Hello everyone
we are not only looking forward to the first Christmas parties, but also to NIS2. LinkedIn has the infosec community (consisting of at least 75% ragebaiters and raised index fingers) firmly in its grip; the statements range across the spectrum between
- “Long overdue! Finally you have to do something, you rebellious management idiots! #SecurityistChefsache. By the way, we are happy to help you with the implementation.”
- “This does not go far enough, full of disappointment, where are the municipalities and why is not a managed SIEM explicitly prescribed for everyone?”
- “Ver… Bureaucracy, if you don’t make your own provisions, you don’t deserve better!! We don’t need more laws, but more entrepreneurial freedom!”
A few impressions, apart from the wild discussions and outrage posts around the adoption of the law:
- Concrete design in many important points still unclear after years:
  - In the end, none of us knows how auditors will interpret the requirements. Example: What does cyber hygiene mean? What does vulnerability management mean?
  - Reporting obligations for locations in several EU countries still undefined or left to “the responsibility of the companies”
  - Internal IT service providers: Do the same strict requirements apply to them as to providers of public cloud or telecom services? (My current interpretation: Yes, if the IT service provider is spun off into an independent GmbH, and the business purpose is to operate data centers for other companies)
- I am not an expert on legislative procedures and do not presume to judge whether specifications for fire protection or the like have been made better in the past. However, the NIS2 seems unnecessarily confusing to me in such a long procedure. The CRA shows that you can at least make uniform cybersecurity requirements throughout the EU.
- At the same time, the BSI is trying to specify the requirements in more detail with FAQs, etc. Examples:
  - Managing director training: Concrete handout from the BSI available. Time required of 1h (important) or 4h (particularly important) stated as sufficient
  - Own electricity generation, e.g. via PV systems: In the future, too, KRITIS status only applies if > 104 MW of capacity is installed
  - The BSI is allowed to carry out vulnerability scans of publicly accessible systems at all affected institutions – but only for known vulnerabilities
  - All measures should be appropriate: the costs must also be explicitly taken into account
- An indication of the appropriate effort for measures can certainly be derived from the cost estimates (“compliance expenses”) and their justifications, which are buried in the documents:
  - It was assumed that about 1/3 of all affected facilities already meet the NIS-2 requirements anyway, and therefore incur no or negligible additional costs
  - For everyone else:
    - For important (i.e. the smaller) facilities, additional costs for NIS-2 of around EUR 50 thousand are estimated on average in the first year, and ~EUR 25 thousand/year in the following years
    - For particularly important facilities, ~EUR 120 thousand additional expenditure was assumed in the first year and then ~EUR 60 thousand in subsequent years
  - In the explanatory text, the term “compliance with a minimum level of IT security” is used. From my point of view, this, together with the rather low figures mentioned above, currently indicates that the BSI does not impose any requirements on most companies that go beyond the requirements for obtaining basic cyber insurance, and that this will not be checked particularly strictly
- Nevertheless, if the estimates are halfway correct, this would mean ~2.2 billion euros in additional expenditure per year throughout Germany, which would be an increase of 20% for the local cybersecurity market. In the first year (2026) even about twice as much. I put the champagne in the fridge, rub my hands and look forward to the fat end-of-year parties of the vendors (although, I probably won’t be invited to the really good ones with my luck)
- A small boom is probably also good for our industry: It feels like the German security job market has cooled down towards freezing point along with the rest of the economy. One manager said that 1000 applications were received for an advertised IR position. A larger IR team in Germany has reportedly just dismantled almost half of the team. Bitdefender reduces the workforce by ~7%, Axonius by ~10%.
Fitting the job market topic is a field report by eSentire, an MDR provider from Canada with ~2000 corporate customers, on the practical use of AI:
- With a comparable assessment quality as a “Senior SOC Analyst” of ~95% precision in determining the cause and recommending measures, about 40 times as many analyses could be completed in the same time
- The agentic workflows accessed EDR, network flows, logs, directory services, and vulnerability data
- Tasks: Enriching incidents with information from distributed individual systems, examining process trees, log queries, correlating with old similar incidents, matching with CTI feeds
- Results were verified together with customers, many of them operators of critical infrastructures
- Claude is used on AWS Bedrock using the LangGraph Framework
- From my point of view, the whole topic of AI will continue to lead to consolidation in the MSSP market: Large SOC players can afford to develop mature systems that actually bring added value in practice and also have their own training data for them. Smaller MSSPs will have to rely on off-the-shelf platforms and will become more interchangeable as systems become more capable. Anyone who deals with AWS etc. has long known that affordable security requires automation. Automation increases the fixed cost block => barrier to market entry and advantage for the big players.
A few weeks ago, I argued that firewalls are the most profitable security products. In the list of manufacturers, however, I overlooked F5.
This became clear to me when I looked at the numbers at F5 after they had just fallen victim to a cyberattack themselves. The source code of the BIG-IP products (Load Balancer, WAF, Perimeter FW…) was also compromised. Interestingly, the Chinese attackers did nothing at all for > 1 year after the initial access, probably so that the usual retention period of logs was exceeded. Anyway, F5 still has a fantastic EBIT margin of around 25%.
