discover morgan stanley's top 2 cybersecurity stock picks poised for growth in the booming software market. learn which companies stand out for investment in cutting-edge digital security.
Posted on by Franck F.

Morgan Stanley Highlights Top 2 Cybersecurity Stocks to Invest in the Soaring Software Market

Morgan Stanley’s software team recently spotlighted two cybersecurity stocks as tactical priorities within a software market that is shifting toward platformization and defensive IT spending. The note frames cybersecurity as one of the fastest-growing scaled segments inside software, driven by expanding attack surfaces, AI-driven vectors and increased regulatory scrutiny. Investors watching software growth are therefore being steered toward identity and zero‑trust leaders that combine cloud-native architectures with AI-aware controls.

The following analysis breaks down the rationale behind those picks, a technical look at product strategies, relevant financial signals, and a practical playbook for portfolio positioning. Each section examines a specific angle — market sizing, Okta’s identity stack, Zscaler’s platform and acquisition strategy, macro tailwinds and risks, and concrete portfolio construction tactics — with a recurring case study of a mid-sized industrial firm, Atlas Manufacturing, to anchor real-world implications.

Morgan Stanley Cybersecurity Picks: Why Okta and Zscaler Lead Software Growth

The Morgan Stanley research team framed cybersecurity as a roughly $270 billion market expected to grow at about a 12% compound annual rate from 2025 through 2028. This projection places security ahead of many IT categories and supports the bank’s tactical focus on companies enabling platform-level security. The thesis is simple: as enterprises adopt multi-cloud, edge and AI-enabled workflows, exposure grows and security spend must take a larger share of IT budgets.

Analysts cite several quantitative and qualitative drivers. CIO surveys show cybersecurity budgets expanding roughly 50% faster than overall software spend, and market momentum is magnified by the need to secure non-human identities, generative AI pipelines, and hybrid environments. The bank’s emphasis on “platformization” favors vendors that can consolidate controls across identity, network, workload and endpoint vectors.

Key criteria that informed Morgan Stanley’s picks

The following list summarizes the criteria that helped the bank prioritize Okta and Zscaler over a broad field of vendors such as Palo Alto Networks, CrowdStrike, Fortinet, SentinelOne and Check Point Software.

  • Platform breadth: ability to unify controls across workforce, customer and workload identities.
  • AI-readiness: integrations that secure agentic AI and data flow for GenAI applications.
  • Recurring revenue scale: high ARR growth and predictable subscription economics.
  • Execution track record: consistent beat-and-raise history and disciplined go-to-market.
  • Addressable market expansion: penetration into adjacent categories such as PAM, workload security or SASE.

To help readers compare the landscape, the table below consolidates metrics for the two highlighted names and selected peers. It summarizes ARR/growth signals, notable technology advantages, and the analyst stance that underpinned Morgan Stanley’s recommendations.

Company Core Focus Recent Revenue Signal Growth/ARR Notable Strategic Moves Morgan Stanley View
Okta Identity (workforce + customer) Fiscal 2Q26 revenue ~$728M, +13% YoY Expanding ACV in OIG/PAM; AI integrations Okta AI, Auth0 for developers Overweight; $123 PT (tactical buy)
Zscaler Zero Trust / SASE Fiscal 4Q25 revenue ~$719M, +21% YoY ARR ~$3.02B, SASE penetration tailwind Red Canary acquisition; AI threat management Overweight; $320 PT
Palo Alto Networks Network & cloud security Large-scale platform acquirers Market leader in platformization Acquisitions like Protect AI Favored platform peer
CrowdStrike Endpoint & cloud workload security Strong cloud-native momentum High growth trajectory Cloud intelligence & EDR leadership Peer leader in telemetry

Investors should note the implied trade-off: platform winners may face higher multiples but offer durable revenue expansion through cross-sell and higher lifecycle values. Morgan Stanley’s emphasis on Okta and Zscaler is therefore as much about durable ARR expansion and AI-era relevance as it is about near-term beats.

  • Actionable takeaway: prioritize vendors with platform hooks into AI workflows and non-human identity controls.
  • Risk checklist: watch macro-driven software budget pullbacks and execution slippage on product integrations.
  • Context note: larger network and endpoint vendors such as Palo Alto Networks and CrowdStrike remain critical peers that can pressure share via acquisition and bundling moves.

Key insight: Morgan Stanley’s picks favor platform players that combine recurring revenue scale with AI‑aware controls, a thesis that holds when attack surface expansion is persistent and regulatory scrutiny increases.

