Claroty

1.1 Identity, mission, and operating model

Claroty describes itself as the cyber-physical systems (CPS) protection company. Its mission is to safeguard mission-critical infrastructure by securing the technology that underpins society's most important operations. The company's platform spans four principal solution pillars: exposure management, network protection, secure access, and threat detection, delivered either as a cloud-based SaaS offering (Claroty xDome) or as an on-premise deployment (Claroty Continuous Threat Detection, CTD). Both deployment modes are supported by the Claroty CPS Library, an AI-powered asset catalogue launched alongside the Series F round that provides granular visibility into CPS assets and vulnerability attribution. The company targets four verticals: industrial (manufacturing, oil and gas, utilities), healthcare (connected medical devices), commercial buildings, and public sector (critical infrastructure and defense). The unified platform approach is deliberate: Claroty argues that fragmented point solutions cannot address the ownership gap between IT and OT teams, the skills shortage in cyber-physical security, or the absence of a maturity model. By providing a single platform that converges OT, IoT, and medical IoT security, the company positions itself as the consolidating force in a market that peers such as Nozomi Networks (acquired by Mitsubishi Electric for roughly $1 billion in 2025) and Armis (acquired by ServiceNow for $7.75 billion in 2025) exited through strategic sale. Claroty's stated intention as of early 2026 is to pursue an independent IPO rather than a strategic sale. The company was incubated inside Team8, the Israeli cyber foundry that has produced several enterprise cybersecurity companies. Claroty was formally founded in 2015, headquartered in New York City, and maintains a global footprint across North America, Europe, the Middle East, Africa, and Asia-Pacific with over 700 employees in 27 countries as of mid-2025. [CO001, CO002, CO003, CO004, CO005, CO006]

1.2 Founders, leadership, and governance

Claroty was co-founded in 2015 by Galina Antova, Amir Zilberstein, and Benny Porat inside the Team8 cyber foundry. Antova and Zilberstein continue to serve on the board of directors, providing founder-market fit continuity in a company led by an external CEO. Yaniv Vardi has served as Chief Executive Officer since joining from outside the founding team and is the primary public face for strategic announcements including the Series F round and IPO commentary. The executive leadership team as of May 2026 includes Yaniv Vardi (CEO), Udi Bar Sela (CFO/COO), Grant Geyer (Chief Strategy Officer, previously CPO), Yoram Gronich (Chief Product Officer, appointed June 2024), Gil Gur Arie (CPO hired in January 2026 from Ford Motor Company's AI function), Upa Campbell (CMO), and James Love (CRO). The dual CPO appointment reflects a transition in product leadership: Gronich was hired in June 2024 from Tufin/Symantec/Check Point backgrounds, while Gil Gur Arie joined to lead the AI-oriented CPS Library initiative. The press release announcing the Series F also notes the appointment of retired U.S. Air Force Colonel Jen Sovada to lead the public sector team. The board of directors is chaired by Dave DeWalt, founder and CEO of NightDragon, who assumed the chairman role in November 2025. DeWalt brings more than 20 years of cybersecurity operating experience including the Intel acquisition of McAfee for $7.7 billion. Additional board members confirmed in public filings and press releases include co-founders Galina Antova and Amir Zilberstein, David Cowan (Bessemer Venture Partners), Amit Lubovsky (SoftBank), Yuval Shachar (Team8), Robert Tuchscherer (Golub Capital), Meir Ukeles (MoreVC), Rossa Shanks (Istari), Peter Marturano (Standard Investments), and John Miller (Rockwell Automation). The breadth of strategic board members — a defense/government-oriented investor (Istari), an industrial automation vendor (Rockwell), and a late-stage growth equity firm (Golub) — reflects Claroty's multi-vertical strategy and pre-IPO capital structure. [CO009, CO010, CO011, CO012, CO013, CO014]

1.3 Funding history and capitalization

Claroty's funding history shows a company that has raised approximately $885 to $900 million in total disclosed capital since its 2015 founding. The Series D round of $140 million, closed in June 2021 and led by existing investors, brought the cumulative total to approximately $235 million at that point and was accompanied by the acquisition of Medigate, a healthcare IoT security company that nearly doubled Claroty's size and expanded its addressable market. By March 2024, at the time of a $100 million strategic growth financing, Claroty reported having raised $635 million cumulatively, implying a Series E of approximately $400 million occurred between mid-2021 and early 2024. The January 2026 Series F of $150 million, led by Golub Growth with up to $50 million of additional participation from existing investors, brought the cumulative total to approximately $885 million per CRN or roughly $900 million per SecurityWeek. Golub Growth is an affiliate of Golub Capital and is known as a late-stage pre-IPO lender, making its lead position a material signal about Claroty's trajectory. The company has never publicly confirmed its valuation. Calcalist reported a valuation of approximately $3 billion following the Series F, representing an approximately 20% increase from the previously reported $2.5 billion post-money mark from March 2024. SecurityWeek noted that Claroty confirmed an 80% increase in valuation since March 2024, which is mathematically inconsistent with a $3 billion estimate if the March 2024 baseline was $2.5 billion — suggesting either a higher actual valuation or that the March 2024 reference figure was overstated. This discrepancy is unresolved and is a material diligence item. CEO Yaniv Vardi told Calcalist that Claroty aspires to go public and could pursue an IPO as early as 2027 if market conditions align. Key investors include Bessemer Venture Partners (David Cowan), SoftBank (Amit Lubovsky), Team8 (Yuval Shachar), Golub Capital (Robert Tuchscherer), NightDragon (Dave DeWalt), Standard Investments (Peter Marturano), MoreVC (Meir Ukeles), Istari (Rossa Shanks), and Rockwell Automation (John Miller). The investor mix signals both financial return orientation and strategic alignment with Claroty's industrial and defense customer base. [CO017, CO018, CO019, CO020, CO021, CO022]

1.4 Scale, traction, and market recognition

As of January 2026, Claroty reports more than 1,000 customers globally deployed at thousands of sites, including 24 Fortune 100 companies — up from 20 Fortune 100 customers cited in the March 2024 press release and from 300% customer growth since 2020 reported at that time. Named customers from the 10-year anniversary press release (June 2025) include General Motors, BHP, Noble Energy, Britvic, Yale New Haven Health System, Boar's Head, South Tees Hospitals NHS Foundation Trust, BW Offshore, Port Authority of New York and New Jersey, and Haleon. The company has over 700 employees across 27 countries. Annual recurring revenue exceeded $100 million in 2023 per the March 2024 press release; current ARR is not publicly confirmed. Team82, Claroty's in-house threat intelligence and vulnerability research team, had disclosed more than 650 CPS vulnerabilities as of January 2026 per the Series F announcement. The team is a reputational asset that differentiates Claroty's platform with proprietary threat intelligence and drives enterprise decision-making and regulatory engagement. Third-party analyst and industry recognition is consistent and current. Gartner named Claroty a Leader in the Magic Quadrant for CPS Protection Platforms in both 2025 (the inaugural edition) and 2026 (second consecutive year), positioning highest for Ability to Execute and furthest for Completeness of Vision in the 2025 report. KLAS Research awarded Claroty Best in KLAS for Healthcare IoT Security for five consecutive years (2021–2025) with a score of 95.4 out of 100. Forrester named Claroty a Leader in The Forrester Wave: IoT Security Solutions, Q3 2025. Forbes named Claroty to the Cloud 100 list for the fourth consecutive year in 2026. Deloitte named the company to its Technology Fast 500 list for three consecutive years. [CO026, CO027, CO028, CO029, CO030, CO031]

