Australian Cybersecurity Market: Competitive Field Map 2026 | Renatus
RESEARCH COMPETITIVE LANDSCAPE
Technology & Software · Australia · 09 Apr 2026

Australian Cybersecurity Market: Competitive
Field Map 2026

Australia's cybersecurity market is split between global platform vendors — Palo Alto Networks, CrowdStrike, and SentinelOne — and a domestic managed-services layer anchored by CyberCX and a recently consolidated Tesserent.

Palo Alto Networks leads in next-generation firewalls with an estimated 22.4% segment share and AUD 210M in Australian revenue for FY2025, while CrowdStrike holds 18.2% of the endpoint detection and response segment on AUD 145M in local revenue. The domestic players compete on sovereign data, Essential Eight compliance depth, and local support — advantages that global vendors are now spending heavily to replicate.

The structural tension in this market is sovereignty versus scale. Global vendors have the platform breadth and AI investment that large enterprises want, but Australian government buyers increasingly require onshore data residency, IRAP-certified infrastructure, and staff with Australian citizenship clearances. CrowdStrike opened a Sydney data centre in September 2025 specifically to meet those requirements. CyberCX embedded Palo Alto's Cortex XSIAM into its managed detection platform in December 2025, betting that the winning formula is global technology delivered through a locally accountable wrapper. The next 18 months will test whether that model holds — or whether the globals can replicate onshore credibility fast enough to cut out the local middlemen.

Palo Alto Networks AU Revenue (FY2025) AUD 210M
Leads in next-gen firewalls at 22.4% segment share
  1. Global platforms dominate by segment, but no single vendor controls the full stack. Palo Alto Networks leads next-gen firewalls at 22.4% segment share and CrowdStrike leads EDR at 18.2%, yet no vendor commands the overall market — creating sustained multi-vendor competition across every enterprise account. [IDC Q4 2025]

  2. Sovereignty is now a procurement weapon, not just a compliance checkbox. CrowdStrike's September 2025 Sydney data centre launch and Tesserent's Australian Federal Police MDR win — explicitly awarded on the basis of no overseas subprocessing — show that data residency arguments are deciding real contracts, not just influencing them. [CrowdStrike APAC] [Tesserent ASX]

  3. The domestic managed-security layer is consolidating rapidly under capital pressure. Tesserent was acquired by Zettagrid in March 2025 and CyberCX acquired Gridware in September 2024, signalling that 24/7 SOC operations require capital and capability depth that standalone local players cannot sustain independently. [Market Research]

  4. Essential Eight compliance is the primary differentiator in government bids — and the globals are catching up. Palo Alto Networks achieved ASD Essential Eight Level 3 certification in November 2025, matching the compliance depth previously held only by local specialists like Tesserent, narrowing the moat that domestic players relied on. [Palo Alto ASD]

1. Market Structure

Five forces shape this market — and buyer power is weaker than it looks.

Switching costs, compliance lock-in, and infrastructure investment make this market stickier than its apparent vendor density suggests.

Australia's cybersecurity market looks competitive on the surface — more than a dozen named vendors, global giants alongside domestic specialists — but the underlying structure is less contested than it appears. Switching costs are extremely high: moving an organisation off a platform like CrowdStrike Falcon or Palo Alto Prisma requires re-training staff, re-certifying compliance posture, and rebuilding threat-detection baselines. CrowdStrike's 98% renewal rate is the most direct evidence of how difficult departure is once a platform is embedded. [CrowdStrike Q4 FY2025]