Okta Identity Security and AI Integration: Technical and Financial Analysis

Okta’s identity-first architecture addresses both human and machine identities, a capability that becomes strategically important as firms deploy agentic AI and automated services. The Okta Platform secures access for employees, contractors and partners, while Auth0 supports customer identity and developer workflows. Okta AI layers data-driven responses onto those identity signals, enabling real-time actions and bot mitigation.

See also  CompTIA unveils an upcoming cybersecurity certification tailored for professionals in operational technology

From a technical standpoint, Okta’s value proposition covers multiple axes: authentication and authorization flows, identity governance and administration (IGA), and privileged access management (PAM). Integration points such as fine-grained authorization for retrieval-augmented generation (RAG) align Okta with GenAI governance requirements for correct and auditable data retrieval.

How Okta secures AI-driven interactions

Okta’s product evolution has been deliberately oriented to secure non-human identities and AI agents. The company’s Auth for GenAI primitives allow developers to implement authentication for agentic processes and to enforce policies that limit data exposure. Benchmarks cited by Okta show significant mitigation of automated threats — for example, a 90% reduction in bot traffic in 90 days and a 79% block rate for automated login attempts in controlled deployments.

  • Authentication primitives: OAuth2/OIDC flows adapted for machine agents.
  • Fine-grained authorization: policy evaluation to prevent over-exposure in RAG systems.
  • Agent telemetry: monitoring non-human identity interactions for anomalous tasks.
  • Developer empowerment: Auth0 tools to speed secure app launches while keeping privacy controls.

Atlas Manufacturing provides a practical example. The company adopted Okta to centralize workforce access across ERP, SCM and IoT dashboards. As Atlas integrated a GenAI assistant to summarize sensor data, Okta’s Auth for GenAI managed token issuance and restricted the assistant’s data retrieval scope. The result was fewer false positives during anomaly triage and a lower risk of leaked IP in generated responses.

Financially, Okta’s fiscal 2Q26 results highlight the combination of product traction and margin discipline. Revenue of roughly $728 million beat estimates and grew 13% year-over-year, while non-GAAP EPS came in above consensus. Management’s near-term guidance remained slightly above Wall Street expectations, indicating continued commercial momentum.

  • Analyst sentiment: Morgan Stanley’s Keith Weiss rates Okta Overweight with a $123 price target, citing expansions in OIG and early-stage PAM as key upsell opportunities.
  • Street consensus: a Moderate Buy with multiple buy and hold recommendations.
  • Comparative note: Okta’s identity focus differentiates it from broad platform vendors such as Microsoft (Azure AD) which compete on scale but take different go-to-market approaches; integration with Microsoft and other clouds remains a win-win for many enterprises.

Technical challenges remain: identity sprawl across hybrid cloud and legacy systems complicates rollouts, and integration with enterprise governance processes can be slow. Practical rollout guidance for organizations like Atlas includes phased pilot scopes, strong IAM governance, and orchestration with SIEM/SOAR tools such as Splunk to centralize logs and incident playbooks.

  • Pilot steps: start with a critical web application and expand to privileged accounts.
  • Governance: codify roles and access reviews aligned with compliance frameworks.
  • Telemetry: route identity events to centralized analytics for threat hunting.

Further reading on AI implications and authentication patterns is available in technology briefs and whitepapers exploring agentic AI security and the broader role of AI in cybersecurity.

Key insight: Okta’s identity platform is directly positioned to monetize the expansion of non-human identities and GenAI access controls; execution on OIG and PAM penetration will be the decisive variable for sustained upside.

For more context on AI and security innovations relevant to identity, resources such as discussions of agentic AI security and the role of AI-driven search in customer experiences can provide technical background and risk framing.

Relevant reads: agentic AI webinar, AI-driven search for customers, and discussions on the broader role of AI in cybersecurity policy.

Zscaler Zero Trust, Red Canary Acquisition and Platformization Strategy

Zscaler’s zero-trust architecture removes implicit trust from network topologies and instead verifies each access request based on identity, device posture and policy. This approach fits modern hybrid and cloud-first enterprise designs. Zscaler’s SASE (Secure Access Service Edge) platform converges network security, workload protection and data controls into a unified plane that scales across IoT and OT environments.

The strategic thesis that underpins Zscaler’s appeal is platform consolidation. Organizations historically stitched together disparate firewalls, VPNs and proxies; Zscaler’s cloud-native services provide consistent policy enforcement and reduce operational overhead. For heavy industrial customers like Atlas Manufacturing, Zscaler’s platform simplifies secure access for remote maintenance engineers and isolates operational technology from corporate assets.