1.5 Milestones, competitive context, and adverse events

Claroty's milestone chronology shows a company that has scaled rapidly from a Team8 incubator spin-out in 2015 to a late-stage pre-IPO market leader in 2026. The acquisition of Medigate in 2021 was the single most consequential structural move: it nearly doubled headcount, added healthcare IoT as a distinct market, and enabled the xDome SaaS platform that now anchors the company's cloud deployment strategy. The FOCUS partner program, expanded in 2024 to include a global integrator and reseller ecosystem, and the xCelerate partner program reinforce the company's channel-driven GTM. The competitive landscape shifted materially in 2025. Nozomi Networks, previously Claroty's closest peer in pure OT security, agreed to be acquired by Mitsubishi Electric for approximately $1 billion in September 2025. ServiceNow announced plans to acquire Armis, a broader IoT security platform, for $7.75 billion in December 2025. These exits represent both validation of the CPS security category and a reduction in Claroty's publicly traded comparable set — a double-edged dynamic for IPO valuation. Claroty management has characterized the consolidation as an opportunity to take market share from customers who may not want their OT security embedded inside a larger industrial or enterprise vendor. Adverse and risk items identifiable from public sources include: (1) valuation opacity — Claroty has never publicly confirmed a valuation, and the 80% increase claim from the company is mathematically inconsistent with the $3 billion third-party estimate if the March 2024 baseline was $2.5 billion; (2) ARR ambiguity — the company last confirmed ARR above $100 million as of 2023, and more recent figures are not publicly disclosed; (3) IPO dependency — the IPO narrative assumes 2027 market conditions that cannot be guaranteed; and (4) leadership transition risk in the CPO function, with Yoram Gronich and Gil Gur Arie both holding the CPO title simultaneously in early 2026. None of these items are individually disqualifying, but each represents a diligence ask for later chapters. [CO034, CO035, CO036, CO037, CO038, CO039]

1.6 Exhibits

2.1 Market Boundary — CPS / XIoT / OT Security

The addressable market for Claroty is best defined as Cyber-Physical Systems (CPS) security, the category formalised by Gartner's CPS Protection Platforms Magic Quadrant (2025). It spans three converging segments: Operational Technology (OT) / Industrial Control Systems (ICS) security — protecting PLCs, RTUs, DCS, SCADA, and field devices in energy, manufacturing, water, and transportation; Healthcare OT (HTM) security — securing medical devices, clinical networks, and building management systems in hospital settings; and Extended IoT (XIoT) — enterprise-grade IoT devices that sit at the intersection of IT and OT, including smart building controllers, logistics sensors, and connected industrial equipment. Excluded from this definition is generic enterprise IT security (endpoint detection, SIEM for IT traffic, traditional firewalls without OT protocol awareness) and consumer IoT. The status-quo substitute for dedicated OT security tooling is manual inventory spreadsheets, periodic physical audits, and standard IT security tools applied without OT-specific protocol intelligence — all of which leave critical infrastructure systematically blind to active asset exposures. CISA oversees 16 critical infrastructure sectors, almost all of which include OT or CPS components. NIST SP 800-82 Rev.3 (2023) is the authoritative federal guide for securing these environments, and ISA/IEC 62443 provides the global consensus standard for industrial automation cybersecurity, endorsed by the United Nations and applied across 20+ industries. This regulatory scaffolding is a primary demand signal, not just a compliance checkbox: organisations that lack an ISA/IEC 62443-aligned security programme face increasing procurement, insurance, and regulatory risk. [CM001, CM007, CM008, CM011, CM012, CM013]

2.2 Market Sizing — Multiple Lenses with Explicit Caveats

Third-party analysts project the OT/ICS/CPS security market with materially different numbers depending on scope definition. MarketsandMarkets (April 2025 report) estimates the global OT Security market at approximately $25 billion in 2025, growing to $50.29 billion by 2030 at a CAGR of 16.5%. This covers network security, asset discovery, vulnerability management, IAM, data security, and managed services for OT environments across all verticals. The US sub-market is sized at $4.64 billion in 2025 growing to $9.37 billion by 2030 (CAGR 15.1%); Europe at $5.70 billion growing to $11.93 billion (CAGR 15.9%). SNS Insider (cited via news aggregator) puts the ICS Security market at $41.82 billion by 2033, implying a tighter product scope than the OT Security umbrella but still a double-digit CAGR. Precedence Research projects "OT Security" at $122.22 billion by 2034 using a broader definition that likely captures adjacent network and cloud security spend for OT environments. Analysts do not consistently include or exclude managed detection and response, IT/OT converged platforms, or government-sector spend, making direct comparison unreliable. A bottom-up SAM construction for Claroty would narrow from the global TAM to: (1) sectors where CPS platforms have meaningful penetration — energy, manufacturing, healthcare, water, transportation; (2) geographies where Claroty has regulatory and channel reach; and (3) organisations large enough to justify a platform purchase. This author-estimated SAM is approximately $10–15 billion by 2030, with a SOM in the $3–5 billion range depending on competitive share and expansion of the XIoT platform. These estimates carry low confidence and should be validated against Claroty's ARR trajectory and vertical win data. [CM001, CM002, CM003, CM004, CM005, CM006]

2.3 Vertical Segments — Threat Exposure and Regulatory Pressure by Industry

Energy and utilities represent the most mature and heavily regulated OT security segment. NERC CIP standards mandate cybersecurity protections for bulk electric system (BES) assets across North America, creating a compliance-driven budget floor. Nation-state threat actors — including Russian APT groups flagged by Latvia's SAB and documented by CISA advisories — actively target grid infrastructure, transforming compliance spend into genuine security investment. MarketsandMarkets covers this sector with a dedicated ICS Security in Energy and Power report, indicating analyst recognition of sector-specific market dynamics. Manufacturing faces a different threat profile dominated by ransomware: operational disruption, supply-chain extortion, and insurance requirements are the dominant adoption triggers. The Purdue model of network segmentation is increasingly inadequate as OT environments connect to ERP systems and cloud analytics. Healthcare OT is the fastest-growing regulated segment. HHS has issued HIPAA-aligned cybersecurity guidance requiring covered entities to address medical device and clinical network security. FDA's medical device security guidance further strengthens the compliance driver, while patient-safety consequences of a compromised infusion pump or MRI controller elevate organisational willingness to pay. Water and wastewater operators, despite smaller individual budgets, face active threats documented by WaterISAC (Water Information Sharing and Analysis Center) and EPA guidance. Transportation, including maritime and rail OT, is subject to TSA cybersecurity directives: the US Coast Guard mandated cybersecurity training for all IT/OT personnel by January 2026. [CM014, CM015, CM016, CM024, CM025, CM026]

2.4 Buyer, User, and Payer Landscape

Buying authority for OT security platforms varies by vertical and by the maturity of the buyer's security organisation. In energy and utilities, the CISO and VP of Operations jointly evaluate solutions, with procurement typically routed through an IT security or technology capital budget. In manufacturing, the plant manager or IT manager often drives the evaluation, with the CFO or CTO approving spend. Healthcare buyers are typically CISOs working alongside Biomedical Engineering or Healthcare Technology Management (HTM) teams, with hospital CFOs controlling approval. Water utilities and municipalities often have a single IT director wearing security responsibility, with funding tied to infrastructure grants and utility board approval cycles. Users of OT security platforms are OT security analysts, plant engineers, or SOC operators — staff who may have limited cybersecurity background but deep process-domain expertise. The tension between OT domain knowledge and security expertise is a structural adoption constraint: the same SANS 2026 survey found that 60% of organisations cite skills gaps as the primary OT cybersecurity challenge, and 42% say those gaps prevent adoption of new security technologies. Payers are therefore not purely motivated by security ROI. Compliance mandates, cyber insurance requirements, and operational resilience objectives are the dominant budget justifications. Professional services revenue — integration, deployment, and managed detection — often exceeds software licence value in early-stage OT security engagements, reflecting the brownfield complexity of the environments. [CM019, CM020, CM035, CM036, CM037, CM039]

2.5 Growth Drivers and Adoption Constraints

The primary growth driver is the accelerating frequency and severity of attacks on critical infrastructure. Google's Cybersecurity Forecast 2026 warns that ICS/OT risks are escalating from both cybercrime and nation-state actors. Maritime OT cyberattacks surged 150% in 2025 per Cydome research. CISA's Known Exploited Vulnerabilities catalog regularly includes OT/ICS product CVEs, driving urgency in asset owners. Regulatory tailwind is a compounding driver: NERC CIP, the EU NIS2 Directive, TSA cybersecurity directives, FDA medical device guidance, and CISA's Secure by Demand guidance for OT asset procurement are collectively raising the compliance floor for every critical infrastructure vertical. SANS 2026 data shows regulatory influence on OT security hiring surged from 40% to 95% of organisations in one year — a leading indicator of budget allocation. IT/OT convergence is the structural driver: as industrial environments adopt IIoT, cloud analytics, and remote access for maintenance, the OT attack surface expands dramatically, requiring purpose-built security rather than IT tools adapted for OT protocols. The dominant constraint is a structural OT security skills shortage. SANS 2026 reports 27% of organisations have experienced breaches directly linked to capability gaps, and 42% say those gaps prevent adoption of new security technologies. This simultaneously creates demand for managed OT SOC services and slows self-operated platform deployments. Long procurement cycles (12–36 months in critical infrastructure), operational risk aversion during deployment, and budget competition between IT and OT security programmes further constrain adoption velocity. [CM019, CM020, CM021, CM023, CM024, CM025]

