Hello everyone,
Albert Einstein knew that 3 things are infinite:
- The universe (not quite sure)
- Human stupidity
- The number of AI-generated LinkedIn posts from security apostles.
One thumbs up and you’re already stuck in the continuous loop of security calendar sayings. If you haven’t been promoted today and haven’t made a speech at a workshop with 5 colleagues and the office dog, you’re welcome to flush trivialities into my timeline. I applaud everything and always agree, I promise. The latest attack vector on my attention, and at the same time the height of mental laziness: Have newsletters reformulated by chatbots, “forget” the attribution and then nonchalantly publish it as your own ingenious ideas. That’s so brazen that I can’t help but grin, so thank you for that!
No matter how annoying, no one in the B2B advertising world can get past LinkedIn (or you simply don’t exist, which is also an option). The biggest beneficiary in the fight for reach is, of course, owner Microsoft, which now makes ~20 billion USD in sales with it and has beaten all competitors out of the field with flawless platform logic. We know this because the world’s largest security provider (quote: “planet-scale systems”) has published the figures for the calendar year 2025. Ctrl+F “Security” on the Microsoft Investor Relations page and in analyst reports further reveals the following:
- Sales of Sentinel, Defender, Purview & Co. are estimated at around USD 37 billion, or just under 15% of total revenues (for comparison: Palo Alto is at ~10 billion as No. 2; the total market is put somewhere around ~200 billion).
- 1.5 million customers for security products – but the figure also includes the consumer business (see proxy statement). My guess: about 900k of them are business customers. These are the ones that have at least 4 security SKUs in use.
- For MS, the security of Windows, Azure, etc. is of course strategically much more important than the sale of pure security solutions. Cybersecurity oversight is therefore now the number one task of the supervisory board.
- Without naming exact metrics, the security of their own products has been bonus-relevant for board members since 2025. For Satya Nadella, for example, fulfilling the security requirements accounts for 10% of the bonus.
- 34,000 developers work exclusively on security tasks, which corresponds to about 15% of the workforce and is more than the development capacities of PAN, Fortinet, CrowdStrike and the next 10 largest providers combined.
- Spending on sales + marketing is only 9% of total sales and is decreasing as a percentage => No one should be surprised, given a quasi-monopoly. But it should instill respect in every competitor.
- Experience from current projects: the preparation before customer appointments with structured test case demos was in need of improvement => Opens up opportunities for the competition.
A few days ago, everyone was just as relieved as I was to learn that Poland, according to its own statements, was able to successfully fend off the most serious cyber attack on its energy infrastructure to date. How embarrassing that, at almost the same time, saboteurs caused a power outage in our C A P I T A L for days by means of a homemade incendiary device. Yes, we all have to contribute to digital resilience. But it seems as if, at least in Germany, the next euro would also be well invested in conventional fire protection for cable bridges.
Through the eyes of a market observer, there are a few interesting aspects in the reports on the above-mentioned attack on wind turbines and solar plants, primarily that of CERT Polska:
- Initial access was gained via FortiGate firewalls/VPN gateways in the transformer stations.
- These were accessible from the Internet and configured without MFA.
- In my opinion, this is either a gross omission on the part of the operators, or (more likely): 2FA was technically impractical, the risk was known and was reduced by compensating measures. In any case, no fault on the part of the manufacturer is recognizable, even if one can of course argue at will about the number of vulnerabilities found (also mentioned in the report).
- As I understand it, no OT NIDS or NDR was in use in the infrastructure.
- A piece of malware (“LazyWiper”) was written using an LLM, but does not seem to have had any effect.
- Dragos supported the Incident Response.
- However, the now much-cited core analysis of the main malware (“Dynowiper”, presumably by Sandworm) was not carried out by one of the usual OT players, but by ESET, whose EDR solution has been shown to prevent its execution.
This inspired me to bring myself up to date on ESET and take a look at the annual reports of the holding company and ESET Germany.
- With its headquarters in Bratislava, closer to a potential front line than we are here, but above all of course one of the few EU EDR/XDR/MDR providers (main competitors Bitdefender and Sophos, I would say) and a nice European success story since its foundation in 1987:
- Current turnover ~ EUR 700 million, 2,500 employees, active in > 170 countries worldwide, an unbelievable 500k corporate customers
- Profitable with net profit margin > 10%, cash flow similarly positive
- The German market is growing at a rate of 6-7%, esp. driven by SME and MDR business. Private customers are also growing, but with the note “Freeware and aggressive prices of competitors are depressing the achievable sales prices”
- Privately owned. Two of the three founders are still on the supervisory board, the CEO holds about 12% of the shares
- In my opinion, it would easily be worth 5-10 billion USD for an American or Indian player. The ownership structure is not yet too fragmented, so it would be suitable for deals. I could also well imagine that an IPO will take place at some point
- Unfortunately, far behind the market leaders in the MITRE ATT&CK evaluations. By the way, I would like to underline here again: the MITRE evaluations are certainly not perfect, but in my opinion they are the most thorough, independent and comparable public laboratory tests on AV/EDR – if you have other information on this, you are always welcome
- ESET has not played a major role in our bid comparisons and tenders so far. This may change if digital sovereignty actually becomes a purchase criterion
And finally, interesting thoughts from a reader (excerpts):
- “When I look at the effort, costs and risks with regard to the mail infrastructure, I am actually not sure whether sending important documents in paper form would not be cheaper again in the meantime. The ratio of signal/noise, risk/benefit is no longer in a healthy ratio.”
