
Australia's $7.5B cybersecurity market: scale vs local split
Enterprises will spend AU$7.5B on cybersecurity in 2026. Global platforms dominate yet consolidation splits the market between scale and local sovereign accountability.

Australian enterprises are on track to spend more than AU$7.5 billion on information security this year, a 9.5 percent increase that makes cybersecurity the hardest-to-cut line item in the corporate technology budget. “Despite an uncertain business environment, cybersecurity remains one of the top technology investment priorities for organizations in Australia this year,” Richard Addiscott, VP Analyst at Gartner, told the firm’s Sydney briefing in March. Persistent ransomware campaigns and AI-amplified phishing have made the spend non-negotiable. But so has something quieter: a regulatory environment that now treats cyber failure as a board-level governance problem, not an IT one.
Security software alone will grow 12.3 percent to AU$3.3 billion in 2026, the fastest-growing segment of the market. Gartner now projects that more than three-quarters of enterprises will be using AI-amplified cybersecurity products for most use cases by 2028, up from fewer than 25 percent in 2025. That adoption curve is reshaping which companies get the cheques. It is also obscuring a structural split in the market that the spending numbers do not capture.
CrowdStrike and Palo Alto Networks dominate the endpoint and network security segments respectively. CrowdStrike’s Falcon platform is the de facto EDR standard across Australian enterprise, and Palo Alto’s Prisma and Cortex suites have become the reference architecture for network detection and response. Zscaler has ridden the zero-trust wave into a growing roster of Australian cloud-first organisations that no longer want to backhaul traffic through a corporate data centre. Check Point and Cisco round out the top tier, though they increasingly compete on services wrappers rather than raw feature count.
That describes demand from the enterprise side.
Look at who runs penetration tests, staffs 24/7 SOCs, and triages incidents at 2 a.m., and the picture of who matters in Australian cybersecurity shifts. “AI accelerates reconnaissance, vulnerability discovery, and phishing generation,” Mohammed Khalil, cybersecurity architect at DeepStrike, wrote in a market overview published this year. “However, meaningful adversary simulation still requires manual exploit validation, contextual analysis, and business logic testing.” DeepStrike has built a PTaaS (Penetration Testing as a Service) model that integrates continuous testing into CI/CD pipelines — the kind of capability that a global managed-services contract typically prices out of mid-market reach.
KMTech, an MSSP serving more than 200 Australian organisations, has positioned similarly around depth over brand scale. KMTech operates a 24/7 SOC and has built its compliance practice around Essential Eight maturity — the company delivers Level 2+ alignment, the practical baseline for entities regulated under APRA CPS 234 and the Security of Critical Infrastructure Act. For mid-market enterprises that cannot justify a CrowdStrike-plus-Accenture budget, KMTech and Borderless CS — a boutique VAPT and SOC provider with ISO 27001:2022 and CREST ANZ accreditation — represent a credible alternative that does not outsource accountability offshore.
The market, however, is not a clean local-versus-global binary — and the biggest event of 2026 has scrambled the categories in ways that make the old taxonomy unusable.
CyberCX, the country’s largest pure-play cybersecurity firm with more than 1,400 staff and a government footprint that touched nearly every federal department, was acquired by Accenture in February in a deal reportedly worth north of AU$1 billion. The acquisition created a local-sovereignty debate that has not settled.
“Vertex remains a 100 percent Australian-owned and operated organisation,” Martin Boyd, founder of Vertex Cyber Security, wrote in a blog post that framed the consolidation wave as a sovereignty problem. Boyd previously led cybersecurity at Commonwealth Bank, and his argument carries weight in regulated sectors where supply-chain risk assessments now ask who ultimately controls the vendor. But it also serves a commercial purpose for a smaller local player, and the reality of how CyberCX operates post-acquisition is still unfolding.
Tesserent faces the same question. Acquired by French defence contractor Thales in 2023 and now branded Thales Cyber Services ANZ, it is CREST-accredited, IRAP-assessed, and aligned to ISO 27001 and PCI DSS — the default compliance-driven testing and advisory partner for regulated sectors. Thales ownership has not obviously degraded its delivery — the firm’s red-team exercises remain among the most rigorous in the market. But when the parent is a foreign defence contractor, the chain of control in a national-security incident is at best opaque.
That split defines the Australian cybersecurity market. On one side, global platforms and global services giants offer scale, R&D depth, and AI-amplified tooling that local firms cannot match. On the other, a cohort of Australian-owned and operated specialists argues that depth matters more than breadth — and that manual exploitation skill and local accountability beat a global dashboard.
Regulation makes this calculus sharper still. Taken together, the Australian Signals Directorate’s Essential Eight maturity framework, APRA’s CPS 234, the SOCI Act’s critical-infrastructure obligations, and the Privacy Act’s “reasonable steps” test mean that buying cybersecurity in Australia is not a procurement decision so much as a compliance posture. A company that selects a vendor without IRAP assessment or Essential Eight alignment is not just taking a technical risk — it is creating an audit finding that the board must disclose. The ACSC’s recent ClickFix campaign warning and ASIC’s financial-sector cyber uplift push show the regulator is not waiting.
Orro launched a Continuous Threat Exposure Management service in April, built on Rapid7’s platform and layered with AI-powered vulnerability prioritisation across OT and IT environments. Named Rapid7’s APJ Partner of the Year for 2026, Orro is productising what consultancies have sold as bespoke engagements. The move blurs the line between the manual-specialist camp and the platform-scale camp — which is likely where the market resolves: not a winner-takes-all split, but a spectrum where the right provider depends on the organisation’s size, regulatory exposure, and threat profile.
The market is growing fast enough to support both approaches. Grand View Research pegs the Australian cybersecurity market at a 13.9 percent compound annual growth rate through 2035, reaching around US$9.1 billion by 2033. That trajectory has room for global platforms at the enterprise end and local specialists at the regulated mid-market — provided the local players can hold their talent against Accenture and Thales salaries.
None of this consolidation is finished. The Accenture-CyberCX deal has not been integrated long enough to assess whether the local delivery culture survives the parent-company operating model, and the Thales-Tesserent marriage is still bedding down three years in. If either integration stumbles — if key penetration-testing or incident-response talent walks — the local-specialist argument strengthens overnight. If both succeed, the sovereignty concern becomes harder to sustain against the evidence of competent delivery.
Australian enterprises are not going to spend less on cybersecurity. The budgets keep rising. The threat landscape — ransomware groups targeting essential services, state-linked actors probing critical infrastructure, AI-generated phishing that defeats legacy email filters — is not easing. The regulatory environment is tightening, not loosening. And the AI-amplified security tools that Gartner sees in three-quarters of enterprises by 2028 will shift the cost structure of detection and response, but they will not eliminate the need for people who can validate what the algorithms claim to have found.
For Australian buyers in 2026, the question is not whether to spend. It is where the accountability sits when something breaks.
Reza Khalil
Cybersecurity reporter covering breaches, threat intel, and the ACSC beat. Former incident responder. Reports from Canberra.


