Your CFO just became your security vendor's worst nightmare
How $100M platform deals are killing the "best-of-breed" security stack (and why your renewal cycle just got existential)
🔒 THE SECURITY STACK
Your weekly dose of what's actually happening in cybersecurity
November 27, 2025
☕ WHAT YOU NEED TO KNOW TODAY
The Big Story: CFOs just became the most powerful people in cybersecurity—and they're not here to buy more software.
After diving through Palo Alto Networks and Elastic's latest earnings calls (Nov 19 and Nov 21, respectively), one thing became crystal clear: The era of "best-of-breed" security tools is over. Welcome to the age of platformization, where having 12 different security vendors isn't a badge of honor—it's a liability your CFO is actively trying to eliminate.
The numbers that matter:
- PANW closed a $100M deal with a U.S. telecom specifically to consolidate point products
- Elastic landed two $20M+ security wins by proving their platform could replace multiple incumbents
- PANW's platformization deals more than doubled year-over-year
Translation: If you're selling (or buying) standalone security tools, you're playing last year's game.
💰 THE CFO FILTER: WHY YOUR CISO'S BOSS JUST BECAME YOUR BIGGEST COMPETITOR
Here's what changed: Security budgets aren't shrinking—they're just getting more skeptical.
When Palo Alto's CEO Nikesh Arora told analysts that "Customers are moving from managing vendor sprawl to demanding superior demonstrable security outcomes through platformization," that wasn't just corporate-speak—it was a market signal.
Source: Palo Alto Networks Q1 FY2026 Earnings Call, Nov 19, 2025
The new math:
- 3 SIEM vendors = 3 renewal cycles + 3 support contracts + endless integration headaches
- 1 platform = Single relationship + 60% faster response times + actual ROI you can show your board
Real talk: Arora revealed that "Over 60% of our deployed XSIAM customers have reduced their MTTR or median time to respond from days or weeks down to minutes." That's not a feature—that's a "why didn't we do this sooner" moment that gets CISOs promoted.
What the consolidation looks like in practice:
Arora explained the spend capture strategy: "We do capture at least what the incumbent is – the customer is spending on the incumbent. But in the process of delivering XSIAM, we're able to consolidate multiple products. So not only do we get the incumbent spend of the SIEM provider, but you have UEBA, you have other carriers."
Source: Palo Alto Networks Q1 FY2026 Earnings Call, Nov 19, 2025
What this means for you:
- If you're buying: Next time a vendor says "best-of-breed," ask them what their integration tax is
- If you're selling: Stop leading with features. Start with "here's how much money you're wasting on vendor management"
🏗️ PLATFORMIZATION ISN'T A STRATEGY ANYMORE—IT'S A MANDATE
The infrastructure reality nobody's talking about:
Arora laid out why fragmentation is now a technical liability, not just a budget problem: "This reality necessitates a paradigm shift in the industry. We must move away from today's fragmented security landscape and towards platformization. AI requires a seamless cyber data strategy… Fragmentation creates friction, which in turn causes latency. Latency is a critical enemy of real-time cybersecurity."
Source: Palo Alto Networks Q1 FY2026 Earnings Call, Nov 19, 2025
What this actually means: Your adversaries are using AI to attack at machine speed. If your security tools can't talk to each other without introducing latency, you've already lost.
The proof point: PANW closed approximately 60 platformization deals in Q1 alone—more than double the year-over-year rate. These aren't upsells. These are displacement plays where customers are actively ripping out 3-5 tools and consolidating.
🤖 AI AGENTS: THE INSIDER THREAT NOBODY SAW COMING
Plot twist: The AI revolution everyone's excited about? It's also creating the next generation of security nightmares.
The wake-up call: Arora warned analysts about a recent real-world incident: "As many of you saw last week, with one of the major AI platforms, AI hackers aren't a future threat, they're here now. This was the first reported case of an AI agent autonomously conducting a large-scale nation-state cyber attack."
Source: Palo Alto Networks Q1 FY2026 Earnings Call, Nov 19, 2025
Not "AI-assisted." Not "AI-enhanced." Fully autonomous.
Arora's prediction: "AI agents will become a problematic insider threat if not secured."
Think about it: You're giving AI agents access to customer data, financial systems, and code repositories—with minimal oversight. That's not innovation. That's an unaudited liability waiting to explode.
The market response: PANW launched Prisma AIRS 2.0 (their AI security platform) and AgentiX (AI agents for security) to address this exact problem. They're not alone in seeing this opportunity.
🏛️ WHEN THE GOVERNMENT PICKS SIDES, EVERYONE ELSE FOLLOWS
Federal validation is the new currency in cybersecurity.
Win #1: Elastic takes CISA
Elastic CEO Ashutosh Kulkarni told analysts about their breakthrough federal deal: "Actually, both of our – the 2 largest deals this quarter were both $20-plus million security wins. And what this highlights is just the level to which our security offering has evolved… And you're seeing an organization like CISA, the cybersecurity and infrastructure security agency of the United States… choosing Elastic to offer a SIEM as a service on Elastic Cloud is an unbelievable endorsement."
