Insights

Cybersecurity market share: who leads each category, with revenue receipts

Who leads each cybersecurity category, and who can prove it. Measured share for endpoint, firewall, SIEM, VM and backup; revenue receipts for the rest.

By Alexej Pikovsky  ·  Updated

There is no single company that leads cybersecurity, and anyone who tells you otherwise is selling something. Leadership fractures by category. Microsoft leads endpoint. Palo Alto Networks leads firewall revenue. Splunk, now inside Cisco, leads SIEM. Tenable leads vulnerability management. Veeam leads data protection. Wiz led cloud security right up until Google bought it. Those are the answers to "who leads the cybersecurity market," category by category, and each comes with its receipt attached: a named analyst tracker, a filed revenue number, or, in Wiz's case, the reported ARR behind the largest acquisition in security history, rather than a vendor slide.

Here is the catch that runs through the rest of this piece. Those categories are the ones where an analyst house actually measures share. In email security, identity, managed detection and response, cloud-security sizing, application security, and compliance automation, no share tracker exists at all. You reason from disclosed revenue instead, and disclosed revenue has two big holes: the largest player in most markets is Microsoft, which discloses the least, and most of the legacy vendors have gone private under private equity and froze their last public numbers at the take-private date. So "market share" in cybersecurity is really two questions. Who leads, and can anyone prove it. For half the map the honest answer to the second question is no.

I read this from an operator's seat, because I run growth for MSPs and cyber firms and spend my time on where the revenue and the margin actually land. This piece is the companion to the cybersecurity market map, which lays out the 14 domains and deliberately skips the question of who wins each one. This is the who-wins article, with the revenue receipts attached and the confidence level stated every time. Where I have a hard measured share I say so. Where I am inferring from revenue I say that too, and I never dress one up as the other.

The figures here are current as of July 2026, and I refresh them once a year, the same discipline I use on the cybersecurity almanac. Vendor fiscal years do not line up (Palo Alto closes at the end of July, CrowdStrike at the end of January, Microsoft in June), so a number that is two quarters old is normal here, not stale. Read the vintage on each claim, not the calendar.

The macro picture: total spend and the vendor league table

Start with the size of the pond. Gartner puts worldwide end-user spending on information security at $213 billion in 2025, rising to a forecast $240 billion in 2026. I use that one vintage throughout, because Gartner republishes this forecast roughly every quarter and restates the prior year each time, so blending releases just manufactures fake precision. IDC and Canalys both publish their own totals, and they are bigger, but they are measuring a wider basket (all IT security spend, plus services and channel), so they are not the same number counted differently. Treat the three houses as three different rulers, not three readings of one ruler.

Total cybersecurity spend by analyst house, and what each one counts
HouseFigureScope
Gartner$213B (2025), $240B forecast (2026)End-user spending on information security only. The figure I anchor to.
IDC$308B (2026, one vintage)Broader IT security spend including hardware and services. Do not compare head to head with Gartner.
Canalys (Omdia)$281B (2025)Technology plus services, with over 90 percent flowing through channel partners.

Now the vendors. No single company holds a dominant share of that $213 billion the way a hyperscaler dominates cloud infrastructure. The market is fragmented across dozens of platform vendors and hundreds of point players. Microsoft is the biggest by a distance on its last disclosure, but that disclosure is old, and everyone else is a low single-digit slice of the total. Here is the league table off the most recent filings, with the fiscal quirks flagged.

Largest cybersecurity vendors by most recent disclosed revenue or ARR
VendorFigureMetric and periodWhat it spans
Microsoft SecurityOver $20BAnnualized revenue, disclosed Jan 2023 (stale, no update since)Entire security business, dozens of products bundled
Palo Alto Networks$9.2BTotal revenue, FY2025 (ended July 2025)Network, cloud, SOC, and SASE combined
Cisco Security$8.09BSegment revenue, FY2025 (ended July 2025)Inflated by the Splunk acquisition, not network-security-only
Fortinet$6.80BTotal revenue, FY2025 (calendar)Firewall product ($2.22B) plus services plus SASE
CrowdStrike$5.51BEnding ARR, Q1 FY2027 (reported mid-2026)Falcon platform-wide: endpoint, cloud, identity, SIEM
Okta$2.92BTotal revenue, FY2026 (ended Jan 2026)Identity and access, company-wide
Check Point$2.73BTotal revenue, FY2025 (calendar)Network, workspace, exposure management
Zscaler$2.67BTotal revenue, FY2025 (ended July 2025)SSE and zero-trust platform