- “Malicious code is also becoming easier to develop. It can be unstable, poorly tested, and unmaintainable. It only has to generate an effect. When it comes to defense, everything must always be coordinated, maintainable and stable. A slingshot (onager) is also easier and cheaper to build than a castle.”
M&A News:
- LevelBlue is now also buying the MDR business of Fortra (Alert Logic) after the major acquisitions of Cybereason and Trustwave
- Heydata (GRC from Berlin, approx. 2000 customers) gets 15 million in funding
- Pictet (financial investor) invests in QGroup (MDR/IR, specialists for SentinelOne)
- Varonis (DSPM+DLP) buys AllTrue.AI (AI agent governance, i.e. from discovery to policy enforcement) => Makes a ton of sense IMHO
Notes from vendor conversations:
Imprivata (Update):
- Known in the healthcare sector for all kinds of IAM/PAM solutions, approx. 5,000 customers worldwide, ~1,500 employees. Certainly the market leader in this segment; coverage of clinics in the DACH region, for example, around 50%. In addition, they are also used by banks, authorities, defense and the like
- Covers identity lifecycle management, mobile device and account management, remote access via its own gateway (e.g. from a private laptop at home, without installing software, with Face ID), compliance (access to sensitive patient data only under certain conditions). In hospitals, the 2nd factor is typically the ID card
- In addition, there are also very specialized solutions such as a docking station with which smartphones are automatically provisioned for a specific role (e.g. if the same person works in different departments)
- Awareness is now to be raised in other industries, esp. manufacturing
- I looked esp. at the FIDO2-compliant SSO and MFA solution for OT. In many plants, group accounts and passwords on post-its are still common practice to enable cross-shift work on legacy systems. Normally, there is also no connection to the IT AD
- This is mapped via shared workstations / mobile devices. Conditional access is possible (e.g. a four-digit PIN in addition to the ID card, or a chip bracelet in clean rooms).
- Provides the ability to show the screen of an application (e.g. the chart of a running process), but without allowing access
- For this purpose, several employees can be logged in at the same time (= a kind of terminal server function, also on normal industrial PCs)
- Also clever: automatic logout when the employee (or their ID card) is no longer near the machine (“proximity-based secure walk away”)
- Licensing based on number of users and mobile devices
- All solutions are offered not only as SaaS/PaaS, but also on prem
- Thoma Bravo is probably preparing a sale or IPO, Reuters reports. Target valuation ~$7 billion
Alpenshield:
- Austrian startup with a very specialized solution: a complete system for MSSPs and in-house SOCs sitting between the SIEM and the analysts (reference customers include A1)
- Important: they do not provide 24/7 analysts themselves, but the entire tool chain (detection library, workflow automation / SOAR, TI, ticketing) for SOCs in one interface (“SOC Guru”)
- Optimized for MS Sentinel + Defender Suite
- CTI from RST Cloud, Azure Logic Apps/Automation as SOAR, darknet credential monitoring via SysLeaks
- Multi-tenant and multi-level capable (to map group structures)
- Quotation and invoicing as accompanying support
- Of course, we are constantly expanding the AI capabilities. Dynamic analysis of incidents already works to some extent; remediation is on the roadmap
- Licensed by number of IT users. The Microsoft licenses remain with the MSSP
Permiso:
- US startup for access visualization (access graph for each identity, incl. NHI, similar to CyberDesk or Veza) and monitoring
- The core question to be answered is: Is access with valid credentials, but unauthorized?
- Approx. 20 corporate customers
- Of course, processes all information and logs from IdP, IGA and cloud platforms. On prem not in focus so far
- CSPM and CTI are also taken into account to prioritize risks
- Seemed like a small SIEM to me, just with a focus on logins, user creation, etc. => Ideal for smaller development-heavy companies
- In addition, support services for analysis (not yet 24/7 MDR, but on the roadmap)
- On the other hand, I find it difficult to sell this in the enterprise segment. If anyone has a different view on this, please feel free to contact me.
As always, questions, suggestions, comments, experience reports, topic requests and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.
For the people who have received the market commentary for the first time: Here you can register if you are interested or search for typos in the archive.
Best regards,
Jannis Stemmann
