---
title: "Cybersecurity Vendor 13Fs: PANW, CRWD, FTNT, S, ZS Reading"
type: learn
slug: cybersecurity-vendor-13f-panw-crwd-ftnt-sentinel-zs-reading
canonical_url: https://13finsight.com/learn/cybersecurity-vendor-13f-panw-crwd-ftnt-sentinel-zs-reading
published_at: 2026-05-15T08:56:31.775Z
updated_at: 2026-05-15T08:56:35.641Z
author: Sarah Mitchell
author_title: Education Editor
author_url: https://13finsight.com/authors/sarah-mitchell
word_count: 577
locale: en
source: 13F Insight
---

# Cybersecurity Vendor 13Fs: PANW, CRWD, FTNT, S, ZS Reading

> The AI cybersecurity threat cycle drives institutional positioning into Palo Alto Networks (PANW), CrowdStrike (CRWD), Fortinet (FTNT), SentinelOne (S), Zscaler (ZS). Morgan Stanley holds PANW at 0.34% portfolio. Jennison holds CRWD at 1.55% portfolio. Here's the framework.

The AI cybersecurity threat cycle has driven sustained enterprise cybersecurity spend acceleration. The five major US-listed pure-play cybersecurity vendors — Palo Alto Networks (PANW), CrowdStrike (CRWD), Fortinet (FTNT), SentinelOne (S), and Zscaler (ZS) — capture the majority of enterprise Next-Generation Firewall (NGFW), Endpoint Detection and Response (EDR/XDR), Secure Access Service Edge (SASE), and cloud-security spending. Institutional 13F positioning across these names reflects the structural enterprise cybersecurity tailwind. Morgan Stanley holds Palo Alto Networks at 0.34% portfolio. Jennison Associates holds CrowdStrike at 1.55% portfolio. Reading the cybersecurity-vendor sector requires understanding the AI-cycle context plus the specific vendor differentiation.The cybersecurity vendor landscapePalo Alto Networks (PANW)Dominant in Next-Generation Firewall (NGFW), XDR (Cortex), SASE, and cloud security (Prisma Cloud). Platform-consolidation strategy under CEO Nikesh Arora has driven multi-year share-take from point-solution competitors. Institutional positioning shows Morgan Stanley at 0.34% portfolio (1.6x index weight overweight) as the cleanest active conviction signal.CrowdStrike (CRWD)Dominant in cloud-native EDR/XDR with the Falcon platform. Post-2024 outage recovery has been the central operational narrative. Jennison Associates holds CRWD at 1.55% portfolio — the cleanest active conviction in cybersecurity.Fortinet (FTNT)Dominant in cost-effective NGFW plus SASE. Founder-led under CEO Ken Xie. Lower-multiple alternative to Palo Alto Networks for institutional positioning.SentinelOne (S)Pure-play EDR competitor to CrowdStrike. AI-driven endpoint detection thesis. Smaller market cap.Zscaler (ZS)Dominant in SASE — Secure Access Service Edge replacing legacy VPN and firewall infrastructure for cloud-first enterprises. Founder-led under CEO Jay Chaudhry.Why institutional managers concentrate in cybersecurity vendorsThree structural drivers:Structural enterprise spend acceleration. AI-driven threats plus regulatory-and-board mandates have shifted enterprise cybersecurity from a discretionary IT-budget item to a board-mandated requirement.Recurring-revenue platform economics. Cybersecurity vendors operate annual recurring revenue (ARR) models with 80%+ gross margins and high net-new-ARR growth rates.Consolidation through M&A. Palo Alto Networks acquires point-solution vendors to integrate features into a unified platform. CrowdStrike acquires complementary capabilities. The consolidation pattern produces multi-year operating leverage.The institutional positioning patternsPattern 1: Growth-equity concentrated overweightsJennison Associates' 1.55% CRWD concentration is the cleanest active growth-equity bet. Concentrated growth-and-quality managers (Jennison, PGIM-affiliated active funds, T. Rowe Price growth strategies) often run cybersecurity vendors at meaningful overweights.Pattern 2: Diversified active overweightsMorgan Stanley, Wellington, Capital Group, and other large diversified active managers run cybersecurity vendors at slight overweights versus index. The conviction is distributed rather than concentrated.Pattern 3: Market-maker inventory in high-options namesPANW, CRWD, and other high-options-volume cybersecurity names attract substantial Susquehanna, Jane Street, Citadel options-paired inventory. Filter for the market-maker tag before reading active conviction.How to read cybersecurity 13F positioningThree rules:Rule 1: Filter market-maker inventory firstHigh-options-volume cybersecurity names (PANW, CRWD) have substantial market-maker inventory in the top of the holder book. Filter for filer-type 'market_maker' tags to identify the active-conviction layer underneath.Rule 2: Watch for concentrated growth-equity overweightsJennison Associates at 1.55% CRWD, Morgan Stanley at 0.34% PANW, and similar single-fund concentrated active positions are the cleanest discretionary conviction signals.Rule 3: Cross-check against enterprise-cybersecurity-spend disclosuresEach vendor's quarterly earnings discloses net-new-ARR growth, customer concentration, and platform-consolidation progress. Cross-check 13F position changes against operational performance.What to trackQuarterly earnings. Net-new-ARR growth, platform-consolidation revenue mix, customer-retention rates for each vendor.Major cyber incidents. AI-enabled attacks on enterprises drive incremental cybersecurity-vendor revenue.Industry consolidation M&A. Palo Alto Networks and CrowdStrike continue to acquire complementary cybersecurity capabilities; each major deal affects competitive dynamics.Q2 2026 13F filings (due August 14, 2026). Watch Jennison, Morgan Stanley, Wellington positions for active conviction shifts. Track via the institutional signals feed.For real-time tracking of cybersecurity-vendor 13F activity, see the institutional signals feed. For related reading techniques on healthcare and exchange-operator cybersecurity exposure, see our healthcare cybersecurity decoder.

