Lead
Evercore's research note published on March 27, 2026 (reported by Investing.com) cautioned that cybersecurity stocks are likely to undergo a protracted and uneven bottoming process. The bank highlighted valuation compression and decelerating revenue growth as the principal drivers that will force a multi-quarter re-rating for a cohort of large-cap pure-play vendors. Market participants have already priced in some of that risk: according to Bloomberg data, the leading cyber ETF (ETFMG Prime Cyber Security ETF, ticker HACK) was down roughly 18% year-to-date through March 26, 2026, underperforming the broader Nasdaq 100 in the same window. Evercore’s diagnosis reframes recent weakness not as a uniform sector collapse but as a sequenced reset where winners and laggards diverge on execution, contract cadence, and margin resilience.
The note arrives at a moment when investors are reassessing growth premium multiples across high-growth software subsectors after tighter macro conditions in 2025–26. While headline spending on cloud security and zero-trust architecture remains elevated, pockets of demand have shown volatility tied to macro-driven project delays and a shift from opportunistic proof-of-concepts to procurement discipline. Evercore explicitly warned that the trough is likely to be "bumpy," meaning episodic downdrafts tied to missed guidance or elongated sales cycles could produce pronounced relative underperformance for names priced for perfection. The research is consequential because it signals that credit and equity analysts are adopting a more granular bottom-up approach to fundamental differentiation inside a previously consolidated thematic trade.
Investors and allocators should parse Evercore’s view in the context of objective market signals. Selling pressure has concentrated in names that outperformed most in 2021–23, and there has been observable divergence between security infrastructure incumbents and newer endpoint/cloud-native software providers. Corporate results released in the last two quarters indicate continuing revenue growth but decelerating sequential expansion for many vendors; this dynamic is consistent with Evercore’s expectation of a multi-quarter digestion period. For institutional portfolios that have ridden thematic allocations to cybersecurity, the Evercore note represents a prompt to re-evaluate exposure sizing, benchmark tracking, and liquidity considerations, while avoiding binary assumptions that the sector will bottom uniformly.
Context
The cybersecurity sector’s rapid appreciation from 2020 through 2023 was built on a structural narrative: digital transformation, remote work, and the asymmetric economics of cyber risk created durable demand for subscription-based, cloud-delivered security software. That narrative remains intact; global cybersecurity spending was estimated to exceed $180 billion in 2025 by some industry trackers, up from roughly $150 billion in 2023, reflecting steady multi-year increase in total addressable market. Yet the market’s tolerance for execution variance has narrowed: when revenue growth decelerates from 30%+ to mid-teens, multiples compress quickly, and sentiment shifts can accelerate re-rating. Evercore’s March 27, 2026 note (Investing.com) posits that many names are still priced on stretched growth assumptions, which makes near-term earnings and billings cadence pivotal.
Institutional investors should also place Evercore’s warning alongside macro and capital market dynamics. The Federal Reserve in 2025 signaled a slower pace of disinflation and maintained higher-for-longer real rates, which raise discount rates used to value long-duration software earnings streams. Secondary effects include tighter corporate budgets and longer approval cycles for large security deployments, particularly for multi-year, enterprise-wide rollouts. Capital markets liquidity for smaller cybersecurity IPOs or high-growth secondary financings has also been episodic; deals reprice, and secondary transactions can reset comparable valuations. The confluence of these factors creates the environment Evercore describes: a bumpy path to a sustainable trough rather than a clean V-shaped rebound.
Historically, similar re-rating processes have occurred when secular growth narratives meet macro tightening: examples include the cloud infrastructure pullback in late 2018 and parts of the SaaS drawdown in 2022. Those episodes show that the eventual recovery often disproportionately rewards companies that preserve gross margin, maintain net retention, and demonstrate durable ARR expansion. Evercore’s note implicitly signals that investors should triangulate across contract metrics — ARR growth, net retention rate, gross margin profile, and billings visibility — to distinguish between resilient franchises and more cyclically exposed vendors. This granular lens explains why the bottoming process will be staggered: not all business models react the same way to weaker new business demand.
Data Deep Dive
Evercore’s observation is supported by several measurable market trends. First, relative performance: the cyber-focused ETF HACK fell about 18% YTD through March 26, 2026 versus the Nasdaq 100’s smaller decline in the same period (Bloomberg LP), indicating meaningful sector-specific pressure. Second, valuation compression: consensus enterprise-value-to-sales multiples for a cross-section of large-cap cyber names have contracted by an estimated 25% from recent peaks, according to aggregate sell-side data compiled in March 2026. Third, guidance slippage: in Q4 2025 and Q1 2026 earnings seasons, a material subset of cyber vendors issued guidance that was either conservative or below prior expectations, prompting multiple intra-quarter downdrafts.
Beyond headline performance, unit economics and billings patterns are illuminating. Several vendors have reported sequential deterioration in new logo acquisition rates and elongating average sales cycles, particularly for deals above $1m ACV. That pattern is consistent with Evercore’s point that procurement discipline, not a lack of need, is delaying near-term revenue recognition. Gross margin trends have also diverged: companies with higher embedded services exposure or heavy on-premise components have seen margins compress faster than cloud-native peers, which supports a discrimination-based approach to bottoming.
Finally, M&A and strategic flows reveal investor behavior: M&A activity in cybersecurity slowed in late 2025 versus 2024, with private equity and strategics re-pricing bid levels. Deal volumes in 2025 were lower by a mid-single-digit percentage versus 2024 in dollar terms, per sector transaction trackers, suggesting an appetite asymmetry where only high-certainty assets command strategic valuations. That cautious approach by acquirers aligns with Evercore’s view that the sector’s bottom will be uneven, with acquisition interest concentrated on businesses that demonstrate durable cash generation and predictable renewal economics.