2.6 Exhibits

3.1 Competitive Landscape Overview

The OT/CPS security market presents Claroty with a layered competitive field. At the core, three pure-play CPS security vendors—Claroty, Dragos, and Nozomi Networks—compete directly in asset discovery, threat detection, and vulnerability management for industrial control systems and OT environments. A second tier of adjacent-platform players—Armis (IT/OT/IoT/medical convergence), Tenable (exposure management), and Palo Alto Networks (network security + OT)—brings broader multi-domain coverage but typically shallower OT protocol depth. A third tier of niche and automation-embedded players—Cisco Industrial Threat Defense (network-native), Verve/SecureOT by Rockwell Automation (manufacturer-for-manufacturers), and Radiflow (MSSP/SIEM integration focus)—addresses specific buyer segments or channel motions. Buyers evaluating a CPS security platform must also weigh the status-quo alternative of managed OT security services from consultancies (Accenture, Deloitte, EY) and the build-versus-buy calculus of deploying SIEM or IT XDR tools extended to OT assets. The overall competitive intensity is rising as the Gartner Magic Quadrant for CPS Protection Platforms formalized in 2024 and now names multiple leaders, legitimizing enterprise budget allocation and accelerating RFP activity. [CP001, CP002, CP003, CP004, CP005]

3.2 Pure-Play OT/ICS Security Leaders — Dragos and Nozomi

Dragos is Claroty's most technically credible direct rival. Founded by ex-NSA ICS security practitioners and headquartered in the Washington DC metro area, Dragos has built its reputation on threat intelligence—its WorldView feed tracks 26 industrial threat groups (11 active in 2025), produces the annual OT Cybersecurity Year in Review report, and operates the free OT-CERT resource program and the Community Defense Program for small utilities. Dragos was named a Gartner Magic Quadrant Leader for CPS Protection Platforms for the second consecutive year in March 2026. The Dragos Platform centers on passive asset visibility, a proprietary "Now, Next, Never" vulnerability prioritization model that claims only 3–6% of ICS vulnerabilities require immediate action, and contextual response playbooks. Dragos's OT Watch managed detection and response service extends the platform as a managed offering. Dragos's principal weakness relative to Claroty is its narrower asset coverage—it focuses heavily on pure ICS/OT environments and does not match Claroty's XIoT breadth across BAS, medical devices, and enterprise IoT. Nozomi Networks is the other pillar of the pure-play OT/ICS tier. Founded in 2013 and Swiss in origin, Nozomi reports monitoring over 115 million OT, IoT, and IT devices across more than 12,000 worldwide installations, and claims 100% customer retention. Nozomi's differentiation rests on AI-powered analysis, a particularly deep partner ecosystem (Schneider Electric, ABB, Siemens, Mandiant, GE, Honeywell, IBM Security, Hitachi), and endpoint-to-network visibility combining wired and wireless sensors. Nozomi targets critical infrastructure at scale and is regularly certified by strategic industrial partners to deliver security alongside their OT automation products, giving it a distinctive co-sell channel. Nozomi's weakness versus Claroty is a comparatively thinner medical-device and BAS coverage and historically less aggressive analyst recognition in the CPS Protection Platform category. [CP006, CP007, CP008, CP009, CP010, CP011]

3.3 Adjacent Platform Competitors — Armis, Tenable OT, Palo Alto Networks

Armis competes with Claroty primarily in the IoT, BAS, and medical-device security segments, and increasingly in broader CPS exposure management. Armis Centrix™ is an agentless, cloud-delivered cyber exposure management platform spanning IT, OT, IoT, and medical device security. Armis's named customer base is notably diversified—Colgate-Palmolive, United Airlines, Takeda Pharmaceuticals, Mondelēz, DocuSign—demonstrating strong enterprise IT-adjacent penetration, but its OT depth and ICS protocol coverage are shallower than Claroty's or Dragos's. Armis is positioned more as a CAASM (cyber asset attack surface management) vendor than a pure OT security platform, which reduces head-to-head overlap in energy and water utility accounts but creates real competition in connected-enterprise and healthcare environments. Tenable, via Tenable One OT Exposure, brings its vulnerability management leadership into the OT space by unifying IT and OT asset inventories under a single exposure management platform. Tenable's differentiating elements include "Safe Active Query" (non-disruptive OT device interrogation in native protocols), AI-powered remediation guidance, and its industry-leading Vulnerability Priority Rating (VPR) scoring that contextualizes CVSS scores with real-world exploitability. Tenable supports cloud, on-premises, and hybrid deployments and maps compliance automatically to NERC CIP, IEC 62443, NIST, and PCI DSS. However, Tenable is weaker in OT-specific threat intelligence and response playbooks compared to Dragos and Claroty. Palo Alto Networks competes through its Industrial OT Security product line, which uses NGFW-based OT protocol inspection to provide real-time asset inventory and risk management embedded within existing Palo Alto network infrastructure. Named enterprise customers include BorgWarner and Grupo Bimbo. PANW's key competitive advantage is bundles into an existing Palo Alto enterprise security spend—buyers that are already Palo Alto customers can activate OT security at marginal incremental cost, creating a powerful displacement vector in mid-market and enterprise accounts with mature IT security stacks. [CP016, CP017, CP018, CP019, CP020, CP021]

3.4 Niche and Industrial Automation Players — Cisco, Verve/SecureOT, Radiflow

Cisco competes via Cisco Industrial Threat Defense, a suite anchored by Cisco Cyber Vision (OT/ICS asset visibility and behavioral analysis), Cisco Secure Equipment Access (zero-trust remote access for OT), Cisco Secure Firewall for industrial DMZ, and Cisco Identity Services Engine for zone and conduit enforcement under ISA/IEC 62443. Cisco's competitive advantage is its installed base of industrial network switches and routers, which become passive sensors for Cyber Vision without additional hardware deployments. This "network as sensor and enforcer" approach dramatically lowers the deployment friction for Cisco-centric industrial environments—Cisco Validated Designs provide reference architectures and bill-of-materials reducing implementation risk. Cisco integrates with Cisco XDR and Splunk for unified IT/OT threat correlation. Its weakness is limited OT-specific threat intelligence and a less specialized OT security go-to-market motion than Dragos or Claroty. Verve Industrial Protection, now rebranded as SecureOT by Rockwell Automation, positions itself as "built by a manufacturer for manufacturers." The SecureOT solution suite combines a vendor-neutral OT-specific asset inventory and risk management platform (the former Verve Security Center) with professional and managed security services including 24/7 OT SOC and NOC capabilities. Rockwell's ownership adds significant manufacturing-sector credibility and a deep relationship with Rockwell Automation's installed control-system base. SecureOT's strategy is end-to-end services rather than competing on platform technology alone, differentiating through deployment support, NIST CSF maturity uplift case studies, and operational integration with Rockwell equipment. Radiflow is an Israeli OT security vendor serving over 20,000 sites globally, with particular strength in MSSP and SIEM integration contexts. Radiflow offers non-intrusive, non-destructive OT network monitoring with Smart Collectors enabling bandwidth-efficient telemetry from remote sites to a central SOC. Radiflow integrates with IBM security products and targets industries where IEC 62443 compliance and MSSP-delivered security are the preferred delivery model. Its market footprint is significantly smaller than the top three pure-play players, and it lacks the platform breadth and threat-intelligence depth of Claroty, Dragos, or Nozomi, but it remains a reference vendor in SIEM-centric OT security architectures. [CP026, CP027, CP028, CP029, CP030, CP031]

