Cloud Security (CSPM/CWPP) Valuations: Q1 2026
Google's $32B acquisition of Wiz at roughly 60x ARR reset the sector ceiling for CNAPP platforms in Q1 2026 and effectively ended the market for standalone CSPM, while Fortinet's $225M pickup of Lacework against an $8.3B peak valuation illustrates the near-total destruction of value awaiting growth-at-all-costs players. Public market benchmarks are anchored by CrowdStrike at approximately 25.7x EV/Revenue, Zscaler at 14.5x, and Palo Alto Networks at 14.0x, with AI-native and agentic platforms commanding a 20 to 30x ARR median versus 2.5 to 7x for traditional SaaS, creating a pronounced valuation barbell that separates platform consolidators from subscale point solutions. The report covers subsector multiples across CSPM, CWPP, and Agentic AI Security, VC funding dynamics, NRR and payback period as valuation drivers, and the regulatory catalysts unlocking protected budgets through DORA, SEC disclosure rules, and the EU AI Act.
- Sector
- Cybersecurity
- Focus
- Valuations
- Published
- January 15, 2026
- Length
- 26 slides
- Reading time
- 16 minutes
Key findings
- Google's $32B acquisition of Wiz at ~60x ARR sets a new sector ceiling for CNAPP platforms and signals the end of standalone CSPM in enterprise buying.
- AI-Native/Agentic platforms trade at 20–30x ARR (median ~25.8x) while traditional SaaS multiples have compressed to 2.5–7x, creating a pronounced valuation barbell.
- Fortinet acquired Lacework for ~$225M against a $8.3B peak valuation and $1.8B raised, destroying approximately 98% of peak value and underscoring the death of growth-at-all-costs.
- CWPP is projected to reach $22.45B by 2030 at a 23.41% CAGR, while Agentic AI Security is the fastest-growing segment at 33.83% CAGR from $1.83B to $7.84B.
- CrowdStrike trades at ~25.7x EV/Revenue, Zscaler at 14.5x, and Palo Alto Networks at 14.0x, anchoring public market benchmarks for platform leaders in Q1 2026.
- Non-human machine identities outnumber human identities 82:1, with identity volumes projected to grow over 315% by 2030, driven by AI agents and ephemeral workloads.
- Global cybersecurity spend is projected at $522B for 2026 and trending toward ~$520B by 2030, lifted by AI infrastructure density and consumption-based pricing.
- Late-stage mega-rounds dominated VC activity: Cyera raised $540M, Cato Networks $359M, and Abnormal Security $250M, while Series B/C companies face flat or down rounds.
- DORA enforcement began January 17, 2025, SEC 4-day incident disclosure rules are active, and EU AI Act high-risk provisions apply fully from August 2, 2026, unlocking protected budgets.
- Best-in-class NRR of 120–140% at platform leaders like CrowdStrike, Wiz, and Palo Alto Networks correlates with 15x+ EV/Revenue multiples, while payback over 24 months risks sub-5x valuation.
Methodology
This report synthesizes data from Cybersecurity Ventures (global spend trajectory to $522B), Mordor Intelligence (CSPM, CWPP, and Agentic AI segment CAGRs), Gartner (2026 IT spending forecast and top strategic technology trends), PitchBook and Crunchbase (IPO pipeline and venture funding flows), public company SEC filings for CrowdStrike, Palo Alto Networks, and Zscaler (EV/Revenue benchmarks), BankInfoSecurity and CRN (Fortinet/Lacework transaction), and Dealroom.co (Q4 2025 cyber funding patterns). Windsor Drake applied its proprietary valuation framework to calibrate the AI-Native versus legacy tiering logic and Rule of 60 calculations, integrating regulatory catalysts (DORA, SEC 4-day disclosure, EU AI Act) into budget and multiple analysis.
Frequently asked questions
What EV/Revenue multiples are cloud security CNAPP companies trading at in 2026?
In Q1 2026, AI-Native/Agentic platforms command 20–30x ARR (median ~25.8x), high-growth cyber platforms trade at 12–18x, mature SaaS at 6–10x, and distressed or feature assets below 4x. Public benchmarks include CrowdStrike at ~25.7x, Zscaler at 14.5x, and Palo Alto Networks at 14.0x EV/Revenue.
Who is acquiring cloud security and CSPM/CWPP companies right now?
Strategic consolidators include Alphabet (Google) acquiring Wiz for $32B, Palo Alto Networks targeting identity security, and Fortinet acquiring Lacework for ~$225M. On the private equity side, Thoma Bravo, Vista Equity Partners, and Francisco Partners are executing platform roll-ups, establishing a valuation floor around 4–6x revenue for mid-market assets.
What happened to Lacework's valuation and what does it mean for cloud security M&A in 2026?
Lacework peaked at an $8.3B valuation in 2021 after raising $1.8B in total funding, but was acquired by Fortinet in August 2024 for approximately $225M—a roughly 98% value destruction. The lesson for 2026 is that narrow point solutions without platform breadth and efficient unit economics face severe multiple compression regardless of prior funding scale.
What is driving the valuation premium for agentic AI security platforms over traditional SaaS?
Agentic AI platforms that autonomously investigate and remediate Tier 1–2 incidents without human intervention command 20–30x ARR multiples versus 2.5–7x for traditional SaaS. Investors reward autonomous remediation, proprietary data moats, and Rule of 60 efficiency (growth rate plus FCF margin), with the Agentic AI Security segment growing at 33.83% CAGR through 2030.
What are the CWPP and CSPM market size projections through 2030?
CWPP is projected to grow from $7.84B in 2025 to $22.45B by 2030 at a 23.41% CAGR, driven by runtime defense of containers, serverless, and AI inference workloads. CSPM grows from $5.25B to $10.63B at a 15.2% CAGR but is increasingly commoditized as a baseline feature within CNAPP suites rather than a standalone premium product.
What GTM efficiency metrics do investors require for a premium cloud security valuation in 2026?
Investors targeting 15x+ EV/Revenue multiples expect enterprise CAC payback under 18 months, Net Revenue Retention of 120–140%, and a Rule of 40/60 score reflecting efficient growth. Payback periods exceeding 24 months and NRR below those thresholds typically result in multiples below 5x, consistent with the distressed or feature-asset tier.
Which cloud security companies are most likely to IPO in 2026 and at what valuations?
The leading IPO candidates identified in Q1 2026 include Abnormal Security ($5.0B, ~25x ARR, 85% ARR growth), Cato Networks ($4.8B, ~16x ARR, 55% growth), Snyk ($7.4B, ~12x ARR, 35% growth), Sysdig ($2.5B, ~10x ARR, 42% growth), and Orca Security ($1.8B, ~6x ARR, 20% growth).
Companies covered
Public and private companies referenced in this report.