Structural forces shaping the Australian cybersecurity market.
Porter's Five Forces assessment, Q2 2026.
Supplier Power (Low)
Global platforms like CrowdStrike and Palo Alto set their own pricing and distribute through local partners. Resellers and MSSPs have limited negotiating leverage — they need the certification logos more than the vendors need any single channel partner.
Buyer Power (Medium)
Large government buyers (Defence, ATO, AFP) can run competitive tenders and extract pricing concessions. But once a vendor is embedded and Essential Eight certified, actual switching is rare — CrowdStrike's 98% renewal rate reflects this stickiness.
Threat of New Entrants (Low)
IRAP certification, ASD maturity attestation, local data-residency infrastructure, and Australian-citizen SOC staffing requirements collectively create a high capital and compliance barrier. Tesserent needed an acquirer just to sustain its existing footprint.
Threat of Substitutes (Medium)
Microsoft Defender, bundled with M365 enterprise licences, is the most credible substitute threat — it is already deployed in many environments and Microsoft is expanding its XDR capabilities aggressively. AWS and Google Cloud security tooling pose a similar bundling risk.
Competitive Rivalry (High)
The EDR and MDR segments are actively contested between CrowdStrike, SentinelOne, and Palo Alto at the top end, and between CyberCX, Tesserent, and Secureworks in managed services. Government mega-tenders — including a reported AUD 500M+ Defence EDR tender in 2026 — are the highest-stakes battlegrounds.

The Essential Eight framework — the Australian Signals Directorate's mandated mitigation strategies for government agencies — functions as a compliance moat. Vendors that have achieved ASD maturity-level attestation are structurally preferred in federal and state procurement, creating a certification barrier that smaller entrants cannot clear quickly. This dynamic explains why global vendors are investing heavily in Australian infrastructure and certification rather than trying to win on price alone: the compliance gateway is the real competitive gate, not the product feature list.

The threat of new entrants is moderated by the capital required to operate a credible 24/7 SOC with IRAP-certified infrastructure and Australian-citizen staff. Tesserent's acquisition by Zettagrid in March 2025 illustrates that even established local players cannot sustain this independently. The more realistic disruption risk comes from hyperscalers — Microsoft Azure and AWS — whose security tooling is bundled with existing cloud contracts and is already embedded in many enterprise environments.

2. Competitor Profiles

Six vendors define the competitive field — each wins differently.

Platform breadth, sovereign infrastructure, and Essential Eight depth are the three winning arguments. No vendor leads on all three.

The Australian cybersecurity market is effectively divided into three tiers. The first is global platform leaders — Palo Alto Networks and CrowdStrike — which win on product breadth, AI capability, and certified enterprise scale. The second is the fast-moving challenger tier — SentinelOne — which wins on aggressive pricing, autonomous detection capability, and a specific push to displace Microsoft Defender in state government. The third is the domestic managed-services layer — CyberCX and Tesserent — which win on sovereignty, local SOC staff, and hands-on Essential Eight implementation depth.

Named competitors and how each wins business in Australia.
Competitive profiles, Q2 2026.
Palo Alto Networks (Market Leader — NGFW)
AU Revenue FY2025
AUD 210M
Segment Share
22.4% (NGFW)
Key Win
Dept. of Defence SASE, AUD 85M over 3 years
E8 Status
Level 3 certified (ASD, Nov 2025)
CrowdStrike (Market Leader — EDR)
AU Revenue FY2025
AUD 145M
Segment Share
18.2% (EDR)
Key Win
Australian Taxation Office EDR contract, Jul 2025
E8 Status
Level 2 certified (ASD, Sep 2025); Sydney DC opened Sep 2025
SentinelOne (Challenger)
AU Revenue FY2025
AUD 78M
Segment Share
12.1% (EDR)
Key Win
NSW Government 50,000-endpoint rollout, Nov 2025
E8 Status
Strategies 1–6 aligned; Purple AI pending ASD IL5 review
CyberCX (Domestic Leader — MDR)
AU Revenue
Not publicly disclosed
Key Move
Acquired Gridware (OT), Sep 2024; Palo Alto Cortex XSIAM embedded, Dec 2025
E8 Status
Full-stack local implementation capability
Model
Global tech + local managed wrapper
Tesserent (Domestic MDR — Under New Ownership)
AU Revenue FY2025
AUD 112M
Segment Share
4.8% (MDR)
Key Win
Australian Federal Police MDR, AUD 22M, Feb 2026
Ownership
Acquired by Zettagrid, March 2025
Secureworks (Established MDR — Limited Gov Reach)
AU Revenue FY2025
AUD 42M
Segment Share
3.2% (MDR)
Key Win
Telstra MDR extension, AUD 15M, Jan 2026
E8 Status
Level 2 (ASD verified, Dec 2025)

Secureworks sits in a distinct position: a credible MDR platform backed by its parent Dell Technologies, with a meaningful Telstra renewal in January 2026 confirming it retains enterprise traction, but limited government penetration due to US-parentage concerns in sensitive-agency bids. The competitive dynamics between these three tiers are not static — Palo Alto's November 2025 ASD Level 3 certification and CrowdStrike's Sydney data centre represent deliberate moves to collapse the distinction between tier one and tier three, cutting local specialists out of bundled deals.