3.5 Competitive Moats and Displacement Risk

Claroty's most durable competitive advantages are its XIoT platform breadth and the depth of its asset knowledge graph. By covering OT, IoT, BAS, and medical devices in a unified platform, Claroty creates switching costs that are higher than single-domain vendors: a healthcare organization that has mapped its IV pumps, building automation, and industrial process equipment through Claroty faces multi-layer re-deployment complexity to replace it. The Team82 threat research function and the Global CPS Research Report serve as continuous brand reinforcement with security practitioners, operating analogously to Dragos's WorldView and annual year-in-review as earned-media and analyst currency. Claroty's partner program (MSSPs, SIs, technology partners) and healthcare-sector depth also represent distribution advantages that pure-play rivals Dragos and Nozomi have not yet fully replicated. The most credible displacement risk comes not from direct OT security rivals but from large-platform security vendors. Palo Alto Networks and Cisco can offer OT security as a bundled capability within enterprise security renewal conversations, where CISOs can solve OT visibility with existing vendor relationships and reduce procurement complexity. Tenable's cross-sell to its existing vulnerability management install base—especially in regulated industries already running Tenable for IT scanning—poses a real upsell risk in accounts where OT security is treated as an extension of vulnerability management rather than a distinct program. Multi-homing risk is moderate: buyers with Dragos or Nozomi for OT threat detection may add Claroty specifically for medical device or BAS coverage without full replacement, generating co-deployment scenarios rather than zero-sum competition. The 2026 Dragos Year in Review confirmed a 64% year-over-year increase in ransomware attacks against industrial entities, intensifying urgency for dedicated OT security budgets and benefiting all vendors in the segment. [CP035, CP036, CP037, CP038, CP039, CP040]

3.6 Exhibits

4.1 Capital formation history and round-by-round chronology

Claroty has assembled approximately $885–900 million in total disclosed institutional capital since its 2015 founding inside the Team8 cyber foundry. The capital formation trajectory spans six publicly acknowledged rounds, though the company has never published a complete financing timeline, and SEC EDGAR records indicate the existence of special-purpose vehicles around a December 2021 funding event that the company did not announce independently. The earliest identifiable institutional capital traces to the company's incubation within Team8, documented by an SEC Form D filing for Team8 – Claroty, L.P. (CIK 0001754014) dated October 2018. That filing registers a $5 million exempt offering by a Cayman Islands fund, confirming Team8's structured equity holding dating to the founding era. The Series D, closed in June 2021, raised $140 million co-led by Bessemer Venture Partners and Standard Industries' 40 North platform, and at that time represented the largest single investment ever made in the industrial cybersecurity sector. The cumulative total at Series D close was approximately $235 million. Between June 2021 and March 2024, Claroty raised an additional approximately $400 million that was never publicly announced as a standalone round. SEC EDGAR records two Form D filings in early 2022: Team8 – Claroty II, L.P. (CIK 0001903605, filed January 2022) and Marker-Claroty Series E LP (CIK 0001908673, filed February 2022, initial offering amount $7.3 million for an SPV). CB Insights records a December 2021 institutional round on this basis. The cumulative funding reported at the March 2024 Series E-II close was $635 million, implying a Series E of approximately $400 million between mid-2021 and early 2024. This is the largest disclosure gap in Claroty's financing history and a primary diligence item. The March 6, 2024 Series E-II raised $100 million in "strategic growth financing" led by equity investor Delta-v Capital, with participation from AB Private Credit Investors at AllianceBernstein, Standard Investments, Toshiba Digital Solutions, SE Ventures, Rockwell Automation, and SVB. The structure included both equity and private credit, as indicated by the AllianceBernstein private credit participation — an unusual feature for a pure venture round that may affect cap table seniority. No SEC Form D was filed for this round. The January 22, 2026 Series F raised $150 million led by Golub Growth, an affiliate of Golub Capital, with up to $50 million of additional confirmed participation from existing investors, bringing the total to as much as $200 million at full close and cumulative disclosed capital to approximately $885–900 million. Golub Growth specializes in flexible debt and equity capital for B2B SaaS companies in the pre-IPO phase. No SEC Form D was filed for the Series F. The company confirmed an 80% increase in valuation since the March 2024 round but declined to disclose an absolute figure. CRN reported total funding as "at least $885 million"; SecurityWeek reported "approximately $900 million." [CI001, CI002, CI003, CI004, CI005, CI006]

4.2 Revenue model, pricing architecture, and ARR disclosure

Claroty's revenue model is centered on recurring software subscriptions delivered through two primary product lines: Claroty xDome, a cloud-native SaaS platform, and Claroty Continuous Threat Detection (CTD), an on-premise software deployment. Both products cover the same four functional pillars — exposure management, network protection, secure access, and threat detection — but target different customer IT/OT architecture preferences. The SaaS (xDome) product is expected to command a higher gross margin and longer-term net revenue retention, while the on-premise CTD product provides access to air-gapped environments where cloud connectivity is not permitted. Claroty added a third distinct offering in early 2026: the CPS Library, an AI-powered asset catalogue billed as the "first in the industry" to provide cross-vendor visibility into cyber-physical assets and vulnerability attribution. The CPS Library represents a potential new subscription revenue stream layered on top of the core platform, targeting enterprise security teams that need aggregated OT/IoT asset intelligence beyond their own deployed Claroty sensors. Revenue is primarily enterprise-contracted, typically multi-year agreements negotiated with Fortune 500 and critical infrastructure operators. Pricing is believed to be asset-based (per-device or per-site subscription) with professional services for deployment and ongoing support at list. No published pricing exists; Claroty competes on platform breadth and OT-specific domain expertise rather than price, consistent with the company's positioning as a premium enterprise vendor. The only publicly disclosed ARR milestone is that the company surpassed $100 million in annual recurring revenue during 2023, announced in the March 6, 2024 Series E-II press release. CB Insights estimates 2026 ARR at approximately $200 million based on secondary market data. A Forbes profile references $300 million in ARR "over the past three years," which appears to be cumulative or may reference a different metric from the company's own $100 million 2023 milestone — this figure is conflicting and unreliable as a point-in-time ARR reference. The current ARR and revenue growth rate are not disclosed. Geographic revenue breakdown, channel mix, and revenue concentration by vertical are all undisclosed. [CI011, CI012, CI013, CI014, CI015, CI016]

4.3 Unit economics, cost structure, and financial opacity

Claroty has not publicly disclosed any of the core unit economics metrics that would be required for a complete financial diligence assessment: gross margins, net revenue retention, gross churn, customer acquisition cost, payback period, average contract value trend, or average revenue per account. This is consistent with the company being a late-stage private company in the 12–24 months before a contemplated IPO, during which disclosure is typically deferred to the S-1 filing. Industry benchmarks for comparable enterprise SaaS cybersecurity companies provide rough context: software gross margins for established SaaS security platforms typically range from 70 to 85 percent, with on-premise software deployments typically 5 to 10 points lower. If Claroty achieves margins in this range and has approximately $150–200 million in ARR (blending the 2023 milestone and CB Insights estimate), the implied gross profit pool would be approximately $105–170 million annually. This is a rough estimate without verifiable backing and should not be treated as authoritative. Employee count is approximately 700+ across 27 countries as of mid-2025, per company press releases. At approximately $200 million ARR, this implies roughly $285,000 in ARR per employee — a reasonable productivity metric for an enterprise SaaS company, though headcount mix between R&D, sales, and services is not disclosed. The Medigate acquisition in early 2022, which nearly doubled company headcount at the time, was completed at an undisclosed price, preventing any analysis of acquisition multiples or goodwill impact on the balance sheet. Capital intensity is notable: Claroty has consumed approximately $882 million in disclosed fundraising to produce $100+ million in ARR (2023 milestone), implying a capital-to-ARR ratio of approximately 8–9x at the time of the Series E-II. While common for security platforms that invest heavily in R&D and enterprise sales prior to reaching scale, this ratio is elevated compared to more capital-efficient peers and underscores the need for post-IPO operating leverage improvement. The absence of any profitability disclosure — no EBITDA, no operating cash flow, no burn rate guidance — means that burn analysis is entirely speculative. [CI018, CI019, CI020, CI021, CI022, CI023]

