Palo Alto Networks closed FY2025 with $9.2 billion in revenue, $5.6 billion in next-generation security ARR, and 1,250 active platformization deals among its largest accounts (Palo Alto Networks FY2025 earnings, August 2025). Behind those numbers is a deliberate commercial architecture: acquire point solutions before they reach IPO scale, integrate them into Cortex or Prisma, and offer the bundle to existing accounts at renewal. The category coverage now spans network, cloud, identity, and SecOps. For a cybersecurity startup building in any of those categories, the competitive question is no longer “is our product better?” It is whether the differentiation survives a procurement cycle where the buyer’s Palo Alto account team is already running a consolidation pitch at the annual QBR.
Key Takeaways
- Palo Alto Networks has completed 26 acquisitions since 2014 and closed FY2025 with $9.2 billion in revenue, $5.6 billion in NGS ARR (up 32% year over year), and a remaining performance obligation of $15.8 billion (Palo Alto Networks FY2025 earnings, August 2025).
- Net revenue retention among platformized accounts runs above 120%, meaning consolidated accounts are not just staying, they are expanding spend inside the same contract (Palo Alto Networks SWOT Analysis, 2026).
- 75% of enterprise organizations are actively pursuing vendor consolidation strategies to reduce complexity (Gartner, 2024), which means the buyer Palo Alto is selling consolidation to is the same buyer in front of whom a startup needs to displace it.
- Wiz reached $100 million ARR in 18 months and was acquired by Google for $32 billion by building on an architectural premise, an agentless Security Graph, that Prisma Cloud’s acquisition history made structurally difficult to replicate (SEC filing, March 2025).
TL;DR
Palo Alto Networks has built a commercial architecture that makes it difficult for cybersecurity startups to compete on feature parity in categories it already covers. The mechanism is not product superiority: it is switching cost. When a large enterprise runs Prisma Cloud, Cortex XSIAM, and now CyberArk Identity Security under a single multi-year contract, the evaluation question for a new point solution shifts from “is this better?” to “is this better enough to justify a new vendor relationship?” Startups that have broken through, Wiz being the clearest example, did so by building on architectural or data-based differentiation that the Palo Alto acquisition stack could not replicate without rebuilding from scratch. Feature parity wedges do not produce those outcomes in consolidated accounts.
Nikesh Arora, Palo Alto Networks CEO, said something in 2025 that deserves more attention than it received from founders: “Long term, a billion-dollar revenue company should not be public. They should be part of a bigger entity that allows for the leverage and scale required to create large amounts of cash flow and a high market cap.” He was not offering M&A commentary. He was describing the procurement reality his company is building for every security buyer in the market. With $15.8 billion in remaining performance obligations growing at 24% year over year, Palo Alto’s largest accounts have already committed their security budgets multiple years forward (Palo Alto Networks Q4 FY2025 earnings, August 2025). A startup trying to land in those accounts is not selling against a product. It is selling against a signed contract.
The Acquisition Playbook That Built a $9.2 Billion Switching Cost
Palo Alto Networks has made 26 acquisitions since 2014 across cybersecurity, cloud infrastructure, and enterprise networking (Tracxn, 2026). The cadence was not opportunistic. Each deal followed the same logic: identify a high-growth point solution in an adjacent category, acquire it before IPO scale, integrate it into Cortex or Prisma, and offer it to existing accounts as part of a bundle at renewal.
The timeline is instructive. Evident.io and RedLock (2018) became Prisma Cloud’s CSPM foundation. Demisto (2019) became Cortex XSOAR. Twistlock and PureSec (2019) brought container and serverless security. Bridgecrew (2021) added developer-facing IaC security. IBM’s QRadar SaaS assets (2024, approximately $1.14 billion) handed Palo Alto a migration path from one of the largest SIEM installed bases in the market. CyberArk (completed February 2026, $25 billion) added identity security as a fourth platform pillar (SEC filing, February 2026).
What this builds is not a feature set. It is a switching cost structure. A large enterprise running Prisma Cloud for CSPM, Cortex XSIAM for SIEM replacement, and CyberArk Identity Security under a single support agreement faces a meaningful financial and political hurdle before bringing in any new vendor in those categories. Net revenue retention among platformized accounts runs above 120% (Palo Alto Networks SWOT Analysis, 2026). The accounts are not just staying. They are expanding spend without opening new vendor relationships. That is the commercial mechanism a startup is competing against, not the product.
