Compute Commoditization: Why Cybersecurity Wins

In today’s AI economy, raw compute is rapidly becoming a commodity. Thanks to Moore’s law and its GPU-era equivalent, the cost-performance of hardware keeps improving roughly 30–40% per year. In practical terms, a GPU’s FLOPS/$ doubles roughly every 2–2.5 years. Cloud providers and enterprises enjoy this exponential gain, which quickly drives prices down to bare metal costs (power, depreciation) unless a vendor controls unique data or IP.

Key forces:

  • Moore’s-law economics: FLOPS-per-dollar is inexorably rising. Any compute-intensive workload gets cheaper each year. Without protected IP or datasets, vendors must match tight marginal-cost pricing.
  • Cloud fungibility: AI models trained in one environment can migrate to another. AWS vs. Azure vs. Google quickly price-align on equivalent compute. AI-development frameworks are widely adopted. However, there are differences in scaling mechanisms, APIs, etc.
  • Open-source diffusion: Breakthrough models commoditize fast. Any transient edge (say, a proprietary model or custom accelerator) erodes as open projects catch up. Specialized performance gaps narrow within months.
  • Accounting quirk: Efficiency gains from AI often show up as cost avoidance or improved output quality – not new revenue. Internal demand-forecasting or ops-optimization projects still look like savings, not “sales,” which limits how much organizations can monetize raw compute.

The result: Generic compute is a commodity. Economic rents shift up the stack to software, data, and mandated workflows. In other words, the profits go to the “picks and shovels” – not the silicon.

Why Cybersecurity Captures the Surplus

By contrast, cybersecurity vendors escape the commodity trap. Security inherently ties AI and compute spending to business risk and compliance, creating durable demand. Key advantages include:

  • Regulatory mandate: New rules (EU’s NIS-2, SEC cybersecurity disclosure requirements, U.S. critical-infrastructure/TSA directives, etc.) force enterprises to spend on security and reporting. These are non-discretionary budgets, not elastic toy projects.
  • Board-level risk aversion: After high-profile breaches, executives and boards allocate extra budget to avoid liability and fines. The negative externalities of weak security (breach costs, reputation loss) justify spending, even as compute costs fall.
  • Data network effects: Security is a “network” business. Every new endpoint and sensor adds telemetry that improves the collective defense. More devices mean better detection for everyone, entrenching large platforms.
  • High switching costs: Security products integrate deeply (agents, SIEMs, cloud connectors) and often come with 3–5 year contracts. Once a customer deploys a security platform, migration is arduous. As a result, top security vendors see net retention well above 100%. (CrowdStrike reported ~147% net-dollar retention in FY2019.)
  • Usage-based SaaS models: Many security platforms charge per endpoint or per data ingested. This means revenue grows faster than compute cost as customers expand usage. Customers pay more with every new device or gigabyte of logs, even if the unit compute cost is tiny.

Monetization tactics: Security vendors bundle and tier features tightly to lock in customers. For example:

  • Per-endpoint / per-GB fees: Next-gen endpoint protection is often sold per device-year (CrowdStrike’s Falcon tiers start around $60-$185 per device/year depending on features, per crowdstrike.com). Log analytics and threat intelligence are billed by data volume or “credits.”
  • Tiered analytics SKUs: Products like Palo Alto’s Cortex XSIAM sell data analytics capacity in blocks (“credits”) – a model that scales with usage but is insulated from raw GPU cost.
  • Managed Detection & Response (MDR): Clients pay for expertise and service; the incremental cost is staffing, not GPUs.
  • Cross-sell flywheels: Broad platforms enable upselling. For instance, CrowdStrike’s single agent feeds multiple modules. Each additional module (EDR, identity protection, IT hygiene, etc.) adds license revenue without duplicating the endpoint footprint.

Outcome: Security vendors peg revenue to compliance and risk mitigation, not raw FLOPS. Consequently they sustain very high gross margins – typically 75–80% or more. In other words, even as GPU prices tumble, security companies keep most of each dollar they earn.

Welfare-Heavy Compute Use-Cases

By comparison, many AI/compute applications struggle to directly monetize their gains:

  • Consumer AI (images, translation, search): End-users enjoy huge benefits (free chatbots, free translation) but monetization is indirect (ads or optional fees). The consumer surplus is high; direct revenue per FLOP is very low.
  • Enterprise decision-support AI (forecasting, optimization): These projects often yield cost savings or efficiency. Savings accrue to the business but rarely show up as new revenue. Moreover, any firm that develops a useful model may find it easily replicated or bought open-source, so there’s little capture of that value.
  • “Table stakes” AI features (spell-check, transcription): Basic AI features in productivity apps or communication tools are generally bundled or free, serving only to “defend” the core product. Companies give away these features to retain customers, not as premium revenue streams.

In short, when AI “welfare” (broader utility) is large, direct monetization is hard. Compute-intensive features become defensive or free add-ons, not profit centers.

Reframing Cyber Investment: Risk, Compliance, and Platform Leverage

The real value in cyber lies in risk reduction and regulatory alignment. Winning security strategies are driven by business outcomes. To succeed in today’s environment, cybersecurity leaders must realign investments and partnerships around five hard truths:

  1. Risk reduction first.
    Tie every major cyber initiative — from detection to response to posture management — to tangible risk reduction or regulatory requirements (NIS-2, SEC rules, critical infrastructure standards).
  2. Leverage telemetry and data moats.
    AI-powered defense improves with more data. Vendors that aggregate global signals (endpoints, threat feeds, identity anomalies) build compounding advantages — but so can enterprises that actively curate and analyze their internal security telemetry.
  3. Control your cyber risk to control your cyber spend.
    In this market, customers who lower their own cyber risk also shrink the pricing latitude vendors have. Many security contracts scale with usage, asset count, or perceived risk. Reducing exposure — hardening endpoints, segmenting networks, improving hygiene — gives CISOs direct negotiating leverage on renewal terms and SaaS consumption fees.
  4. Exploit platform dynamics intelligently.
    Security vendors push aggressively toward platform consolidation — endpoint, identity, cloud security modules bundled into cross-sell packages. This creates stickier vendor relationships, but it also creates negotiating leverage for buyers. The marginal cost for vendors to add extra modules is low, which means savvy customers can extract better terms when expanding footprint within a platform.
  5. Price to business impact, not to compute cycles.
    Demand pricing models that reflect risk reduction outcomes, not raw data ingestion or analytics compute. Vendors increasingly tier their offerings around risk profiles, depth of ML analysis, or compliance guarantees — these are where value-based negotiations should focus.

Drive your AI and cybersecurity investments into risk and compliance domains.

This is where compute expenditures translate into durable enterprise value — regulatory resilience, risk mitigation, and sustainable cost control. In cybersecurity, the compute itself is the free lunch; what truly matters — and what commands premium margins — is the peace of mind and proof of control you deliver to boards, regulators, and shareholders.

In short: In cyber, you don’t just buy protection — you buy regulatory cover, lower downside volatility, and strategic leverage. Those who master this dynamic will control not just their cyber defenses, but their entire security cost curve.