4.4 Capital adequacy, valuation context, and IPO trajectory

The January 2026 Series F provides Claroty with fresh capital for global expansion. Golub Growth's lead role is significant for interpreting strategic intent: Golub Capital is a late-stage growth credit and equity platform that has historically positioned itself in the 12–36 month window before portfolio company IPOs, using flexible debt and equity structures to provide pre-IPO capital while managing dilution for existing shareholders. The Series F being structured as equity (rather than revenue-based financing or convertible debt) suggests the company's governance and cap table are being prepared for public market standards. CEO Yaniv Vardi stated publicly, via Calcalist and reported by CRN, that Claroty could pursue an initial public offering as early as 2027, conditional on market conditions. This places the company in a 12–18 month IPO preparation window from the Series F close. For context, Armis raised its last private round (at a $4.6 billion valuation) in 2022 before being acquired by ServiceNow for $7.75 billion in 2025; Nozomi Networks raised capital before being acquired by Mitsubishi Electric for approximately $1 billion in 2025. Claroty is currently the primary large-scale, independent pure-play CPS/OT security company in the market. On valuation, the company confirmed an 80% increase from its March 2024 baseline. The March 2024 round was widely reported to have valued the company at approximately $2.5 billion post-money (per CRN, which cited "previous reports"). An 80% increase from $2.5 billion implies a current valuation of approximately $4.5 billion. However, Calcalist reported the Series F valuation at approximately $3 billion — a figure that SecurityWeek explicitly identified as mathematically inconsistent with the 80% growth and $2.5 billion baseline combination. This discrepancy requires direct verification with the company; it suggests either that the March 2024 $2.5 billion figure was overstated, that Calcalist's $3 billion is underestimated, or that the 80% growth figure applies to a lower baseline than $2.5 billion. No SEC Form D filings have been identified for either the 2024 Series E-II or the 2026 Series F. This absence is consistent with use of Cayman Islands or other non-U.S. fund structures (as seen in the 2022 Form D filings for Team8-Claroty II and Marker-Claroty), or with debt/structured credit instruments that do not constitute equity securities subject to Form D filing requirements under Regulation D. The AllianceBernstein private credit participation in the Series E-II supports the hypothesis that at least a portion of these rounds involve structured instruments. [CI026, CI027, CI028, CI029, CI030, CI031]

4.5 Financial verdict and primary diligence blockers

Claroty's financial profile is consistent with a well-capitalized, late-stage private company targeting a 2027 IPO. The confirmed $100 million ARR milestone (2023) and the Series F led by a pre-IPO-oriented investor suggest the business has achieved subscription revenue scale, though current ARR, growth rate, and unit economics remain unverified. The total capital raised ($882–900 million) against disclosed ARR ($100M+ as of 2023) reflects a capital-intensive growth model typical of enterprise security platforms, with expectations of operating leverage improvement post-IPO. The primary financial diligence blockers are: (1) the approximately $400 million funding gap between Series D and Series E-II with no public disclosure of the intervening round's terms, investors, or structure; (2) the mathematically irreconcilable valuation figures — 80% growth from a $2.5 billion baseline implies $4.5 billion, while Calcalist reported $3 billion — suggesting at least one published figure is incorrect; (3) the complete absence of margin, retention, burn rate, and unit economics data, which prevents cash runway estimation; and (4) the structured credit component of the Series E-II (AllianceBernstein private credit) whose terms, covenants, and seniority are unknown. Positive signals include: the Golub Growth Series F lead as an implicit IPO readiness endorsement; the 80% valuation increase confirming meaningful enterprise value creation since 2024; the 1,000+ customer base anchored by 24 Fortune 100 companies; and the dual analyst recognition as a Gartner Magic Quadrant Leader and Forrester Wave Leader. The addressable market context from MarketsandMarkets (OT security market growing to $44.8 billion by 2030 at 17.6% CAGR) provides a large tailwind for ARR growth. Acquiring analysts and investors evaluating Claroty will need to independently verify: current ARR (and growth rate), net revenue retention, gross margin by product line, burn rate and cash balance, cap table seniority structure (especially the private credit instruments), and the nature and terms of the undisclosed 2021-2022 Series E. These cannot be resolved from public sources. [CI033, CI034, CI035, CI036, CI037]

5.1 Platform Scope and Deployment Architecture

The Claroty Platform is an enterprise cyber-physical systems (CPS) protection suite organized around six pillars: asset inventory, exposure management, network protection, secure access, threat detection, and operational efficiency. It is delivered through two primary products: Claroty xDome, a cloud-native SaaS offering targeting organizations that prioritize fast deployment and low infrastructure overhead; and Claroty Continuous Threat Detection (CTD), a robust on-premises deployment built for air-gapped industrial environments with strict data residency or latency requirements. Both products share the same detection engine, analytics framework, and CPS Library integration, so customers choosing either path receive functionally equivalent coverage. A third component, Claroty xDome Secure Access (formerly branded Claroty SRA), provides zero-trust remote access for internal and third-party OT personnel without requiring traditional VPN infrastructure or shared credentials. Claroty Edge extends the platform's reach as a zero-infrastructure edge-data collector. It runs on existing Windows-based infrastructure — on-premises or in the cloud — with no network sensors or physical footprint, allowing organizations to discover assets in remote sites, air-gapped zones, and distributed environments that cannot support full CTD deployments. The platform supports four discovery methods: passive monitoring (non-intrusive traffic inspection), Safe Queries (low-impact active queries tuned for fragile OT systems), Project File Analysis (offline PLC/DCS project file parsing), and Ecosystem Enrichment (ingesting data from firewall, switch, and CMMS integrations). Across these methods the platform claims coverage of 450+ industrial protocols, which Claroty presents as the deepest protocol library in the industry. The CPS Library, launched in November 2025, is an AI-powered asset catalog that uses LLMs and statistical inference modeling to resolve fragmented device identifiers into a canonical, vendor-verified record. The library addresses a systemic OT data-quality problem: Claroty's own Team82 research found that 88% of CPS assets do not transmit an exact product code and 76% transmit product names that differ from the vendor's official record. OEM partnerships with Rockwell Automation and Schneider Electric underpin the accuracy of the repository. An MCP Server layer allows generative AI tools to query the CPS asset inventory, accelerating incident response and enabling teams to use their preferred AI assistant on top of CPS security data.[CE001, CE002, CE003, CE004, CE005, CE006]

5.2 Product Modules, Use Cases, and Verticals

Claroty segments its go-to-market around four verticals — industrial, healthcare, commercial buildings, and public sector — each with a tailored solution overlay on the common platform. The industrial vertical (manufacturing, oil and gas, utilities, pharma) is the company's largest and relies on CTD or xDome for deep OT asset visibility plus xDome Secure Access for engineer and vendor remote access. The healthcare vertical is addressed via Claroty xDome for Healthcare, a modular SaaS solution that adds clinical-context enrichment for Internet of Medical Things (IoMT) devices: IV pumps, patient monitors, infusion systems, smart HVAC, and other connected clinical assets. Healthcare-specific differentiators include integration with Computerized Maintenance Management Systems (CMMS), support for MDS2 (Manufacturer Disclosure Statement for Medical Device Security), SBOM, and VEX (Vulnerability Exploitability eXchange) files from medical device OEM partners, and a Siemens Healthineers technology partnership that adds manufacturer-curated vulnerability and mitigation guidance directly within xDome workflows. The commercial buildings vertical targets data centers, retail, hospitality, and campus environments where Building Management Systems (BMS), HVAC, and physical access controllers create an often-overlooked CPS attack surface. Claroty's public sector overlay adds specific compliance mappings for NERC CIP (electric utilities), CISA BOD 26-02 (edge device replacement in federal networks), NIST CSF, and other federal frameworks, and includes an xDome for Government variant. In all verticals, the compliance and reporting module automates evidence collection and generates audit-ready reports for frameworks including NIS2, NERC CIP, IEC 62443, HHS Section 405(d), and NIST CSF. The xDome Secure Access module (formerly Claroty SRA) delivers zero-trust remote access into OT/ICS networks. It enforces granular per-device access policies, session recording, just-in-time credential vaulting, and multi-factor authentication — compensating controls for environments where unpatched legacy PLCs cannot natively enforce authentication. The Gartner 2026 Market Guide for CPS Secure Remote Access named Claroty a Representative Vendor, confirming market visibility in this segment. However, a critical authentication bypass vulnerability (CVE, October 2025) was discovered and patched in the SRA product, underscoring that the access layer itself has been a target and requires rigorous security assurance.[CE009, CE010, CE011, CE012, CE013, CE014]