The Feature-Parity Wedge No Longer Survives in Consolidated Accounts
Until roughly 2020, the viable startup path in cybersecurity was to build a materially better version of something enterprises were buying, win a POC on technical merit, and grow from there. That path still exists in some markets. It does not exist in categories Palo Alto already covers at scale.
The reason is not product superiority. Prisma Cloud, assembled from six acquisitions between 2018 and 2021, shows the seams of its history. The Twistlock-derived Defender agent for container runtime requires ongoing version management and agent lifecycle overhead that purpose-built competitors have eliminated. Palo Alto’s SIEM replacement, Cortex XSIAM, is still proving displacement capability against entrenched Splunk deployments.
The issue is that “technically superior” is not the evaluation criterion inside a consolidated account. The criterion is: is this better than what we already have by enough to justify a new vendor relationship, a new support contract, a new procurement cycle, and the political capital required to tell the Palo Alto account team we are going elsewhere?
A CSPM startup that had strong technology and active pipeline in 2021, after Evident.io, RedLock, and Bridgecrew had been absorbed, was increasingly not losing evaluations. Evaluations were not happening. The procurement decision was being made at the platform level, before the point solution reached demo. Several well-funded CSPM startups from that period either pivoted, sold, or quietly wound down their enterprise motion. Feature advantage alone did not save them.
Why Prisma Cloud Feature Competitors Specifically Struggled
The Prisma Cloud case is the clearest example of what a feature-parity wedge runs into inside a consolidated account.
By feature breadth, Prisma Cloud is the most comprehensive CNAPP in the market. It spans code security through Bridgecrew, CSPM, container runtime protection via the Twistlock Defender agent, CI/CD pipeline security through Cider, CIEM, network security, and DSPM. No single vendor covers as many CNAPP subcategories in one product license (WeavAI, 2026).
A startup that built strong CSPM capability in 2019 was entering a real market with real buyer appetite. By 2021, after the acquisitions closed, that same startup was being evaluated against Prisma Cloud’s bundled offering inside accounts where Palo Alto’s team was running a cost-reduction pitch. The conversation shifted from “is your CSPM better than Prisma Cloud’s CSPM?” to “why would we add a new vendor for CSPM when our Palo Alto renewal includes it?”

Those are different questions with fundamentally different answers. The first is answered with a benchmark. The second requires the startup to justify a new procurement motion, a new security team relationship, a new contract, and a new integration. TechTarget research found that 59% of cybersecurity buyers rank case studies as one of their top three purchase influencers (TechTarget, 2025). A case study from a reference customer does not answer the second question. It answers the first. And in consolidated accounts, nobody is asking the first question anymore.
How Wiz Built a Wedge That Prisma Cloud’s Architecture Could Not Absorb
Wiz did not win cloud security by building better CSPM features. It won by making an architectural choice that Prisma Cloud’s assembly history made difficult to replicate.
Prisma Cloud is a platform assembled from acquisitions. Evident.io handled CSPM. RedLock added compliance. Twistlock brought container workload protection via its Defender agent. Bridgecrew added IaC and developer-facing security. Each acquisition brought strong technology. None of them shared a unified data model.
Wiz was built from scratch in 2020 by former Microsoft Cloud Security Group engineers around a single premise: a Security Graph, a normalized view of cloud resources, identities, network paths, vulnerabilities, and exposed data, connected so attack paths could be computed across all of them simultaneously. The agentless architecture meant onboarding a new cloud environment took hours, not the weeks required to roll Twistlock Defender agents to every node (AppSec Santa, 2026).
The “toxic combinations” framing was not a feature. It was a way of structuring risk data that no existing tool produced. A cloud security engineer could take the output back to their CISO and explain a real attack path in one sentence. That is a different kind of value than “better vulnerability scanning.”
Wiz reached $100 million ARR in 18 months. By mid-2024, ARR was at $500 million. Google acquired Wiz for $32 billion in March 2025, the largest cybersecurity acquisition in history (SEC filing, March 2025). The architectural wedge held long enough to produce a $32 billion outcome. Feature wedges in Palo Alto’s shadow do not produce those outcomes.
Three Differentiation Models That Survive Platformization. And the Trade-offs Each Carries.
The Wiz outcome suggests a framework, not a formula. Three types of differentiation have held against incumbent bundling. Each has a ceiling.
Architectural differentiation requires the incumbent to rebuild, not acquire. Wiz’s Security Graph is the example. Prisma Cloud added agentless scanning, but the Twistlock Defender agent for runtime remains because that is how the product was assembled. A startup that makes an architectural choice the incumbent cannot adopt without breaking its existing customer base has real protection. The cost is time and capital. Wiz took 18 months to reach $100 million ARR with significant venture backing throughout. Many architectural bets never prove out.
