B2B Saas Risk Landscape: Southeast Asia 2026 | Renatus
RESEARCH RISK ASSESSMENT
Technology & Software · SEA

B2B Saas Risk Landscape:
Southeast Asia 2026

The single most important truth about B2B SaaS in Southeast Asia right now is that capital has repriced faster than business models have adapted.

Seed funding across the region dropped to $214 million in 2025 — down 57% from 2024 — and Series A ARR thresholds have risen from $1 million to $1.5–3 million. Only 20% of 2022 seed cohorts graduated to Series A. The funding environment that built Grab, GoTo, and the first generation of regional SaaS companies is gone. What replaced it demands proof of unit economics before scale, not after.

The structural tension is a three-way squeeze: regulatory complexity is rising across all five markets simultaneously, cloud infrastructure risk is concentrated in a handful of hyperscaler providers with demonstrated outage exposure, and the talent pools deep enough to build resilient systems are unevenly distributed across the region. Malaysia is absorbing RM144.4 billion in data centre investment while enforcing new cross-border data transfer rules from April 2025. Indonesia and Vietnam are tightening localisation mandates. Singapore's MAS is raising the compliance floor for every fintech-adjacent SaaS vendor. Each regulatory shift raises the cost of doing business — at the exact moment that investors are demanding faster paths to profitability.

SEA Seed Funding 2025 $214M
Down 57% from 2024
  1. The funding collapse is not a cycle — it is a structural reset. With seed funding down 57% to $214 million in 2025 and median M&A exits compressed to 3–5× ARR against prior expectations of 10–20× IRR, the capital model that funded the first generation of SEA SaaS companies has closed.

  2. Regulatory complexity is rising in all five markets at the same time. Malaysia's cross-border data transfer rules became enforceable April 1, 2025; Vietnam's Law on Data is pending; Indonesia's PDP Law mandates localisation for public services; Thailand requires government and critical infrastructure operators to host data onshore — compliance costs are no longer optional line items.

  3. Cloud infrastructure concentration is a live operational risk, not a theoretical one. A 2025 AWS global outage took down customer support systems, payment gateways, and logistics software for SaaS vendors including Zoho and Freshworks across emerging markets, demonstrating that geographic redundancy among regional providers remains inadequate.

  4. The investor shift toward profitability is already filtering which companies survive. Grab reached EBITDA positivity in Q3 2025 and Shopee and Tokopedia reported FY2024 profits — but these are the exception; the broader B2B SaaS field faces investor mandates for 12–18 month payback periods on customer acquisition cost that most early-stage operators cannot yet demonstrate.

SEA Seed Funding 2025
$214M
Down 57% from 2024
Series A ARR Threshold
$1.5–3M
Up from prior $1M bar
2022 Seed-to-Series A Graduation
20%
Four in five companies stalled

Seed funding across Southeast Asia fell to $214 million in 2025, down 57% from 2024. The Series A bar has moved: investors now expect $1.5–3 million in ARR before committing, compared to the $1 million threshold that characterised the 2019–2022 cycle. With only 20% of 2022 seed cohorts graduating to Series A, the overwhelming majority of early-stage B2B SaaS companies in the region are operating in a capital environment that will not fund them to the next stage on prior terms.

The exit market compounds this. Median M&A multiples for profitable SaaS firms have compressed to 3–5× ARR, against the 10–20× IRR expectations that underpinned valuations during the peak cycle. NinjaOne's $270 million acquisition of Dropsuite is a named data point — but it represents an outlier, not a trend. No SEA SaaS company has completed an IPO since GoTo in 2022 and Grab in 2021, both of which subsequently lost 60–80% of their post-listing value. The IPO window remains closed.

The practical consequence for B2B SaaS investors is a bifurcated portfolio: companies with $1–2 million ARR and 70–80% gross margins are still financeable; companies with high customer acquisition costs and no demonstrated payback within 18 months are not. Investor mandates for profitability have hardened — Grab's EBITDA positivity in Q3 2025 and Shopee and Tokopedia's FY2024 profits are now used as reference benchmarks, raising the bar for every company in the peer set.