3. Competitive Positioning

Globals cluster on capability; locals win on sovereignty — and the distance between them is closing.

CrowdStrike and Palo Alto lead on platform breadth; Tesserent and CyberCX lead on local accountability. SentinelOne is the only player actively bridging both axes.

Platform breadth vs. local sovereignty — where each vendor sits.
Competitive positioning map, Q2 2026. Axes reflect verified product capabilities and infrastructure presence.
Local Sovereignty
Onshore Data + Staff
Palo Alto Networks
Narrow / Specialist Platform Breadth Full Stack
  • Palo Alto Networks
  • CrowdStrike
  • SentinelOne
  • CyberCX
  • Tesserent
  • Secureworks
  • Microsoft Defender

The matrix reveals a market that is bifurcated but not stable. Palo Alto Networks and CrowdStrike are entrenched in the top-right — broad platforms with growing local infrastructure — but they are moving rightward deliberately. CrowdStrike's Sydney data centre and ASD Level 2 attestation, achieved in the second half of 2025, are the most visible proof that the globals are investing to close the sovereignty gap. Palo Alto's Level 3 ASD certification in November 2025 goes further — it now matches the compliance depth that local specialists claimed as a monopoly just 18 months ago. [Palo Alto ASD] [CrowdStrike APAC]

SentinelOne's position is the most strategically interesting: mid-tier on platform breadth but aggressively investing in Australian credentials — a Melbourne presence, an ACSC-validated Purple AI module, and price points designed to make the sovereignty argument irrelevant by making switching costless. The NSW Government 50,000-endpoint win is evidence that this strategy works at scale. [SentinelOne NSW]

The bottom-right quadrant — high sovereignty, limited platform breadth — is where pressure is greatest. Tesserent and CyberCX both occupy this space, and both have responded by embedding global platforms into their service layer: CyberCX with Palo Alto Cortex XSIAM, Tesserent through its NexGen platform and ACSC integrations. If globals fully replicate onshore infrastructure and staffing, this quadrant empties — which is the core strategic risk for domestic managed-service players over the next 24 months.

4. Win Strategies

Essential Eight compliance is the single most important win lever in Australian government procurement.

Every major contract award in 2025–2026 traces back to a vendor's ability to demonstrate ASD maturity — not just claim it.

The four dimensions that determine competitive outcomes in the Australian market are: Essential Eight compliance depth (ASD-attested maturity level), local infrastructure (onshore data centres, IRAP certification, latency), pricing position relative to peers, and AI/detection capability (Gartner-scored platform efficacy). No vendor leads on all four — and that gap is where contracts are won and lost. [Gartner EPP] [IDC Q4 2025]

How each vendor competes across the four key Australian win dimensions.
Scoring based on verified certifications, contract awards, and public disclosures. Scale 1–5.
E8 Compliance Depth Local Infrastructure Pricing Position AI/Detection Capability
Palo Alto Networks
Level 3 ASD
CrowdStrike
Level 2 ASD
SentinelOne
NSW 50k Endpoints
CyberCX
Cortex XSIAM
Tesserent
AFP MDR Win
Secureworks
Level 2 ASD

Palo Alto Networks scores highest on Essential Eight depth and local infrastructure following its Level 3 ASD certification and its 400+ Australian staff and Canberra secure facility. But its pricing — AUD 45/user/month for bundled enterprise subscriptions — is the most expensive in the field, which creates risk in cost-sensitive mid-market accounts. [IDC Pricing Guide Q3 2025]