5.3 Team82 Threat Research and Developer Surface

Team82 is Claroty's in-house cybersecurity research unit and is positioned as a proprietary competitive moat. The team has disclosed more than 750 ICS vulnerabilities — more than any other OT security vendor or research group — and publishes coordinated disclosures under a formal Coordinated Disclosure Policy with a public PGP key for secure vendor communication. Recent disclosures include multiple CVEs in Trane Tracer SC/SC+/Concierge building controllers (March 2026) and Schneider Electric Modicon M241/M251/M262 PLCs (March 2026). In its March 2026 report "Analyzing CPS Attack Trends," Team82 analyzed 200+ verified incidents over 12 months and found that 82% of attacks leveraged remote access protocols and 66% targeted HMIs and SCADA systems — research that directly supports Claroty's product messaging around SRA and monitoring. Team82 maintains a GitHub organization at github.com/claroty with 10+ public open-source research tools including: Arya (pseudo-malicious file generator for YARA testing), EtherNet/IP & CIP Stack Detector (identifies specific vendor firmware stacks in OT networks), OPC UA Fuzzer and OPC UA Exploit Framework, MMS Stack Detector, BusyBox AFL fuzzing harnesses, netunnel (HTTP/S network tunnel tool), WinCE-Debugger, and PCOM-Tools. The organization has 145 GitHub followers, reflecting niche but genuine practitioner engagement within the OT/ICS security research community. These tools are used by defenders and other researchers, establishing Claroty as an upstream contributor to open OT security tooling. The dual role of Team82 — generating threat intelligence that feeds back into the platform's detection rules and providing public-good vulnerability research that builds brand credibility — is a differentiated investment few OT vendors can replicate at scale. Team82's research directly accelerates the protocol library and detection engine updates; the EtherNet/IP stack detector and protocol-specific fuzzers have driven new coverage for protocols that would otherwise require months of reverse-engineering. The Vulnerability Disclosure Dashboard (publicly accessible on claroty.com/team82) provides real-time tracking of all Team82 CVEs, with vendor attribution and CVSS scores.[CE016, CE017, CE018, CE019, CE020, CE021]

5.4 Integration Ecosystem and Technology Alliances

Claroty's integration strategy follows a "CTAP" (Claroty Technology Alliance Program) certification framework. Integration categories cover: SIEM/SYSLOG export (IBM QRadar, Microsoft Sentinel, Splunk, ArcSight), SOAR/ticketing (ServiceNow, PagerDuty, Jira), firewall and NAC (Palo Alto Networks, Fortinet, Cisco, Claroty segmentation policies), endpoint/EDR (CrowdStrike Falcon, Microsoft Defender for Endpoint — used for OT asset enrichment), vulnerability management (Tenable, Rapid7), and OEM-level device enrichment (Rockwell Automation AssetCentre, Schneider Electric, Siemens Healthineers). The xDome platform embeds in-app orchestration for EDR, cloud, and SNMP integrations, and is configurable from the same recommendations page used for visibility scoring. The Rockwell Automation integration is a flagship example: Rockwell customers gain Claroty's vulnerability and threat intelligence enrichment within Rockwell's FactoryTalk AssetCentre, enabling OT teams to act on security recommendations without switching consoles. Schneider Electric contributed device data to the CPS Library at launch. The Siemens Healthineers partnership for healthcare xDome gives xDome users access to manufacturer-curated MDS2, SBOM, and VEX remediation guidance. Claroty classifies these relationships as CTAP Certified and notes that the integration is "built and supported by" either Claroty or the partner, providing clarity on support ownership. On the discovery and data-collection side, xDome integrates with CMMS systems in healthcare, Active Directory/LDAP for user identity attribution, and endpoint agents via EDR integrations (CrowdStrike Falcon, Microsoft Defender) to enrich OT asset profiles with process-level context. The CPS Library's MCP Server enables generative AI tools (customer-selected large language models) to query CPS security data using natural-language interfaces, positioning Claroty ahead of most OT peers in enterprise AI workflow integration. The Claroty xDome platform also integrates with Cisco industrial switches and firewalls for active network traffic visibility and policy enforcement points.[CE022, CE023, CE024, CE025, CE026]

5.5 Key Strengths and Differentiators

Claroty's primary technical differentiators are protocol depth, research investment, and platform breadth. The 450+ protocol library — built over a decade and continuously extended through Team82's reverse-engineering work — is the most consistently cited moat in analyst and customer evaluations. Gartner Peer Insights for the CPS Protection Platforms market showed a score of 4.9/5 based on 119 ratings with a 97% "Would Recommend" score as of March 2026, reflecting strong implementation satisfaction. The company was named a Leader in the 2026 Gartner Magic Quadrant for CPS Protection platforms (second consecutive year) and a Representative Vendor in the 2026 Gartner Market Guide for CPS Secure Remote Access. The Forrester Wave for IoT Security Solutions Q3 2025 similarly placed Claroty in the Leader band. The CPS Library and AI-powered asset identification pipeline represent the most differentiated recent product investments. By embedding LLM-RAG and statistical inference modeling, Claroty converts fragmented OT protocol broadcasts into deterministic, vendor-verified device identities at scale — solving a problem that has historically required weeks of manual reconciliation per site. The platform's coverage of all four major CPS verticals (industrial, healthcare, commercial, public sector) with vertical-specific compliance mappings and partner integrations is also difficult for point-solution vendors to replicate quickly. Team82's open-source toolchain and coordinated disclosure discipline reinforces the technical credibility of the platform's detection capabilities.[CE027, CE028, CE029, CE030]

5.6 Technical Risks and Limitations

Several technical risks merit scrutiny. First, the SRA authentication bypass CVE (patched October 2025 per Dark Reading reporting) demonstrated that the most critical access-control component of the platform had a high-severity vulnerability. While patched, SRA's position as a gateway into OT networks means any future SRA vulnerability could become a highly attractive attack vector; continuous security assurance processes for SRA are a key diligence item. Second, the passive-first discovery philosophy — while operationally safe — means that assets not broadcasting on monitored segments, air-gapped equipment, and firmware-only devices may remain invisible without supplementary Safe Queries or Edge deployments. Customers managing heterogeneous, multi-site environments frequently find that achieving complete asset inventory requires combining all four discovery methods, adding deployment complexity. Third, the platform's SaaS (xDome) mode requires cloud connectivity that some OT environments with strict data residency requirements cannot accommodate; CTD on-premises fills this gap but has higher TCO. Fourth, Claroty's CPS Library AI accuracy depends heavily on OEM partnership coverage — devices from vendors outside the Rockwell/Schneider/Siemens-Healthineers consortium may receive lower-quality attribute resolution until additional partnerships are onboarded. Fifth, the breadth of the integration catalog (SIEM, SOAR, EDR, NAC, vulnerability management) is technically sound but requires dedicated implementation effort; customers without mature IT security operations teams may find the integration surface overwhelming rather than additive. Finally, with 145 GitHub followers and niche tool engagement, the broader developer community is smaller than IT-native security vendors, limiting crowd-sourced feedback loops that could accelerate feature roadmap validation.[CE031, CE032, CE033, CE034, CE035]

5.7 Exhibits

6.1 Customer Base and Vertical Mix

Claroty serves over 1,000 customers globally—a milestone reached in 2023—with its Claroty xDome SaaS platform and on-premises Continuous Threat Detection (CTD) deployed at more than 8,000 sites worldwide. Twenty-four of the Fortune 100 are named customers, establishing Claroty as the dominant vendor in the largest-enterprise tier of the cyber-physical systems (CPS) protection market. Operations span North America, EMEA, and Asia-Pacific, supported by more than 700 employees in 27 countries. The company addresses four primary verticals: (1) Healthcare—led by Claroty xDome for Healthcare, covering IoMT, connected medical devices, and OT building management systems in hospital environments; (2) Industrial/OT— serving energy, oil and gas, utilities, manufacturing, food and beverage, and chemicals; (3) Public Sector —covering federal civilian, Department of War (DoW), intelligence community, SLED agencies, and critical infrastructure operators; and (4) Commercial/Retail—targeting retailers, logistics companies, warehousing, and data center operators. The vertical diversity limits concentration risk compared to OT-only vendors such as Dragos, though the healthcare vertical appears the deepest given the five-year KLAS recognition streak. Each vertical has a dedicated web presence, solution set, and partner ecosystem. Claroty's commercial page reports 40+ verticals supported, 450+ OT/IoT protocols covered, and 8,000+ sites protected—signaling broad protocol coverage as a competitive moat against narrower rivals. [CU001, CU002, CU003, CU005, CU006]