Data differentiation is built on proprietary training sets or behavioral baselines. Abnormal Security’s email protection model analyzes over 45,000 signals per user to build a baseline that detects business email compromise by identifying deviations from normal communication patterns. The model requires years of training data that a new entrant or an incumbent adding a feature cannot replicate quickly. Abnormal crossed $200 million ARR on this basis (Abnormal Security Series D announcement, 2024). The constraint is accumulation time. The data moat is only real after the data exists.
Buyer differentiation goes around the CISO to someone with shorter procurement cycles, typically a developer, DevOps engineer, or SOC analyst with tool-level purchasing authority. Snyk built developer security on this model through CLI integrations and npm audit before security teams had codified a formal SCA strategy. The risk is that this approach has a time limit. Security teams have clawed back purchasing authority from developers since 2022, and the window for pure developer-led adoption in enterprise security has narrowed considerably.

What none of these share with a feature-only position is survivability inside a consolidated account where the incumbent is running a platform motion at annual renewal.
Frequently Asked Questions (FAQs)
Does Palo Alto’s platformization actually produce better security outcomes, or is it primarily a commercial lock-in strategy?
Both dynamics operate simultaneously, and which one dominates depends on the account. For enterprises that have deeply integrated Cortex XDR, Prisma Cloud, and now CyberArk Identity Security, the cross-product telemetry sharing and unified policy management produce genuine security improvements that siloed point solutions cannot match. The CyberArk integration, for example, links privileged access events directly to endpoint and cloud activity in a unified data layer. For accounts where Palo Alto products were bundled without deep integration work, the operational reality is four separate products with one contract and one account team. The 120%+ net revenue retention rate among platformized accounts suggests customers are expanding spend, but it does not distinguish between genuine security improvement and the friction of switching away.
Is there still a viable path for a startup building in a category Palo Alto already covers?
There is, but it requires a specific condition. The startup must be building for a buyer type or deployment context that the Palo Alto platform does not serve well. Companies below $200 million in revenue are often excluded from Palo Alto’s ideal customer profile due to minimum contract sizes and implementation complexity. Regulated sectors with specific compliance requirements (FedRAMP High, for example) sometimes need purpose-built tooling that a bundled platform cannot certify quickly enough. Developer-native tools with CLI-first deployment can gain adoption in engineering organizations before a formal security evaluation runs. None of these paths lead to the same enterprise accounts Palo Alto targets with its platformization motion. They are adjacent markets where the consolidated platform’s weight works against it.
How does the $25 billion CyberArk acquisition change things for identity security startups specifically?
It narrows the viable paths significantly. CyberArk had $1.3 billion in ARR at acquisition (CyberArk Q2 2025 earnings), making it the dominant independent identity security vendor. The combination of privileged access management, session management, and machine identity capabilities under a Palo Alto contract makes it structurally harder to land a standalone identity deal in any account running Palo Alto products. The viable wedge for identity startups now requires either a buyer CyberArk does not serve well (non-human identity in cloud-native environments, where CyberArk’s tooling is newer) or an architectural approach CyberArk’s enterprise PAM model cannot reach (machine identity in CI/CD pipelines, agentic AI workloads). Both paths exist. Neither scales to the full CyberArk replacement opportunity in the near term. If your growth plan depends on displacing CyberArk inside Palo Alto accounts, that plan needs revisiting. A GTM diagnostic at Noir Dove starts with exactly this kind of commercial system examination before any outbound motion is built.
What does the $15.8 billion RPO signal for startups trying to get into Palo Alto’s installed base?
Remaining performance obligation is contracted revenue not yet recognized. At $15.8 billion and growing 24% year over year, Palo Alto’s largest accounts have signed contracts extending two to three years forward. For a startup targeting those accounts, the annual renewal cycle (usually the best window to introduce a new vendor) is already committed for the next several years in most cases. The realistic entry points are the expansion budget when a genuinely new use case arises outside the existing contract scope, or a new project budget tied to a specific initiative (AI security, regulatory requirement, cloud migration) that was not in the original platform deal. Neither is as reliable as a competitive renewal. The RPO growth rate confirms the window is not getting wider.
Your differentiation needs to survive a buyer who is already in a Palo Alto contract.
If your GTM assumes a standard evaluation process, that assumption is worth testing before the next pipeline cycle. The commercial landscape for cybersecurity startups has shifted structurally, not cyclically. Startups that are winning have differentiation the incumbent cannot bundle. The ones that are not are often competing on the wrong variable entirely.

