Snapshot
Government cybersecurity vendors sell software, appliances, and advisory services that protect federal networks, military systems, and classified infrastructure from intrusion. The "product" is a contract — typically multi-year, paid in annual subscription fees or time-and-materials billings — under which the vendor monitors, detects, and responds to cyber threats across an agency's endpoints, cloud workloads, and network perimeter. The US federal government budgeted roughly $13.2 billion for cybersecurity in FY2026, up ~12% year-over-year. DoD's zero-trust deadline (September 2027) requires every military network to adopt new architectures. The broader global government and public-sector cybersecurity market was an estimated $84.6 billion in 2026. est.
$13.2B
US federal cyber budget, FY2026 (+12% YoY)
$84.6B
Global gov/public-sector cyber market, 2026 (est.)
Sep 2027
DoD zero-trust implementation deadline
$5B+
Zero-trust subcontracting market alone (est.)
312
FedRAMP-authorized offerings (up 17% since 2024) (est.)
~700K
Vacant cybersecurity positions globally (est.)
Of the four tickers listed for this sub-sector, one — MNDT (Mandiant) — is no longer publicly traded. Google acquired Mandiant for $5.4 billion in September 2022; the capability now lives inside Google Cloud Security. The remaining three — PANW, CRWD, BAH — are the investable set.
Mordor Intelligence (2026 gov cybersecurity market estimate); FY2026 President's Budget / OMB (federal cyber budget); DoD Zero Trust Strategy (Sep 2027 mandate); FedRAMP.gov; NIST/BCG 2024 cybersecurity workforce report.
The product & how money is made
Three different business models sit under the "government cybersecurity" umbrella:
- Platform cybersecurity software (PANW, CRWD): Vendors sell subscriptions to cloud-delivered security platforms. CrowdStrike's Falcon platform and Palo Alto's Cortex / XSIAM / Prisma products run on the customer's endpoints and cloud, streaming telemetry back to AI-driven detection engines. Revenue is recognized ratably over the subscription term (1–5 years). CrowdStrike reported 97% gross retention and 115% net dollar retention as of FY2026. Government agencies access these through vehicles like GSA schedules and SEWP contracts, typically via resellers such as Carahsoft. FedRAMP authorization (a compliance certification that a cloud service meets federal security standards) is required for civilian agencies. IL5/IL6 authorization (Impact Level 5/6 — DoD classifications for Controlled Unclassified Information and classified national-security data, respectively) is required for military and intelligence customers.
- Government consulting and systems integration (BAH): Booz Allen Hamilton sells cleared labor — people with security clearances who build, operate, and advise on cybersecurity programs inside government agencies. Revenue is billed as time-and-materials or cost-plus-fixed-fee against multi-year task orders. BAH's defense revenue was $6.07B and intelligence revenue was $1.90B in FY2026 (fiscal year ending March 2026); cybersecurity is embedded across both segments but not broken out separately. Backlog was $38 billion at March 2026.
- Incident response and threat intelligence (formerly MNDT, now inside GOOG): Mandiant's business was investigating breaches and publishing threat-intelligence reports on nation-state actors. Google acquired it for $5.4B in September 2022 and folded it into Google Cloud's security division. The capability still serves government customers but is no longer a standalone equity.
CrowdStrike FY2026 annual results (Jan 2026); Palo Alto Networks Q3 FY2026 earnings (Apr 2026); Booz Allen Hamilton FY2026 annual results (Mar 2026); Google Cloud blog (Sep 2022 Mandiant close).
Demand
Contracted and appropriated
- $13.2 billion — US federal cybersecurity budget for FY2026, up ~12% YoY. contracted
- $2B+ ceiling — CISA's CDM Defend program for zero-trust deployment across civilian agencies. contracted
- $500M+ — Booz Allen Hamilton's contracted zero-trust advisory and implementation work for DoD. contracted est.
