The $2 Trillion Opportunity: How AI, Fragmentation, and Industrial Risk Will Reshape Cybersecurity
In the years ahead, cybersecurity will not simply be a matter of defense. It will be a matter of continuity – of business, of infrastructure, of trust. The threat landscape has grown faster than any organization’s capacity to keep up. Ransomware attacks are now a multi-billion-dollar industry, insider threats account for over a third of all breaches, and AI has begun to shift the equilibrium in a profound and unsettling way. Yet even as the danger multiplies, so too does the opportunity for innovation.
Cybersecurity spend is on track to exceed $500 billion globally by 2030 and is already considered a $2 trillion opportunity with the rapid adoption of AI. That figure reflects more than just budget expansion - it’s a signal that security is no longer a cost center, but a strategic pillar. While the digital transformation of the past decade has made companies more agile, more cloud-native, and more interconnected, it has also made them more vulnerable. Every new endpoint, every third-party service, and every AI-generated line of code opens the door a little wider. Companies are responding with urgency, but their tools are often fragmented, reactive, and poorly integrated.
This fragmentation is a critical fault line in the current market. The fourteen largest vendors together account for just 18 percent of industry revenue. That leaves over 80 percent in the hands of hundreds – if not thousands – of point solutions, each solving one sliver of the problem. For enterprise security teams, that means complexity. For attackers, it means opportunity. And for investors, it means there is enormous room for consolidation, for better platforms, and for smarter, AI-native approaches to risk management.
Artificial intelligence, in particular, is not just a new threat vector – it’s also the defining battleground. Developers using AI assistants are shipping more insecure code, introducing flaws that slip through traditional scanning tools. Simultaneously, adversaries are using generative AI to create sophisticated malware, mimic legitimate users, and exploit known vulnerabilities at scale. Static, rules-based systems are quickly becoming obsolete. The future belongs to tools that can ingest diverse forms of telemetry - structured logs, behavioral signals, unstructured text - and learn over time. AI-native platforms that can automate tier-one SOC triage, run continuous penetration tests, and even patch autonomously will define the next generation of security infrastructure.
Just as urgent, though often less visible, is the industrial and IoT frontier. While much of the cybersecurity conversation focuses on software companies and cloud-native enterprises, operational technology (the systems that power energy grids, water treatment plants, and manufacturing lines) remains dangerously exposed. Less than five percent of these environments have dedicated security tooling, despite the fact that a single compromise could lead to physical harm, economic disruption, or worse. The sector’s under-penetration isn’t due to lack of need, but rather the technical complexity of securing real-time, legacy, and proprietary systems. Companies that can bridge that gap (those that understand industrial protocols, can quantify risk in financial terms, and offer compliance-ready solutions) are poised to lead in one of the most overlooked markets in cybersecurity.
Taken together, these trends point to our high-conviction investment thesis: back cybersecurity platforms that (1) simplify fragmented environments through modular design, (2) are native to the threats and opportunities presented by AI, and (3) expand protection into under-secured but mission-critical verticals like industrial and IoT. Ideal companies will show high net retention, compounding product usage, and the ability to either bolt onto existing ecosystems or become platforms in their own right. They will combine technical depth with commercial clarity, turning regulatory pressure into product features and threat data into an enduring moat.
In short, the most valuable security companies of the next decade will not simply respond to threats - they will reimagine the infrastructure of digital trust. The urgency is clear, the market is ready, and the tools are finally catching up to the task. The job now is to find and fund the teams building what comes next.
Written by Cecilia Sanchez - Senior Associate
Sources:
McKinsey
Ion Analytics
Fintech Collective