Red Canary acquisition: strengthening AI threat management

Earlier in the year, Zscaler announced and completed the acquisition of Red Canary, integrating exposure management and agentic AI threat detection into its stack. Red Canary’s telemetry and threat detection workflows augment Zscaler’s ability to detect AI-driven attack patterns and to orchestrate automated containment. This acquisition is consistent with the bank’s emphasis on platform winners that can absorb adjacent capabilities through targeted M&A.

  • Security consolidation: Red Canary brings detection & response capabilities into Zscaler’s platform.
  • AI-specific telemetry: better modeling of agentic threat behavior and automated mitigation playbooks.
  • Customer impact: faster incident response and fewer policy violations across cloud workloads.
See also  Data Breach News: Uncovering the Latest Cyber Incidents in 2023

Financially, Zscaler reported fiscal 4Q25 revenue around $719.2 million, a 21% year-over-year increase, and ARR crossed $3.02 billion. These figures indicate both healthy expansion and successful enterprise adoption. Management’s execution on sales and product delivery supports a premium relative valuation narrative, yet Morgan Stanley highlights continued runway in the SASE market, which research suggests could expand rapidly as organizations replace legacy network controls.

Competitive dynamics must be considered. Vendors such as Palo Alto Networks are pursuing similar platform narratives via acquisitions (for example, moves to acquire Protect AI and bolster cloud controls). CrowdStrike and SentinelOne compete more directly on endpoint telemetry, but cross-vendor integrations are common — many buyers prefer best-of-breed detection paired with centralized network enforcement.

  • Market positioning: Zscaler targets network and workload security simultaneously.
  • Execution strengths: cloud-native scaling, strong enterprise references (GE, Siemens) and operational telemetry at scale.
  • Execution risks: integration complexity and potential margin pressure from acquisitions.

An operational vignette: Atlas Manufacturing’s digital transformation included migration of its monitoring workloads to the cloud and adoption of a zero-trust model for contractor access. Zscaler’s platform eliminated VPN complexities and reduced lateral movement risks. After integrating Red Canary features, Atlas reported faster mean-time-to-detect for anomalous automation scripts affecting PLC interfaces.

Investors should also contextualize valuation multiples. Morgan Stanley’s $320 price target for Zscaler reflected confidence in SASE expansion and improved AI-led detection capabilities. The firm noted that SASE penetration was still incomplete across organizations and that the Red Canary deal enhanced Zscaler’s position to capture a larger share of security budgets.

  • Practical takeaway: prioritize platform names that combine SASE scale with detection & response capabilities.
  • Watchpoints: M&A integration timelines and channel execution will materially affect near-term returns.
  • Peer tracking: follow Palo Alto Networks’ acquisitions and CrowdStrike’s cloud telemetry expansions.

Key insight: Zscaler’s zero-trust and SASE architecture, bolstered by Red Canary’s detection capabilities, positions the company to capture platform-level security spend as enterprises standardize on cloud-native enforcement and AI-aware threat management.

Macro Drivers, AI Risks, Regulation and Competitive Landscape

The macro environment for cybersecurity in 2025 is shaped by three converging forces: accelerated AI adoption, regulatory tightening, and geopolitical risk. AI expands the attack surface by enabling more sophisticated automation and by increasing the value of data-driven insights. Meanwhile, regulators and standards bodies are catching up with new guidance for AI governance and security controls, producing both risk and opportunity for vendors that can demonstrate compliance-enabling features.

Microsoft’s emphasis on integrating advanced models into security workflows — for example, platform-level AI defenders and detection agents — amplifies the need for vendors to interoperate with major cloud providers. References and implementation guides highlight how cloud providers and security specialists must coordinate to defend generative systems and data stores.

  • AI-driven threats: adversarial testing and model poisoning escalate the cost of inadequate controls.
  • Regulatory momentum: new guidelines from bodies focused on AI security demand traceability and controls.
  • Geopolitical exposures: supply chain and data sovereignty concerns push enterprises toward multi-cloud resilience.

Regulatory and standards resources such as NIST’s AI security frameworks and CISA protocols are rising in influence. These frameworks create practical control requirements — audit trails, provenance of training data, and controls to prevent unauthorized model access — that security vendors must support. Morgan Stanley’s note highlights the defensive nature of security spend in this environment; budgets tend to be stickier when threats increase and when compliance mandates grow.

Attack surface expansion due to AI is not hypothetical. Real incidents involving data exfiltration, model abuse and supply chain compromise have underscored the need for vendor and enterprise controls. For deeper reading on incidents and the evolving threat picture, resources explore AI security risks, high-profile breaches, and responses from law enforcement and regulators.

