Morgan Stanley delivered a lineup of five cybersecurity companies it considers well placed to benefit from rising demand for artificial intelligence security and identity protection. The conclusions follow direct discussions with company leadership and key observations from the RSA Conference, a major industry gathering.
The firms singled out by Morgan Stanley span platform incumbents and more-focused security vendors. Across those companies, the bank highlighted initiatives that treat AI agents as first-class security entities, investment in kernel-level telemetry and proprietary sensors, and new governance layers aimed at real-time policy enforcement for AI traffic.
Microsoft
Morgan Stanley said its view on Microsoft is incrementally positive after conversations with the company’s security leadership. Microsoft is positioning agent governance and extending identity protections to AI agents as core elements of its security strategy. The bank noted that Security Copilot has been integrated as embedded, workflow-native agents across key Microsoft security products including Defender, Purview, and Entra.
Microsoft’s security footprint remains sizable by Morgan Stanley’s account - roughly 1.6 million customers and an estimated $20 billion revenue run rate. The bank flagged Sentinel and identity services as crucial platform anchors, and it sees adoption of E5 licensing as a leading driver of security revenue growth.
Palo Alto Networks
Morgan Stanley described Palo Alto Networks as well positioned for the AI security transition. The firm is building a multi-faceted approach anchored by Prisma AIRS, which is focused on securing the agent lifecycle; Morgan Stanley reported more than 100 early customers for that offering. Palo Alto’s new AI Gateway is presented as a governance layer intended to enforce real-time policies on AI traffic.
On the security information and event management front, Palo Alto’s XSIAM product is designed to ingest deep telemetry - Morgan Stanley cited roughly 17TB per day - and serves more than 600 customers, with net revenue retention above 120 percent. The bank also noted several new product introductions from Palo Alto, including an updated Prisma Browser aimed at securing autonomous AI agents and a platform designed to automate digital certificate management.
CrowdStrike
Morgan Stanley upgraded CrowdStrike to a top pick, pointing to its proprietary telemetry and kernel-level visibility as competitive strengths. Management told the bank that a significant portion of SIEM data originates from CrowdStrike’s sensors. CrowdStrike highlighted Falcon AIDR for prompt-layer protection and the launch of Agentworks to boost analyst productivity.
The bank also noted traction for Falcon Flex, which is being used as a consolidation enabler and is associated with an average selling price uplift of roughly 48 percent in re-flex scenarios. CrowdStrike introduced the Charlotte AI AgentWorks Ecosystem to support custom AI security agents, with partnerships that include Amazon Web Services and NVIDIA. The company has also expanded collaboration with Intel to optimize its Falcon platform for AI-powered PCs.
SailPoint
Morgan Stanley views SailPoint as a near-term beneficiary of identity security buildouts tied to agentic AI. The bank reported that AI-oriented solutions accounted for 17 percent of SailPoint’s net new annual recurring revenue in the fourth quarter. It also highlighted a sizable migration opportunity: roughly $350 million in perpetual and term licenses that could convert at a two to three times uplift, implying about a $1 billion top-line opportunity over time.
SentinelOne
Morgan Stanley maintained a more cautious Equal-weight rating on SentinelOne. Company management emphasized kernel-level telemetry as a differentiator and expressed skepticism regarding traditional SIEM architectures. Guidance from SentinelOne was described as measured, with the midpoint of FY27 revenue growth near roughly 20 percent, although management pointed to improving pipeline trends as an indicator that growth could re-accelerate.
SentinelOne also announced an expanded multi-year collaboration with Google Cloud intended to build integrated security solutions, and it named Barry Padgett as its new president and chief operating officer.
The companies highlighted by Morgan Stanley collectively illustrate the market’s focus on governance for AI agents, identity protections, deep telemetry and sensor-driven security data. Morgan Stanley’s analysis draws attention to both platform trees - where identity and SIEM play anchoring roles - and point-solution strengths such as kernel-level visibility and agent lifecycle controls.
Investors and enterprise buyers considering exposure to AI-driven security demand will likely weigh Microsoft’s broad platform reach and E5 adoption dynamics against the more focused product and telemetry advantages emphasized at Palo Alto, CrowdStrike, SailPoint and SentinelOne.