Hyperscalers’ Cybersecurity Power Grab: Why Cloud Platforms Could Upend the $30 Billion MDR Market

Introduction: Security Is Becoming a Cloud Feature

Cyber defence used to be a vendor-driven game. Independent specialists supplied threat-detection engines, endpoint agents and SIEM dashboards; cloud providers supplied the servers. Those days are numbered.

Google’s headline-grabbing US $32 billion purchase of Wiz signals a strategic shift: hyperscalers are turning security from a third-party add-on into a native feature of their platforms. Amazon GuardDuty, Microsoft Sentinel and Google Chronicle/Defender already ship with always-on threat monitoring, AI-powered identity controls and default encryption. Security is no longer a product line; it’s baked into the bill for compute and storage.


From Partnership to Predation: How We Got Here

| Phase | What Hyperscalers Offered | Independent Vendor Role | Outcome |
|---|---|---|---|
| 2010-14 | Raw compute & storage | Build higher-value services (backup, monitoring, security) | Symbiotic growth |
| 2015-19 | Managed databases & analytics | Optimise, integrate, resell | Vendor differentiation shrinks |
| 2020-24 | AI platforms & DevOps pipelines | Specialised ML tooling, observability, MDR | Hyperscalers launch “good-enough” services |
| 2025-30 (projected) | Embedded security across stack | Niche advisory, vertical IP, incident response | Hyperscalers dominate core security spend |

Cloud giants have repeated the same playbook:

  1. Encourage an ecosystem to validate a new need (back-ups, DBaaS, data lakes).

  2. Observe product–market fit, then launch “good enough” native alternatives.

  3. Bundle and subsidise to increase lock-in, squeezing external vendors on price and margin.

Security is the final—and potentially most lucrative—domain to undergo this gravitational pull.


AI: The Differentiator Outsiders Can’t Match

Hyperscalers possess three unique assets:

  1. Petabytes of native telemetry (logs, API calls, authentication data) invisible to outsiders.

  2. AI research budgets larger than the market caps of most security firms.

  3. Integrated identity fabrics (e.g., Microsoft Entra, AWS IAM) that sit upstream of every workload.

These inputs train models that deliver real-time, adaptive defences—flagging anomalies before an MDR dashboard even ingests the data. Independent vendors can’t replicate that vantage point without root-level access to the cloud fabric.


Case in Point: Rapid7 and the MDR Squeeze

Rapid7—one of the few publicly traded MDR specialists—grew 9 per cent last year to US $844 million. Yet its share price plunged more than 40 per cent. Activist investor Jana Partners is clamouring for a sale or radical pivot. The market is effectively saying: growth is irrelevant if gross margins and retention erode when hyperscalers give similar functionality away for “free.”


What This Means for the Ecosystem

1. MSSPs and MSPs Must Reinvent Themselves

  • Licensing arbitrage is dead. When sentinel-level tooling comes bundled with the hyper-cloud, there’s no margin left in reselling third-party licences.

  • Value shifts to expertise. Regulatory mapping, zero-trust architecture and bespoke response playbooks become the new differentiators.

  • Vertical depth beats breadth. An MSSP with deep healthcare or critical-infrastructure expertise can still command premium fees that the clouds won’t chase.

2. Private-Equity Portfolios Need Re-Underwriting

  • Multiple compression is already visible in recent MDR roll-ups.

  • Exit windows shrink as strategic buyers pause to gauge hyperscaler roadmaps.

  • PE firms must push portfolio companies into sticky adjacencies—compliance-as-a-service, digital forensics, sovereign-cloud consulting—where bundled cloud offerings struggle to reach.

3. National Security Faces a Centralisation Paradox

The same cloud platforms that supply elastic compute to defence contractors now run their security telemetry and response mechanisms. That concentration:

  • Reduces visibility for government watchdogs (provider is judge, jury and SIEM).

  • Creates single points of systemic failure; one exploited update could ripple across logistics, energy and finance.

  • Demands a new oversight model, potentially mandating independent auditing APIs or forcing critical workloads into sovereign or multi-cloud environments.


Regulatory Scrutiny Is Coming, but Will It Be Enough?

Tech antitrust cases in the U.S. and EU already target “self-preferencing” in search and ad-tech. The next front is security bundling. Key questions for regulators:

  1. Are native security tools being cross-subsidised to crowd out rivals?

  2. Do hyperscalers unfairly restrict API or log access that competitors need?

  3. Should core detection and response features be subject to interoperability mandates?

Expect heightened lobbying from cloud vendors to frame bundled security as consumer protection rather than anti-competitive behaviour.


Five-Year Outlook: Adapt or Fade

| Stakeholder | Winning Playbook | Losing Playbook |
|---|---|---|
| MSSPs/MDRs | Specialise, add consulting, focus on incident response retainers | Licence reselling, generic monitoring |
| ISVs | Build cloud-agnostic, API-first niche tools (e.g., OT security) | Duplicate hyperscaler features |
| Enterprises | Adopt crypto-agile, multi-cloud strategies; demand transparency SLAs | Assume “one-cloud-fits-all” security |
| Regulators | Enforce interoperability, require third-party auditing portals | Rely on ex-post fines after consolidation |
| Investors | Back firms in compliance, forensics, supply-chain resilience | Double down on commoditised MDR roll-ups |

Action Items for CISOs Today

  1. Map overlap. Audit which third-party tools duplicate emerging native functionality in AWS, Azure or Google Cloud.

  2. Negotiate EDP clauses. Use enterprise discount program renewals to lock in roadmap visibility and price protection.

  3. Demand transparency. Insert contractual language for independent log export, continuous compliance evidence and notification of major architectural changes.

  4. Plan a multi-provider fail-over. Assume one hyperscaler outage or breach could trigger a sector-wide incident.

  5. Upskill teams on platform-native tooling—before sun-setting redundant licences.


Conclusion: The Clock Is Ticking

The consolidation of cybersecurity into hyperscale cloud platforms isn’t a distant possibility; it’s unfolding in real time. Google’s multibillion-dollar Wiz buyout is the clearest signal yet that security has become inseparable from cloud infrastructure—and the hyperscalers intend to own it.

Vendors, investors and policymakers have a narrow window—perhaps five years—to redefine where they add value. Those who pivot toward advisory depth, vertical specialisation and independent assurance will survive. Those who cling to tool-centric, licence-resale models risk becoming collateral damage in a silent, rapid realignment of power.

The future of cybersecurity will be cloud-native, AI-driven and platform-controlled. The question is whether the wider ecosystem can adapt before the next phase of consolidation locks them out for good.