6.2 Named Customer Proof and Case Studies

Claroty publishes more than 40 named and anonymized case studies across verticals, with production deployments confirmed for eight publicly named customers examined in this chapter. The Port Authority of New York and New Jersey (PANYNJ)—one of the largest US transportation agencies managing major airports, bridges, tunnels, the World Trade Center complex, and a major bus terminal—deployed Claroty CTD and Enterprise Management Console (EMC) after an exhaustive 265-question technical evaluation in which only three vendors responded and none matched Claroty's depth of coverage. The initial implementation for hundreds of ICS composed of thousands of assets took approximately two years, with the bulk of the most critical systems onboarded within the first 8–10 months. South Tees Hospitals NHS Foundation Trust deployed all xDome modules across 6 facilities serving 1.5 million people in the UK, integrating with Fortinet FortiNAC for network access control and leveraging AWS cloud for scalability. Britvic (beverages, UK) deployed CTD hybrid with SRA, demonstrated compliance and OT visibility, then expanded to xDome with new sites in France and Brazil—an explicit land-and-expand pattern. Coop Switzerland (retail/wholesale) achieved 100% OT/ICS/IoT asset visibility across logistics, warehousing, and production sites, with network segmentation enforced and retail store rollout underway. In pharma, Phlow Corp.—a US pharmaceutical CDMO with Virginia-based cGMP facilities—deployed xDome for real-time monitoring, microsegmentation, and lab/manufacturing/warehouse visibility. A major European airport (50M+ passengers/year) deployed CTD, Secure Access, and EMC across cargo systems and building infrastructure, enabling managed third-party vendor access and full OT profiling. Yale New Haven Health System, Connecticut's largest healthcare provider, uses Claroty for enterprise-wide IoMT and IoT asset risk scoring with a Cisco ISE network segmentation project underway. The diversity of sectors and geographies in publicly named case studies, combined with multi-year production tenure, constitutes high-quality reference proof by industry standards. [CU007, CU008, CU009, CU010, CU011, CU012]

6.3 Healthcare Vertical Depth and KLAS Validation

Healthcare is Claroty's deepest, most independently validated vertical. The company has been recognized as Best in KLAS for Healthcare IoT Security by KLAS Research for five consecutive years (2021–2025) and received a Top Performer designation in the 2026 Best in KLAS Awards with an overall score of 92.5 out of 100—the second-highest score among all evaluated vendors and the highest number of customer reviews (35 unique healthcare organizations) in its category. KLAS also selected Claroty as one of only 30 vendors included in its "Consistent High Performers 2025" report measuring three-year rolling customer satisfaction—the only healthcare IoT security vendor on the list. Customer quotes published by KLAS indicate strong loyalty: a hospital CTO (December 2025) stated "We would absolutely purchase Claroty's system again"; a hospital manager (May 2025) described xDome as "our backbone when it comes to creating segmentation around medical devices… Claroty was the only answer for us." Named healthcare case studies include South Tees Hospitals NHS Foundation Trust (UK), Yale New Haven Health System (US), and Ohio State University Wexner Medical Center (US). Claroty's healthcare platform addresses regulatory pressures from HHS Section 405(d), HIPAA Security Rule, EU NIS2, and NHS Data Security and Protection Toolkit (DSPT), giving it compliance-driven stickiness. The breadth of healthcare customer evidence—five independently scored KLAS surveys, 35 evaluating organizations, named production deployments, and multi-year renewal signals—positions healthcare as Claroty's anchor vertical for revenue durability. [CU019, CU020, CU021, CU022, CU023, CU035]

6.4 Channel, Partner, and Public Sector Reach

Claroty's go-to-market relies heavily on a channel-partner model through its xCelerate Partner Program, which enables resellers, value-added resellers (VARs), managed security service providers (MSSPs), technology alliances, and distributors to sell, deploy, and support the platform. In April 2026, Claroty appointed John Ryan—formerly VP Worldwide Channel at Orca Security and Illumio—as Vice President of Worldwide Partner Ecosystem to accelerate this strategy. The CRN Security 100 and CRN IoT 50 designations in 2026 underscore channel credibility. For the US public sector, Claroty and Carahsoft Technology Corp. announced a distribution partnership in May 2026, making the Claroty platform available through Carahsoft's NASPO ValuePoint Master Agreement (#AR2472) to Federal, state, local, education, and healthcare (SLED) agencies. Carahsoft's extensive reseller network provides Claroty with coverage across agencies it would struggle to reach directly. The partnership with Mission IT (December 2025) resulted in Claroty CTD achieving an Authority to Operate (ATO) at multiple military missile defense sites under the Department of War (DoW) and an ATO for a classified Intelligence Community (IC) Facility Related Control System (FRCS), enabling ICD 503 and UFGS-25 05 11 compliance. At the missile defense site, Mission IT discovered a device footprint several times larger than previously documented— demonstrating Claroty's core value proposition of asset discovery in classified environments. With 40+ partners in its ecosystem and dedicated public sector general manager Jen Sovada leading government expansion, Claroty's channel reach substantially extends its direct sales capacity. The Carahsoft NASPO ValuePoint contract removes procurement friction that historically slowed government adoption. [CU024, CU025, CU026, CU027, CU028, CU029]

6.5 Retention, Expansion, and Customer Satisfaction Signals

While Claroty does not publicly disclose its Net Revenue Retention (NRR) or gross churn rate—a gap that limits quantitative diligence—multiple qualitative signals point to high retention and meaningful expansion. The KLAS 2026 score of 92.5/100 from 35 evaluating organizations, the KLAS three-year "Consistent High Performers" inclusion, and multi-year KLAS Best in KLAS designations are proxy retention indicators for the healthcare segment. Expansion is documented in case studies: Britvic migrated from on-premises CTD to cloud xDome and extended the deployment to new manufacturing sites in France and Brazil; Coop Switzerland completed core logistics/warehousing deployments and is expanding Claroty to in-store retail locations. South Tees NHS deployed all xDome modules and added Fortinet integration, increasing platform depth and switching costs. The typical land-and-expand motion starts with a single-site CTD or xDome deployment for asset visibility, then expands to secure access, threat detection, exposure management, and network protection modules as customer confidence grows. The average of 8 sites per customer (8,000+ sites / 1,000+ customers) suggests meaningful multi-site adoption. The 24 Fortune 100 accounts represent high-value, difficult-to-churn relationships given the depth of OT network integration required. Missing evidence: no public disclosure of NRR, contract length, cohort retention, or specific ARR per cohort—all are standard private-company withholding. Investors and prospective acquirers should request these metrics in any due-diligence process. [CU003, CU014, CU015, CU022, CU023, CU034]

6.6 Customer Concentration, Adverse Evidence, and Deployment Risk

The primary customer risk is the opacity of NRR and churn data. Claroty's private status means formal retention metrics are unavailable, forcing reliance on proxy signals (KLAS, case study expansion, KLAS three-year rolling metric). G2 reviewers—albeit a small panel (4.7/5, 6 reviews as of October 2024) —flag meaningful deployment friction: "a significant amount of fine-tuning is required to deploy," "software bugs, which can make incident handling cumbersome," "complexity of the initial setup might be challenging," and "needs an expert team to install." These signals suggest that time-to-value can be longer than marketed, that deployment requires skilled OT security personnel (a scarce resource), and that customers without in-house expertise may face higher total cost of ownership. Customer concentration is unknown at the revenue level: the 24 Fortune 100 accounts likely represent disproportionate ARR, and loss of even one large account could be material. Public-sector sales cycles are long and procurement-gated, making the Carahsoft and Mission IT partnerships necessary but not sufficient for rapid government revenue ramp. Healthcare vertical concentration, while validated, could become a liability if hospital M&A consolidates the customer base or if reimbursement pressures reduce cybersecurity spending. No public churn incidents, failed deployments, or major customer complaints have been identified in this research; however, the absence of adverse public evidence is partly explained by Claroty's non-disclosure norms and the sensitivity of OT customer incidents. [CU031, CU032, CU033, CU034, CU043, CU044]

