Cybersecurity Vendor 13Fs: PANW, CRWD, FTNT, S, ZS Reading

The AI cybersecurity threat cycle has driven sustained enterprise cybersecurity spend acceleration. The five major US-listed pure-play cybersecurity vendors — Palo Alto Networks (PANW), CrowdStrike (CRWD), Fortinet (FTNT), SentinelOne (S), and Zscaler (ZS) — capture the majority of enterprise Next-Generation Firewall (NGFW), Endpoint Detection and Response (EDR/XDR), Secure Access Service Edge (SASE), and cloud-security spending. Institutional 13F positioning across these names reflects the structural enterprise cybersecurity tailwind. Morgan Stanley holds Palo Alto Networks at 0.34% portfolio. Jennison Associates holds CrowdStrike at 1.55% portfolio. Reading the cybersecurity-vendor sector requires understanding the AI-cycle context plus the specific vendor differentiation.

The cybersecurity vendor landscape

Palo Alto Networks (PANW)

Dominant in Next-Generation Firewall (NGFW), XDR (Cortex), SASE, and cloud security (Prisma Cloud). Platform-consolidation strategy under CEO Nikesh Arora has driven multi-year share-take from point-solution competitors. Institutional positioning shows Morgan Stanley at 0.34% portfolio (1.6x index weight overweight) as the cleanest active conviction signal.

CrowdStrike (CRWD)

Dominant in cloud-native EDR/XDR with the Falcon platform. Post-2024 outage recovery has been the central operational narrative. Jennison Associates holds CRWD at 1.55% portfolio — the cleanest active conviction in cybersecurity.

Fortinet (FTNT)

Dominant in cost-effective NGFW plus SASE. Founder-led under CEO Ken Xie. Lower-multiple alternative to Palo Alto Networks for institutional positioning.

SentinelOne (S)

Pure-play EDR competitor to CrowdStrike. AI-driven endpoint detection thesis. Smaller market cap.

Zscaler (ZS)

Dominant in SASE — Secure Access Service Edge replacing legacy VPN and firewall infrastructure for cloud-first enterprises. Founder-led under CEO Jay Chaudhry.

Why institutional managers concentrate in cybersecurity vendors

Three structural drivers:

1. Structural enterprise spend acceleration. AI-driven threats plus regulatory-and-board mandates have shifted enterprise cybersecurity from a discretionary IT-budget item to a board-mandated requirement.
2. Recurring-revenue platform economics. Cybersecurity vendors operate annual recurring revenue (ARR) models with 80%+ gross margins and high net-new-ARR growth rates.
3. Consolidation through M&A. Palo Alto Networks acquires point-solution vendors to integrate features into a unified platform. CrowdStrike acquires complementary capabilities. The consolidation pattern produces multi-year operating leverage.

The institutional positioning patterns

Pattern 1: Growth-equity concentrated overweights

Jennison Associates' 1.55% CRWD concentration is the cleanest active growth-equity bet. Concentrated growth-and-quality managers (Jennison, PGIM-affiliated active funds, T. Rowe Price growth strategies) often run cybersecurity vendors at meaningful overweights.

Pattern 2: Diversified active overweights

Morgan Stanley, Wellington, Capital Group, and other large diversified active managers run cybersecurity vendors at slight overweights versus index. The conviction is distributed rather than concentrated.

Pattern 3: Market-maker inventory in high-options names

PANW, CRWD, and other high-options-volume cybersecurity names attract substantial Susquehanna, Jane Street, Citadel options-paired inventory. Filter for the market-maker tag before reading active conviction.

How to read cybersecurity 13F positioning

Three rules:

Rule 1: Filter market-maker inventory first

High-options-volume cybersecurity names (PANW, CRWD) have substantial market-maker inventory in the top of the holder book. Filter for filer-type 'market_maker' tags to identify the active-conviction layer underneath.

Rule 2: Watch for concentrated growth-equity overweights

Jennison Associates at 1.55% CRWD, Morgan Stanley at 0.34% PANW, and similar single-fund concentrated active positions are the cleanest discretionary conviction signals.

Rule 3: Cross-check against enterprise-cybersecurity-spend disclosures

Each vendor's quarterly earnings discloses net-new-ARR growth, customer concentration, and platform-consolidation progress. Cross-check 13F position changes against operational performance.

What to track

1. Quarterly earnings. Net-new-ARR growth, platform-consolidation revenue mix, customer-retention rates for each vendor.
2. Major cyber incidents. AI-enabled attacks on enterprises drive incremental cybersecurity-vendor revenue.
3. Industry consolidation M&A. Palo Alto Networks and CrowdStrike continue to acquire complementary cybersecurity capabilities; each major deal affects competitive dynamics.
4. Q2 2026 13F filings (due August 14, 2026). Watch Jennison, Morgan Stanley, Wellington positions for active conviction shifts. Track via the institutional signals feed.

For real-time tracking of cybersecurity-vendor 13F activity, see the institutional signals feed. For related reading techniques on healthcare and exchange-operator cybersecurity exposure, see our healthcare cybersecurity decoder.