Newsletter · · Ashutosh Agarwal
Macquarie Calls Zscaler a Buy While Okta Arms for Agents - Enterprise Software, SaaS & Cyber in the AI Era - Week of June 30, 2026
Enterprise software, SaaS and cyber podcast recap for the week of June 30, 2026. Macquarie planted the first hard sell-side flag on beaten-up Zscaler, Okta and SentinelOne put executives on record in the agent-identity land grab, and FortiBleed went internet-scale even as Fortinet led the chart.
Enterprise Software, SaaS & Cyber in the AI Era
Week of June 30, 2026: Macquarie Calls Zscaler a Buy While Okta Arms for Agents
TL;DR
- Macquarie's Steve Koenig stamped an outperform and a $172 target on Zscaler, down more than 40% YTD, calling it the zero-trust "alternative to Palo Alto." First hard sell-side number on the group in weeks.
- The agent-identity land grab got operator voices: Okta's AI-security chief and SentinelOne's CEO both went on record. Last week Arora stood alone; now it's a chorus.
- FortiBleed metastasized, from 74,000 exposed Fortinet boxes to a 110-million-credential campaign hitting Oracle, Chevron, FedEx and NATO contractors. Yet a chart desk just called Fortinet "the best-looking cybersecurity name." Read that twice.
What's New
Zscaler finally got its number. Macquarie's Steve Koenig planted a flag on the group's most beaten-up name: an outperform and a $172 target on Zscaler, "down over 40% just this year alone." The logic is structural, it "haven't really benefited this year from the positive cybersecurity trade," yet remains "an important platform provider, kind of an alternative to Palo Alto when it comes to securing your apps and securing your network in a zero-trust environment" (Schwab Network, Koenig: Software Valuation Reset Offers Opportunity, ZS Strong in Cybersecurity, Steve Koenig, Macquarie (pundit).
Okta says the new perimeter has a brain. Okta's AI-security lead Harish Peri gave the cleanest articulation yet of the non-human-identity thesis, and a direct shot at Arora's network-choke-point pitch. "Software doesn't have a brain. Agents have a brain," he said; that non-determinism makes governing an agent's access "a lot higher" a bar. The demand is inbound: "this is one of the few cases where the market came to us overwhelmingly," with customers arriving roughly eight months ago saying "we know that there is a security risk, please help us." His framing matters for the PANW-vs-OKTA debate: it's "an authorization problem... that very much lives in that application layer more so than in the network layer" (The Road to Accountable AI, Harish Peri (Okta)), Harish Peri, VP of AI Security, Okta (operator).
"Software doesn't have a brain. Agents have a brain." Harish Peri, Okta
SentinelOne's CEO put metrics on the agentic SOC. Tomer Weingarten gave the week's most concrete operator datapoint: Purple AI shrinks alert triage "from hours and days to literally minutes" at accuracy that "mirrors... an experienced human team," clearing a 100-alert daily backlog "inside the same day." His warning is the bull case in disguise, the next attack surface is the agents: "you don't necessarily need a zero-day exploit to actually convince or change or inject instructions into a running autonomous AI workload," and each one "can go rogue in any given moment." Automation only pays at scale on consolidated data, the incumbents' pitch exactly (Tech Disruptors, SentinelOne CEO on Security Changes, AI Agents), Tomer Weingarten, CEO, SentinelOne (operator).
FortiBleed went from incident to indictment of the appliance model. The campaign we flagged a week ago at ~74,000 devices is now internet-scale: this week's reporting put it at 430,000+ Fortinet devices and ~110 million harvested credentials. Network Break cited exposure at Oracle, Chevron, FedEx and NATO contractors, with the blunt read that "all of your security vendors are going to be major targets." A structural argument against perimeter appliances, and quietly for Zero Trust (Network Break, Brute Force Password Attack Bleeds Fortinet, Scott Robohn (pundit); and Cybersecurity Today, FortiBleed: Fortinet Says It's Not a Bug, David Shipley (pundit).
