Hello Cyber Builders 🖖
Your security stack is built on a model that was never designed to survive what’s coming.
Seat licenses. Annual renewals. Feature tier upgrades. That’s the architecture of every major security vendor you rely on — your SIEM, your EDR, your GRC platform, your identity solution.
It was a great model. It made vendors rich. It gave you predictability. And it is fundamentally changing.
In this issue, we step back from cybersecurity to examine two forces transforming the software landscape.
First, AGC’s private equity data shows that SaaS growth, valuation, and exit dynamics are slowing, challenging the traditional focus on short-term VC rounds.
Second, AI trends are advancing across all categories: models with longer time horizons, agents capable of end-to-end tasks, and an economic logic that not only depends on humans in the loop.
By considering these long-term shifts—rather than short-term turbulence—we can better understand what’s ahead for security vendors, buyers, and builders.
In this post, we’ll explore:
-
Why the classic SaaS model is stalling — and what the latest revenue, EBITDA, and PE data say about the end of “sell more seats” as a growth engine.
-
How AI breaks the seat-based logic of software — shifting value from coordination (humans in the loop) to delegation (agents doing the work) as time horizons explode from seconds to 10-hour tasks.
-
Why cybersecurity is the exception—and the test case — a market still growing and consolidating fast, with record funding, record M&A, and cloud-like AI absorption across SIEM, EDR, identity, and GRC.
-
Three hard questions security leaders need to sit with now — from the Great Bundling, to AI security as a category vs table stakes, to what happens when agents start doing the work of your 40–70-tool stack.
For 30 years, enterprise software — including cybersecurity software — ran on a single beautiful logic.
Sell licenses. Expand seats. Lock retention. Repeat.
The numbers were almost magical. 70–80% gross margins, because software scales without factories. 110–130% Net Revenue Retention, meaning customers expanded faster than they churned. Predictable ARR curves you could forecast 24 months out. The software industry grew at 27% annually for four decades. Public markets loved it because you could model it in a spreadsheet. Valuation multiples expanded. Venture capital flooded in. Private equity built fortunes on it.
In cybersecurity, the model was particularly potent. Fear and compliance drove seat expansion. Breaches created a new budget. Regulation created new categories. Every new threat spawned a new vendor. Every new vendor raised a round, reached Series C, and IPO’d into a rich multiple.
The game was good. Really good.
Something changed. And the numbers don’t lie.
According to AGC Partners’ Q4 2025 Tech Capital Markets report, the top 167 public SaaS companies are projecting just 11% revenue growth for 2026. Not 70%. Not 30%. Not even 23%.
Eleven percent.
The causes are structural, not cyclical. Buyers are upgrading, not discovering — growth is incremental, not exponential. CISOs are drowning in vendors; budget is consolidating, not expanding. And investors are losing confidence: a PE firm won’t underwrite to an 8-year time horizon on a company with 10% growth and, in their own words, “inherent AI risk.” The math doesn’t work.
Revenue growth is falling to 11%, while EBITDA margins are rising to ~29%. The model is shifting from growth at all costs to profitable growth — but growth is still what commands premium valuations.
The private equity market reflects this stall. $444 billion in tech dry powder is sitting uninvested. 5,604 portfolio companies are waiting for exits that aren’t materializing. Only 215 exits happened in 2025.
The old playbook ran out of runway.
Here is where it gets important.
AI is not just making SaaS better. It is replacing SaaS logic entirely.
The fundamental difference is this: SaaS monetized coordination. It made humans faster — better email, better CRM, better dashboards, better ticketing. The human stayed in the loop. You paid per seat because the value scaled with headcount.
AI monetizes delegation. It removes humans from the loop. For certain tasks, at certain time horizons — and that horizon is expanding fast.
METR (Model Evaluation & Threat Research) tracks what they call the time horizon: the length of a task — measured in human-equivalent time — that an AI model can complete autonomously with 50% reliability. They’ve measured it across every major model from GPT-2 to the present day.
The finding: AI time horizons have been doubling approximately every 7 months for six years straight.
Let the numbers land for a moment:
-
2020: AI could autonomously complete tasks taking a human ~4 seconds
-
2022: ~4 minutes (GPT-3.5)
-
Late 2024: ~40 minutes (o1)
-
Early 2026: ~10 hours (Claude Opus 4.6)
That last jump — from 40 minutes to 10 hours in roughly 18 months — is not incremental. The chart label at that level reads: “Implement complex protocol from multiple RFCs.” That is deep, multi-step knowledge work. Not trivia. Not autocomplete.
And the trend is accelerating. In 2024–2025 alone, time horizons doubled every 4 months, faster than the 6-year average.
If this holds, AI agents will autonomously complete month-long projects before the end of this decade.
What that means economically: if AI handles 20% of a knowledge worker’s time, you get a marginal efficiency gain. At 40%, you get a structural redesign of roles. At 60%, entire job categories mutate. This is not feature efficiency. This is time compression — and it breaks the seat-counting math on which SaaS was built.
For 30 years, software sold you tools that made your team faster. AI-native systems are becoming the team.
Here is where most macro analyses get it wrong. They treat cybersecurity like any other software vertical.
It isn’t.
Cybersecurity has its own dynamics and its own demand triggers. Cybercriminals. Compliance. Breaches. Geopolitics. None of those go away because SaaS growth slows.
And the 2025 data backs that up. While the broader software market projected 11% growth, the cybersecurity market raised $25.1 billion in funding — up 59% year over year. M&A hit $76.4 billion, the largest total in industry history. Google bought Wiz for $32 billion — the largest cybersecurity acquisition ever.
So is cybersecurity immune to what’s happening in the broader software market?
Not immune. But different. And it’s a very large and growing market
Three questions are worth sitting with — and they don’t have easy answers yet.
Is the Great Bundling a response to the SaaS slowdown? The biggest players — Palo Alto, CrowdStrike, Google — are acquiring aggressively. Are they building platforms because customers want consolidation? Or because the era of standalone, seat-based point solutions is running out of room?
Is AI in security a new category — or just table stakes? AI Security (e.g., Securing AI models, preventing distillation, model corruption, etc.) accounted for only 2.6% of cybersecurity funding in 2025. But AI is being absorbed into every existing category: SIEM, EDR, identity, GRC — the same pattern cloud followed from 2010 to 2020. That might be the most important sign of how deeply it’s being embedded.
What happens to your 40–70 tool stack when agents start doing the work? If AI compresses the time a security analyst spends on tier-1 investigations, does that mean fewer seats? Fewer tools? Or more — because the attack surface is expanding just as fast?
These are the questions that matter now. Not in five years. Now.
The macro is turbulent. The old SaaS model is decelerating. AI is compressing work at a pace without historical precedent. The investment math that powered enterprise software for 40 years is being stress-tested.
And cybersecurity is right in the middle of it — but telling its own story.
To understand that story, I spoke with someone who has been building a rigorous, independent dataset on cybersecurity funding and M&A for four years running.
Mike Privette, founder of Return on Security, just published his 2025 State of the Cybersecurity Market report. $25.1 billion in funding. $76.4 billion in M&A. A geographic concentration story that should make every European founder and investor pay close attention.
I got on a call with him to go deeper.
Next issue: The conversation — and what the data reveals about where cybersecurity actually stands.
Laurent 💚
Sources: AGC Partners, Tech Capital Markets Update Q4 2025. METR, Task-Completion Time Horizons of Frontier AI Models (March 2025) & Time Horizon v1.1 (January 2026).
