Google could become a major security player in the next few years
It could become a viable alternative to Microsoft's security business
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.
I’ve intentionally made all of my posts free and without a paywall so that my content is more accessible. If you enjoy my content and would like to support me, please consider buying a paid subscription:
I’ve spent the last few weeks writing about the “Efficiency Reckoning” and why the next generation of security companies might fail. The common thread is that point products are being cannibalized by platforms, and the traditional “per-seat” revenue model is collapsing under the weight of AI-driven headcount reduction.
But as we see this "Software Apocalypse" unfold, an interesting consolidation opportunity is emerging. While many investors are chasing "sexy" AI-security startups, there is a massive, defensible business to be built by gathering the "boring" but essential IT security tools, such as SSO, EDR, and email security, into a single infrastructure platform.
I’ve been tracking the performance of the most recent security IPOs, like Netskope, which debuted in late 2025. While it saw a brief 18% pop, the broader narrative is clear: it’s not a great time to be a traditional security company. To truly succeed in this market, every tool now requires a fundamental AI angle.
In general, SaaS has had a rough showing in the public market. Even previously hot companies like Figma, which rolled out an aggressive AI suite, including Figma Make and Synapse analytics at Config 2025, have seen their shares struggle, trading at a steep premium while the broader sector remains volatile.
It seems that companies enabling AI infrastructure are doing better. But how do you do this as a security company? This gave me the thought that there are a lot of underrated or "subtle" security companies like Cloudflare, which are core to security, their identity isn’t that of a traditional security company.
Microsoft is the other key example. They have a robust and thriving security business, and they’ve done an incredible job of bundling it into the Office 365 ecosystem. It’s honestly quite impressive how they have adapted to the cloud.
This got me thinking: which company can secretly become a more relevant security player in the next few years without anyone realizing it? The title gave it away, but I believe it’s Google. They are the dark horse that could quietly build the foundational security infrastructure for the AI era.
An alternative to Microsoft
Microsoft’s security tools are powerful and well-integrated, but they are often hard to use and specific to companies with employees who have spent their lives in Windows. Much like Salesforce, their usage is predicated on specialized experience rather than intuition. They are built for the legacy IT administrator who wants a turnkey solution, even if it’s proprietary and non-intuitive. There’s still a market for this, and it’s an important one. It was what they had to do to adapt to the cloud and changing enterprise landscape.
But today’s security engineers are builders. They want to use a tool to solve a problem and then move on. They don’t want to lose track of the mission while fighting a complex UI or navigating a “walled garden.” There is a deep, growing desire for a neutral alternative that focuses on problem-solving rather than tool administration.
Today’s AI engineers and security generalists don’t want to “stitch together” closed products; they want to customize on top of a stable infrastructure. Google, by virtue of its software-first heritage, is perfectly positioned to provide this. It also helps that most of the AI engineers grew up using Google products rather than Hotmail (yes!) and Windows.
Efficiency reckoning: scaling without people
We’ve reached a point where security can no longer justify scaling with headcount. As threat surfaces expand exponentially due to AI-driven development, the traditional 1:1 ratio of “more risk = more people” has broken. Security must now scale like an AI company: with code, agents, and highly leveraged generalists.
This is the end of the “tool babysitter.” In the AI era, the value is in problem-solving intuition and the ability to orchestrate agents to remediate risk at machine speed. Data from the 2025 IBM Cost of a Data Breach Report shows that organizations using AI and automation extensively shortened their breach lifecycles by 80 days and lowered costs by $1.9 million compared to those who didn't. To succeed, security teams will need to hire more engineers and move away from manual “click-ops.”
Google’s advantage
This is where Google has a massive advantage: vertical integration. Like Microsoft, Google owns the cloud (GCP), the productivity suite (Workspace), and a world-class AI model (Gemini). They don’t have to worry about cloud economics in the same way a point-product startup does. They can afford to provide the “Security Plumbing” as a baseline infrastructure utility.
Think of Google’s security strategy like Vanta for the enterprise. Vanta became a one-stop shop for “good enough” tools to get you what you need without a dedicated compliance person. Google can do this for IT security. By providing a consolidated stack of “boring” tools (SSO, EDR, Email), they allow a lean, understaffed team to focus on high-level risks like AppSec and CloudSec.
The Wiz acquisition, now fully approved, is a declaration that Google is serious about enterprise cloud security.
Wiz as the “Security Graph”: Wiz provides the baseline visibility, the “Security Graph”, that developers can actually build on top of. If Google allows Wiz to operate as a neutral infrastructure layer, it becomes the foundation for the 80% of new companies that already start on Google Workspace.
The Gemini Catalyst: While Microsoft has the enterprise footprint, Google has the Gemini model. For a builder-engineer, Gemini is a far more intuitive and flexible catalyst for customizing workflows and automating remediation than the more rigid implementations found elsewhere.
I’m not sure if they thought this when they bought Wiz, especially given how behind Gemini was compared to ChatGPT at the time. Here’s my article assessing the deal.
I believe this is a mixture of Theory 1 and Theory 3. However, it didn’t account for how Gemini could be a boost here.
Transitioning to an infrastructure business
Google’s historical failure in the enterprise was a “focus issue.” They weren’t built for enterprise DNA, but AI and the usage-based pricing shift give them a second chance.
Usage-Based Infrastructure: Google can lead the shift from “per-seat” to infrastructure-based pricing, aligning with their cloud heritage. This removes the “per-head” efficiency tax and makes security a utility rather than a discretionary SaaS expense.
Acquiring Cachet: To complete the roll-up, Google should acquire a few more builder-focused startups with real cachet. This gives the builder persona everything they need in one intuitive, API-first platform. Some ideas are Material Security for email security, SentinelOne for EDR (this was something Wiz was already exploring), and Okta or Teleport for identity. Google currently lacks strong capabilities and technologies in this area.
Conclusion
The “Software Apocalypse” will consume the point products that can’t justify their headcount. But it will also create a new giant: a platform that understands that the next generation of security leaders isn’t administrators — they are engineers.
Google secretly has a chance to be the most interesting security company of the decade. By catering to the builders and providing a vertically integrated, neutral infrastructure, they will build a parallel and thriving security business similar to what Microsoft did after it focused on the cloud, except they are doing it in the AI era.