The state of the cybersecurity stack in 2026

The cybersecurity stack is more fragmented than ever. Cloud, SaaS, web apps, APIs, endpoints, each a discipline of its own with its own tools, alerts, and dashboards. The midmarket is feeling that complexity more than anyone, with lean teams but the same threats as enterprises twice their size.

In our Security Middle Child report we surveyed 500 senior security decision-makers at companies with 400-6,000 employees across the US and UK to find out what the cybersecurity stack actually looks like in 2026, and how well it’s serving their teams.

What does a modern cybersecurity tech stack look like?

Our survey covered 14 categories of security tooling. This is what the stack looks like, ranked from most to least adopted across midmarket organizations:

1. Cloud Security Posture Management (CSPM) - 55%
2. Security Information & Event Management (SIEM) - 47%
3. Web Application Firewall (WAF) - 47%
4. Data Security Posture Management (DSPM) - 44%
5. Endpoint Detection & Response (EDR/XDR) - 43%
6. SaaS Security Posture Management (SSPM) - 43%
7. Vulnerability Management (VM) - 42%
8. Application Security (SAST/DAST) - 41%
9. AI Penetration Testing - 41%
10. Attack Surface Management (ASM) - 35%
11. Security Orchestration, Automation and Response (SOAR) - 34%
12. Breach and Attack Simulation (BAS) - 31%
13. Continuous Threat Exposure Management (CTEM) - 29%
14. Compliance Automation - 27%

CSPM is the most adopted tool of the stack, for two likely reasons: compliance and headcount. SOC 2, ISO 27001, and HIPAA increasingly require evidence of cloud security controls, and CSPM is the most efficient way to produce it. For lean teams, manually auditing dozens of cloud accounts is incredibly time consuming. Continuous, automated cloud configuration checks are the most efficient way to get the work done.

What also stands out are the low adoption rates for ASM and CTEM. When asked about their top challenges, 28% of respondents cited lack of visibility into what's exposed, yet the two solutions most directly designed to address it rank 10th and 13th for adoption. It suggests teams are investing in solutions that don't always map to their most pressing problems, while the tools that would actually close the visibility gap remain underdeployed.

Compliance automation at the bottom is surprising. Given the regulatory pressure midmarket teams operate under, you'd expect adoption to be higher, a sign that security compliance is still largely a manual process.

How many companies are using AI pentesting?

41% of midmarket security teams report using AI pentesting. That puts it in the top half of the stack, ahead of more established categories like ASM (35%), SOAR (34%), and BAS (31%). Given the category only emerged 12-18 months ago, it's unclear whether teams are using true AI pentesting or applying the term more loosely. But the intent is clear: nearly half (49%) cite AI and automation as their top investment priority for 2026, suggesting security leaders are looking to AI to help them do more with less.

The Security Middle Child

How midmarket security teams are managing growth, complexity, and risk

get the report

How does the security stack differ by industry?

CSPM appears in the top five tools across all seven industries we surveyed (financial services, fintech, healthcare, manufacturing, professional services, retail, and SaaS), but below that the stacks diverge significantly. 

What does the financial services security stack look like?

• CSPM - 51%
• DSPM - 51%
• Vulnerability Management - 50%
• SIEM - 44%
• WAF - 43%

Financial services is the only sector where a dedicated data security tool (DSPM) makes the top five. The rest of the stack does a lot to protect data, but financial services goes a step further. When your entire business runs on regulated personal and financial data, knowing exactly what you're protecting and where it is is a top priority.

What does the fintech security stack look like?

1. CSPM - 56%
2. WAF - 53%
3. AI Penetration Testing - 47%
4. SIEM - 43%
5. ASM - 40%

Fintech has one of the highest rates of AI penetration testing adoption at 47%. As a sector that's digital-native and less weighed down by legacy infrastructure, it's perhaps no surprise it's among the earliest adopters of emerging security tools.

What does the healthcare security stack look like?

1. CSPM - 68%
2. SAST/DAST - 50%
3. WAF - 49%
4. EDR/XDR - 49%
5. SIEM - 49%

Healthcare has the highest adoption of CSPM at 68%, 12 points more than the next highest sector. HIPAA's strict requirements around evidencing how protected health information is managed in the cloud are almost certainly a big part of why.

What does the manufacturing security stack look like?

1. SIEM - 62%
2. CSPM - 49%
3. Vulnerability Management - 46%
4. DSPM - 46%
5. AI Penetration Testing - 46%

Manufacturing is the only sector where SIEM leads the stack. With factory floor systems, legacy IT, and cloud infrastructure all generating their own alerts and logs, a single place to monitor and detect threats across all of them becomes critical.

What does the professional services security stack look like?

1. CSPM - 56%
2. EDR/XDR - 49%
3. WAF - 47%
4. SIEM - 47%
5. DSPM - 44%

At 49%, professional services has one of the highest EDR/XDR adoption rates in the survey, perhaps unsurprising for firms handling confidential client data across legal, consulting, and agency work.

What does the retail security stack look like?

1. WAF - 54%
2. CSPM - 51%
3. EDR/XDR - 49%
4. AI Penetration Testing - 48%
5. SIEM - 45%

Retail's top tool is WAF at 54%, which checks out for a sector where so much of the business runs through public-facing websites and APIs.

What does the SaaS security stack look like?

1. CSPM - 56%
2. SSPM - 56%
3. DSPM - 49%
4. WAF - 48%
5. SAST/DAST - 46%

SaaS leads on SSPM adoption at 56%. When your business runs inside tools like Slack, GitHub, and Salesforce, misconfiguration is one of your biggest risks.

Do companies have too many security tools?

The data from our report points to yes. 26% cite navigating too many tools as a top challenge, 24% are drowning in alerts with poor prioritization, and 20% can't measure or report on cyber hygiene. The stack isn't just complex, it's actively getting in the way. And with 33% planning to add more tools this year, fragmentation is set to get worse before it gets better.

The vendor market is part of the problem. 46% of midmarket teams say enterprise platforms assume more staff, budget, and complexity than they have, and 29% say SMB tools no longer meet their needs. Midmarket teams aren't failing to choose the right tools - the right tools largely haven't existed for them.

There's a lot more in the data

The full report goes further into the state of midmarket security: how confidence varies across seniority, where investment is flowing in 2026, how cyber risk is (and isn't) reaching the boardroom, and how growth in digital estates is outpacing the headcount asked to defend them. 

The Security Middle Child

How midmarket security teams are managing growth, complexity, and risk

get the report