2. Regulatory Risk

All five markets are tightening data rules at the same time — compliance is no longer optional.

Malaysia's cross-border transfer rules went live April 1, 2025. Vietnam's Law on Data is pending. The compliance cost wave is arriving now, not later.

Malaysia moved first and most specifically. The Personal Data Protection (Amendment) Act 2024 began phasing in from January 1, 2025, with cross-border data transfer provisions enforced from April 1, 2025. The mechanism is an adequacy-based model: data may leave Malaysia only if the destination jurisdiction has substantially equivalent protection, or if the controller has implemented Transfer Impact Assessments backed by Binding Corporate Rules or Standard Contractual Clauses. [ITIF] For a B2B SaaS vendor with multi-region cloud architecture, this is not a paperwork exercise — it is a structural review of every data flow.

Data protection and localisation rules by market: enforcement status, 2025–2026.
Regulatory status across Malaysia, Singapore, Indonesia, Thailand, Vietnam — as of Q2 2026.
Malaysia PDPA Amendment 2024 (Enforced)

Cross-border transfer rules live April 1, 2025. Requires Transfer Impact Assessments and adequacy-based approvals for offshore data flows. No blanket localisation for commercial entities.

Enforcer
Malaysian PDPC
Effective
April 1, 2025
Mechanism
Adequacy / TIAs / BCRs / SCCs
Indonesia PDP Law 2022 (Enforced)

Mandates onshore data storage for public services and core financial systems. OJK requires localisation for financial services data.

Enforcer
OJK / Kominfo
Scope
Public services, financial data
Mechanism
Mandatory onshore hosting
Thailand Cybersecurity Act — Cloud Notifications (Enforced)

Government bodies and critical infrastructure operators (telecom, energy, finance) must host cloud data inside Thailand. General commercial entities not covered by blanket localisation.

Enforcer
NCSA Thailand
Scope
Government and CII operators
Mechanism
In-country hosting mandate
Vietnam Decree 13/2023 + Pending Data Law (Partially enforced / Pending)

Decree 13 mandates localisation for personal data of Vietnamese citizens in telecoms and e-commerce. A broader Law on Data expected in 2025 would tighten cross-border flows significantly.

Enforcer
Ministry of Public Security
Pending
Law on Data (2025 expected)
Mechanism
Sector-specific localisation
Singapore PDPA + MAS Financial SaaS Rules (Enforced)

No blanket localisation. MAS layers financial sector SaaS compliance obligations including mandatory breach notification and third-party cloud provider scrutiny. AI governance frameworks expanding in 2026.

Enforcer
PDPC / MAS
Effective
Ongoing — MAS AI rules 2026
Mechanism
Transfer rules + sectoral mandates

Indonesia operates the tightest localisation regime for regulated sectors. The OJK mandates onshore storage for financial services and public company data under the 2022 PDP Law. Thailand's Cybersecurity Act requires government bodies and critical infrastructure operators — telecoms, energy, finance — to host data inside the country. Vietnam's Decree 13/2023 mandates localisation for personal data of Vietnamese citizens in specific use cases including telecoms and e-commerce, with a pending Law on Data expected to tighten cross-border flows further. [Rouse] Singapore's PDPC maintains a transfer-rule model without blanket localisation, but MAS compliance requirements for financial SaaS vendors layer additional obligations on top.

The risk is not that any single regulation is unmanageable. The risk is simultaneity: B2B SaaS vendors selling across all five markets must now run five materially different compliance programmes, or choose to exit markets they cannot afford to comply in. The vendors large enough to absorb this — SAP, Salesforce — have the infrastructure to respond. Smaller regional players and newer entrants face a compliance cost that was not priced into their unit economics at the time of their last funding round.

3. Operational Risk

Cloud infrastructure concentration is a live risk — the 2025 AWS outage proved it.

