDR, tested backups and email filtering. Advanced tooling is the detection-and-response layer, MDR, managed SOC, SIEM and zero-trust access, which is the fastest-growing and highest-margin part of an MSP security practice. Foundational wins the policy renewal; advanced deepens the account.
For the deal-flow view of this same map, read what the 2026 cybersecurity almanac means for a small MSP.
A note on the map
The map is my own synthesis. It is informed by the public market maps (CB Insights, Momentum Cyber and others) but copied from none of them; the category boundaries and the MSP-relevance calls are mine. Funding and ownership figures trace to company announcements and reputable trade coverage, cross-checked during research and current as of mid-2026. Funding data is self-reported at origin, so treat totals as directionally exact rather than audited. Categories blur at the edges and plenty of vendors sit in more than one, so I placed each where its centre of gravity is. Several logos here now belong to their acquirers (Wiz to Google, CyberArk to Palo Alto, Splunk to Cisco, Hornetsecurity to Proofpoint), which is rather the point.