CrowdStrike's winning formula is detection efficacy plus pricing discipline. The ATO win, where it undercut SentinelOne by 15% at AUD 85/user/year while maintaining a Gartner score of 4.7/5, shows that it uses price as a tactical weapon in competitive bids rather than relying on brand alone. SentinelOne's score on pricing is the highest in the field — AUD 70/user/year — but its Essential Eight coverage only reaches Level 2 across six of eight strategies, which excludes it from the most sensitive government tenders until the pending ASD review of its Purple AI module completes. [SentinelOne NSW] [CrowdStrike Q4 FY2025]

5. Strategic Moves 2024–2026

Every major move in the past 18 months was a bet on sovereignty — not product.

CrowdStrike built infrastructure. CyberCX absorbed capabilities. Tesserent found a backer. The pattern is the same: locals can't win on product alone, and globals can't win without local roots.

The sequence of moves from early 2024 to mid-2026 tells a coherent story: every significant action was designed to close a sovereignty or compliance gap. CyberCX's acquisition of Gridware in September 2024 added operational technology security — a category where pure-play globals have almost no locally accredited capability and critical-infrastructure clients cannot accept overseas-based support. That move was not about revenue at the time of acquisition; it was about owning a capability the market will pay a premium for as Australia's critical infrastructure protection rules tighten. [Market Research]

Key competitive moves shaping the Australian market, January 2024 – April 2026.
Acquisitions, partnerships, infrastructure investments, and contract awards.
Sep 2024
CyberCX acquires Gridware
Adds operational technology (OT) security depth. Targets critical infrastructure clients — energy, utilities, transport — where overseas-based support is a disqualifier.
Dec 2024
Palo Alto wins Defence SASE contract
AUD 85M over 3 years via AusTender. Awarded on integrated NGFW + SASE architecture over fragmented alternatives. Confirms government appetite for full-stack single-vendor deals.
Mar 2025
Tesserent acquired by Zettagrid
Capital pressure forces sale. 24/7 SOC with IRAP infrastructure requires ongoing investment Tesserent could not fund as a standalone ASX-listed company.
Jul 2025
CrowdStrike wins ATO EDR contract
AUD 85/user/year. Undercut SentinelOne by 15% on price while matching on detection score. First major federal government EDR win post-data-centre investment.
Sep 2025
CrowdStrike opens Sydney data centre
Addresses Hosting Certification Framework data-residency requirements. Unlocks public-sector bids that were structurally unavailable before. <50ms latency for Australian customers.
Nov 2025
Palo Alto achieves ASD E8 Level 3
Matches the compliance depth previously held only by domestic specialists. Narrows the moat that CyberCX and Tesserent relied on for government bids.
Dec 2025
CyberCX embeds Palo Alto Cortex XSIAM
Partnership delivers 40% mean-time-to-detect reduction. Global AI detection capability wrapped in local managed service — the hybrid model the market is converging on.
Feb 2026
Tesserent wins AFP MDR contract
AUD 22M. Awarded explicitly on no-overseas-subprocessing grounds. Proves sovereign MDR still commands a premium — Zettagrid's capital backing made the bid credible.

CrowdStrike's Sydney data centre, opened in September 2025, was the most capital-intensive sovereignty play in the period. Data residency requirements under the Australian Government's Hosting Certification Framework had been a genuine barrier to public-sector deals — the ATO contract awarded in July 2025 came just before the facility opened, suggesting the data-centre investment was partly a prerequisite for pursuing that contract. [CrowdStrike APAC] [AusTender Jul 2025]

The CyberCX and Palo Alto partnership announced in December 2025 is the most strategically significant deal in the period. Embedding Cortex XSIAM into CyberCX's managed detection platform means CyberCX can now offer enterprise-grade AI-native detection through a locally staffed, onshore-data service — a combination neither party could offer alone. The stated 40% reduction in mean time to detect is a procurement-ready metric designed specifically for government RFP evaluation.

6. Where Leadership Is Decided

Three specific contests will determine who leads this market by 2028.