CrowdStrike's fiscal year runs a full year ahead of the calendar, so its Q1 FY2027 report actually landed in mid-2026, and that $5.51 billion ending ARR (up 24 percent year on year) is the current scale number to use, not the older $3.95 billion in revenue from its FY2025 close. I flag that once here so the offset does not trip you up later. And read the "what it spans" column hard, because it is the whole trap of this table: Palo Alto's $9.2 billion covers four domains, Cisco's $8.09 billion is puffed up by a $28 billion SIEM acquisition, and CrowdStrike's ARR spans several modules. None of these is a category number. A vendor's total revenue is never a proxy for the size of one category unless you say exactly what it includes.

One clean piece of measured concentration does exist, but on the services side, not the product side. In Gartner's Market Share: Security Services report for 2024, worldwide security services revenue grew to $77.1 billion and Deloitte ranked number one with 16.6 percent share, its second straight year on top. That is consulting and managed services, a different market from the software vendors above. Nobody publishes an equivalent "top vendor holds X percent" figure for security software, so I will not invent one.

The scorecard: who leads each category, and who can prove it

Before the domain-by-domain walk, here is the whole argument on one screen. The right-hand column is the one that matters. "Measured" means an analyst house publishes an actual share ranking. "Positioning only" means there is a Gartner quadrant but no share number. "No tracker" means you are reasoning from revenue because nobody measures the category at all.

Category leaders and the basis for the claim, July 2026
CategoryLeaderBasis and vintageHow solid
EndpointMicrosoft DefenderIDC modern endpoint share, 28.6% (2024)Measured
FirewallPalo Alto NetworksDell'Oro revenue share, 29% (Q2 2025)Measured
SSEZscaler and NetskopeGartner SSE MQ Leaders (2025)Positioning only
Cloud (CNAPP)Wiz (now Google)~$1B ARR at acquisition, no share trackerNo tracker
SIEMSplunk (Cisco)IDC SIEM share, #1 multiple yearsMeasured
MDRContested (Sophos by customer count)No analyst share tracker existsNo tracker
Data protectionVeeamIDC semiannual tracker, #1 (2H 2025)Measured
Vulnerability managementTenableIDC device VM share, #1 seven yearsMeasured
Email securityNo share leader (Proofpoint on execution)Gartner MQ only, no share numberNo tracker
Identity and accessNo share leader (Microsoft on execution)Gartner Access Management MQ onlyNo tracker
Application securityNo public leader (Snyk largest by ARR)All pure-plays private, no trackerNo tracker
Compliance automationVanta by ARRCompany-disclosed ARR, no trackerNo tracker
OT and cyber-physicalClaroty and peersGartner CPS MQ Leaders (2026)Positioning only

Endpoint security

The leader: Microsoft Defender, roughly 28.6 percent of the market per IDC. This is one of the few domains with a clean measured share. Microsoft has been ranked number one in IDC's Worldwide Modern Endpoint Security Market Shares for three years running, and its share climbed from 25.8 percent in 2023 to 28.6 percent in 2024. That is M365 E5 bundling doing exactly what bundling does.

The trajectory worth knowing is CrowdStrike's. It used to lead this metric: it held 14.2 percent of the endpoint market for the July 2020 to June 2021 IDC edition and was narrowly ahead of Microsoft the following year. Then Microsoft overtook it in 2023, and CrowdStrike quietly stopped issuing "number one by IDC share" press releases. It keeps growing total-company ARR fast, up 24 percent to $5.51 billion, but that figure spans cloud, identity, and SIEM alongside endpoint, and its exact 2024 endpoint share is not disclosed. My operator read: Microsoft wins endpoint on distribution, not detection, and CrowdStrike is winning the platform game even as it loses the single-category share crown.

Email and collaboration security

The leader: nobody you can prove. There is no IDC or Gartner share percentage for email security. The best signal is Gartner's Magic Quadrant, where Proofpoint is placed highest on execution for the second year running, with Microsoft, Abnormal AI, and Check Point also in the Leaders quadrant. Highest on execution is a position on a grid, not a revenue share, so I will not call Proofpoint "the market leader" on it.