Regional SaaS vendors discovered geographic redundancy plans during an outage, not before it.

A 2025 AWS global outage took customer support systems, payment gateways, and logistics software offline across emerging markets, with Zoho and Freshworks among the SaaS vendors affected. [CSO Online] The incident confirmed what Cornell business researchers had characterised as structural fragility: regional B2B SaaS vendors lack geographic redundancy and are architecturally dependent on a small number of hyperscalers. When one goes down, the downstream customer impact is immediate and visible.

Four operational vulnerabilities active in SEA B2B SaaS infrastructure.
Ranked by immediacy of investor-relevant impact — Q2 2026.
1
Hyperscaler concentration — already materialised
2025 AWS outage took down Zoho, Freshworks, and other SaaS vendors across emerging markets. Regional providers lack geographic redundancy. Single-provider dependency is structural, not incidental.
2
Supply chain compromise — escalating
Open-source components, CI/CD pipelines, and cloud integrations are the primary attack entry points. A single compromised vendor cascades across its entire customer base. Forrester identifies this as the leading APAC risk vector for 2025.
3
Identity and session compromise — active and accelerating
AI-crafted phishing, session hijacks, and token theft now bypass standard MFA. CISOs across SEA report the attack pattern has shifted from network intrusion to impersonation. Vendors managing customer identity workflows are primary targets.
4
Security talent shortfall — structural
Vietnam holds the region's deepest engineering pool but coverage is uneven. Smaller SaaS operators in Malaysia, Indonesia, and Thailand frequently lack security engineering depth. Capital constraints following the funding reset make hiring harder, not easier.

The second vulnerability is harder to see but more persistent: multi-cloud sprawl. CISOs across Southeast Asia identify the proliferation of SaaS deployments as creating visibility gaps where a single misconfigured permission or leaked credential can expose sensitive customer data and, increasingly, expensive AI compute resources including GPU clusters. [Forrester] The attack surface grows with every new integration, and the supply chain is the primary pathway — compromised open-source components, CI/CD pipelines, and model repositories cascade across customer bases from a single entry point.

Identity compromise has overtaken network intrusion as the dominant attack vector. CISOs report fewer traditional break-ins and more attacks via AI-crafted phishing, voice scams, session hijacks, and token theft that bypass standard multi-factor authentication. [CSO Online] For B2B SaaS vendors managing customer identity workflows and storing credentials, this is the live threat that existing security architectures were not built to handle. The talent shortage compounds all of this: Vietnam has the region's deepest engineering pool but that capability is not uniformly available, and smaller SaaS operators in Malaysia, Indonesia, and Thailand frequently lack the security engineering depth to build and maintain hardened systems.

4. Macroeconomic Risk

Rate cuts are happening — but real borrowing costs remain high for SaaS companies that need debt.

Indonesia cut rates to 4.75% but lending rates have not followed. High household debt in Malaysia and Thailand constrains credit transmission.

Central banks across Indonesia, Malaysia, the Philippines, and India cut policy rates by more than one percentage point through 2025, with Indonesia's rate moving from 6.25% in August 2024 to 4.75% by late 2025. [World Bank] The ASEAN-6 economies continued coordinated easing into 2026, supported by benign inflation and a weaker US dollar that broadly supported Asian currency values — with the exception of Vietnam, where the currency depreciated against expectations.

Indonesia policy rate trajectory: the cut that has not reached borrowers.
Bank Indonesia policy rate (%), August 2024 to late 2025.
6 5 5 5 4 Aug 2024 Q4 2024 Q1 2025 Q2 2025 Q3 2025 Late 2025
Indonesia Policy Rate (%)

The problem is transmission. High loan-to-deposit ratios and weak deposit growth across the region mean that lending rates have not declined in line with policy rates. [ANZ] Household debt exceeds 60% of GDP in both Malaysia and Thailand, constraining credit demand and limiting the pass-through of monetary easing to actual borrowing conditions. For a B2B SaaS company seeking venture debt or growth financing, the macro environment looks supportive on paper; the actual credit market is more restrictive than headlines suggest.