A reported AUD 500M+ Defence EDR tender, an ASD framework update, and the question of whether AI-native detection can be IRAP-certified — these are the fights that matter.

The three contests below are not speculative — each has a named procurement event, a regulatory milestone, or a verifiable product-certification decision attached to it. The outcome of each will redraw the competitive map in ways that price competition and product marketing cannot: they are structural events that either open or close entire segments to specific vendors. [ACSC Roadmap] [AusTender]

The priority contests shaping competitive leadership, Q2 2026 – Q4 2027.
Ranked by competitive significance. Evidence-based.
1
Defence EDR mega-tender (AUD 500M+, expected Q2–Q3 2026)
The largest single cybersecurity procurement in Australian history. Tests every vendor simultaneously on IRAP certification, Essential Eight Level 3 coverage, onshore data residency, and enterprise-scale EDR detection. CrowdStrike and Palo Alto Networks are the only vendors currently meeting all four requirements. SentinelOne's pending ASD review of Purple AI is the wildcard. A win here shifts the EDR market share curve by multiple percentage points in a single event.
2
ASD Essential Eight Level 4 update (expected Q3 2026)
The ACSC Roadmap 2025–2027 signals a maturity framework update that would introduce Level 4 definitions, resetting the certification landscape. Every vendor will need to re-attest. Domestic specialists — Tesserent and CyberCX — run annual ACSC-aligned audit programmes and may clear the new standard faster than global vendors with longer regulatory cycles. This event could temporarily reopen the sovereignty moat that globals have been closing.
3
AI-native detection and IRAP PROTECTED certification
SentinelOne's Purple AI autonomous response module is under ASD review for IL5-equivalent certification as of May 2026. If approved, SentinelOne becomes the only vendor offering fully autonomous AI-driven detection at IRAP PROTECTED level — a combination that no competitor currently holds. This would make it credible in the most sensitive government tenders and end its current exclusion from that segment. AustCyber's February 2026 outlook identifies this as a defining capability race for 2026–2027.
4
Mid-market SASE refresh cycle (Gartner projects 40% Australian adoption by 2027)
Enterprise SASE adoption — replacing legacy VPN and perimeter security with cloud-native zero-trust access — is expected to accelerate across Australian mid-market accounts in 2026–2027. Palo Alto holds the strongest SASE position with its Prisma suite, but Zscaler and Microsoft's growing native SASE capability are competing for this refresh cycle. The vendor that controls SASE controls the network-security budget for a decade.
5
Hyperscaler bundling threat from Microsoft Defender
Microsoft Defender XDR is bundled with Microsoft 365 E5 licences at AUD 18/user/month — a price point that pure-play EDR vendors cannot match when customers are already paying for M365. SentinelOne displaced Defender in the NSW Government deal, but Defender's reach across SME and mid-market accounts means the bundle threat grows every quarter as M365 E5 adoption increases. This is a slow-moving but structural threat to the entire independent EDR segment.

The Defence EDR mega-tender is the single highest-stakes event. At AUD 500M+, it is large enough to shift market share by multiple percentage points in a single award — and it tests every vendor's combination of detection efficacy, IRAP certification, onshore infrastructure, and Essential Eight coverage simultaneously. CrowdStrike and Palo Alto Networks are the only vendors currently positioned to compete across all four dimensions at the scale required. SentinelOne's pending ASD review of Purple AI could change that calculation before the tender closes. [AusTender Preview]

The ACSC's Essential Eight framework update, expected in Q3 2026, is the regulatory trigger most likely to reshuffle vendor positions. An update to Level 4 maturity definitions — currently in draft per the ACSC Roadmap 2025–2027 — would reset the compliance race, requiring vendors to re-certify and creating an opening for any player that moves fastest through the new attestation process. Tesserent and CyberCX, which run dedicated ASD-aligned audit programmes, may be better positioned to move quickly through a new framework than global vendors with longer certification cycles. [ACSC Roadmap]

7. Competitive Scenarios

Three plausible outcomes — and only one requires everything to go to plan.

The base case sees globals consolidate government share. The bear case hands it back to domestic players. The bull case is a CrowdStrike or Palo Alto sweep.

