Over the past several years, we have watched security spend migrate from hardware appliances toward cloud-delivered and subscription models. In this blog, I outline three predictions for 2026 that describe how that pattern solidifies into a durable template: security budgets increasingly split between cloud-delivered security services at the edge and an AI-infused, centralized SecOps layer that looks a lot like “next-gen SIEM.”
On the edge, Secure Access Service Edge (SASE)/Security Service Edge (SSE) and cloud Web Application Firewalls (WAFs) become the default way to protect users and applications. In the middle, distributed cloud networking quietly supplies the connective tissue. At the center, next-generation Security Information and Event Management (SIEM) platforms fuse SIEM, Security Orchestration, Automation, and Response (SOAR), Extended Detection and Response (XDR), observability, and Cloud-Native Application Protection Platform (CNAPP)-style cloud visibility into a single, service-delivered control surface.
Prediction 1 – Edge security spend consolidates around SASE/SSE and cloud WAF
From a budget perspective, the branch and user edge is already moving decisively toward as-a-service delivery. SASE, particularly the SSE half of that equation, has been growing at a solid double-digit rate, while legacy access routing and on-premises secure web gateways have been shrinking. WAF has also emerged as one of the most dynamic parts of the network security landscape as more applications and APIs are exposed directly to the Internet.
Put simply, enterprises are standardizing around two cloud-delivered edge controls:
- SASE/SSE for user and branch access, combining secure web gateway, CASB, ZTNA, and firewall-as-a-service capabilities delivered through globally distributed points of presence.
- Cloud WAF for Internet-facing web and API traffic as part of secure application delivery platforms.
The immediate drivers are familiar: hybrid work, SaaS adoption, and a steady shift away from private WAN circuits and appliance-based security toward Internet-centric architectures. However, there is also a deeper architectural undertow. Underneath SSE and cloud WAF, distributed cloud networking and early WAN-as-a-service offerings are emerging to connect branches, clouds, and security service edges over a programmable fabric rather than static routers.
In 2026, we expect security and networking teams to budget less for discrete “boxes” at the branch and more for recurring spend on SASE/SSE, WAF, and the underlying cloud connectivity. Physical access routers and appliance SWGs will continue to shrink as a share of branch networking and security spend, reinforcing that the edge is now a service, not a rack of gear.
Prediction 2 – “Next‑gen SIEM” becomes the gravitational center of SecOps
If SASE/SSE and WAF are where packets are inspected, next-gen SIEM is where evidence is assembled and acted upon. We use “next‑gen SIEM” here as a SecOps solution construct, not a product SKU. In this view, a next-gen SIEM is a SecOps solution that combines:
- Classic SIEM for log and event aggregation.
- SOAR or extended orchestration, automation, and response (XOAR) for workflow and playbook automation.
- XDR for cross‑control point detection and response.
- Observability and digital experience monitoring (DEM) for performance and user‑experience telemetry.
- CNAPP for configuration, identity, and cloud workload context.
A reflection of enterprises’ pivot in this direction is the recent explosive growth of the CNAPP market. In our analysis, the CNAPP market grew nearly 40% in 2024. Cloud-native security tool consolidation, end-to-end coverage, and DevSecOps integration are the core buying drivers.
Architecturally, next-gen SIEMs are a response to the collision of two worlds:
- Traditional SecOps built around monolithic apps, north-south traffic, and data center-centric logging.
- Modern app environments built on containers, microservices, and hybrid cloud.
In 2026, we expect more RFPs to converge on this next-gen SIEM pattern. Buyers will look for a single SaaS platform that can ingest logs, telemetry, and cloud data; power AI-assisted investigations; and orchestrate responses across SASE/SSE, WAF, endpoint, and on-premises and cloud controls.
Prediction 3 – Security budgeting finishes its shift from capex to opex
The common thread between cloud-delivered edge controls and next-gen SIEM is not just architecture—it is the commercial model. Both are overwhelmingly sold as subscription services.
Across SASE, CNAPP, and broader network security, vendors are leaning into subscription licensing because it lets them monetize more features, deliver updates continuously, and smooth revenue over time. Our forecasts assume a continued shift from perpetual licenses and hardware-heavy deals toward SaaS and virtual consumption, with subscription models explicitly called out as a structural assumption for both network security and distributed cloud networking.
For CIOs and CISOs, this shows up in the budget spreadsheet as:
- Smaller, more targeted hardware refresh projects.
- Growing multi-year SaaS commitments for SASE/SSE, WAF, CNAPP, and next-gen SIEM.
- Increased financial scrutiny of overlapping subscriptions, driving consolidation toward integrated platforms (for example, single-vendor SASE or a single primary analytics plane for SecOps).
We believe 2026 is the year this shift becomes the default assumption rather than a trend to watch. New initiatives will start life in opex, and capex-heavy proposals will increasingly be the exception that must be justified.
Net‑net for 2026
Security budgets will increasingly organize around two SaaS pillars—cloud-delivered security at the edge (SASE/SSE and WAF) and a centralized, AI-infused next-gen SIEM that absorbs CNAPP and traditional SecOps functions. Everything else, from distributed cloud networking to legacy appliances, will be evaluated on how well it supports or can be subsumed into those two spend templates.