Source: Elastic Q2 FY2026 Earnings Call, Nov 21, 2025
Win #2: PANW displaces SASE incumbent
Arora revealed: "One example was a $33 million SASE deal with a U.S. cabinet agency securing 60,000 seats. This agency displaced a major SASE incumbent as they needed a platform to provide unified visibility across both their firewall estate and remote endpoints."
Source: Palo Alto Networks Q1 FY2026 Earnings Call, Nov 19, 2025
Why this matters: When the agency that sets cybersecurity standards for the entire federal government switches vendors, that's not just a customer win—it's a market signal.
The ripple effect:
- Financial services CISOs asking: "If it's good enough for federal agencies, why are we still using Legacy Vendor X?"
- Healthcare compliance teams: "The government just validated this meets Zero Trust requirements"
- Manufacturing buyers: "Show me why your solution is better than what federal agencies are using"
🎯 THE DETECTION GAUNTLET: PUT UP OR SHUT UP
The new sales motion: Prove it or lose it.
Kulkarni explained how Elastic won one of their largest deals: "These increasingly larger commitments are exemplified by an 8-figure new logo deal where Elastic Security was chosen by one of the largest chemical manufacturers in the world. The company initiated a competitive search to replace [incumbent]… We demonstrated superior capabilities by detecting threats overlooked by all other solutions."
Source: Elastic Q2 FY2026 Earnings Call, Nov 21, 2025
Not "we have more features." Not "our UI is prettier."
They found actual threats. In production. That the incumbent was blind to.
Kulkarni's framing: "This is a consolidation onto our platform. This is us taking share."
This changes everything:
- No more selling on PowerPoints
- No more "trust us, we're better"
- Buyers are demanding proof-of-concept bake-offs to see the gap between what you promise and what you deliver
Translation: If your security product can't win a head-to-head detection challenge, you're about to get comfortable competing on price. And that's a race to zero.
📊 BY THE NUMBERS
Deal velocity signals (spoiler: budgets aren't frozen)
Elastic Q2 FY2026 (Nov 21, 2025):
- 5 deals over $10M total contract value
- 2 deals over $20M (a new quarterly record)
- Over 30 commitments valued over $1M in annual commitment value
- 1,600+ customers spending >$100K annually
- Revenue: $423M (up 16% YoY)
Palo Alto Networks Q1 FY2026 (Nov 19, 2025):
- $100M telecom consolidation deal
- $33M federal SASE displacement
- Revenue: $2.47B (up 16% YoY)
- NGS ARR: $5.85B (up 29% YoY)
- SASE ARR: $1.3B (up 34% YoY)
- ~60 platformization deals (more than doubled YoY)
The consumption shift:
- 44% of PANW's product revenue now from software (vs. 38% last year)
- Seat-based pricing is dying; usage-based models are taking over
🎮 THE THREE-MOVE CHECKMATE
If you're a security vendor, here's your 72-hour action plan:
Move 1: Audit your top 50 accounts for "fragmentation risk"
If they're using 5+ security tools, they're already in-market for consolidation—whether they realize it or not. Arora's playbook: "We're able to consolidate multiple products" into single platform deals.
Move 2: Build the "Platformization ROI Calculator"
Stop selling features. Start selling math: "Here's what you're spending across 7 vendors. Here's what it costs on our platform. Here's the $1.5M you can reinvest."
Move 3: Get AI-native or get left behind
Every product must answer: "How does this secure agentic AI?" Arora's warning was clear: "The only effective countermeasure against hacker AI will be our own AI agents, purpose-built for advanced security detection and remediation."
If you can't answer that question, you're selling last-gen architecture in a next-gen market.
🔮 THE BOTTOM LINE
The cybersecurity market is bifurcating into two camps:
Camp 1: Platforms (Palo Alto, Elastic)
- Unified data strategy ✅
- AI-native architecture ✅
- Demonstrable TCO reduction ✅
- Federal validation ✅
Camp 2: Everyone Else
- Defending on price
- Fighting integration battles
- Hoping "best-of-breed" makes a comeback
Prediction: The next 6 months will determine who survives the platformization wave. If you're in Camp 2, your renewal cycles just became existential.
💬 WATER COOLER WISDOM
"Fragmentation creates friction, which in turn causes latency. Latency is a critical enemy of real-time cybersecurity." — Nikesh Arora, Palo Alto Networks CEO (Q1 FY2026 Earnings Call, Nov 19, 2025)
Translation: If your security stack looks like a SaaS graveyard, you're already losing to attackers who move at machine speed.
SOURCES:
- Palo Alto Networks Q1 Fiscal Year 2026 Earnings Call (November 19, 2025)
- Elastic N.V. Q2 Fiscal Year 2026 Earnings Call (November 21, 2025)
Until next time, The Security Stack Team
P.S. — If your security vendor can't explain how they're handling agentic AI threats, it might be time for that awkward renewal conversation.
BriefBites is an independent newsletter analyzing cybersecurity market trends based on publicly available earnings calls and financial disclosures. Not investment advice. Do your own research.