- $120M — GDIT contract for Air Force Next Gen Gateway zero-trust architecture covering 187 bases and 1M+ users. contracted
- $99M through 2030 — Anduril Thunderdome zero-trust network architecture for Air Force. contracted
- DoD zero-trust mandate: All DoD components must reach "target level" zero-trust architecture by September 30, 2027. Every military network not yet compliant must purchase and deploy zero-trust products in the next ~15 months. contracted
- RPO/backlog: PANW total RPO was $18.4B at Q3 FY2026 (Apr 2026), up 36% YoY — all-customer, not government-only. CrowdStrike does not break out RPO publicly. BAH backlog was $38 billion at March 2026 — all-government, not cybersecurity-only. contracted
Forecast demand drivers
- Nation-state attack escalation: 47% of critical-infrastructure intrusions traced to state actors (Mordor Intelligence, citing 2025 data). est. China, Russia, and Iran are the primary threat actors against US government networks.
- AI arms race in cyber: Offensive AI tools are accelerating attack speed. Defensive AI (CrowdStrike's Charlotte AI, Palo Alto's XSIAM) is the counter-response. XSIAM ARR passed $600M and is growing 100%+ YoY. Charlotte AI received FedRAMP High authorization in late 2025.
- Expanding attack surface: Each AI system, cloud migration, and IoT device deployed across government adds endpoints to defend. The Pentagon's $13.4B AI budget creates new assets requiring cybersecurity. est.
- Global government cyber market: Estimated to grow from $84.6B (2026) to $153.4B (2031), a 12.6% CAGR. est.
Market-size and growth figures are third-party estimates, not live-verified. Company financials are from most recent public filings.
Mordor Intelligence gov cyber market report (2026); FY2026 President's Budget; DoD Zero Trust Strategy; PANW Q3 FY2026 earnings; CrowdStrike FY2026 earnings; BAH FY2026 annual results; fed-spend.com contract database.
Supply
Who can sell to the US government
Three barriers limit the vendor pool:
- FedRAMP authorization: A cloud service must complete a security audit (typically 12–18 months and $1–5M in costs est.) to receive FedRAMP certification. As of 2026, there are 312 authorized offerings across all categories — up 17% since 2024 est.. Defense and intelligence customers require the higher IL5/IL6 authorization.
- Security clearances: Personnel who touch classified systems need TS/SCI clearances. Processing takes an average of 287 days est.. This bottleneck constrains services firms like BAH — delivery cannot outpace clearance processing.
- Contract vehicles: Sales flow through specific procurement vehicles (GSA Schedule, SEWP, BPAs). Getting on-contract takes years of relationship-building and compliance documentation. CrowdStrike flows primarily through Carahsoft as a reseller.
Capacity of the current suppliers
- PANW — Q3 FY2026 total revenue run-rate of ~$12B annualized. Government-specific revenue not disclosed. FedRAMP authorized, IL5 authorized. XSIAM has 740 customers and >$600M ARR. Organic next-gen security ARR of $6.5B growing 28% YoY.
- CRWD — FY2026 total revenue $4.81B, ARR $5.25B. FedRAMP High authorized (Falcon platform and Charlotte AI). Reports 43 US states use Falcon. Federal revenue not disclosed separately.
- BAH — FY2026 revenue $11.2B (down 6.4% YoY, driven by a $922M decline in civil segment, partly from DOGE contract cancellations). Defense + intelligence segments grew to $7.97B combined. Headcount fell from 35,800 to 31,500 (–4,300). Book-to-bill 1.1x TTM. Backlog $38B. BAH's capacity scales linearly with headcount — it sells cleared labor.
The bottleneck
For software vendors (PANW, CRWD), the constraint is the sales cycle: procurement vehicles, FedRAMP certification, and government buying timelines (6–18 months). For services firms (BAH), the constraint is cleared labor supply. Roughly 700,000 cybersecurity positions are vacant globally est., and cleared personnel are a subset of that. BAH cut headcount by 4,300 in FY2026.
PANW Q3 FY2026 earnings; CRWD FY2026 annual results; BAH FY2026 annual results; FedRAMP.gov; NIST/BCG 2024 workforce report.
