The cybersecurity playbook every software company should be studying right now

The software sector’s bruising first quarter of 2026 had little to do with how these companies are performing right now. Goldman Sachs Research traced the selloff to something harder to price: long-term doubt. As AI applications multiply, investors have started asking uncomfortable questions about whether today’s software business models can survive, and whether the moats protecting them are as deep as everyone assumed.

Goldman Sachs software analyst Gabriela Borges thinks there’s a way through, and she points to an unlikely model. Cybersecurity companies have spent a decade fending off existential threats from adversaries who don’t take days off. That experience, she argues, has produced exactly the kind of adaptive muscle the rest of the software industry now needs. US cybersecurity stocks are trading at a 24% premium to the broader software sector this year, measured by enterprise value to forward sales as of April 15. That gap isn’t accidental.

“Over the last 10 years, cybersecurity firms have been dealing with existential threats,” Borges says. “Now they show what good innovation and durable moats look like over time. They set a good bar for the larger software industry.”

What follows is a conversation with Borges on what the security sector gets right, how technical debt became an investor concern, and what it means when a moat stops working.

Why are cybersecurity companies better equipped than most to absorb a shock like AI?

The core difference is that R&D in cybersecurity is more revolutionary than evolutionary, by necessity. You’re not building against a static target. There’s an active adversary on the other side, constantly probing for weaknesses, constantly trying to make your product irrelevant. You can’t iterate your way out of that. A security tool that’s slightly faster than last year’s version doesn’t protect anyone.

SaaS companies, for the most part, haven’t operated in that kind of environment. They’ve had the luxury of building incrementally. Security firms haven’t had that luxury, which means when a genuinely disruptive force arrives, they already know how to respond. They’re battle-tested in a way that most software companies simply aren’t.

How do they actually stay ahead?

The best platforms have learned to be honest about the limits of their own roadmaps. Rather than assuming they can develop every capability in-house, they watch the startup pipeline closely, identify what they can’t build quickly enough on their own, and acquire it.

But the acquisition itself is only half the work. What separates the leading firms is how they integrate. I follow one company that spent 18 months absorbing a business that was generating just $10 million in revenue. Eighteen months sounds slow. By the time they launched the integrated product, it scaled immediately. Customers understood what it did and trusted it from day one. Five years on, that acquired capability sits at the center of a business generating more than $500 million. That’s what disciplined integration looks like, and it’s very different from bolting a startup onto your platform and hoping the seams hold.

Should software companies follow the same playbook?

Yes, and I’d take it a step further. For most software companies, it makes more sense to let the venture capital ecosystem fund next-generation innovation rather than try to build everything internally. Let the startups take the early risk. Then leadership teams can identify what’s actually working, acquire the best of it, and do the integration properly.

What else needs to change?

The first thing any software company should do is get honest about its technical debt.

For anyone not steeped in engineering culture, what does that actually mean?

Technical debt is what accumulates when a company’s codebase becomes a patchwork. It happens through acquisitions that never get fully absorbed, through internal teams that weren’t talking to each other, through the kind of shortcuts that make sense under deadline pressure but compound over time. The result is a platform where different pieces were written in different ways, held together by workarounds rather than architecture.

Think of it as the difference between a two-year renovation done properly and a two-month job where someone just painted over the problem. The platform looks functional until you try to build something sophisticated on top of it.

That’s exactly the situation facing companies that want to integrate AI tooling. You cannot build reliably on a foundation that isn’t coherent. Managing technical debt is moving up the list of things investors are actually scrutinising now.

There’s a recurring argument that AI will make the SaaS model obsolete. Is that overstated?

Mostly, yes. The traditional model, pricing software by seat count, isn’t disappearing. What’s changing is that seat-based licensing is being combined with outcome-based pricing. The companies getting this right are offering bundled pricing that folds AI functionality in, while giving customers some flexibility in how they use it. Pricing will be disruptive at the margins, but I don’t think it’s the central threat investors are treating it as. Competition is the real concern.

In what sense?

This correction is different from previous ones because the underlying business metrics, churn, demand signals, core KPIs, haven’t meaningfully deteriorated. What’s changed is the question investors are asking about the future: will today’s software architectures actually support AI, and are these companies’ competitive positions as durable as they look?

The LLM landscape is shifting quickly. The bar for offering a genuinely differentiated product keeps rising. Every company in the space is being asked, often for the first time, to justify its differentiation on first principles. Why is this product better? What makes that advantage last?

How will investors tell the difference between companies that can answer those questions and those that can’t?

We’ve been framing it as good sticky versus bad sticky. Good sticky is what you have when customers stay because they genuinely want to, because the product is improving, because it makes their work better, because they’d miss it if it were gone. Bad sticky is something else entirely. The customer is locked in, not loyal. They’re staying because migration is painful, because the software has absorbed too many of their internal policies and protocols to walk away from easily. They’re not happy. They’re just trapped.

What AI is doing is dissolving bad sticky faster than anyone expected. New entrants don’t carry legacy constraints. They start from scratch, which in this environment is an advantage. A clean architecture can absorb AI tooling far more readily than a platform held together by years of accumulated compromises.

Can the incumbents compete with that?

That’s the question they need to answer with results, not reassurances. The incumbents have real advantages: years inside specific industries, deep familiarity with how enterprises actually operate, relationships built over decades. That knowledge is genuinely valuable. But saying you have domain expertise and proving it through better products are two different things.

If those advantages are real, use them to build something a new entrant can’t. Solve the AI integration question, and the pricing debate becomes secondary. Solve it badly, and no amount of installed base is going to protect you.