Reason from revenue and the picture is muddier still. Proofpoint last disclosed around $1 billion in revenue in 2021, before Thoma Bravo took it private, and it has said nothing since. The fastest grower is AI-native: Abnormal AI crossed $200 million ARR growing 100 percent year on year at a $5.1 billion valuation. The legacy secure-email-gateway names (Proofpoint, Mimecast, KnowBe4) have all gone private under PE and gone dark on numbers, while Microsoft bundles the category into M365 and discloses nothing product-level. So email is a domain where the "share leader" question has no honest answer, and I would rather say that than pick a 6sense traffic-rank number off a chart.

Identity and access

The leader: no verified share leader; Microsoft tops the execution axis, but the category splits three ways. IAM, PAM, and IGA get lumped together and they should not be. On Gartner's 2025 Access Management Magic Quadrant, Microsoft ranks first on execution, then Okta, then Ping, then CyberArk, all via Entra bundling again. But that is Access Management only, and it is positioning, not share.

The revenue tells a cleaner story than the quadrant. Okta posted $2.92 billion in FY2026 revenue. SailPoint, the IGA specialist, just crossed $1 billion ARR. And the big move: CyberArk grew revenue 36 percent to $1.36 billion as the dominant privileged-access vendor, then got acquired by Palo Alto Networks for $25 billion in a deal that closed in February 2026. So identity is consolidating into the platforms, CyberArk being the clearest example. Microsoft likely has the distribution advantage through Entra bundling, but no disclosed seat or revenue figure exists to verify share leadership. That blind spot is real, and I flag it rather than paper over it with a mill-sourced number.

Network security

The leader: Palo Alto Networks by firewall revenue, roughly 29 percent per Dell'Oro; Zscaler and Netskope lead the SASE edge. This is the domain where "market leader" fractures by sub-segment, so pin down which metric you mean. By firewall revenue, Palo Alto holds about 29 percent of the segment in Q2 2025 Dell'Oro data, with Cisco and Fortinet tied around 15 percent each, and the top four vendors holding 68 percent of the market, an all-time high in concentration.

The growth has moved off the firewall box. Dell'Oro said in late 2025 that the overall network security market was on track to clear $26 billion for the year, but traditional appliances grew low single digits while SSE grew 20 percent and WAF 12 percent. On the cloud-delivered edge, Zscaler and Netskope are Gartner's SSE Magic Quadrant Leaders, with Fortinet a Challenger. Fortinet markets a "over 50 percent of firewalls deployed" claim on its own site with no citation attached, and the last verifiable IDC unit-share figure for it is 36.8 percent from 2021, so I would drop or heavily qualify that stat. My operator read: the box vendors are converging on SASE bundles, and Netskope's September 2025 IPO at $707 million ARR is the tell for where the money is flowing.

Cloud security

The leader: Wiz, except it no longer exists as an independent company. Wiz was the standalone CNAPP leader at around $700 million ARR when Google announced it was buying it for $32 billion, and it crossed $1 billion ARR before the deal closed in March 2026. It is the largest cybersecurity acquisition on record, and it folded the number-one pure-play into Google Cloud, where its financials vanish from independent reporting.

No analyst house publishes a sized CNAPP market or a clean share ranking, and no surviving vendor discloses cloud-security-only revenue. Palo Alto's Next-Gen Security ARR bundles cloud with SOC and SASE. CrowdStrike bundles cloud with SIEM and identity into a figure that grew past $1.9 billion. Microsoft folds Defender for Cloud into its overall security number. So the honest read on cloud security is that its defining event of the decade is a consolidation, not a share table: the presumptive leader got absorbed by a hyperscaler, and the survivors are all platforms selling cloud security as one line inside a bigger bundle.

Application and API security

The leader: no public leader; Snyk is the largest pure-play by ARR, but every serious contender is private. None of the AppSec pure-plays (Snyk, Checkmarx, Veracode) is public, so there is no filing to anchor a revenue-share claim. By last confirmed disclosure, Snyk was largest at $300 million ARR, though that is over a year stale now. Checkmarx crossed $150 million ARR in October 2025, and Veracode discloses nothing at all under PE ownership.

