Emerging Technologies in Cybersecurity
Cross-Cutting Analysis
This document synthesizes emerging technology themes identified across all 14 cybersecurity segment analyses, supplemented with current market data as of March 2026. It is designed for product builders evaluating build/buy decisions and investors assessing category timing.
Executive Summary
Seven technologies are reshaping cybersecurity faster than the market can absorb them. Each has moved beyond the whiteboard stage and is actively influencing vendor roadmaps, buyer requirements, and investment flows.
| # | Technology | Stage | Why It Matters Now |
|---|---|---|---|
| 1 | AI/ML in Security Operations | Early adoption / Growth | Agentic AI is automating Tier-1 SOC work; every major platform vendor has shipped an AI copilot or autonomous agent. The AI-in-cybersecurity market is projected to reach ~$35B in 2026 and $235B by 2032 (31.7% CAGR). |
| 2 | AI Security (Securing AI Systems) | Research / Early adoption | OWASP Top 10 for LLMs published; NIST reports >2,000% increase in AI-specific CVEs since 2022. No dominant vendor exists --- greenfield category. |
| 3 | Post-Quantum Cryptography | Early adoption | NIST finalized FIPS 203/204/205 in August 2024. NSA CNSA 2.0 mandates quantum-safe algorithms for new national security systems by January 2027. "Harvest now, decrypt later" attacks are already underway. |
| 4 | Deception Technology & BAS | Early adoption / Growth | BAS market growing at 27--39% CAGR toward $2.4--6.4B by 2029--2032. Gartner's CTEM framework positions BAS as the "Validation" stage. |
| 5 | Security Data Fabric / Data Lakes | Early adoption | Half of the world's 15 largest banks already use security data lakes. OCSF adoption accelerating. SIEM is becoming an analytics layer, not a data warehouse. |
| 6 | Identity Threat Detection & Response (ITDR) | Growth | $12.8B market in 2024, projected to $35.6B by 2029 (22.6% CAGR). Identity is the #1 attack vector; ITDR bridges the gap between IAM and the SOC. |
| 7 | Confidential Computing | Early adoption | Market estimated at $9--43B in 2026 (wide variance across analysts), growing at 34--63% CAGR. TEEs account for ~50% of deployments. Critical enabler for AI data privacy and multi-party computation. |
Technology Maturity Map
Figure: Technology Maturity vs. Market Impact (2026). Horizontal axis: maturity (Early Stage → Production Ready); vertical axis: impact (Incremental → Transformative). Both axes run from 0% to 100%, with quadrant dividers at 50% (High Impact, Early; High Impact, Mature; Lower Impact, Early; Lower Impact, Mature).
| Technology | Maturity | Impact |
|---|---|---|
| AI/ML in SecOps | 65% | 90% |
| AI Security | 25% | 80% |
| Post-Quantum Crypto | 35% | 70% |
| Deception & BAS | 50% | 50% |
| Security Data Lakes | 45% | 65% |
| ITDR | 60% | 75% |
| Confidential Computing | 30% | 55% |
Technology Maturity Curve --- Cybersecurity Emerging Tech (2026)
- Research
  - AI Security (Securing AI): LLM firewalls, AI red teaming; Model supply chain integrity
  - Confidential Computing: Homomorphic encryption at scale; Multi-party computation
- Early Adoption
  - Post-Quantum Cryptography: NIST standards finalized; NSA CNSA 2.0 mandates (Jan 2027)
  - Security Data Lakes: OCSF normalization; Federated analytics on Snowflake/Databricks
  - Deception & BAS: CTEM validation stage; Automated purple teaming
- Growth
  - AI/ML in SecOps: Agentic SOC platforms shipping; LLM copilots in every major SIEM/XDR
  - ITDR: $12.8B market, 22.6% CAGR; CrowdStrike, Microsoft, Proofpoint leading
- Mature
  - Behavioral Analytics (UEBA): Absorbed into SIEM/XDR platforms
  - Zero Trust (conceptual): 86% have begun, 2% fully mature
Detailed Technology Profiles
1. AI/ML in Security Operations
Category Definition
The application of artificial intelligence and machine learning to security operations: autonomous alert triage, AI-powered threat detection, LLM security copilots, and agentic AI that can investigate and respond without human intervention.
What It Is
AI/ML in security operations encompasses three generations of capability:
- ML-powered detection (2018--2023): UEBA, anomaly scoring, and behavioral baselines --- now table stakes in every major SIEM and EDR platform.
- LLM copilots (2023--2025): Natural-language interfaces for threat investigation. Microsoft Copilot for Security, CrowdStrike Charlotte AI, SentinelOne Purple AI, and Google Gemini in SecOps allow analysts to query security data conversationally.
- Agentic AI (2025--present): Autonomous agents that perform full Tier-1 triage workflows --- enriching alerts, correlating context, determining severity, and executing response playbooks without human intervention. ReliaQuest claims <5-minute detect-to-contain. Sophos deploys AI agents to "power the agentic SOC."
Market Size & Stage
| Metric | Value | Source |
|---|---|---|
| AI in cybersecurity market (2025) | ~$34.1B | Precedence Research |
| AI in cybersecurity market (2032) | ~$234.6B | Fortune Business Insights |
| CAGR | 31.7% | |
| Generative AI in cybersecurity (2025) | ~$8.65B | MarketsandMarkets |
| Agentic AI in cybersecurity CAGR | 39.7% | Market.us |
Key Players
- Platform incumbents: Microsoft (Copilot for Security), CrowdStrike (Charlotte AI), SentinelOne (Purple AI), Palo Alto Networks (Cortex XSIAM), Google (Gemini in SecOps)
- Agentic SOC startups: ReliaQuest (GreyMatter), Stellar Cyber, Torq (AI-driven SOAR)
- Detection-as-code: Anvilogic, Hunters, Panther
Segment Impact
AI/ML in security operations touches every segment analyzed:
- SIEM/SOAR: Agentic AI directly addresses the 70% analyst burnout rate and 79% MITRE ATT&CK coverage gap
- MDR/MSSP: "Automate or be automated" --- agentic AI threatens to commoditize Tier-1 managed services
- Endpoint: CrowdStrike and SentinelOne competing on AI-native detection and autonomous response
- Email: AI vs. AI arms race; AI-generated phishing surged 1,265%+ while behavioral AI defenses evolve
- Threat Intel: Google's agentic TI platform deploys specialized AI agents for autonomous threat hunting
Investment Signal
Strong buy signal. Every major cybersecurity M&A deal in 2025--2026 included AI capabilities as a core valuation driver. Palo Alto's prediction of 2026 as a "turning point for autonomous AI" in security operations aligns with vendor shipping timelines.
Timeline to Mainstream
- LLM copilots: Mainstream now (2025--2026)
- Agentic SOC (Tier-1 automation): Early mainstream 2027--2028
- Fully autonomous SOC (Tier-1+2): 2029+ (human-on-the-loop remains for Tier-3+)
2. AI Security (Securing AI Systems)
Category Definition
Protecting AI/ML systems from adversarial attack: prompt injection defenses, model poisoning detection, AI red teaming, LLM firewalls, training data governance, and AI supply chain security.
What It Is
As enterprises deploy LLMs and AI agents at scale, a new attack surface has emerged that traditional security tools do not address:
- Prompt injection (OWASP LLM Top 10 #1): Attackers embed malicious instructions in user inputs or external data to hijack AI agent behavior
- Model poisoning: PoisonedRAG research achieves 90% attack success by injecting just five malicious texts into databases containing millions of documents
- AI supply chain attacks: Compromised model weights, malicious packages in model registries, and tainted training data
- Data exfiltration via AI: AI agents with broad permissions can exfiltrate confidential data without triggering traditional DLP
- Shadow AI: Unauthorized use of AI tools by employees, exposing sensitive data to third-party models
Market Size & Stage
Knowledge Gap
AI security as a standalone market category lacks reliable independent sizing. It is partially captured within the broader AI-in-cybersecurity market ($34B+) and partially within application security, data security, and GRC markets. No major analyst firm has published a dedicated "AI Security" market sizing report as of March 2026.
Indicators of market formation:
- NIST reported a >2,000% increase in AI-specific CVEs since 2022
- OWASP published the Top 10 for LLM Applications (2025 edition)
- AI-generated phishing surged 1,265%+ (Check Point)
- Italy fined OpenAI $15M for GDPR violations in training data processing
- EU AI Act high-risk compliance deadline: August 2026
- 45% of AI-generated code contains security flaws (Veracode)
Key Players
- LLM firewalls / guardrails: Lakera (Guard), Robust Intelligence (acquired by Cisco), Protect AI, Calypso AI, Arthur AI
- AI red teaming: HiddenLayer, Mindgard, Trail of Bits
- AI governance: Cranium AI, VerifyWise (open source)
- Platform plays: Microsoft (Purview AI governance), Palo Alto (AI Runtime Security), CrowdStrike (AI-SPM)
Segment Impact
- AppSec: 45% of AI-generated code contains security flaws; AI code security is a "large" gap with 57% of organizations reporting AI coding assistants have introduced new security risks
- Data Security: AI data governance is an "embryonic" multi-billion-dollar greenfield category --- training data auditing, model output monitoring, AI-specific DLP policies
- GRC: EU AI Act creates new compliance requirements (model risk assessment, bias auditing, transparency documentation) that current GRC platforms cannot handle
- Endpoint: AI agents create a new attack surface with "unrestricted permissions" --- Palo Alto's $400M Koi acquisition targets this gap
- Identity: AI agent identity management (agent-to-agent authentication, delegated authorization) is a greenfield market
Investment Signal
Strongest greenfield opportunity. No dominant vendor exists. Cisco's acquisition of Robust Intelligence and Palo Alto's AI Runtime Security launch signal platform vendor interest. Startups with technical depth in adversarial ML have a window before platform vendors build or acquire.
Timeline to Mainstream
- LLM guardrails/firewalls: Early mainstream 2026--2027
- AI red teaming as standard practice: 2027--2028
- Comprehensive AI security platforms: 2028--2030
- AI governance compliance tooling (EU AI Act driven): Urgently needed by August 2026
3. Post-Quantum Cryptography (PQC)
Category Definition
Cryptographic algorithms designed to resist attacks from both classical and quantum computers. Encompasses NIST-standardized algorithms (ML-KEM, ML-DSA, SLH-DSA), migration planning tools, and crypto-agility frameworks.
What It Is
Quantum computers capable of breaking RSA and ECC are not here yet, but the threat is already real:
- "Harvest now, decrypt later" (HNDL): Nation-states are intercepting and storing encrypted traffic today, planning to decrypt it once quantum computers arrive. Data with long secrecy requirements (classified information, health records, financial data, trade secrets) is at risk now.
- NIST finalized PQC standards in August 2024: FIPS 203 (ML-KEM for key encapsulation), FIPS 204 (ML-DSA for digital signatures), FIPS 205 (SLH-DSA for stateless hash-based signatures)
- NSA CNSA 2.0 mandates: New national security systems must be CNSA 2.0 compliant by January 2027; full compliance by 2033
Market Size & Stage
| Metric | Value | Source |
|---|---|---|
| Encryption software market (2025) | ~$18B | MarketsandMarkets |
| PQC-readiness in new encryption deals | >60% | MarketsandMarkets |
| PQC migration timeline (NIST target) | Widespread adoption by 2035 | NIST IR 8547 |
Key Migration Milestones
Post-Quantum Cryptography Migration Timeline
- 2024
  - NIST Standards Published: FIPS 203, 204, 205 finalized; Fourth standard (FN-DSA) expected 2025
- 2025--2026
  - Discovery & Planning: Cryptographic inventory; Risk-prioritized migration roadmap; CNSA 1.0 compliance for existing NSS (Dec 2025)
- 2027
  - First Compliance Deadlines: NSA CNSA 2.0 for new systems (Jan 2027); IETF PQC-in-TLS standards expected; Cloudflare post-quantum SASE shipping
- 2030--2033
  - Migration Wave: Full CNSA 2.0 compliance (2033); Enterprise TLS/IPsec migration at scale
- 2035
  - Target State: Widespread PQC adoption (NIST goal)
Key Players
- Standards bodies: NIST, NSA (CNSA 2.0), UK NCSC, IETF
- Crypto-agility vendors: InfoSec Global, Quantum Xchange, PQShield, SandboxAQ (spun out of Alphabet)
- Cloud/platform: Cloudflare (post-quantum SASE), Palo Alto (post-quantum VPN), AWS (post-quantum TLS)
- Certificate management: DigiCert, Venafi (now CyberArk/Palo Alto)
Segment Impact
- Network Security: Every TLS/IPsec connection must eventually migrate. Cloudflare has launched post-quantum SASE. Palo Alto announced post-quantum VPN support.
- Data Security: Over 60% of new encryption deals include PQC-readiness components. Long-lived data is the highest-priority migration target.
- Email Security: Email encryption (S/MIME, PGP) requires PQC certificate migration --- timeline is years out but planning is needed now.
- Identity: Certificate-based authentication (mTLS, FIDO2) requires PQC-safe certificates. Post-quantum identity is a 2027+ concern.
Investment Signal
Infrastructure play, long timeline. PQC is a compliance-driven migration, not a discretionary purchase. The market will be large but the timeline is 5--10 years. Early movers in crypto-agility tooling (discovery, inventory, migration planning) have a window before cloud providers commoditize the capability.
Timeline to Mainstream
- Cryptographic discovery/inventory tools: Now (2025--2026)
- Hybrid PQC in TLS/VPN: 2027--2028
- Full enterprise PQC migration: 2030--2035
- Quantum computers threatening current crypto: Expert estimates range from 2030 to 2040+
4. Deception Technology & Breach and Attack Simulation (BAS)
Category Definition
Technologies that validate security controls through offensive simulation (BAS), deploy decoy assets to detect attackers (deception), and automate adversary emulation for continuous security testing (automated purple teaming).
What It Is
Deception and BAS address a fundamental gap: most organizations do not know if their security controls actually work. Enterprise SIEMs cover only 21% of MITRE ATT&CK techniques (CardinalOps), and 13% of detection rules are broken.
- Breach and Attack Simulation (BAS): Automated, continuous testing of security controls by simulating real-world attack techniques (MITRE ATT&CK-mapped). Tests whether defenses detect and block known attack patterns.
- Deception technology: Deploys decoy assets (honeypots, honey tokens, fake credentials, decoy files) that have zero legitimate use --- any interaction is definitively malicious, producing high-fidelity alerts with near-zero false positives.
- Automated purple teaming: Combines red team (attack simulation) and blue team (detection validation) into a continuous, automated loop.
Market Size & Stage
| Metric | Value | Source |
|---|---|---|
| BAS market (2024) | ~$729M--$1.2B | MarketsandMarkets, Grand View Research |
| BAS market (2029--2032) | $2.4B--$6.4B | Various (27--39% CAGR) |
| Deception technology market (2025) | ~$2.5B | OpenPR |
| Deception technology market (2033) | ~$6.3B | 12.6% CAGR |
Key Players
- BAS: Cymulate (Frost Radar Leader), AttackIQ, SafeBreach, Picus Security, Pentera
- Deception: Acalvio (ThreatDefend), CounterCraft, Attivo Networks (acquired by SentinelOne), Lupovis
- Purple teaming / detection engineering: SnapAttack, SCYTHE, CardinalOps, SOC Prime
- Converging: Cymulate and Pentera are adding deception to BAS; XDR vendors integrating BAS-like validation
Segment Impact
- Vulnerability Management / ASM: BAS is the "Validation" stage of Gartner's CTEM framework. Gartner predicts organizations prioritizing CTEM will be 3x less likely to suffer a breach by 2026.
- SIEM/SOAR: BAS quantifies the detection gap --- showing which ATT&CK techniques the SIEM actually detects vs. claims to detect. This drives detection engineering investment.
- MDR/MSSP: BAS enables objective measurement of MDR provider effectiveness --- MTTD and MTTR against simulated attacks.
Investment Signal
Growing category with consolidation potential. CTEM adoption is driving BAS from "nice to have" to "must have." Pure-play BAS vendors are acquisition targets for XDR and CNAPP platforms seeking to add validation capabilities.
Timeline to Mainstream
- BAS in large enterprises: Mainstream now (2025--2026)
- BAS in mid-market: 2027--2028
- Automated continuous purple teaming: 2027--2029
- Deception-as-a-platform-feature: Being absorbed into XDR/NDR platforms (2026--2028)
5. Security Data Fabric / Data Lakes
Category Definition
The architectural shift from monolithic SIEM-as-data-warehouse to a modular stack where security telemetry is stored in general-purpose data lakes (Snowflake, Databricks, Amazon Security Lake) using open formats (Apache Iceberg, OCSF), with SIEM serving as an analytics and detection layer rather than a storage layer.
What It Is
Traditional SIEMs charge per gigabyte of ingested data, creating a perverse incentive to not collect telemetry. Security data lakes invert this model:
- Store everything cheaply: Cloud object storage costs a fraction of SIEM hot storage. Compliance-driven retention (1--7 years) becomes economically viable.
- Normalize with OCSF: The Open Cybersecurity Schema Framework standardizes telemetry across vendors, enabling cross-tool correlation without proprietary lock-in. AWS, Splunk, CrowdStrike, IBM, and others are OCSF contributors.
- Detection-as-code on top: Platforms like Anvilogic and Hunters provide detection engines that query data lakes directly, eliminating the need to duplicate data into a SIEM.
- Federated search: Query data where it lives rather than centralizing everything. Query.ai and Microsoft Sentinel support federated search across data lakes and third-party stores.
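The normalize-then-detect pattern described above, as an added example (not code from this analysis or from any vendor named in it). The two vendor record layouts, the sample records and the failure threshold are constructed assumptions; the `class_uid`, `category_uid`, `activity_id` and `status_id` values are the OCSF Authentication identifiers.

```python
from collections import defaultdict
from datetime import datetime

# OCSF identifiers for an Authentication event (Identity & Access Management).
CLASS_AUTHENTICATION = 3002
CATEGORY_IAM = 3
ACTIVITY_LOGON = 1
STATUS_SUCCESS, STATUS_FAILURE = 1, 2

# Constructed sample telemetry. Both vendor record layouts are hypothetical.
VENDOR_A = [  # flat keys, epoch seconds
    {"ts": 1767225600, "account": "svc-backup", "client_ip": "203.0.113.7", "result": "FAIL"},
    {"ts": 1767225610, "account": "svc-backup", "client_ip": "203.0.113.7", "result": "FAIL"},
    {"ts": 1767225615, "account": "alice", "client_ip": "198.51.100.4", "result": "OK"},
]
VENDOR_B = [  # nested keys, ISO-8601 UTC, UPN-style account names
    {"eventTime": "2026-01-01T00:00:20Z", "actor": {"upn": "SVC-Backup@example.com"},
     "network": {"ip": "203.0.113.7"}, "outcome": "denied"},
    {"eventTime": "2026-01-01T00:00:30Z", "actor": {"upn": "SVC-Backup@example.com"},
     "network": {"ip": "203.0.113.7"}, "outcome": "granted"},
]


def ocsf_auth(time_ms, user, src_ip, success, vendor):
    """Build a minimal OCSF-shaped Authentication (logon) event."""
    return {
        "class_uid": CLASS_AUTHENTICATION,
        "category_uid": CATEGORY_IAM,
        "activity_id": ACTIVITY_LOGON,
        "time": time_ms,  # OCSF timestamps are epoch milliseconds
        "status_id": STATUS_SUCCESS if success else STATUS_FAILURE,
        "user": {"name": user},
        "src_endpoint": {"ip": src_ip},
        "metadata": {"product": {"vendor_name": vendor}},
    }


def from_vendor_a(rec):
    """Map the hypothetical vendor A layout onto the shared schema."""
    return ocsf_auth(rec["ts"] * 1000, rec["account"].lower(),
                     rec["client_ip"], rec["result"] == "OK", "VendorA")


def from_vendor_b(rec):
    """Map the hypothetical vendor B layout onto the shared schema."""
    when = datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))
    # Assumed identity policy: compare on the lower-cased local part of the UPN.
    user = rec["actor"]["upn"].split("@", 1)[0].lower()
    return ocsf_auth(int(when.timestamp() * 1000), user,
                     rec["network"]["ip"], rec["outcome"] == "granted", "VendorB")


def normalize_all():
    """Return every sample record as an OCSF-shaped event."""
    return [from_vendor_a(r) for r in VENDOR_A] + [from_vendor_b(r) for r in VENDOR_B]


def failures_then_success(events, min_failures=3, window_ms=300_000):
    """Flag (user, source IP) pairs with repeated failed logons followed by a success.

    The rule reads only schema fields, so it runs unchanged over any source
    that has been normalized, and it correlates across sources.
    """
    hits = []
    failed = defaultdict(list)  # (user, ip) -> failed logon events seen so far
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["class_uid"] != CLASS_AUTHENTICATION or ev["activity_id"] != ACTIVITY_LOGON:
            continue
        key = (ev["user"]["name"], ev["src_endpoint"]["ip"])
        if ev["status_id"] == STATUS_FAILURE:
            failed[key].append(ev)
        elif ev["status_id"] == STATUS_SUCCESS:
            # Keep only failures inside the window that ends at this success.
            recent = [f for f in failed.pop(key, []) if ev["time"] - f["time"] <= window_ms]
            if len(recent) >= min_failures:
                vendors = {e["metadata"]["product"]["vendor_name"] for e in recent + [ev]}
                hits.append({"user": key[0], "src_ip": key[1],
                             "failures": len(recent), "vendors": sorted(vendors)})
    return hits


if __name__ == "__main__":
    for hit in failures_then_success(normalize_all()):
        print(hit)
```

Neither source alone reaches the threshold in this sample; the rule fires only on the combined, normalized stream.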
Market Size & Stage
Knowledge Gap
"Security data lake" is not yet tracked as a standalone market by major analyst firms. It is partially captured within the SIEM market ($6--7B) and partially within the broader cloud data platform market ($80B+). Dedicated market sizing is expected from Gartner and Forrester by late 2026.
Adoption indicators:
- Half of the world's 15 largest banks are already using security data lakes
- Microsoft launched Sentinel Data Lake (July 2025)
- Splunk expanding federated search capabilities under Cisco
- Anvilogic and Hunters built their platforms natively on Snowflake/Databricks
Key Players
- Data lake providers: Snowflake, Databricks, Amazon Security Lake (AWS)
- Security analytics on lakes: Anvilogic, Hunters, Query.ai
- Data pipeline: Cribl, DataBahn, Observability Pipelines (Datadog)
- SIEM vendors adapting: Microsoft (Sentinel Data Lake), Splunk (federated search), Google (Chronicle on BigQuery)
- Standards: OCSF (open schema), Apache Iceberg (open table format)
Segment Impact
- SIEM/SOAR: Existential disruption. SIEMs must evolve from data warehouses to analytics engines or risk being disintermediated by data lake + detection-as-code stacks.
- MDR/MSSP: Data lakes enable multi-tenant, cost-effective telemetry storage that improves MDR margins and enables longer retention for threat hunting.
- Threat Intel: OCSF normalization enables threat intelligence to be operationalized across heterogeneous toolsets without per-vendor integration.
Investment Signal
Infrastructure shift with large TAM. The security data lake is to SIEM what cloud was to on-premises infrastructure --- a generational architectural shift. Startups enabling the transition (data pipelines, detection-as-code, OCSF normalization) are well-positioned. The risk is that Snowflake, Databricks, and hyperscalers capture most of the value.
Timeline to Mainstream
- Early adopters (large banks, tech companies): Now (2025--2026)
- Mid-market adoption: 2027--2029
- OCSF as default schema: 2028--2030
- SIEM as analytics-only layer (majority of deployments): 2029--2032
6. Identity Threat Detection and Response (ITDR)
Category Definition
An emerging security category that bridges identity and access management (IAM) with security operations (SOC), providing real-time detection of identity-based attacks: credential theft, session hijacking, privilege escalation, lateral movement via compromised identities.
What It Is
Identity is now the #1 attack vector. The majority of breaches involve compromised credentials, yet traditional IAM and traditional SOC operate in silos:
- IAM manages who has access but does not detect when access is being abused in real time
- SOC/SIEM detects threats but lacks deep identity context (authentication patterns, entitlement baselines, identity graph)
- ITDR bridges this gap with real-time monitoring of authentication patterns, AD/Entra ID attack path detection (DCSync, Golden Ticket, Kerberoasting), and automated response (session revocation, forced re-auth, privilege de-escalation)
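One authentication-pattern check of the kind an ITDR layer runs, impossible travel between consecutive logons, paired with the response actions named above, as an added example (not code from this analysis or any vendor product). The logon records with pre-resolved coordinates, the speed and distance thresholds, and the MFA-based response policy are all constructed assumptions.

```python
import math
from collections import namedtuple

# A logon whose source IP has already been geolocated (constructed data).
Logon = namedtuple("Logon", "user time_s lat lon mfa")

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0    # assumed ceiling: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0  # assumed: ignore geo-IP jitter inside one metro area

SAMPLE_LOGONS = [
    Logon("j.doe", 0, 51.5074, -0.1278, True),        # London
    Logon("j.doe", 3600, 1.3521, 103.8198, False),    # Singapore, one hour later
    Logon("a.lee", 0, 51.5074, -0.1278, True),        # London
    Logon("a.lee", 10800, 48.8566, 2.3522, True),     # Paris, three hours later
    Logon("m.kim", 7200, 40.7128, -74.0060, True),    # New York
    Logon("m.kim", 7200, 35.6762, 139.6503, True),    # Tokyo, same second
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logons):
    """Compare each logon with the same user's previous one and flag
    pairs whose implied travel speed exceeds MAX_SPEED_KMH."""
    findings = []
    last = {}  # user -> most recent logon seen
    for ev in sorted(logons, key=lambda e: e.time_s):  # stable for equal timestamps
        prev = last.get(ev.user)
        last[ev.user] = ev
        if prev is None:
            continue
        dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
        if dist < MIN_DISTANCE_KM:
            continue
        hours = (ev.time_s - prev.time_s) / 3600
        # Two distant logons in the same second imply unbounded speed.
        speed = dist / hours if hours > 0 else math.inf
        if speed > MAX_SPEED_KMH:
            findings.append({
                "user": ev.user,
                "distance_km": round(dist),
                "speed_kmh": speed,
                # Assumed response policy: a logon that passed MFA gets a
                # forced re-authentication; one without MFA loses its session.
                "action": "force_reauth" if ev.mfa else "revoke_session",
            })
    return findings


if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE_LOGONS):
        print(finding)
```

Shared VPN or proxy egress points produce the same signature, so a production rule would allow-list known egress ranges before acting on a finding.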
Market Size & Stage
| Metric | Value | Source |
|---|---|---|
| ITDR market (2024) | ~$12.8B | MarketsandMarkets |
| ITDR market (2029) | ~$35.6B | MarketsandMarkets |
| CAGR | 22.6% | |
| ITDR market (2031, alt. estimate) | ~$58.0B | Polaris Market Research |
Key Players
- Platform vendors: Microsoft (Entra ID Protection + Defender for Identity), CrowdStrike (Falcon Identity Threat Detection), Palo Alto Networks (via CyberArk acquisition)
- Specialist vendors: Proofpoint (ITDR), SentinelOne (Ranger AD), Silverfort (identity firewall), Semperis (AD resilience)
- Emerging: Authomize, Rezonate, Opal Security
Segment Impact
- Identity: ITDR is the fastest-growing sub-segment. Palo Alto's $25B CyberArk acquisition and SailPoint's IPO validate the category.
- MDR/MSSP: Identity-centric detection is the new frontier --- most MDR providers remain endpoint-centric and are racing to integrate identity signal sources.
- SIEM/SOAR: ITDR data enriches SIEM alerts with identity context, reducing false positives and enabling identity-aware triage.
- Endpoint: Identity-aware endpoint detection correlates endpoint behavior with identity signals (impossible travel, MFA failures) to catch credential-based attacks.
Investment Signal
High-growth category, consolidation underway. ITDR is being absorbed into platform plays (Palo Alto + CyberArk, Microsoft Entra). Pure-play ITDR vendors (Silverfort, Semperis) are acquisition targets. Startups should differentiate on non-human identity ITDR (service accounts, API keys, AI agents) --- the governance of non-human identities is largely unaddressed.
Timeline to Mainstream
- ITDR in large enterprises: Mainstream now (2025--2026)
- ITDR as standard MDR capability: 2027--2028
- Non-human identity ITDR (AI agents, service accounts): 2028--2030
7. Confidential Computing
Category Definition
Hardware-based security technologies that protect data in use (not just at rest or in transit) through Trusted Execution Environments (TEEs), enabling computation on encrypted data without exposing it to the operating system, hypervisor, or cloud provider.
What It Is
Traditional encryption protects data at rest (disk encryption) and in transit (TLS). Confidential computing addresses the third state --- data in use --- using hardware-enforced isolation:
- Trusted Execution Environments (TEEs): CPU-level secure enclaves (Intel SGX/TDX, AMD SEV-SNP, ARM CCA) that process data in isolated memory regions inaccessible to the OS, hypervisor, or cloud operator
- Confidential VMs: Full VM encryption with attestation (Azure Confidential VMs, GCP Confidential VMs, AWS Nitro Enclaves)
- Homomorphic encryption (HE): Computation on encrypted data without decryption --- still largely research-stage for general workloads but accelerating for specific use cases (healthcare analytics, financial modeling)
Market Size & Stage
| Metric | Value | Source |
|---|---|---|
| Confidential computing market (2025) | ~$5.6--12.3B | Various (wide analyst variance) |
| Confidential computing market (2026) | ~$6.5--42.7B | Fortune Business Insights, 360iResearch |
| CAGR | 16--63% | Wide range reflects definitional differences |
| TEE market share | ~50% of deployments | 360iResearch |
Knowledge Gap
Market size estimates for confidential computing vary by an order of magnitude ($6.5B to $42.7B for 2026) depending on what analysts include in the definition. Some include all hardware security, others focus narrowly on TEE-enabled workloads. Treat absolute numbers with caution; the growth trajectory (strong) and direction (up) are consistent across all sources.
Key Players
- Hardware: Intel (SGX, TDX), AMD (SEV-SNP), ARM (CCA), NVIDIA (Confidential GPUs for AI)
- Cloud: Microsoft Azure (Confidential VMs, Always Encrypted with Secure Enclaves), Google Cloud (Confidential VMs/Space), AWS (Nitro Enclaves)
- Software/platform: Fortanix, Anjuna Security, Edgeless Systems, Decentriq
- Standards: Confidential Computing Consortium (Linux Foundation)
Segment Impact
- Data Security: Confidential computing enables analytics on encrypted data --- critical for healthcare, financial services, and multi-party data sharing. Homomorphic encryption and secure multi-party computation are "technically possible but not yet practical at scale."
- Cloud Security: Confidential VMs protect against insider threats from cloud providers and reduce the trust boundary. Critical for regulated industries and sovereign cloud deployments.
- AI Security: NVIDIA's Confidential GPUs enable AI training and inference on sensitive data without exposing it to the cloud provider --- a key enabler for regulated AI deployments.
Investment Signal
Infrastructure layer, platform-dominated. The value capture is concentrated in hardware vendors (Intel, AMD, NVIDIA) and hyperscalers (Azure, GCP, AWS). Software startups enabling confidential computing (Fortanix, Anjuna) face platform risk but have near-term opportunity in enterprise tooling and multi-cloud orchestration.
Timeline to Mainstream
- Confidential VMs in cloud: Available now, adoption growing (2025--2026)
- Confidential AI (GPU TEEs): Early adoption 2026--2027
- Practical homomorphic encryption: 2028--2032 for general workloads
- Confidential computing as default cloud posture: 2030+
Technology Convergence
These seven technologies do not exist in isolation. They are converging in ways that amplify their individual impact:
Key convergence patterns:
- AI + Data Lakes = Next-Gen SOC. Agentic AI needs massive, normalized telemetry to reason effectively. Security data lakes with OCSF provide the substrate; AI provides the intelligence layer. Together, they obsolete the traditional SIEM-as-warehouse model.
- AI Security + Confidential Computing = Regulated AI. EU AI Act and healthcare/financial regulations require protecting sensitive training data and model inference. Confidential computing (NVIDIA Confidential GPUs, Azure Confidential VMs) enables compliant AI deployments. AI security tools (LLM firewalls, AI red teaming) validate that protections work.
- ITDR + AI = Identity-Aware Autonomous Response. AI agents monitoring identity signals (authentication anomalies, privilege escalation, impossible travel) can automatically revoke sessions, force re-authentication, and de-escalate privileges --- without waiting for a human analyst.
- BAS + Data Lakes = Measurable Security Posture. BAS validates whether detections work; data lakes store the validation results alongside production telemetry. This enables continuous measurement of security posture over time --- a capability that boards and insurers increasingly demand.
- PQC + Identity = Future-Proof Authentication. Post-quantum certificates must eventually replace current PKI infrastructure. Organizations migrating to passkeys/FIDO2 today should plan for PQC-safe credential chains to avoid a second migration cycle.
Implications for Product Builders and Investors
For Product Builders
Build Guidance
Highest-conviction opportunities (build now):
- AI security tooling --- LLM firewalls, AI red teaming platforms, AI governance for EU AI Act compliance. No dominant vendor exists. The compliance deadline (August 2026) creates urgency.
- Non-human identity governance --- Lifecycle management, access certification, and compliance reporting for service accounts, API keys, AI agent identities. Current IGA platforms only govern human identities.
- Detection-as-code on data lakes --- Analytics layers that run on Snowflake/Databricks with OCSF-normalized data, enabling organizations to decouple detection from SIEM storage.
- SMB-accessible versions of enterprise categories (MDR, SIEM, AppSec, ITDR) --- Nearly every segment analysis identified SMB underservice as a top gap.
Platform-risk categories (build with caution):
- Confidential computing software --- Hardware vendors and hyperscalers control the platform layer. Software startups face commoditization risk.
- Standalone AI copilots for security --- Every platform vendor has shipped one. Differentiation requires deep vertical specialization or agentic capabilities beyond chat.
- Standalone deception --- Being absorbed into XDR/NDR platforms. Build as a feature, not a company.
For Investors
Investment Guidance
Category timing signals:
| Category | Stage | Window |
|---|---|---|
| AI Security | Pre-market | 12--18 months before platform absorption |
| Non-human identity (ITDR for machines/agents) | Pre-market | 18--24 months |
| Security data lakes / detection-as-code | Early growth | 24--36 months |
| BAS / CTEM validation | Growth, consolidation imminent | Acquisition targets now |
| PQC migration tooling | Early, compliance-driven | Long cycle (5--10 years) |
| Agentic SOC | Early growth | 12--24 months before platform lock-in |
| Confidential computing software | Early, platform-dominated | High platform risk |
M&A prediction: BAS vendors (Cymulate, Pentera, SafeBreach) and AI security startups (Lakera, HiddenLayer, Protect AI) are the most likely acquisition targets over the next 12--18 months. XDR platforms need validation capabilities; platform vendors need AI security credibility.
Counter-signal: The 4.8M cybersecurity workforce shortage is not going away. Technologies that require fewer skilled operators (agentic AI, autonomous SOC, managed services) will outperform those that assume available talent (traditional SIEM, complex GRC platforms, manual pen testing).
Sources
Market Research
- Precedence Research --- AI in Cybersecurity Market 2026
- Fortune Business Insights --- AI in Cybersecurity Market 2032
- Grand View Research --- AI in Cybersecurity Market 2030
- MarketsandMarkets --- Generative AI Cybersecurity Market 2030
- Market.us --- Agentic AI in Cybersecurity Market
- MarketsandMarkets --- ITDR Market 2029
- Polaris Market Research --- ITDR Market 2032
- MarketsandMarkets --- BAS Market 2030
- Grand View Research --- BAS Market 2030
- Fortune Business Insights --- Confidential Computing Market 2034
- Mordor Intelligence --- Confidential Computing Market 2031
- MarketsandMarkets --- Encryption Software Market 2030
AI & Security Operations
- Palo Alto Networks --- 6 Predictions for Autonomous AI in 2026
- Sophos --- AI Agents Powering the Agentic SOC
- Stellar Cyber --- Top 10 Agentic SOC Platforms 2026
- HBR / Palo Alto Networks --- Cybersecurity Predictions for the AI Economy
AI Security
- OWASP --- Top 10 for LLM Applications (Prompt Injection)
- Practical DevSecOps --- AI Security Statistics 2026
- Practical DevSecOps --- AI Security Trends 2026
- Lakera --- AI Security Trends 2025
- VentureBeat --- 11 Runtime Attacks Breaking AI Security
- Microsoft --- AI Recommendation Poisoning
- Check Point --- AI Security Report 2025
Post-Quantum Cryptography
- NIST IR 8547 --- Transition to Post-Quantum Cryptography Standards
- UK NCSC --- PQC Migration Timelines
- Palo Alto Networks --- PQC Standards Guide
- QuantumXC --- Post-Quantum Cryptography Predictions 2026
Security Data Lakes
- Query.ai --- SIEM and Security Data Predictions 2026
- DataBahn --- The Case for a Security Data Lake
- Microsoft --- Sentinel Data Lake Announcement
- Hunters --- Security Data Lake on Snowflake
- SentinelOne --- OCSF and the Security Analyst Experience
Deception & BAS
Segment Analyses (Internal)
- All 14 segment deep-dives in /docs/segments/ --- "Emerging Technologies & Trends" sections
Glossary
This glossary defines the acronyms and key terms used throughout the cybersecurity market research site. Use it as a quick reference when navigating segment analyses, pain-point discussions, and opportunity assessments.
A
| Term | Definition |
|---|---|
| ACL | Access Control List — rules determining which users/systems can access resources |
| APT | Advanced Persistent Threat — a prolonged, targeted cyberattack where an intruder gains and maintains unauthorized access |
| ASM | Attack Surface Management — continuous discovery, inventory, and risk assessment of an organization's external-facing assets |
| ASPM | Application Security Posture Management — unified visibility and risk management across the application lifecycle |
| AV | Antivirus — software designed to detect, prevent, and remove malware |
B
| Term | Definition |
|---|---|
| BAS | Breach and Attack Simulation — automated tools that simulate real-world attacks to test security controls |
| BEC | Business Email Compromise — a social-engineering attack targeting employees with access to company finances or data |
C
| Term | Definition |
|---|---|
| C2 | Command and Control — infrastructure used by attackers to communicate with compromised systems |
| CASB | Cloud Access Security Broker — a security policy enforcement point between cloud consumers and providers |
| CCPA | California Consumer Privacy Act — California state law granting consumers rights over their personal data |
| CIAM | Customer Identity and Access Management — managing and securing external customer identities and authentication |
| CIEM | Cloud Infrastructure Entitlement Management — managing identities and privileges in cloud environments |
| CTEM | Continuous Threat Exposure Management — a program for continuously assessing and prioritizing threat exposures |
| CNAPP | Cloud-Native Application Protection Platform — integrated security for cloud-native applications across the full lifecycle |
| CSPM | Cloud Security Posture Management — continuous monitoring of cloud infrastructure for misconfigurations and compliance risks |
| CWPP | Cloud Workload Protection Platform — security for workloads running in cloud environments (VMs, containers, serverless) |
| CVE | Common Vulnerabilities and Exposures — a standardized identifier for publicly known cybersecurity vulnerabilities |
D
| Term | Definition |
|---|---|
| DAST | Dynamic Application Security Testing — testing a running application for vulnerabilities by simulating attacks |
| DCS | Distributed Control System — a control system for managing industrial processes across multiple locations |
| DLP | Data Loss Prevention — tools and processes to prevent unauthorized data exfiltration or leakage |
| DORA | Digital Operational Resilience Act — EU regulation on ICT risk management for financial entities |
| DSPM | Data Security Posture Management — discovering, classifying, and protecting sensitive data across cloud environments |
E
| Term | Definition |
|---|---|
| EASM | External Attack Surface Management — discovering and monitoring internet-facing assets for exposures |
| EDR | Endpoint Detection and Response — tools that monitor endpoints for threats and provide investigation and response capabilities |
| EPP | Endpoint Protection Platform — integrated endpoint security combining prevention, detection, and response |
F/G
| Term | Definition |
|---|---|
| FAIR | Factor Analysis of Information Risk — a quantitative model for understanding, analyzing, and measuring information risk |
| GRC | Governance, Risk, and Compliance — integrated framework for aligning IT with business goals, managing risk, and meeting regulations |
| GDPR | General Data Protection Regulation — EU regulation on data protection and privacy for individuals |
H
| Term | Definition |
|---|---|
| HIPAA | Health Insurance Portability and Accountability Act — US law governing the privacy and security of health information |
I
| Term | Definition |
|---|---|
| IAB | Initial Access Broker — specialized cybercriminals who compromise networks and sell access to ransomware operators and other buyers |
| IAM | Identity and Access Management — framework for managing digital identities and controlling access to resources |
| ICS | Industrial Control System — control systems used in industrial production and critical infrastructure |
| IDS | Intrusion Detection System — a system that monitors network traffic for suspicious activity and alerts |
| ITDR | Identity Threat Detection and Response — detecting and responding to identity-based attacks and compromises |
| IoT | Internet of Things — network of physical devices embedded with sensors, software, and connectivity |
| IPS | Intrusion Prevention System — a system that monitors and actively blocks detected threats in network traffic |
L
| Term | Definition |
|---|---|
| LOTL | Living Off the Land — attack technique using legitimate, pre-installed system tools and binaries rather than custom malware to evade detection |
M
| Term | Definition |
|---|---|
| MaaS | Malware-as-a-Service — cybercrime business model where malware developers sell or rent their tools to other criminals |
| MDR | Managed Detection and Response — outsourced security service providing 24/7 threat monitoring, detection, and response |
| MITRE ATT&CK | MITRE Adversarial Tactics, Techniques, and Common Knowledge — a knowledge base of adversary behaviors and techniques |
| MSSP | Managed Security Service Provider — a third-party provider offering outsourced monitoring and management of security devices |
| MFA | Multi-Factor Authentication — requiring two or more verification factors to gain access to a resource |
N
| Term | Definition |
|---|---|
| NDR | Network Detection and Response — detecting and responding to threats by analyzing network traffic patterns |
| NERC CIP | North American Electric Reliability Corporation Critical Infrastructure Protection — security standards for the electric grid |
| NGAV | Next-Generation Antivirus — advanced antivirus using behavioral analysis, AI, and machine learning beyond signature-based detection |
| NIS2 | Network and Information Systems Directive 2 — updated EU directive on cybersecurity for essential and important entities |
| NIST CSF | National Institute of Standards and Technology Cybersecurity Framework — a voluntary framework for managing cybersecurity risk |
O
| Term | Definition |
|---|---|
| OT | Operational Technology — hardware and software that monitors and controls physical devices and processes |
| OWASP | Open Worldwide Application Security Project — a nonprofit focused on improving software security through open-source projects and guidance |
P
| Term | Definition |
|---|---|
| PAM | Privileged Access Management — securing, managing, and monitoring privileged accounts and access |
| PCI DSS | Payment Card Industry Data Security Standard — security standards for organizations that handle credit card data |
| PII | Personally Identifiable Information — any data that could identify a specific individual |
| PLC | Programmable Logic Controller — an industrial computer used to control manufacturing processes |
R
| Term | Definition |
|---|---|
| RaaS | Ransomware-as-a-Service — cybercrime business model where ransomware operators provide malware and infrastructure to affiliates who conduct attacks, splitting profits |
| RGB | Reconnaissance General Bureau — North Korea's primary intelligence agency responsible for clandestine operations including cyber operations |
S
| Term | Definition |
|---|---|
| SASE | Secure Access Service Edge — converged network and security-as-a-service architecture delivered from the cloud |
| SAST | Static Application Security Testing — analyzing source code for vulnerabilities without executing the application |
| SBOM | Software Bill of Materials — a formal inventory of components, libraries, and dependencies in a software product |
| SCA | Software Composition Analysis — identifying open-source components and known vulnerabilities in a codebase |
| SCADA | Supervisory Control and Data Acquisition — a system for monitoring and controlling industrial processes remotely |
| SD-WAN | Software-Defined Wide Area Network — a virtual WAN architecture that simplifies branch networking and optimizes traffic |
| SEG | Secure Email Gateway — a solution that filters inbound and outbound email to block threats and enforce policies |
| SIEM | Security Information and Event Management — aggregating and analyzing log data for threat detection and compliance |
| SOAR | Security Orchestration, Automation, and Response — tools that automate and coordinate security operations workflows |
| SOC | Security Operations Center — a centralized team and facility for monitoring, detecting, and responding to security incidents |
| SOX | Sarbanes-Oxley Act — US law mandating financial reporting and internal control requirements for public companies |
| SSE | Security Service Edge — the security component of SASE, delivering SWG, CASB, and ZTNA as cloud services |
| SWG | Secure Web Gateway — a solution that filters web traffic to enforce security policies and block threats |
T
| Term | Definition |
|---|---|
| TAM | Total Addressable Market — the total revenue opportunity available for a product or service |
| TCO | Total Cost of Ownership — the complete cost of acquiring, deploying, and operating a solution over its lifetime |
| TIP | Threat Intelligence Platform — a system for aggregating, correlating, and operationalizing threat intelligence data |
| TLS | Transport Layer Security — a cryptographic protocol that provides secure communication over a network |
| TTP | Tactics, Techniques, and Procedures — the patterns of behavior and methods used by threat actors to conduct cyber operations |
V
| Term | Definition |
|---|---|
| VM | Vulnerability Management — the ongoing process of identifying, evaluating, treating, and reporting security vulnerabilities |
X
| Term | Definition |
|---|---|
| XDR | Extended Detection and Response — unified threat detection and response across endpoints, network, cloud, and email |
Z
| Term | Definition |
|---|---|
| ZTNA | Zero Trust Network Access — a security model that grants access based on identity verification and least-privilege principles |