Cybersecurity ETFs: AI’s Promise and Peril

Cybersecurity ETFs: AI’s Promise and Peril

The artificial intelligence race for cyber control is on and the stock market is watching closely.

Reviewed by: Lisa Barr
Edited by: Lisa Barr

AI is a double-edged sword for the cybersecurity industry as it oozes into society’s every nook and cranny.  

In the short term, it means new threat profiles, more work and less profitability as hackers deploy ultra-nuanced phishing, key encryption breaks and deepfake identity theft at a mass scale. In the longer term, however, it means far more corporate spending on the sector, as it affects every corner of American life.  

The Biden administration last week announced its “U.S. Cyber Trust Mark” program, a new certification that will place a shield logo on the consumer devices that offer the best protection. Among them are smart refrigerators, health trackers, home heating systems and other utilities and devices. A day later, GPT Zero founder Edward Tian was on CNBC, describing how his AI detection tools will help banks and schools keen on distinguishing meaningful work from fraud.  

Whether it is your business data, your Fitbit or your sixth grader’s social studies paper, the AI race for cyber control is on, and the stock market is assessing the opportunity.  

Cybersecurity ETFs 

The effect is already evident. Year to date, the five cybersecurity ETFs that represent the “pure play” bets on the industry are all up substantively. They are the First Trust NASDAQ Cybersecurity ETF (CIBR), the WisdomTree Cybersecurity Fund ETF (WCBR), the Global X Cybersecurity ETF (BUG), the ETFMG Prime Cyber Security ETF (HACK) and the iShares Cybersecurity and Tech ETF (IHAK)



This is because the topline gains of many cybersecurity firms are breathtaking: Zscaler has seen its revenue jump 500% since 2020, while CrowdStrike’s is up 870% during the same period.  

That growth is enticing, but it also attracts competition—both from big tech (see Microsoft’s recent Entra Verified ID announcement) and startups like Netskope Inc., Wiz and Snyk. These new entrants will pressure incumbents with higher research and development spending, although they are unlikely to overtake them. In fact, the new era of high interest rates and market saturation could make them rollup targets for the existing players. 

Despite the likelihood of some eventual shakeout, cybersecurity is here to stay. McKinsey estimates that, based on the escalation of AI-enabled attacks, the global costs of cybercrime could hit $10.5 trillion by 2025.  

Top-notch security is non-negotiable. 

Cybersecurity ETFs Holdings 

With more than $5.1 billion in AUM, CIBR is the biggest of the funds, with ample liquidity and a tight bid/ask. Following the Nasdaq CTA Cybersecurity Index, a modified liquidity-weighted index, the ETF is stacked with older profitable companies like Fortinet, Palo Alto Networks Inc., Broadcom Inc. and Cisco Systems Inc.  

HACK, in contrast, follows Solactive’s Prime Cyber Defense Index, which caps tickers at 5% and welcomes even tiny companies with a $95 million market cap.  




WCBR’s WisdomTree Team8 Cybersecurity Index offers the most interesting methodology: It weights all selections based on focus and growth scores, privileging those with measurable “broad focus” and revenue CAGR of 20% or higher.  

This explains why its top holding is Datadog, a cloud monitoring player and a ticker that does not even show up in the top 10 of the other ETFs. Datadog has a B2B SaaS observability platform much beloved by engineers. It was upgraded recently by Wolfe Research due to its “AI tailwinds” (i.e., AI helps to expedite threat emergence recognition). It has delivered a revenue CAGR of 66% since 2017.  

Cybersecurity is a niche sector of tech, and these pure-play ETFs generally share a select number of companies. BUG, for example, has only 24 holdings, the top 10 of which comprise 58% of the fund, while HACK tops out at 57 tickers.  




Most firms included in all five funds are engaged in the two biggest, ongoing trends within the industry: 1) the transition from on-premises firewall and endpoint protection to off-premises cloud servicing; and 20 the rollout of zero-trust strategies.  

On-premises titans such as Broadcom and Cisco are feeling pressure from Zscaler’s expertise in secure web gateway and VPN/ZTNA. Established firewall companies like Fortinet, SentinelOne Inc. and Palo Alto are now exploring software-defined wide area networks, while CrowdStrike distinguishes itself with one of the few 100% cloud-based architectures.  

The new zero-trust model focuses on internal threats, such as hackers stealing someone's security credentials. Eighty percent of illicit computer access stems from phishing.  

This is now exploding, as generative AI gives hackers “mass personalization” tools and quantum computing provides far easier “encryption key busting.” In this effort, Darktrace offers its Enterprise Immune System product, while Okta Inc. and CyberArk provide very high-end identity management tools.  

In hindsight, the time to have bought the cybersecurity ETFs was Jan. 5, 2023. All five ETFs had topped out on Nov. 10, 2021, and proceeded to lose 32% to 51% of their value in the ensuing 14 months: 




The ETFs are still down from their all-time highs, but the problem with the sector is how lofty the prices have become. CIBR’s price-to-earnings ratio of 22.3 is not high for this group of funds: HACK’s is 61.52, IHAK’s 172.46; and the big positions in not-yet-profitable firms like CrowdStrike have BUG and WCBR with negative P/E ratios (-147.02 and -59.78 respectively). With companies like Datadog having a P/E of 98 and Zscaler with a P/E of 95, they may be simply too expensive to justify.  

One can argue that Microsoft was only technically cheap for about eight days during the entire decade of the 1990s. Those who bet most broadly (via ETFs) on the digitization of work 30 years ago received great rewards. 

Corporate spending on cybersecurity is clearly galloping, with the market expected to grow 13.8% a year this decade and reach $424 billion by 2030. A ubiquitous digital economy means ubiquitous digital crime, and the race to contain its new generative AI manifestations will be vastly profitable for a few companies in this industry.  

Sean Daly writes on ETFs, biotech and wealth management. He was educated at Columbia University and has taught international finance, computing and financial risk management at Pace, Tulane and Princeton. Follow him on Twitter (X) via @Sean_Daly_.