The one large number in the neighborhood is Akamai's security segment at $2.24 billion for FY2025, but that spans WAF, DDoS, bot management, and microsegmentation, and Akamai's core business is CDN, adjacent to AppSec rather than in it. So AppSec is the category that most resists a clean market-share table: no public pure-play is big enough to anchor it, and the incumbents bundle it into broader edge suites. That absence is itself the headline for anyone trying to size the market.

Security operations: SIEM and MDR

The SIEM leader: Splunk, now inside Cisco, number one on IDC's tracker for years. Splunk has topped IDC's Worldwide SIEM Market Shares tracker for multiple consecutive years, and Cisco closed its $28 billion acquisition of Splunk in March 2024, folding the number-one SIEM franchise into its security portfolio. Splunk's last standalone year was $4.2 billion in revenue. The exact 2024 share percentage is paywalled inside the IDC report, so I can confirm the ranking but not the point figure. The fastest-growing challenger is Palo Alto's Cortex XSIAM, which crossed $600 million ARR growing 100 percent year on year. Microsoft pushes Sentinel as an Azure attach and discloses no Sentinel-specific revenue, so, again, the biggest bundler is the least measurable.

The MDR leader: genuinely contested, and no analyst tracker settles it. There is no IDC or Gartner share percentage for MDR. By customer count, Sophos MDR is the largest, protecting over 26,000 organizations, and past 28,000 after buying Secureworks in early 2025. By revenue, Arctic Wolf is usually cited as the largest dedicated player, but it is private and its numbers are third-party estimates, not disclosures. So "MDR leader" depends entirely on whether you mean customers, revenue, or ARR growth, and I would not state a single winner without naming the metric. The economics underneath all of this, and who keeps the margin as AI absorbs the triage work, is the subject of AI SOC economics.

Data protection and backup

The leader: Veeam, number one on IDC's tracker as of 2H 2025, after the title changed hands mid-decade. This is a rare domain where the crown visibly moved. In December 2024, Cohesity claimed the top spot after combining with Veritas, citing over $1.7 billion in pro forma revenue. Then Veeam overtook it: it is ranked number one worldwide in IDC's Semiannual Software Tracker for data protection in 2H 2025, at roughly 13.6 percent share (Veeam citing IDC, so I attribute it that way rather than as an independent IDC quote).

The public pure-plays behind them are compounding hard on ransomware-recovery demand: Rubrik grew revenue 48 percent to $1.32 billion in FY2026, and Commvault crossed $1.12 billion ARR. Sum the disclosed leaders (Cohesity plus Veritas, Veeam, Rubrik, Commvault) and you clear $6 billion before you even count Dell, IBM, or the MSP-tier players like N-able Cove, which tells you the category is large and genuinely competitive. My operator read: data protection rebranded itself as "cyber resilience" and it worked, because backup is now sold as the last line against ransomware rather than an IT insurance policy nobody thinks about.

Vulnerability management

The leader: Tenable, number one on IDC's device vulnerability tracker for seven straight years. This is the cleanest domain on the map. Three public companies, all with audited revenue, and a genuine IDC-confirmed share leader. Tenable ranks first in IDC's Worldwide Device Vulnerability and Exposure Management Market Shares for 2024, its seventh consecutive year on top, and it posted $999 million in FY2025 revenue.

Qualys ($669 million) and Rapid7 ($860 million) round out the trio, though Rapid7's revenue spans SIEM and detection-and-response alongside vulnerability management, so it is not a pure comparison against Tenable and Qualys. The exact IDC percentage points are paywalled, and any "Rapid7 holds 14 percent" figure floating around traces to an AI-generated comparison page, not an analyst source, so ignore it. The real fight here has moved from scanning to exposure management and CTEM breadth, but the share crown itself is settled and has been for years.

Compliance automation

The leader: Vanta by disclosed ARR, in a category with zero analyst coverage. No IDC or Gartner tracker touches SOC 2 and compliance automation at all, so this is purely a company-disclosed ARR comparison, never a market-share claim. On that basis Vanta leads comfortably: Vanta reported $300 million ARR and 16,000 customers at a $4.15 billion valuation, against Drata's roughly $100 million ARR on its last self-reported milestone.