Sector Implications
For enterprise software benchmarks and active managers, Evercore’s note suggests a reweighting of the risk-return profile within cybersecurity allocations. Index and ETF investors will see headline performance continue to follow liquidity and sentiment swings, while active managers can exploit dispersion by overweighting names with strong gross margins, high net retention, and clear path to positive free cash flow. The incumbents that have diversified product portfolios and deep, multi-year contracts will likely show greater defensive characteristics than pure-play point-solution vendors that rely on a high-velocity sales model.
Vendor go-to-market strategies are also likely to adapt. Expect increased emphasis on land-and-expand economics, customer success investment, and packaging to shorten procurement friction. Pricing models may shift toward outcomes-based or consumption-tiered plans to lower initial integration friction for large enterprises. These operational changes align with Evercore’s emphasis on execution as the differentiator in a bottoming market: companies that can demonstrably improve renewal and upsell metrics will be rewarded first by the market.
On the buy-side, allocation committees need to revisit liquidity buffers and rebalancing triggers. The bumpy bottoming process Evercore describes implies episodic drawdowns that can stress concentrated thematic allocations; portfolio construction should incorporate tighter stop-loss discipline, staggered re-entry frameworks, or volatility-aware sizing. Passive exposure via ETFs will continue to reflect headline capital flows, which can amplify short-term volatility; thus active management and rigorous fundamental analysis are likely to outperform in an environment of dispersion.
Risk Assessment
Key risks to Evercore’s thesis are twofold: first, a sudden macro softening that materially reduces enterprise IT spend and, second, a geopolitical or large-scale cyber incident that either accelerates spending or creates winners and losers unpredictably. A material macro deterioration could push the bottoming process from bumpy to prolonged, while a systemic cyber shock (major nation-state attack or widespread worm) could re-accelerate demand and compress the bottoming window. Both outcomes underscore the asymmetric nature of sector risk — downside from valuation resets versus upside from demand shocks.
Data and sentiment risks also matter. If pauses in procurement are temporary and fill quickly, valuation multiples could retrace faster than Evercore anticipates. Conversely, if the near-term guidance cycle continues to deliver downside surprises, multiple compression could outpace fundamental deterioration and create valuation overshoot. For institutional investors, scenario analysis should include both timing and severity dimensions: probability-weighted stress tests that adjust ARR growth, retention, and multiple assumptions provide concrete quantification of portfolio impact.
Finally, liquidity risk for smaller, high-growth cyber names is non-trivial. Trading volumes can evaporate in negative windows, creating slippage for institutional-sized orders. The re-rating process can be non-linear, and model risk around terminal multiple assumptions remains a principal hazard for forward-looking valuations. Risk managers should incorporate execution-cost assumptions and potential holding-period extension into allocation decisions.
Outlook
Evercore’s core point — a bumpy, non-linear bottoming process — is the most probable near-term scenario given current data. For the next 6–12 months, expect ongoing dispersion: high-quality, cloud-native vendors with strong renewals and improving unit economics should outperform low-quality peers where growth is more discretionary. Market participants will likely continue to reward visible, recurring revenue and penalize dependency on large, lumpy transactions that are subject to procurement delays.
Longer term, the structural growth story for cybersecurity remains credible. Cyber risk is expanding with cloud migration, IoT proliferation, and generative AI adoption, which suggests a sizable addressable market over the coming decade. The interplay between secular demand and short-term macro and execution risks will govern near-term returns, creating a tactical environment where active selection and operational metrics matter more than broad thematic exposure.
Institutional investors should integrate Evercore’s timeline into portfolio playbooks: calibrate exposure based on conviction in execution metrics, stress-test for prolonged softness, and consider staggered deployment frameworks that take advantage of episodic dislocations. For deeper reading on related macro-technology themes, see Fazen Capital’s research on cloud infrastructure and SaaS valuation dynamics [topic](https://fazencapital.com/insights/en).
Fazen Capital Perspective
Fazen Capital’s analysis concurs that the cybersecurity sector will not bottom in a single, correlated event; however, we view the current environment as an opportunity for nearer-term alpha through selective active management rather than full-scale de-risking. Contrary to the prevailing narrative that treats the sector as uniformly high-risk, our screens show a subset of vendors with net retention rates above 120%, gross margins north of 70%, and free cash flow conversion improving sequentially — characteristics that historically precede outperformance post-re-rating. These operational metrics, more than headline revenue growth, are our primary signals for distinguishing durable franchises from momentum-dependent vendors.
We also believe M&A could re-emerge as a meaningful catalyst within 9–18 months for assets that demonstrate repeatable unit economics and predictable renewals. Strategic acquirers with strong balance sheets may opportunistically target market-share consolidators at discounted entry points; this dynamic could accelerate recovery for winners. Our view is informed by historical precedents in software consolidation cycles and is supported by the fact that strategic buyers often return when clarity around margins and retention is re-established. For more on our sector allocation framework and scenario-driven research, investors can consult our thematic research hub [topic](https://fazencapital.com/insights/en).
Bottom Line
Evercore’s March 27, 2026 note correctly highlights a heterogeneous, multi-quarter bottoming process for cybersecurity equities; the path to recovery will reward operational resilience and predictable revenue mechanics. Institutional allocations should emphasize active selection, incorporate scenario-driven stress tests, and prepare for episodic volatility.
Disclaimer: This article is for informational purposes only and does not constitute investment advice.