The gap
| Measure | Demand side | Supply side |
| Federal cyber budget | $13.2B appropriated, growing ~12% YoY | 312 FedRAMP-authorized offerings (all categories, not just cyber) (est.) |
| Zero-trust mandate | All DoD networks must comply by Sep 2027; $5B+ subcontracting market (est.) | Handful of IL5/IL6-authorized vendors; 15-month countdown |
| Software platforms (PANW + CRWD) | Government is a fast-growing vertical for both | Software scales without proportional cost; sales cycle is the gating factor |
| Services capacity (BAH) | $38B backlog, book-to-bill 1.1x | Headcount fell 12% in FY2026; clearance processing averages 287 days (est.) |
| Workforce | Each new AI system deployed requires cyber protection | ~700K vacant positions globally (est.); cleared cyber talent especially scarce |
| Attack sophistication | AI-powered offensive tools accelerating threat pace | AI-native platforms (XSIAM, Charlotte AI) required to match speed; legacy tools lag |
Pricing direction: Subscription prices for government cyber software have been rising. PANW's XSIAM is growing ARR at 100%+ YoY while the platform approach consolidates point products into a single contract at higher total value. CrowdStrike's net dollar retention of 115% means existing customers spend 15% more each year. BAH's services margins face pressure from DOGE scrutiny on labor costs, but TS/SCI-cleared advisory work cannot be offshored or automated easily. The federal cyber budget is growing at 12% while the number of vendors who can serve it is limited by FedRAMP certification, clearances, and procurement timelines.
PANW Q3 FY2026 earnings; CRWD FY2026 annual results; BAH FY2026 annual results; DoD Zero Trust Strategy; Mordor Intelligence; FedRAMP.gov.
The players
| Ticker | Company | Model | Total rev (TTM) | Gov cyber exposure | Mkt cap | FCF (TTM) | Backlog / RPO |
| PANW | Palo Alto Networks | Platform subscription (firewalls, SASE, XSIAM, Cortex) | ~$9.9B (FY Jul-25); Q3 FY26 run-rate ~$12B | FedRAMP + IL5 authorized; gov % not disclosed | $229B | $4.1B adj (TTM) | $18.4B RPO |
| CRWD | CrowdStrike | Platform subscription (endpoint, cloud, identity, SIEM) | $4.81B (FY Jan-26) | FedRAMP High (Falcon + Charlotte AI); 43 states; gov % not disclosed | $190B | ~$1.4B (30%+ margin) | Not disclosed |
| BAH | Booz Allen Hamilton | Cleared labor: consulting, integration, managed services | $11.2B (FY Mar-26) | 100% gov; defense $6.1B + intel $1.9B; cyber not separated | $9.4B | $951M | $38B backlog |
| MNDT | Mandiant (now Google Cloud) | Incident response + threat intelligence | N/A — acquired by Google Sep 2022 for $5.4B | No longer a public equity | N/A | N/A | N/A |
PANW and CRWD sell software where the marginal cost of protecting one more endpoint is near-zero. BAH sells human expertise where capacity scales linearly with headcount. Margin profiles: PANW runs 38.5% adjusted FCF margins, CRWD runs 30%+, BAH runs 9.5% operating margins. BAH carries $3.9B in debt (2.6x net leverage); PANW has $4.5B cash against $459M debt; CRWD has $5.2B cash against $820M debt.
PANW Q3 FY2026 earnings; CRWD FY2026 annual results; BAH FY2026 annual results; yfinance market data (Jun 2026); Google/TechCrunch (Sep 2022 Mandiant acquisition).