That is about a 3x gap on the numbers each company discloses about itself, which is the strongest statement I can honestly make. Vanta is riding AI-compliance demand (monitoring "shadow AI" usage), and Drata has gone quiet on updated valuation since 2022. Treat any "Vanta has X percent share" line as fiction, because nobody measures the denominator.

The frontier: threat intel, OT, fraud, and AI security

These four are mostly private, mostly unmeasured, and best read through disclosed deals rather than share tables. I will keep each honest and short.

Threat intelligence: no analyst-house market size exists for this category as a standalone. The signal is in the exits. Mastercard bought Recorded Future for $2.65 billion (around $300 million in revenue), Google bought Mandiant for $5.4 billion, and ZeroFox and Flashpoint sit under PE. The category leaders are being absorbed into payments networks and hyperscalers rather than competing as independents.

OT and cyber-physical security: here Gartner does publish a quadrant, and the 2026 CPS Protection Platforms Leaders are Claroty, Dragos, Microsoft, Armis, and Nozomi Networks, with Claroty positioned highest. This is positioning, not share, and the story is consolidation: Mitsubishi Electric bought Nozomi for around $1 billion, Accenture took a majority stake in Dragos, and Armis crossed $300 million ARR and raised $435 million at a $6.1 billion valuation to stay independent. Industrial and consulting giants are buying the OT specialists or taking control stakes in them.

Fraud and abuse prevention: genuinely contested. The only credible analyst figure is Juniper Research's $21 billion in financial-institution fraud spend, and it is low-to-medium confidence; the report mills size the same 2025 market anywhere from roughly $32 billion to $55 billion, which tells you nobody actually knows. The public-company anchor is Riskified at around $229 million in revenue by its latest reported year, a figure worth a filing check before you lean on it; the actual leaders (Sift, Forter, Signifyd) are private and disclose nothing. The useful framing is not a market size at all but the loss multiplier: LexisNexis finds North American institutions lose $5.75 for every $1 of fraud.

AI security: too new for share data, full stop. Read it through the M&A wave instead: Palo Alto bought Protect AI for $634.5 million, and cybersecurity M&A overall surged to around $96 billion in 2025. A separate Gartner forecast, from its Q4 2025 AI cycle rather than the July information-security release I anchor to elsewhere, sizes the AI-cybersecurity segment near $26 billion for 2025, and being an early-stage forecast it should carry more caution than the mature-market numbers above. The venture money is following it fast, which the most active cybersecurity VCs are betting on directly.

The pattern underneath: who discloses, and who goes dark

Step back from the domains and a pattern falls out that no per-category page shows you, and it is the real reason "cybersecurity market share" is so slippery. Line up the categories by whether a leader is provable and the map splits cleanly in two.

On one side sit the measurable categories, all of them with a named analyst tracker: endpoint (IDC), firewall (Dell'Oro), SIEM (IDC), vulnerability management (IDC), and data protection (IDC). In every one of these you can name a leader and cite a house and a vintage. On the other side sit the categories with no tracker at all: MDR, email security, IAM share, compliance automation, CNAPP sizing, and AppSec sizing. For those you are reasoning from disclosed revenue, because no analyst measures the denominator.

Now the two facts that make even the disclosed-revenue side unreliable. First, the biggest player discloses the least. Microsoft is the measured leader in endpoint and a major force in email, identity, and SIEM, and it breaks out revenue for none of them, folding everything into one stale "over $20 billion" company-wide number from January 2023. The single most important vendor in half these markets is a black box by design. Second, private equity froze the incumbents. Proofpoint, Mimecast, KnowBe4, Veracode, and others all went private and stopped disclosing, so their last public revenue is a fossil dated to the take-private year. That is not a research gap I failed to close. It is a structural feature of the market, and it is the direct product of the private equity move into cybersecurity that took so many of these names dark.

So when a report claims a tidy "X percent market share" for email security or IAM or MDR, treat it as manufactured. The data to compute it does not exist in public. The honest version of this map has measured leaders in five categories, revenue-inferred leaders in several more, and a plain "nobody can prove it" in the rest.

What I would take from this

If you sell security, the lesson is that a defensible number beats a big number. Tenable's seven-year IDC crown and Veeam's tracker win are worth more in a sales cycle or a diligence room than a report-mill share chart, because they survive scrutiny. If you buy security, discount any vendor's self-reported "market leader" claim until you see the house and the vintage behind it, and assume the categories with no tracker (MDR, email, IAM, compliance) are being sold to you on positioning, not proof. And if you are valuing one of these businesses for an exit, the same asymmetry drives the MSP security exit multiple: provable category leadership commands a premium precisely because so little of this market is provable.