  • Incident references: case studies of data theft and ransomware highlight the operational impact on critical sectors.
  • Operational response: centralized playbooks, threat intelligence sharing, and cross-vendor telemetry are essential defenses.
  • Standards adoption: frameworks such as NIST and CISA provide roadmaps for compliance and risk reduction.
See also  Activists in Japan Accuse FANUC Corporation of Supplying Military Equipment to Israel

Strategic vendors integrate with cloud leaders (Microsoft, AWS, Google) to protect model training pipelines and operational data. For example, Microsoft’s initiatives to fold advanced language models and detection tools into cloud services demonstrate how security is being infused into the platform stack. Independent vendors that tightly integrate with these providers can add critical enforcement layers and decrease time-to-detection.

Selected reading links for context and incident tracking are available that cover AI security risk, Microsoft’s initiatives, and broader cyber policy and breach reporting. These pieces outline both the technical risk vectors and the regulatory momentum that underpin sustained security spending.

Key insight: AI and regulation are forcing a permanent uplift in enterprise security posture, making vendors that enable compliance, AI-aware controls and cross-cloud enforcement attractive allocation targets for growth-minded portfolios.

Portfolio Construction: How to Position Okta and Zscaler Among Peers

Allocating to Okta and Zscaler requires a pragmatic framework that balances conviction in platform adoption with risk controls for valuation volatility and execution risk. The following section outlines a technical allocation approach, rebalancing rules, and scenario-based risk management tuned to the cybersecurity sector.

Portfolio design starts with understanding correlations across the security cohort. Platform names (Okta, Zscaler, Palo Alto Networks) can have overlapping revenue drivers tied to security budget share increases. Endpoint specialists (CrowdStrike, SentinelOne) exhibit different exposure to telemetry and endpoint economics. Buyers should therefore blend platform exposure with specialist leaders to diversify product and go-to-market risk.

Suggested allocation framework for a security-focused sleeve

  • Core platform exposure (40–60%): names with platform momentum and high incremental cross-sell potential such as Okta and Zscaler.
  • Specialist growth exposure (20–30%): high-growth telemetry vendors like CrowdStrike and SentinelOne to capture endpoint and workload momentum.
  • Value/defensive exposure (10–20%): mature vendors with broad enterprise footprints such as Palo Alto Networks, Fortinet and Check Point Software for durability and cash generation.
  • Cash or hedges (0–10%): to manage market pullbacks or selective rebalancing opportunities.

Practical rules for position sizing and risk management:

  • Position cap: no single security >25% of the cybersecurity sleeve to avoid idiosyncratic risk.
  • Rebalancing trigger: rebalance on 15% relative outperformance or underperformance to maintain target exposures.
  • Event-driven adjustments: increase defensive allocation if macro indicators signal a software spend contraction or if regulatory risks escalate.

Valuation discipline must be enforced. Look at EV/revenue and forward growth multiples relative to execution quality. For example, Morgan Stanley expects Okta to expand into OIG and PAM, creating meaningful upsell opportunities, while it views Zscaler’s SASE penetration and Red Canary integration as proof points for platform ascendancy. These theses justify premium multiples only if cross-sell and churn metrics hold.

Constructing an implementation plan for Atlas Manufacturing’s treasury shows how an enterprise might transition from defensive cash holdings into security equities as part of a technology allocation strategy. Atlas’ CIO mandated that any security allocation out of excess cash must be staggered in tranches tied to delivery milestones (product roadmaps and M&A integrations). This reduces exposure to immediate market volatility while capturing long-term secular trends.

  • Tranche 1: allocate 30% on conviction triggers such as confirmed ARR growth and integration milestones.
  • Tranche 2: allocate 40% after successful product integration announcements (e.g., Red Canary synergies).
  • Tranche 3: allocate remaining 30% on sustained revenue beat cycles or regulatory tailwinds.

To diversify implementation, investors may also use exchange-traded funds focused on cybersecurity to complement single-stock positions, thereby smoothing idiosyncratic swings while maintaining exposure to the sector’s secular drivers. Monitoring tools and research feeds are essential; services that aggregate analyst views and execution metrics help identify when to overweight or trim individual names.

For additional context on investment research and industry tracking, see resources on investment ideas and sector trends that compile analyst recommendations and market sizing commentary.

Key insight: a blended allocation that emphasizes platform leaders (Okta, Zscaler) while maintaining exposure to endpoint and defensive peers offers a balanced way to capture cybersecurity’s secular growth while controlling idiosyncratic and macro risks.