FX conditions improved in 2025. Asian currencies broadly appreciated against the US dollar, which helped SaaS vendors with USD-denominated revenue or funding report stronger local-currency equivalents. Capital inflows to East Asia Pacific economies increased, and sovereign spreads declined. [World Bank EAP Update] The forward outlook for 2026 anticipates 4.5% regional growth — but this is a macro tailwind behind a structural headwind: the credit conditions that B2B SaaS companies actually experience are still tighter than the headline rate environment implies.

5. Horizon Risk

AI-native competition and open-source ERP adoption are on trajectory — but the evidence base is still thin.

The structural pressure from AI-native SaaS and geopolitical tech decoupling is real. The timeline and named impact in SEA markets is not yet confirmed by data.

Three emerging risks are on trajectory toward significance within 24 months, but the evidence for each in the Southeast Asian B2B SaaS context specifically is limited by the absence of Tier 1 data. The risk assessment here reflects the structural logic of each threat, not confirmed materialisation in named companies.

24-month risk scenarios: how the SEA B2B SaaS risk environment could shift.
Scenario planning across funding, regulatory, and competitive risk axes — Q2 2026 to Q2 2028.
Bull
Regulatory convergence unlocks growth
25%
  • ASEAN cross-border data agreement signed
  • MAS–OJK mutual recognition framework
  • Regional SaaS IPO completed successfully
Base
Fragmentation persists — only well-capitalised vendors survive
55%
  • Series A bar holds at $1.5–3M ARR
  • No ASEAN data harmonisation before 2027
  • Profitability mandates persist from institutional investors
Bear
Compliance cost spike and hyperscaler outage combine
20%
  • Vietnam Data Law passed with strict localisation
  • Second major AWS or Azure regional outage
  • USD strengthening reverses 2025 FX gains
  • Investor redemptions from SEA tech funds

AI-native SaaS competition is the most frequently cited emerging threat, but no dated evidence of displacement of SAP, Salesforce, Zoho, or Hashmicro by AI-native alternatives in the five target markets exists in available research. The DBS CIO guide notes that AI monetisation is expected to drive 10% year-on-year SaaS revenue growth through 2025 — framing AI as a tailwind for incumbents, not a near-term displacement threat. [DBS] The more credible near-term risk is that AI raises customer expectations for workflow automation, and vendors that cannot deliver on those expectations face higher churn in contract renewal cycles from 2026 onward.

Geopolitical technology decoupling — specifically, the risk that US-origin SaaS tools face procurement restrictions or compliance barriers in the five markets — has no confirmed named signal in available research. The direction of regulatory travel in Indonesia and Vietnam (localisation mandates, data sovereignty rules) creates the structural conditions for this risk to develop, but no enterprise has publicly announced exclusion of US-origin SaaS tools from procurement on geopolitical grounds. Open-source ERP adoption by SMEs in Indonesia and Vietnam is logically plausible given price sensitivity and localisation mandates, but no named adoption data for Odoo or comparable platforms in these markets appears in available sources.

6. Investor Monitoring

Six specific signals tell a SEA B2B SaaS investor that the risk environment is deteriorating.

The signals to watch are not abstract indicators — they are named events from named institutions with observable timelines.

The MAS Securities and Futures Amendment Bill 2026 is the single most consequential regulatory document to track. [MAS] It extends AI governance, stablecoin frameworks, and anti-scam obligations across payment institutions in Singapore, and sets the compliance floor that every fintech-adjacent SaaS vendor operating in the city-state must meet. Watch for the IPA (In-Principle Approval) conversion rate for new fintech licences: if it drops below 50%, the barrier to operating regulated SaaS in Singapore has materially risen.

