Windsor Drake
Research report · Cybersecurity · Valuations · Q2 2026

Cloud Security (CSPM/CWPP) Valuations: Q2 2026

Windsor Drake's Q2 2026 valuations analysis of the cloud security niche, spanning CSPM, CWPP, CNAPP, CIEM and container and Kubernetes security. Scaled cloud security platforms anchor a working benchmark near 14x NTM revenue while AI-native CNAPP leaders command 20x to 32x, and cloud security is the fastest-growing cyber subsegment at 28.8% in 2026 (Gartner). Google's $32B acquisition of Wiz, closed March 2026, sets the consolidation template for the quarter.

Sector
Cybersecurity
Focus
Valuations
Published
June 8, 2026
Length
9 slides
Reading time
12 minutes
Download slide deck (PDF) Download written report
Cover of Cloud Security (CSPM/CWPP) Valuations: Q2 2026 slide deck

Slide deck

9-slide deck. Desktop readers can page through the embedded viewer below. Mobile readers can open the direct PDF link.

Cover of Cloud Security (CSPM/CWPP) Valuations: Q2 2026 slide deck Open slide deck PDF

Key findings

  • Google's $32B acquisition of Wiz, closed March 2026, sets the consolidation template for the quarter and cleared roughly 32x forward to 43x trailing ARR.
  • Cloud security is the fastest-growing cyber subsegment, expanding 28.8% in 2026 against a sector growing 13.3% (Gartner), with Windsor Drake's working benchmark for scaled platforms near 14x NTM revenue.
  • AI-native CNAPP leaders command 20x to 32x revenue in private rounds, broad CNAPP platforms 14x to 22x, while legacy point cloud tools compress to 6x to 10x.
  • Gartner sizes the CSPM market at $4.7B in 2025 reaching $16.2B by 2030, with the combined cloud security market projected at $32.4B by 2029.
  • Palo Alto Networks delivered a 37.6% free cash flow margin in fiscal 2025 while growing next-generation security ARR 33% to $6.33B, and CrowdStrike posted FY26 revenue of $4.81B.
  • Upwind raised at a $1.5B valuation on 900% revenue growth, illustrating the premium private markets assign to AI-native CNAPP architecture.
  • Each ten-point improvement in the Rule of 40 score added approximately 1.1x EV/Revenue in Q4 2025, up from 0.8x a year earlier (Bain).
  • Strategics deployed an estimated 92% of cyber M&A capital in 2025, with $1.3T of PE dry powder in the system, concentrating exit liquidity at the top of the quality curve.
  • Israel accounts for approximately 22% of cloud security activity and is the global innovation hub, with Wiz representing the largest Israeli technology exit on record.
  • The Federal Reserve funds range holds at 3.50% to 3.75% after the April 2026 FOMC, with April 2026 CPI rising 3.8% year on year, the highest since 2023.

Methodology

This report synthesises data from Gartner forecast series covering CSPM, CWPP and CASB worldwide spending, PitchBook and CB Insights private-market comparables, S&P Global Market Intelligence public-company and M&A transaction data, McKinsey Global Private Markets Report 2026, Bain & Company software Rule of 40 and private equity research, PwC Global M&A Industry Trends 2026, EY M&A Activity Insights, KPMG Venture Pulse Q4 2025, Federal Reserve FOMC statements, and SEC filings including Alphabet's Form 8-K for the Wiz acquisition close. Windsor Drake calibrated these inputs through its proprietary valuation benchmark framework, applying sector-specific adjustments for AI-native architecture, Rule of 40 performance tiers, NRR quality and geographic liquidity to produce the niche multiples and driver analysis presented throughout the report.

Frequently asked questions

What multiples are cloud security companies trading at in Q2 2026?

Windsor Drake's working benchmark for scaled cloud security platforms sits near 14x NTM revenue, with public cloud-software proxies trading 11x to 19x. The range is wide: AI-native CNAPP leaders command 20x to 32x, broad CNAPP platforms 14x to 22x, CSPM assets 12x to 18x, and legacy point tools compress to 6x to 10x as platform incumbents absorb their capability.

Who is buying cloud security companies right now?

Hyperscalers and platform incumbents are the dominant buyers, with strategics deploying an estimated 92% of cyber M&A capital in 2025. Google's $32B acquisition of Wiz is the defining transaction of the cycle, and Palo Alto Networks' acquisition of CyberArk for $25B repriced cloud identity. PE dry powder of $1.3T remains available for take-privates of sub-scale point tools that cannot achieve strategic exit valuations.

How is the Rule of 40 affecting cloud security valuations in 2026?

The Rule of 40 is the primary filter for a premium multiple in cloud security. Bain finds that each ten-point improvement added about 1.1x EV/Revenue in Q4 2025, up from 0.8x a year earlier. AI infrastructure costs are pressuring margins across the cohort, and Bain has introduced a 'Rule of 30' alternative for AI-native players, but top-quartile performers scoring above 50 average 18x to 32x revenue.

What is the difference in valuation between CNAPP platforms and legacy CSPM or CWPP point tools?

The gap between cohorts is wider than at any point in the niche's history. AI-native CNAPP platforms trade at 20x to 32x revenue while standalone CSPM and CWPP point tools sit at 12x to 18x and 10x to 15x respectively, and legacy cloud tools compress to 6x to 10x. Standalone delivery is being absorbed into unified CNAPP buying decisions, and multiples reflect that structural shift.

What unit economics do investors require for cloud security assets in 2026?

An LTV/CAC ratio above 3:1 is the minimum threshold, with leading platforms targeting 5:1 or better and customer acquisition cost recovered inside twelve months. For CNAPP attach motions, net revenue retention above 115% to 120% is essential, alongside gross retention above 90%. Assets valued above 14x revenue are also expected to demonstrate a credible path to EBITDA profitability within 12 to 18 months.

How long does a cloud security M&A process take in 2026?

A full process runs 12 to 18 months end to end. Windsor Drake notes that founders who intend to engage the market while the current alignment of hyperscaler demand, AI-native premia and stable rate pricing holds are, in practice, preparing now. Strategic buyers map acquisition targets against declared cloud security capability gaps, so preparation well ahead of formal engagement is essential.

What geographic premium do North American cloud security companies receive compared to Israeli or European peers?

North America commands the clearest innovation and exit-liquidity premium, accounting for approximately 50% of activity and anchored by hyperscaler M&A and deep public-market liquidity. Israel accounts for roughly 22% of activity and commands a strategic premium on US exits, as demonstrated by Wiz. Europe trades at a fragmentation discount but offers regulatory moats from NIS2 and DORA, while APAC represents approximately 12% of activity at growth-stage pricing.

Companies covered

Public and private companies referenced in this report.

WizPalo Alto NetworksCrowdStrikeGoogleUpwindOrca SecurityAqua SecuritySysdigNetskopeCyberArkAlphabet

Download the deliverables

Slide deck (PDF) 9 slides Written report (PDF) Executive summary

Other Windsor Drake research

From Windsor Drake