## FAQ

### Which companies dominate US enterprise cybersecurity?

Five major US-listed pure-play cybersecurity vendors capture the majority of enterprise security spending: Palo Alto Networks (PANW) — NGFW, XDR, SASE, cloud security; CrowdStrike (CRWD) — cloud-native EDR/XDR via Falcon platform; Fortinet (FTNT) — cost-effective NGFW plus SASE; SentinelOne (S) — pure-play EDR; Zscaler (ZS) — SASE for cloud-first enterprises. Each operates recurring-revenue platform economics with 80%+ gross margins.

### Why does Jennison Associates hold 1.55% in CrowdStrike?

Jennison Associates is the active growth-equity arm of PGIM (Prudential Financial). The 1.55% CRWD portfolio concentration on a $166.6 billion 13F places CrowdStrike inside Jennison's top-30 global positions — a deliberate growth-equity overweight. The thesis includes structural enterprise cybersecurity spend acceleration, recurring-revenue platform economics, post-2024-outage recovery trajectory, and continued share-take from point-solution competitors.

### Why does Morgan Stanley overweight Palo Alto Networks?

Morgan Stanley holds $5.61 billion of PANW at 0.34% of its $1.675 trillion 13F — roughly 1.6x the PANW S&P 500 index weight. The position reflects Morgan Stanley's active equity teams' view that enterprise cybersecurity spend is structurally accelerating, PANW's platform-consolidation strategy extracts share from point-solution competitors, and operating leverage on the recurring-revenue business model produces multi-year margin expansion.

### How do market makers affect cybersecurity-vendor 13Fs?

High-options-volume cybersecurity names (PANW, CRWD) attract substantial market-maker 13F inventory. Susquehanna, Jane Street, Citadel options-paired exposure inflates the apparent institutional ownership without representing directional conviction. Always filter for filer-type 'market_maker' tags before reading active conviction. The active layer typically lives below the market-maker block in the holder table.

### What drives cybersecurity-vendor multi-year growth?

Three structural drivers: (1) Structural enterprise spend acceleration as AI-driven threats plus regulatory-and-board mandates shift cybersecurity from discretionary IT-budget to board-mandated requirement; (2) recurring-revenue platform economics with 80%+ gross margins and high net-new-ARR growth; (3) consolidation through M&A — Palo Alto Networks and CrowdStrike acquire point-solution vendors to integrate features into unified platforms, producing multi-year operating leverage.

### How do I track cybersecurity-vendor consolidation?

Watch four signals: (1) quarterly earnings for net-new-ARR growth and platform-consolidation revenue mix; (2) major cyber incidents driving incremental enterprise cybersecurity-vendor revenue; (3) industry consolidation M&A — Palo Alto Networks and CrowdStrike continue acquiring complementary capabilities, each major deal affects competitive dynamics; (4) Q2 2026 13F filings (due August 14, 2026) for active conviction shifts at Jennison, Morgan Stanley, Wellington.

---

Source: 13F Insight — https://13finsight.com/learn/cybersecurity-vendor-13f-panw-crwd-ftnt-sentinel-zs-reading
Author: Sarah Mitchell — https://13finsight.com/authors/sarah-mitchell
Last updated: 2026-05-15T08:56:35.641Z