Varonis (DSPM/DLP, approx. 600 million USD sales, at breakeven point, ~100 million free cash flow, ~4 billion market cap) discontinues the on-prem solution and subsequently lowers the short-term sales (growth) forecast – and the share price plummets by > 30%.
A small indication that the current high valuations are based on equally high expectations, which of course also leads to insane pressure on the sales teams. The market capitalization of Palo Alto Networks and CrowdStrike alone is already significantly higher than the global cybersecurity market.
M&A News:
- Palo Alto continues to go on a shopping spree and acquires Chronosphere (Data Pipeline Mgmt., comparable to Onum/Observo/Databahn/Cribl/Tenzir) for ~USD 3 billion
  - Confirms the impression that the tooling for observability (performance management) and security is converging
  - And of course, the big XDR/SIEM manufacturers don’t want to have a third party in the middle of the stack.
  - I also see a great opportunity for MSSPs here:
    - The complexity and benefits of the tech stack are increasing. This is accompanied by economies of scale that are even more effective
    - Existing customer relationships can be leveraged
    - In my opinion, the lock-in effect is higher for revenue-relevant application / system monitoring than for pure security services, among other things because contact persons from various specialist departments are involved on the customer side
    - This results in a clear business case for customers if the astronomical costs for (cloud) log ingest and storage can be reduced
- Arctic Wolf acquires Upsight (ransomware block + rollback on local endpoints, similar to Deep Instinct)
- Zscaler buys SPLX (Security for Customer-Owned AI Applications)
- Bugcrowd takes over Mayhem (AI-based DAST + API tests) => 90% of simple vulnerabilities are to be found by AI in the future, bug bounty hunters can focus on the sophisticated rest
- Pentera acquires EVA (smaller pen test/red teaming service provider)
- SAFE (Cyber Risk Quantification) acquires Balbix (CTEM/ASM)
- Databricks is valued at ~$130 billion in the new funding round
Notes from Vendor Briefings:
Trustspace:
- ISMS/GRC software and ISMS consulting incl. ISB (information security officer) as a Service, from Germany, approx. 15 employees
- Customer focus mainly on startups + SMEs in the DACH region with low organizational complexity (~70 corporate customers)
- That’s why frameworks are primarily ISO27x, NIS2, TISAX (e.g. not yet with SOC2, NIST CSF, DORA). Next up is probably CRA
- Simple onboarding with ~100 questions => On this basis, the ISMS documents are drafted and action planning is initiated
- Supplier management: For large software providers, the information from the Trust Center is automatically recorded, for all others questionnaires can be sent + followed up
- On the Roadmap: Training Tool for Security Awareness + Policy Content
NACView:
- As the name suggests, a NAC solution 😉, i.e. purely on prem, from Poland
- Reference customers, esp. Polish authorities and operators of critical infrastructures
- Authentication methods: 802.1X certificates, MAC addresses
- MAC spoofing is made more difficult by additional queries (identity characteristics, endpoint configuration), but of course it cannot be completely prevented
- Interestingly, many of the small customers use switches from Chinese manufacturers for cost reasons, and then use the NAC as an additional security layer
- Of course, we score points over competitors such as Cisco, Aruba, Forescout, etc. through lower license costs (especially for customers with many locations) for comparable features and the EU HQ
- We also offer purchase licenses (perpetual). Order of magnitude for 2000 endpoints ~20 thousand EUR/a incl. support
- Still looking for channel partners in the DACH region
Forcepoint:
- DSPM / DLP / DDR incl. firewalls + email gateways, from the USA
- Approx. 2,000 employees, ~12,000 corporate customers, including many universities / research institutes in the DACH region (because of IP protection)
- On prem first strategy (e.g. also file shares as a data source). SaaS possible with largely the same features
- With Discovery + Classification, an AI-generated suggestion is made to classify files based on content + context. The AI can then be trained on a customer-specific basis
- For this purpose, outdated / redundant data can be deleted directly
- Monitoring of deletion periods for sensitive data
- Risk assessment based on configurations and access rights (e.g. sharing via link allowed?)
- Automatic execution of different reactions (confirmation, alarm, encryption on new location, block) based on user actions (e.g. mass download vs. single file)
- New customer inquiries probably driven by M365 Sharepoint / Teams / OneDrive + AI applications
- DSPM (acquired at the beginning of the year) and DLP products are not yet fully integrated with each other, but of course they will come. But it also offers advantages if someone is already using another DLP system, for example
- Typical rollout via introduction to HR department (= few users) for testing
- Partners include Orange, Computacenter
Cogent Security:
- Vulnerability management startup from the USA, about 20 customers, sounded similar to Vulcan, Brinqa, Axonius etc.
- Ingest of various scan and asset inventory data
- Deduplication of asset and vulnerability data
- Agentic workflows for prioritization and remediation => This is where the action is. Let’s see how well this works in practice; experience reports are welcome
As always, questions, suggestions, comments, experience reports, topic requests and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.
For the people who have received the market commentary for the first time: Here you can register if you are interested or set up an Advent wreath in the archive.
Regards
Jannis Stemmann