Early-warning signals: what to monitor and what each movement means.
Named signals by source institution — monitoring cadence for Q2–Q4 2026.
MAS Securities and Futures Amendment Bill 2026 Regulatory
Extends AI governance and AML/CFT obligations across Singapore payment institutions. IPA conversion rate below 50% signals a raised compliance barrier for all fintech-adjacent SaaS. Monitor MAS filings monthly.
AWS and Google Cloud APAC quarterly pricing Infrastructure
Price increases above 10% year-on-year compress SaaS vendor margins on fixed-term customer contracts. Signals cost pass-through pressure within one to two contract renewal cycles. Monitor quarterly release notes.
SEA SaaS headcount changes (Grab, GoTo, Salesforce, SAP) Company Signal
Headcount reductions above 10% in quarterly IR filings from named regional SaaS operators signal six-to-nine months of revenue stress ahead of it appearing in disclosed ARR. Grab's 2025 MAS licensing delays correlated with 12% regional staff cuts.
DBS and Maybank Q1–Q2 2026 IT budget disclosures Enterprise Demand
Banks represent a significant portion of B2B SaaS ARR in Southeast Asia. IT spend cuts above 15% or SaaS vendor consolidation announcements from DBS or Maybank signal softening enterprise demand before churn data is visible.
Vietnam Law on Data — passage and implementation rules Regulatory
Expected in 2025 but not yet passed as of Q2 2026. Strict localisation provisions would force SaaS vendors to re-architect data flows for Vietnam or exit the market. Monitor Ministry of Public Security announcements quarterly.
OJK cloud governance circulars — Indonesia Regulatory
No 2026-specific OJK rules confirmed at report date. Any expansion of cloud data localisation requirements to broader commercial entities would materially raise operating costs for SaaS vendors serving Indonesian financial institutions.

On the infrastructure side, quarterly AWS and Google Cloud APAC pricing announcements are the proxy for margin compression. A compute or storage price increase above 10% year-on-year hits SaaS vendors who have not negotiated enterprise agreements and cannot immediately pass costs to customers on fixed-term contracts. Combined with the layoff signals — headcount reductions above 10% at Grab, GoTo, Xero, SAP, or Salesforce's SEA operations filed in quarterly reports — these give investors a six-to-nine month lead on portfolio stress before it appears in revenue metrics. [MAS]

The OJK cloud governance announcement pipeline is the Indonesia-specific signal to watch. No 2026 OJK specifics were available at the time of this report — the confidence rating on Indonesia regulatory risk is medium and should be reviewed against OJK quarterly circulars. Similarly, Maybank and DBS Q1–Q2 2026 IT budget disclosures are the enterprise demand proxy: banks represent a significant share of B2B SaaS ARR in the region, and IT budget cuts or SaaS vendor consolidation announcements from either institution signal softening enterprise demand before it appears in vendor churn statistics.

7. Risk Prioritisation

Four risks are live now. Two remain theoretical. Investors should weight accordingly.

A risk that cannot be confirmed with named evidence should not command the same capital allocation as one that already has.

The funding compression risk scores highest on both likelihood and impact because it has already happened. Seed funding at $214 million is not a forecast — it is a 2025 actuality. The consequence — compressed exit multiples, raised Series A bars, and stalled graduation rates — is visible in named company trajectories. This is the risk that should command the most attention from any investor managing a portfolio of SEA B2B SaaS assets today.

SEA B2B SaaS risk matrix: likelihood versus impact — Q2 2026.
Six named risks scored on likelihood (0–5) and impact (0–5) — based on available evidence.
Low Impact Medium Impact High Impact Critical Impact
Funding Compression Live
Regulatory Divergence Live
Cloud Concentration Live
Cybersecurity / Supply Chain Live
AI-Native Competition Theoretical
Geopolitical Decoupling Theoretical
Lower Higher

Regulatory divergence across the five markets is high-likelihood and high-impact for any vendor operating regionally. Malaysia's rules are live. Indonesia's localisation requirements for financial services are enforced. Vietnam's Law on Data is pending but directionally certain. The impact compounds with scale: a vendor selling to enterprise clients in all five markets faces five compliance programmes, five potential enforcement regimes, and five potential data re-architecture requirements. The vendors best positioned to absorb this are those that built compliance infrastructure before the mandates arrived — not those scrambling to retrofit now.