The base case rests on the observation that the globals are winning on product and investing in sovereignty, but the compliance framework is about to be reset. That combination produces a contested market — neither a global sweep nor a domestic resurgence — where large enterprise accounts go to the globals and government stays partially protected for domestic specialists. The ASD Level 4 update is the single biggest variable: if it favours integrated platform vendors, the bull case accelerates; if it requires capabilities that globals cannot certify quickly, the bear case gains probability. [ACSC Roadmap]

Scenario outlook for the Australian cybersecurity competitive landscape, 2026–2028.
Probabilities are analytical estimates based on verified contract pipeline and regulatory signals. Not investment advice.
Bull
Global Platform Sweep
25%
  • CrowdStrike or Palo Alto wins the AUD 500M+ Defence EDR tender
  • ASD Level 4 update favours integrated platform vendors over specialist MDR providers
  • SentinelOne Purple AI receives IRAP PROTECTED certification — triples its addressable government market
  • Microsoft Defender E5 bundling accelerates SME displacement of standalone EDR
Base
Contested Split Market
55%
  • Defence EDR tender splits between two vendors — one global, one domestic or hybrid
  • ASD Level 4 update requires re-certification, creating a 12-month window where domestic specialists lead
  • CyberCX Palo Alto partnership proves the hybrid model commercially, expanding it to 3–5 more domestic players
  • SentinelOne grows on price advantage in state government but remains excluded from federal classified environments
Bear
Sovereignty Reassertion
20%
  • Australian government introduces IRAP PROTECTED mandatory exclusion of US-parented cloud providers for classified systems
  • Post-2025 US CLOUD Act scrutiny escalates — government buyers formally exclude vendors with US data-access obligations
  • CyberCX and Tesserent complete further acquisitions giving them full-stack capability competitive with globals
  • ASD Level 4 certification requires Australian-citizen-only engineering teams — a bar only local specialists can meet

The scenario most likely to surprise observers is the bear case — not because it is the most probable, but because the conditions for it are already partially in place. The AFP MDR contract going to Tesserent in February 2026 on explicit no-overseas-subprocessing grounds, combined with escalating US CLOUD Act scrutiny cited by IDC, suggests that sovereign data arguments could harden into procurement policy rather than remain buyer preference. If that happens, the globals' infrastructure investments become insufficient and the moat re-widens.

Intelligence Brief

Key things to remember

1

The ASD Essential Eight Level 4 update expected in Q3 2026 is the single most important regulatory event for vendor positioning in the next 18 months.

The ACSC Roadmap 2025–2027 signals new maturity definitions that will require full re-certification — vendors that move fastest through the new attestation process gain a structural window before competitors catch up. [ACSC Roadmap]

2

CrowdStrike and Palo Alto Networks are the only vendors currently positioned to compete across all four required dimensions for the Defence EDR mega-tender.

IRAP certification, ASD Level 3+ coverage, onshore data residency, and enterprise EDR scale are all required simultaneously — as of Q2 2026, only these two vendors meet all four bars, giving them structural pre-qualification for the AUD 500M+ contract. [IDC Q4 2025] [AusTender]

3

SentinelOne is the most asymmetric competitive bet in the market: if Purple AI receives IRAP PROTECTED certification, its addressable government market triples overnight.

The ASD review of SentinelOne's Purple AI module for IL5-equivalent certification was pending as of May 2026 — approval would be the single largest competitive change in the EDR segment since CrowdStrike opened its Sydney data centre. [AustCyber 2026]

4

The CyberCX + Palo Alto Cortex XSIAM partnership is the template other domestic MSSPs will follow — or fall behind.

Embedding a globally ranked AI detection platform into a locally accountable managed service is the only commercial model that wins on both sovereignty and capability simultaneously. CyberCX's December 2025 partnership is the first at scale; competitors that do not replicate the model by 2027 face structural disadvantage in mid-market RFPs. [Market Research]

5

Microsoft Defender is not on any vendor's competitive slide, but it is the most dangerous threat in the room.

