The Public Company Landscape
The conventional story goes like this: elite military intelligence training creates a pool of technical talent, that talent spins out into startups, and those startups eventually list on NASDAQ or get acquired by American giants. The story is directionally true. According to data from the Israel National Cyber Directorate, the country has over 400 cybersecurity companies — an astonishing number for a population of under 10 million.
But "over 400 companies" tells you almost nothing useful as an analyst. Most are private. Many are tiny. Some will never produce meaningful revenue. What we can actually analyze are the publicly-listed ones — the firms required to file detailed financial disclosures. And here, the universe shrinks dramatically.
Check Point — Still the Anchor, But Growth Has Flattened
Check Point Software Technologies (NASDAQ: CHKP), founded in 1993 by Gil Shwed, remains the original Israeli cyber giant. Its 2024 annual report filed with the SEC shows approximately $2.4 billion in annual revenue, making it by far the largest publicly-listed Israeli cyber firm. The company is profitable. It generates strong cash flow. It pays a modest dividend.
But the growth story has cooled. Revenue growth has been in the low single digits for several years. The company's 10-K filings show a business that is mature, well-managed, and increasingly reliant on share buybacks to drive earnings-per-share rather than organic top-line expansion. That's not a criticism — it's what mature software companies do. But if you're looking for the hyper-growth Israeli cyber narrative that dominates tech media, Check Point's actual SEC filings tell a different story: a steady, conservative, cash-generative enterprise that happens to be Israeli.
One thing that does stand out in Check Point's disclosures is its geographic revenue mix: roughly 45% Americas, 40% Europe, 15% Asia-Pacific and rest of world. The company is genuinely diversified in a way that shields it from regional economic downturns — a structural advantage that matters more than most investors realize.
CyberArk — The Quiet Compounder
CyberArk (NASDAQ: CYBR) has followed a different trajectory entirely. Where Check Point is broad-based network security, CyberArk dominates a narrow but essential niche: privileged access management (PAM). When a hacker compromises a system administrator's credentials, they've effectively got the keys to the kingdom. CyberArk's entire product suite is built around preventing that scenario.
And the numbers reflect this focus. The company's 2024 10-K filing shows revenue growing at roughly 25% year-over-year, with subscription ARR growing even faster as the company transitions customers from perpetual licenses to SaaS. Gross margins hover around 80%. The operating margin story is less clean — CyberArk has been investing heavily in sales and marketing, and the GAAP operating income line has been negative in some quarters — but the underlying unit economics are healthy.
CyberArk also illustrates something important about Israeli cyber companies that doesn't get enough attention: the power of a narrow beachhead. Rather than trying to build a platform that does everything, CyberArk owned PAM so thoroughly that it became the default choice. When identity security became a board-level priority after high-profile breaches at SolarWinds and Colonial Pipeline, CyberArk was perfectly positioned. The lesson: focus beats breadth in cybersecurity, at least until you've truly won a category.
Wiz and the Cloud Security Land Grab
You can't discuss Israeli cybersecurity in 2025 without addressing Wiz — even though Wiz is still private. Founded in 2020 by former Microsoft cloud security architects, Wiz reached a $12 billion valuation faster than almost any enterprise software company in history. In 2024, it reportedly turned down a $23 billion acquisition offer from Google.
Since Wiz doesn't file public financial statements, we can't verify its numbers. But the signals from the broader market are useful. Wiz's rapid ascent tells you that (a) cloud security has become a massive, urgent category, and (b) the market believes Israeli teams have a structural advantage in building for this space. Wiz competes directly with Palo Alto Networks' Prisma Cloud and CrowdStrike's Falcon Cloud Security — both American platforms — and the fact that it's winning significant enterprise deals against those incumbents suggests the product quality is real.
However, here's what the public data doesn't tell us about Wiz: revenue, gross margin, customer count, net retention rate, burn rate, path to profitability. Until it files an S-1, we're all operating on partial information. The same caution applies to other prominent private Israeli cyber firms like Orca Security, Aqua Security, and Cyera. Their PR is excellent. Their numbers are invisible.
What the Numbers Show: A Sector-Level View
When you aggregate data from the public filings of the largest Israeli cyber companies, patterns emerge. The table below compares key financial metrics drawn from the most recent annual SEC filings and quarterly reports available as of early 2025.
| Company | Approx. Annual Revenue | YoY Rev Growth | Gross Margin | Op. Income Margin |
|---|---|---|---|---|
| Check Point (CHKP) | ~$2.4B | ~4% | ~88% | ~43% |
| CyberArk (CYBR) | ~$750M | ~25% | ~80% | ~-2% (GAAP) |
| SentinelOne (S) | ~$700M | ~35% | ~74% | ~-28% (GAAP) |
| Radware (RDWR) | ~$260M | ~-5% | ~82% | ~-8% |
Source: SEC EDGAR filings — 10-K annual reports and most recent 10-Q quarterly reports for each company. Figures approximate, rounded for readability. See References section for direct filing links.
What jumps out: only two of four are showing meaningful revenue growth, and only one — Check Point — is posting significant GAAP operating profits. SentinelOne's growth rate is the highest, but it's also burning the most cash. CyberArk sits in an interesting middle ground: growing fast, close to breakeven on a non-GAAP basis, but still investing heavily in sales capacity.