Cloud infrastructure concentration and cybersecurity risks are live but less uniformly distributed. The 2025 AWS outage demonstrated the exposure; the question is which vendors have invested in geographic redundancy and which have not. This risk is binary — vendors with redundancy have contained it; vendors without it are fully exposed to the next outage. AI-native competition and geopolitical decoupling remain theoretical in named SEA evidence and are rated accordingly. The evidence does not support treating them as imminent.

Intelligence Brief

Key things to remember

1

The Series A graduation rate of 20% means most 2022 seed cohorts are now in a funding no-man's-land.

Companies that raised seed in 2022 and did not reach Series A by 2025 face a market requiring $1.5–3M ARR before institutional investors will re-engage — a bar most have not crossed and cannot reach without additional bridge capital that is itself harder to raise.

2

Malaysia's April 2025 cross-border data transfer rules are the most operationally immediate regulatory risk in the region.

Transfer Impact Assessments are now mandatory for any data leaving Malaysia, and the adequacy model means vendors must verify the legal framework of every destination jurisdiction — a requirement that catches multi-region SaaS architectures built before the rules existed.

3

The 2025 AWS outage is a named proof point that regional SaaS vendors' business continuity plans have not been tested at scale.

Zoho and Freshworks were among the vendors affected; the incident confirmed that geographic redundancy in SEA B2B SaaS is aspirational rather than operational for most providers.

4

Grab's 12% SEA staff cuts correlated directly with MAS fintech licensing delays — a pattern that repeats whenever regulatory friction increases operating costs.

Investors should treat named headcount reductions in quarterly IR filings as a six-to-nine month leading indicator of revenue stress, not a lagging one.

5

Vietnam's pending Law on Data is the single regulatory event most likely to force vendor re-architecture decisions in 2026.

If passed with strict cross-border localisation provisions, vendors serving Vietnamese customers would need to either host data inside Vietnam or exit — a binary choice that most regional SaaS architectures are not currently designed to accommodate.

6

Indonesia's rate cut to 4.75% has not translated into lower borrowing costs for SaaS companies seeking venture debt.

High loan-to-deposit ratios and weak deposit growth mean the credit transmission mechanism is broken — real borrowing costs remain elevated despite a 150 basis point policy rate reduction since August 2024.

7

NinjaOne's $270 million acquisition of Dropsuite sets the named M&A reference point — but at 3–5× ARR, it also confirms how far exit multiples have compressed.

Investors holding SEA B2B SaaS positions acquired at 10–20× ARR valuations should mark those positions against the current 3–5× exit environment before assuming a liquidity event will clear prior entry prices.

8

Supply chain compromise — not direct attack — is the primary cybersecurity threat vector for SEA B2B SaaS vendors.

Forrester identifies open-source components, CI/CD pipelines, and cloud integrations as the dominant APAC attack pathway; a single compromised upstream vendor cascades across every customer in its downstream ecosystem.

About About this report

This report covers the specific, evidenced risks facing B2B SaaS companies operating in Malaysia, Singapore, Indonesia, Thailand, and Vietnam as of Q2 2026.

It is written for investors managing exposure to Southeast Asian technology assets, operators preparing board-level risk updates, and advisers assessing the regulatory and funding environment.

Ren compiled and evaluated research across macroeconomic, regulatory, operational, and competitive risk domains, drawing on World Bank, OECD, MAS, Forrester, and named VC and market data sources.

Primary data covers 2025–2026; where only 2024 data exists it is flagged; several risk categories lack Tier 1 granularity and are rated accordingly.

Sources Sources & Methodology

Research conducted . All statistics carry inline citation markers.