Identity is the breach, made explicit. TokenCore CEO Kevin Surace tied the demand thesis to a hard stat: roughly 90% of successful intrusions in Palo Alto's Unit 42 data "hacked identity, and almost all of those were MFA and auth apps." His point: MFA and authenticator apps are 20-year-old plumbing, and only now, once Salesforce and Microsoft started forcing them, are attackers industrializing against them with AI-built, "pixel perfect" phishing relays. "Every major hack is being done basically the same way. And it's all about attacking identity" (The ITSPmagazine Podcast, The Identity Gap Behind Nearly Every Breach), Kevin Surace, CEO, TokenCore (operator).
The Debate
Bull frame. AI expands the security TAM (more attack surface, more agents, more data to inspect) and entrenches platform leaders because automation only pays off at scale with consolidated data. PANW, CRWD, ZS get larger wallets, not smaller.
Bear frame. AI-native upstarts and free/bundled hyperscaler tooling collapse per-seat economics. Why pay $X per endpoint when an agentic SOC and a Microsoft E5 bundle do 80% of the job? Budget consolidation cuts the legacy stack first, not the new one.
Where I land this week: lean bull, but the tape disagrees and that's the tell. The fundamentals point one way, a buy on ZS, two operators confirming the agent-identity wallet is opening, FortiBleed doing free demand-gen for Zero Trust. Yet a chart desk called breached Fortinet "the best-looking cybersecurity name" because it "busted out on earnings," while "Palo Alto and CrowdStrike sort of fell on earnings" (Stock Market Today With IBD, pundit). When the breached appliance vendor leads the chart and the consolidators lag, platform consolidation is real but not yet priced as consensus, exactly the gap Koenig is pointing at.
Stocks in Play
PANW. Bull: Okta's "app-layer authorization" framing concedes PANW owns the network layer; Unit 42 is still the data everyone quotes. Bear: silent from operators, "fell on earnings." Watch: agentic-gateway traction as a number next print.
CRWD. Bull: identity-is-the-breach pulls Falcon identity-protection attach. Bear: no operator commentary; a post-earnings laggard. Watch: net-new ARR and any Charlotte AI / Falcon Flex datapoint.
ZS. Bull: fresh Macquarie outperform, $172 target, the zero-trust alternative to PANW with FortiBleed as a live billboard. Bear: down 40% YTD, lagged the cyber trade all year. Watch: net-new ARR re-acceleration.
OKTA. Bull: its own exec says agent-identity demand "came to us overwhelmingly," TAM converting from theory to inbound. Bear: turf war with PANW and CyberArk over who meters agents. Watch: non-human identity framing and Auth0 cross-sell into next earnings.
FTNT. Bull: chart leader of the group despite the breach. Bear: 430,000 devices and 110M credentials exposed is a reputational tax on the appliance model. Watch: credential-reset cycle, refresh catalyst or churn trigger.
Read-Throughs
SentinelOne (S). Positive: CEO put hard numbers on Purple AI's agentic SOC, reinforcing the data-scale moat.
Fortinet (FTNT). Mixed: breach went internet-scale, yet the stock is the technical standout, a rare fundamentals-vs-tape split.
Cloudflare (NET). Neutral: featured on bot-takeover, edge-AI and anti-scraping identity tokens, adjacent to identity, not core to the thesis.
CyberArk (CYBR). No direct mention, but agent/machine-identity and identity-is-the-breach are squarely its turf, read-through positive.
Hyperscalers (MSFT/GOOGL/AMZN). Quiet on bundles; the only signal cut the other way, LLMs as "complementary to the major platform vendors," co-opetition over displacement.
What Changed vs Last Week
Three shifts. The operator bench deepened, last week Arora carried the bull case alone; this week Okta and SentinelOne put executives on record, while PANW went quiet. The bulls got a number, Macquarie's $172 ZS outperform, the first concrete sell-side call in weeks. And FortiBleed roughly 6x'd in scope (74,000 to 430,000 devices) yet the stock leads the chart, sharpening rather than resolving the split. New bucket: post-quantum cryptography went live, with a federal rule requiring contractors to meet NIST post-quantum standards by Dec 31, 2030 (Fastest 5 Minutes) and a "harvest now, decrypt later" deep-dive urging crypto-agility (CISO Tradecraft #290, Marcus Sachs).