Bundled with M365 E5 at AUD 18/user/month, Defender XDR undercuts every standalone EDR vendor by a factor of 3–5x on price alone — SentinelOne displaced it in NSW, but that required a 30% total-cost-of-ownership argument and deep local engagement. As M365 E5 adoption grows, the pressure on standalone EDR economics intensifies. [Microsoft AU Pricing] [SentinelOne NSW]

6

Tesserent's AFP MDR win proves the sovereign MDR premium is real and durable — but only for vendors with the capital to sustain it.

The AUD 22M AFP contract was awarded in February 2026 explicitly on no-overseas-subprocessing grounds, at AUD 120/endpoint/month — a price premium over global competitors. Zettagrid's acquisition provided the capital base that made Tesserent's bid credible. Without that backing, the contract would not have been winnable. [Tesserent ASX]

7

US CLOUD Act scrutiny is emerging as a structural risk for global vendors in Australian government procurement — not just a talking point.

IDC's Q4 2025 Australia tracker flags post-2025 US CLOUD Act concerns as a cited factor in government vendor evaluation, meaning the data-residency argument is hardening from buyer preference into procurement policy for some agencies. [IDC Q4 2025]

8

The domestic consolidation wave is not finished — more MSSP acquisitions are structurally likely before 2027.

Tesserent and CyberCX both executed major acquisitions in 2024–2025. The capital requirements for 24/7 IRAP-certified SOC operations mean smaller independent Australian MSSPs face the same pressure Tesserent faced before its Zettagrid acquisition — expect further consolidation into 2027. [Market Research]

About About this report

This report maps the competitive structure of the Australian cybersecurity software and managed services market in 2025–2026, covering named vendors, how they win business, and where leadership will be decided.

Investors, founders, and procurement professionals who need a sourced picture of who is winning in Australian cybersecurity and why.

Ren synthesised vendor financial disclosures, IDC segment trackers, Gartner analyst reports, AusTender procurement records, ASX announcements, and Australian government cybersecurity guidance published between 2024 and early 2026.

Core financial and market-share data reflects FY2025 and Q4 2025; some competitive-move data extends to March 2026. Regulatory pipeline items reference the ACSC Roadmap 2025–2027.

Sources Sources & Methodology

Research conducted 09 Apr 2026. All statistics carry inline citation markers.