For the full landscape these leaders sit inside, the cybersecurity market map lays out all 14 domains, the MSP tool stack covers what actually gets deployed, and the pattern of who is buying whom runs through insurers buying MSSPs and the wider consolidation wave. I refresh the numbers on this page once a year. If a figure here looks off against a fresher filing you are holding, trust the filing, and tell me, because keeping this honest is the entire point of writing it.

Frequently asked questions

Who leads the cybersecurity market overall?

No single company leads cybersecurity overall. Microsoft is the largest vendor by revenue on its last disclosure (over $20 billion company-wide, from January 2023), but that figure is stale and bundles dozens of products. Leadership is category by category: Microsoft in endpoint, Palo Alto Networks in firewall, Splunk (now Cisco) in SIEM, Tenable in vulnerability management, and Veeam in data protection. The overall market is fragmented, and no vendor holds a dominant share of the $213 billion Gartner counts for 2025 the way a hyperscaler dominates cloud infrastructure.

Which cybersecurity categories have a provable market-share leader?

Five categories have a leader backed by a named analyst tracker: endpoint (Microsoft, per IDC's modern endpoint share), firewall (Palo Alto Networks, per Dell'Oro revenue share), SIEM (Splunk, per IDC), vulnerability management (Tenable, per IDC), and data protection (Veeam, per IDC's semiannual tracker). Outside those, most categories have no share tracker at all, and any leadership claim is reasoning from disclosed revenue rather than a measured percentage.

Who is the biggest cybersecurity vendor by revenue?

Microsoft, though it has not updated the figure since disclosing over $20 billion in annualized security revenue in January 2023. Among vendors that report current numbers, Palo Alto Networks leads at $9.2 billion for FY2025, followed by Cisco's security segment at $8.09 billion (inflated by the Splunk acquisition), Fortinet at $6.80 billion, and CrowdStrike at $5.51 billion in ending ARR. None of these totals maps to a single category, because each vendor spans several.

Why is Microsoft's true cybersecurity market share so hard to measure?

Because Microsoft never breaks out product-level revenue. It leads or is a top force in endpoint, email, identity, and SIEM, but it folds all of it into one company-wide security number that it last updated in January 2023 (over $20 billion). There is no Defender-specific, Entra-specific, or Sentinel-specific revenue in any filing. So the single most important vendor across half the market is a deliberate black box, which is one reason so many category share figures cannot be computed cleanly.

Who leads endpoint security, Microsoft or CrowdStrike?

Microsoft, on IDC's measured share. Microsoft has ranked number one in IDC's Worldwide Modern Endpoint Security Market Shares for three straight years, with its share rising from 25.8 percent in 2023 to 28.6 percent in 2024, driven by M365 E5 bundling. CrowdStrike led this metric through 2021 and 2022, then went quiet on it after Microsoft overtook it. CrowdStrike keeps growing total-company ARR fast (up 24 percent to $5.51 billion), but that spans cloud, identity, and SIEM modules alongside endpoint, not endpoint alone.

What happened to Wiz and cloud security leadership?

Wiz was the standalone cloud-security (CNAPP) leader at around $700 million ARR, crossing $1 billion before Google completed its $32 billion acquisition in March 2026, the largest cybersecurity deal on record. Wiz now sits inside Google Cloud and its financials are no longer broken out. No analyst house publishes a sized CNAPP market or a share ranking, and the surviving platforms (Palo Alto, CrowdStrike, Microsoft) all bundle cloud security into broader ARR figures, so the category has no clean independent leader anymore.

Which cybersecurity categories have no market-share data at all?

MDR, email security, IAM share, compliance automation, CNAPP sizing, and application security all lack any analyst share tracker. For these you can only compare disclosed revenue or ARR, and even that is patchy because the biggest players (Microsoft especially) disclose nothing product-level, and many incumbents (Proofpoint, Mimecast, KnowBe4, Veracode) went private under PE and froze their last public numbers. Any tidy "X percent market share" claim for these categories should be treated as manufactured, because the public data to compute it does not exist.