The price of exposure
| Metric | PANW | CRWD | BAH |
| Share price | $280 | $748 | $78.50 |
| Market cap | $229B | $190B | $9.4B |
| Enterprise value (EV) | $238B | $185B | $12.8B |
| EV / TTM revenue | ~24x | ~38x | ~1.1x |
| EV / adj FCF (TTM) | ~58x | ~115x | ~13.5x |
| Forward P/E (consensus) | ~69x | ~121x | ~11x |
| Price / book | ~21x | ~43x | ~8.5x |
| Revenue growth (latest) | +31% (Q3 FY26) | +22% (FY26) | -6.4% (FY26) |
| FCF margin | 38.5% | 30%+ | 8.5% |
| Net cash / (debt) | +$4.1B | +$4.4B | -$3.2B |
Implied math: For PANW's $229B market cap to represent a 25x-earnings company, it would need ~$9.2B of owner earnings per year — roughly its entire current annual revenue. At 38.5% adjusted FCF margins, that requires ~$24B in revenue, about 2.4x today's run-rate. For CRWD at $190B and a 25x target, it would need ~$7.6B of owner earnings — about 5x its current ~$1.4B FCF. BAH at $9.4B market cap and 11x forward P/E is priced for roughly flat earnings of ~$850M/year, approximately what it earned in FY2026.
None of these companies disclose government cybersecurity revenue as a standalone segment. PANW and CRWD report geographic segments (Americas, EMEA, JAPAC) and product categories, but not end-market verticals. BAH is 100% government but does not break cybersecurity out from defense/intelligence IT broadly. Owning any of these as a government-cyber play means accepting the whole business — commercial customers included — since the government cyber revenue stream cannot be isolated.
yfinance market data (Jun 2026); PANW Q3 FY2026 earnings; CRWD FY2026 annual results; BAH FY2026 annual results.
What to deep-dive next
- Government revenue mix: Neither PANW nor CRWD discloses federal, SLED, or defense revenue percentages. Channel checks through Carahsoft or GSA contract databases (SAM.gov, USAspending.gov) could produce a bottom-up estimate of government contract value.
- DOGE impact on BAH: BAH's civil segment dropped $922M in FY2026 and headcount fell 4,300. FY2027 revenue guidance ($11.2–$11.7B) suggests stabilization.
- CISA budget politics: The administration proposed cutting CISA by $491–707M in FY2027. Congress has historically restored or increased cyber funding.
- XSIAM vs Charlotte AI: Both PANW and CRWD are building AI-native security operations centers. XSIAM has 740 customers and $600M+ ARR; Charlotte AI is FedRAMP High authorized. Which platform wins government SOC consolidation determines share of zero-trust mandate spend.
- Zero-trust deadline execution: With 15 months until the September 2027 DoD deadline, contract awards should accelerate. Tracking FPDS for zero-trust-tagged obligations would show whether spending is flowing or stalling.
- Mandiant inside Google Cloud: Google Cloud's security revenue is not broken out, but Google is bidding for government AI and cloud contracts (JWCC, $800M agentic-AI contract). Mandiant's threat intelligence is a differentiator.
Sources & confidence
- Company filings (high confidence): Palo Alto Networks Q3 FY2026 earnings (May 2026); CrowdStrike FY2026 annual results (Mar 2026, fiscal year ending Jan 31 2026); Booz Allen Hamilton FY2026 annual results (May 2026, fiscal year ending Mar 31 2026). Revenue, FCF, RPO/backlog figures from these primary sources.
- Federal budget data (high confidence): FY2025/FY2026 President's Budget requests via OMB; CISA budget proposals via AFCEA reporting (May 2026); DoD Zero Trust Strategy (Nov 2022, mandate unchanged as of Jun 2026).
- Contract data (medium confidence): fed-spend.com contract analysis (H1 FY2026); specific contract values for GDIT/Anduril/BAH zero-trust programs sourced from government contract databases and trade press.
- Market sizing (lower confidence): Mordor Intelligence government cybersecurity market estimate ($84.6B 2026, $153.4B 2031); Fortune Business Insights global cyber market ($248B 2026). Third-party estimates, not primary data. The $13.2B US federal cyber budget figure is from budget documents and is higher-confidence.
- Mandiant acquisition: Google Cloud blog and TechCrunch (Sep 12 2022, $5.4B cash acquisition at $23/share).
- Market data: yfinance live prices and financial metrics, Jun 2026.
Market-size and growth figures are third-party estimates, not live-verified. Company financials are from most recent public filings.