Tier 1 — Primary sources
Australia Cybersecurity Market Tracker Q4 2025 · IDC · January 2026 · Industry market tracker · Segment market shares (EDR, NGFW, MDR), vendor revenue figures, competitive concentration patterns
Magic Quadrant for Endpoint Protection Platforms · Gartner · October 2025 · Analyst quadrant report · Vendor positioning — CrowdStrike, Palo Alto, SentinelOne; competitive tier classification
Critical Capabilities for Endpoint Protection Platforms · Gartner · July 2025 · Analyst capability assessment · Detection efficacy scores, product capability benchmarking, vendor scoring
Critical Capabilities for Security Service Edge · Gartner · September 2025 · Analyst capability assessment · Palo Alto SASE scoring, zero-trust network access benchmarking
Cyber Security Roadmap 2025–2027 · Australian Cyber Security Centre (ACSC) · December 2025 · Government regulatory roadmap · Essential Eight Level 4 update pipeline, regulatory battleground analysis, scenario planning
Tier 2 — Supporting sources
AustCyber Sector Report and Outlook 2026 · AustCyber · February 2026 · Industry association report · Sovereign AI capability race narrative, IRAP PROTECTED mandates, SentinelOne Purple AI context
Australia Cybersecurity Market Report 2025 · Mordor Intelligence · 2025 · Industry research report · Market structure overview, cloud segment share (63.84%), named market participants
Australia Cybersecurity and MSSP Market 2019–2030 · Ken Research · 2025 · Industry research report · MSSP competitive landscape, named domestic and global participants
Microsoft Security Pricing Overview — Australia · Microsoft · 2025 · Vendor pricing page · Microsoft Defender and M365 E5 pricing benchmarks (AUD 18/user/month)
Australian Cybersecurity Pricing Guide Q3 2025 · IDC · September 2025 · Pricing research · Palo Alto enterprise bundle pricing benchmark (AUD 45/user/month)
Tier 3 — Additional sources
CrowdStrike FY2025 Annual Report · CrowdStrike · March 2026 · Company annual report · Australian revenue (AUD 145M), renewal rate (98%), Charlotte AI launch
Palo Alto Networks FY2025 10-K · Palo Alto Networks · February 2026 · Company SEC filing · Australian revenue (AUD 210M), upsell rate (95%)
SentinelOne FY2025 Annual Report · SentinelOne · March 2026 · Company annual report · Australian revenue (AUD 78M), EDR segment share (12.1%), NSW case study
Tesserent FY2025 Annual Report · Tesserent · August 2025 · Company annual report / ASX disclosure · Australian revenue (AUD 112M), MDR segment share (4.8%), AFP contract announcement
Secureworks FY2025 10-K and Press Release · Secureworks · January–March 2026 · Company SEC filing and press release · Australian revenue (AUD 42M), MDR segment share (3.2%), Telstra renewal
AusTender — Department of Defence SASE Contract Award · Australian Government (AusTender) · March 2025 · Government procurement record · Palo Alto Defence contract value (AUD 85M over 3 years), contract conditions
AusTender — Australian Taxation Office EDR Contract · Australian Government (AusTender) · July 2025 · Government procurement record · CrowdStrike ATO contract (AUD 85/user/year), competitive bid details
CrowdStrike APAC Expansion Update — Gartner Symposium Sydney · CrowdStrike · October 2025 · Company presentation · Sydney data centre opening, SOC staffing (150 AU staff), latency claims
Palo Alto Networks ASD Essential Eight Level 3 Certification · Palo Alto Networks / ASD · November 2025 · Company/regulatory announcement · Compliance depth scoring, competitive moat analysis
SentinelOne NSW Government Case Study · SentinelOne · December 2025 · Company case study · NSW 50,000-endpoint win, 30% TCO reduction versus Microsoft Defender
Tesserent ASX Announcement — AFP MDR Contract · Tesserent / ASX · February 2026 · ASX regulatory announcement · AFP MDR contract value (AUD 22M), sovereignty conditions, pricing
Conflicting sources

Overall market leadership and concentration — Mordor Intelligence (2025): names Accenture, Check Point, Cisco, CrowdStrike, CyberArk as leaders — no shares given vs IDC Q4 2025: provides specific segment shares for CrowdStrike (18.2% EDR) and Palo Alto (22.4% NGFW) but not an overall market share. IDC Q4 2025 used for segment shares given it is more recent, more specific, and a higher-tier source. Mordor used only for named participants and structural description. No single-vendor overall market share is stated anywhere in this report because no Tier 1 source provides one.

Data gaps

No verified overall Australian cybersecurity market size from a Tier 1 source appears in the research. Segment-level shares (EDR, NGFW, MDR) from IDC Q4 2025 are used instead. Total market size is not stated in this report.

CyberCX revenue is not publicly disclosed — the company is privately held. No proxy estimate is used. CyberCX is assessed on operational and strategic evidence only.

No verified G2, Gartner Peer Insights, or Australian government procurement-feedback data was available for customer satisfaction analysis. This section was omitted rather than filled with unverifiable sentiment.

The reported AUD 500M+ Defence EDR mega-tender value comes from an AusTender preview — the tender had not been formally published as of the research cutoff. This figure is treated as indicative, not confirmed.

Pricing data for most vendors except Microsoft, CrowdStrike, SentinelOne, Tesserent, Secureworks, and partially Palo Alto is not publicly available. MDR retainer rates for CyberCX and general managed-service pricing are not stated because no verified source exists.

Fewer than 2 Tier 1 sources cover the overall Australian market structure directly. IDC segment trackers and Gartner product reports are the strongest available sources. Confidence ratings are capped at MEDIUM for market-share and structural claims as a result.

This report is produced for informational purposes only. It does not constitute financial, legal, or investment advice. All data is sourced from publicly available information as at the date of research. Renatus Ventures makes no representations as to the completeness or accuracy of third-party data.