Revenue Quality vs. Quantity
Growth rate by itself is a blunt instrument. In cybersecurity, you need to separate product revenue from services revenue, and within product, you need to separate recurring subscription revenue from perpetual license sales. Services revenue — consulting, implementation, managed detection and response — tends to carry lower margins and is less sticky. Subscription revenue, in contrast, produces predictable, compounding growth if retention rates are high.
Check Point's disclosures show a relatively balanced mix. CyberArk has been aggressively shifting toward subscription, a transition that temporarily depresses reported revenue but builds a much more valuable revenue base over time. SentinelOne was born cloud-native, so its revenue is overwhelmingly subscription from day one — the flip side being that the company has never demonstrated it can operate profitably at scale.
The single most important number in any cybersecurity company's 10-K is net retention rate — how much existing customers expand their spending year over year. If that number is above 120%, the company has a product customers actually want more of over time. Below 100% and you're churning faster than you're expanding. Public companies don't always disclose this metric in a standardized way, which is frustrating, but when they do, it's worth more than any revenue growth headline.
The R&D Spend Question
Here's a pattern I've noticed across multiple Israeli cyber filings: R&D spending grows faster than revenue at the growth-stage companies, and it stays flat at the mature ones. CyberArk spent about 28% of revenue on R&D in its most recent fiscal year. SentinelOne spent closer to 35%. Check Point spent around 12%.
Is higher R&D spending good? It depends entirely on whether that spending produces products the market wants. If you're spending 35% of revenue on R&D and growing revenue at 35%, you're essentially reinvesting every dollar of growth back into the product — which is fine if you're building a durable platform. But if that 35% R&D ratio persists for five years without meaningful operating leverage, you have to ask whether the R&D is being deployed effectively. Cybersecurity is littered with companies that built impressive technology nobody bought in sufficient volume.
Competitive Dynamics Nobody Discusses
Most coverage of Israeli cybersecurity treats it as a standalone story — "Israel vs. the world" — which misses the messier reality on the ground. The actual competitive landscape is increasingly a free-for-all where Israeli firms compete as much with each other and with American platforms as they do with any specific national rival.
The Palo Alto Networks Shadow
Palo Alto Networks (NASDAQ: PANW) deserves special mention because it competes with almost every Israeli cyber company simultaneously. Its Prisma Cloud platform goes head-to-head with Wiz. Its Cortex XDR platform competes with SentinelOne. Its network security business competes with Check Point. And it has a $100 billion-plus market cap, which means it can outspend almost anyone on R&D and sales.
If you're analyzing any Israeli cyber company, the first question to ask isn't "how good is their technology" — it's "how do they differentiate from Palo Alto Networks?" The answer usually determines whether they thrive as an independent public company or eventually get acquired.
Consolidation — Who's Buying Whom
Cybersecurity consolidation has been accelerating, and Israeli firms have been prominent targets. In 2024 alone, multiple Israeli-founded security startups were acquired by U.S. platforms. The pattern is consistent: an Israeli company builds a best-in-class point solution, proves it in the market, and gets absorbed into a larger platform that needs that capability.
For public market analysts, this creates an interesting dynamic. A company like SentinelOne could either grow into a platform (competing with CrowdStrike and Microsoft) or become an acquisition target itself. Both paths have precedent. The problem is that the public filings don't tell you which path management prefers — you have to read between the lines of earnings call transcripts.
What Could Go Wrong
No honest sector analysis skips the risks. For Israeli cybersecurity specifically, there are a few that deserve attention.
Geopolitical instability. Nearly all of these companies have their primary R&D centers in Israel. While they maintain business continuity plans and distributed operations, a prolonged regional conflict could disrupt product development timelines. Public companies generally don't quantify this risk beyond generic language in their 10-K risk factors section, but investors should understand it exists.
Currency exposure. Israeli cyber companies pay most of their engineering salaries in shekels but report revenue in dollars. When the shekel strengthens against the dollar — as it has periodically — reported operating margins compress. Companies hedge some of this exposure, but not all of it. Check Point's filings provide the most detailed currency sensitivity disclosures among the group.
Talent competition. The same concentrated talent pool that makes Israeli cyber possible also makes it expensive. When Wiz raises at a $12 billion valuation, it can offer compensation packages that smaller public companies struggle to match. You can see this playing out in the R&D expense lines — wage inflation is a persistent headwind.
Concentration of value in private companies. The most interesting Israeli cyber stories — Wiz, Orca, Cyera — are not accessible to public market investors. If those companies eventually go public at valuations that already reflect years of expected growth, the public market returns may be muted. This isn't a risk to the companies themselves, but it's a risk to anyone analyzing the sector for investment purposes.
One more thing worth stating explicitly: cybersecurity is inherently adversarial. The threat landscape evolves. What works today might not work tomorrow. Regulatory frameworks like the SEC's cybersecurity disclosure rules (adopted in 2023) are still being interpreted by courts. And the NIST Cybersecurity Framework (the closest thing the industry has to a consensus standard) is itself a living document that, according to the National Institute of Standards and Technology, gets updated as threats change. Anyone who claims to have a permanent view on this sector is either overconfident or selling something.
Bottom line: Israel's cybersecurity sector is real, substantial, and likely to remain globally significant. But the public data shows wide variation in business quality. The companies generating consistent free cash flow (Check Point) look very different from the ones burning cash to capture cloud market share (SentinelOne), and both look different from the focused category leader reinvesting for growth (CyberArk). There's no single "Israeli cyber" story — just individual companies with individual numbers, and the SEC filings are the best tool we have for telling them apart.