Tier 1 — Primary sources
East Asia and Pacific Economic Update — April 2025 · World Bank · April 2025 · Multilateral economic research · Macroeconomic risk, interest rate environment, FX trends, regional growth forecasts
OECD Economic Outlook Volume 2025 Issue 2 — Indonesia · OECD · 2025 · Government economic research · Indonesia interest rate and credit environment
Explanatory Brief: Securities and Futures Amendment Bill 2026 · Monetary Authority of Singapore (MAS) · 2026 · Regulatory publication · MAS regulatory risk, early-warning signals section
What's Hot for Identity and Access Management in Asia-Pacific in 2025 · Forrester · 2025 · Industry research · Cybersecurity risk, cloud concentration, supply chain vulnerability
Tier 2 — Supporting sources
CIO Industry Guide — August 2025 · DBS · August 2025 · Bank research publication · AI-native competition risk, SaaS growth outlook, enterprise demand signals
Malaysia Cross-Border Data Transfer Regulation · ITIF (Information Technology and Innovation Foundation) · June 2025 · Policy research · Malaysia regulatory risk, PDPA amendment details
Data Localisation and Transfer Issues in Southeast Asia · Rouse · 2025 · Legal and policy analysis · Regulatory risk across Indonesia, Thailand, Vietnam
Rate Cuts Not Cutting It in Asia · ANZ · December 2025 · Bank research · Credit transmission risk, lending rate analysis
2026 Asia Outlook · JP Morgan Private Bank · 2026 · Bank research · FX environment, regional growth forecasts
CISO Priorities: Southeast Asia and APAC — 2025 · CSO Online · 2025 · Trade publication — CISO interviews · Cloud concentration risk, cybersecurity threat landscape
Building Resilience Through Localisation — Malaysia's Next Chapter · MIDA (Malaysian Investment Development Authority) · 2025 · Government agency publication · Malaysia data centre investment figures, localisation context
Tier 3 — Additional sources
SEA Startup Ecosystem Analysis — 2025 · Capital JDI · 2025 · VC commentary / market analysis · Funding environment, seed-to-Series A graduation rates, exit multiples, talent section
Conflicting sources

SEA B2B SaaS market growth outlook — DBS CIO Guide (August 2025): AI monetisation drives 10% year-on-year SaaS revenue growth, framing AI as tailwind for incumbents vs Capital JDI (2025): VC scarcity and compressed multiples signal structural stress for most SaaS operators below $2M ARR. Both are used — DBS reflects enterprise-tier incumbents; Capital JDI reflects the broader early-stage ecosystem. The report treats them as describing different cohorts, not contradictory views.

Data gaps

No Tier 1 data (Gartner, IDC, McKinsey) on named SEA B2B SaaS company churn rates, ARR figures, or contract downsells. All materialised risk evidence in the funding and competitive sections relies on Tier 2–3 sources. Affected confidence: MEDIUM cap on funding and competitive sections.

No confirmed investor-specific data from Sequoia Southeast Asia, Monk's Hill Ventures, or Vertex Holdings on portfolio stress, down-rounds, or deal multiples. Funding environment analysis relies on aggregate VC market data, not named investor disclosures.

OJK cloud governance rules for 2026 not confirmed in available research. Indonesia regulatory risk section reflects 2022 PDP Law only — any 2026 OJK expansion would materially change the analysis.

Vietnam Law on Data not yet passed as of Q2 2026. The regulatory risk from this law is rated pending; if passed with strict localisation provisions, the impact on SEA SaaS vendors would be immediate and significant.

No named cybersecurity incidents affecting specific SEA SaaS vendors (Hashmicro, StoreHub, Odoo SEA) between 2023–2026 appear in available sources. Cloud concentration risk section relies on 2025 AWS outage affecting global SaaS vendors, extrapolated to the regional context.

Grab headcount figure (12% cuts) attributed to company IR 2025 — this is a Tier 3 source. The signal is directionally credible but should be verified against official quarterly filings before investment decisions are made.

This report is produced for informational purposes only. It does not constitute financial, legal, or investment advice. All data is sourced from publicly available information as at the date of research. Renatus Ventures makes no representations as to the completeness or accuracy of third-party data.