6.7 Exhibits

7.1 Market, Competitive & Commercial Risks

Claroty's most acute near-term commercial risk is the rapid consolidation of the OT security market around megavendor platforms. ServiceNow's $7.75 billion acquisition of Armis in December 2024 embedded one of Claroty's principal competitors—a platform with overlapping CPS and OT asset management capabilities—inside the world's largest ITSM vendor. Mitsubishi Electric's approximately $1 billion acquisition of Nozomi Networks in September 2025 introduced a second consolidation event, giving a major industrial-automation conglomerate a vertically integrated OT security product that can be sold alongside SCADA, DCS, and ICS hardware in existing industrial relationships. Together these transactions have materially changed the competitive landscape in which Claroty must execute its 2027 IPO thesis. Structural sales-cycle friction compounds the competitive risk. OT buyers—plant engineers, process control managers, and operations vice presidents—prioritize production uptime above security posture. A typical enterprise OT security procurement spans 9–18 months from initial qualification to contract signature, requiring Claroty to sustain large deal pipelines to achieve predictable quarterly revenue recognition. This dynamic creates persistent revenue-at-risk and makes Claroty's ARR growth sensitive to macro-driven budget freezes in its energy, manufacturing, and water-utility customer segments. Platform-bundling pressure from Cisco, Palo Alto Networks, and now ServiceNow via Armis is compressing independent OT specialist positioning in large enterprise accounts. As these vendors extend native OT capabilities into their existing security and IT-management portfolios, they can present a single-vendor simplification argument to IT and security buyers that Claroty—as a dedicated best-of-breed specialist—cannot match on procurement simplicity, even if it retains technical depth advantages. This risk is particularly elevated in healthcare and government accounts where vendor consolidation is a stated procurement objective. The valuation context adds a specific execution pressure. Claroty's post-Series-F valuation is reported at approximately $3 billion, representing a multiple on undisclosed ARR that is consistent with premium SaaS valuations but leaves limited margin for growth deceleration in the 18 months leading into an IPO window. If win rates in new deals deteriorate due to competitive displacement, or if existing customers consolidate onto megavendor platforms at renewal, the achievable IPO multiple could compress materially. [CR001, CR002, CR003, CR004, CR005, CR007]

7.2 Product, Technical & Security Risks

Claroty's platform occupies a privileged network-visibility position inside critical-infrastructure OT environments. This positioning is both the source of its competitive value and its primary product-security liability: any vulnerability in Claroty's sensors, management servers, or cloud connectors that permits lateral movement into the underlying OT network would represent a severe breach of customer trust and an acute regulatory event. The most significant disclosed product-security incident to date is the authentication-bypass vulnerability in Claroty's Continuous Threat Detection product. This vulnerability, if exploited before patching, would have permitted unauthenticated administrative access to customer OT network visibility data. Claroty addressed the issue through its responsible-disclosure process, but the incident illustrates the category of risk that any OT security platform faces: the product designed to protect OT networks must itself be hardened against the adversaries it is designed to detect. Team82's proactive vulnerability research creates a secondary risk surface. While the research unit is a meaningful brand differentiator, its regular publication of third-party ICS vulnerability disclosures attracts attention from nation-state and criminal actors who monitor CVE publications to identify exploitable windows in legacy OT environments. CISA's Known Exploited Vulnerabilities catalog listed 1,592 actively exploited vulnerabilities as of May 2026, illustrating how consistently the gap between disclosed vulnerabilities and customer remediation capacity is exploited. A zero-day in a widely deployed component of Claroty's own platform would test whether the responsible-disclosure cycle protects customers or inadvertently expands the attack surface. Brownfield deployment complexity is an underappreciated operational risk. Many legacy ICS environments use outdated operating systems that cannot be patched, lack encryption or authentication protocols, and require weeks of professional-services effort before Claroty sensors can be deployed reliably. Failures in complex brownfield deployments—such as sensor incompatibilities, false-positive alert storms, or partial coverage gaps—extend sales cycles, delay ARR recognition, and create reputational exposure if the deployment failure occurs in a customer that subsequently experiences an OT security incident. Claroty has not publicly disclosed its deployment-success rate, time-to- value SLA, or the share of deployments that require escalated professional-services engagement. [CR009, CR010, CR011, CR012, CR013, CR014]

7.3 Regulatory & Legal Compliance Risks

Claroty's primary verticals—energy, manufacturing, healthcare, and government—are all subject to evolving OT cybersecurity mandates that create both demand and compliance overhead. The regulatory landscape is characterised by simultaneous tailwinds (mandates that incentivize OT security investment) and headwinds (compliance burden that diverts customer budgets and introduces certification friction into Claroty's sales cycles). The most significant near-term regulatory development is CIRCIA. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 mandates 72-hour incident reporting and 24-hour ransomware payment reporting for covered critical-infrastructure entities. As of May 2026, CISA's proposed rulemaking is pending final promulgation; the scope of covered entities, exact reporting thresholds, and the technical requirements for the reporting interface remain under NPRM review. The final rule is expected to expand covered-entity scope beyond the statutory minimum, potentially requiring Claroty's customers to build or procure reporting-automation capabilities. This could either benefit Claroty if it embeds CIRCIA-compliance reporting into its platform, or divert customer security budgets toward point-solution reporting tools if Claroty does not move quickly. NERC CIP standards provide the regulatory demand floor for Claroty's energy-sector business. The currently enforced CIP v5/v6 standards require BES Cyber System asset inventory, network segmentation, and patch-management controls that map directly to Claroty's platform capabilities. An upgrade to CIP v7 could require customers to re-demonstrate compliance against tightened asset-visibility and incident-detection requirements—creating a replacement-evaluation cycle in which Claroty's competitors can challenge incumbents. In Europe, the NIS2 Directive's October 2024 effective date elevated supply-chain risk management as a board-level obligation for essential entities. This creates an asymmetric dynamic for Claroty: as an OT security vendor, it benefits from NIS2-driven customer procurement activity, but it is also subject to NIS2 scrutiny as a supply-chain component within regulated operators' environments. EU customers may require Claroty to provide evidence of its own NIS2-compliant security practices, creating an additional certification and compliance overhead for European market expansion. On the legal side, the Export Administration Regulations administered by BIS present a latent but potentially material risk given Claroty's Israeli corporate domicile and the dual-use classification of cybersecurity software for critical-infrastructure protection. While no enforcement action has been publicly disclosed, the combination of Israeli origin, government-market focus, and intelligence-grade OT vulnerability research creates a fact pattern that warrants ongoing BIS counsel review. [CR016, CR017, CR018, CR019, CR020, CR021]

7.4 Financial, Organizational & Geopolitical Risks

Claroty's IPO execution risk is the single largest financial risk in its current profile. CEO Yaniv Vardi has publicly targeted a 2027 IPO, but that window depends on public-market conditions that have deteriorated since early 2024 for high-multiple, private-equity-backed software companies. With approximately $900 million raised and a reported $3 billion valuation, Claroty must demonstrate to public-market investors a durable ARR growth trajectory, credible path to profitability, and clean capitalization structure before an underwriter can price a successful offering. None of these elements is independently verifiable from public information. The valuation itself contains an unresolved discrepancy. Claroty's post-Series-F valuation has been reported at $3 billion, described as an approximately 80% increase from an April 2024 baseline of $2.5 billion. Arithmetically, 80% of $2.5 billion is $4.5 billion, not $3 billion. This inconsistency suggests either that prior market estimates were based on a lower implied baseline than the commonly cited $2.5 billion, or that the 80% figure reflects a calculation applied to a different valuation reference date. The discrepancy does not indicate fraud, but it does illustrate how private-company valuation opacity can produce conflicting market signals that complicate investor positioning ahead of an IPO. Geopolitical exposure from Claroty's Israeli founding adds a layered and often underappreciated risk dimension. SEC Form D filings confirm Israel as the registered domicile for fund vehicles associated with the Team8 founding syndicate. Claroty's Israel-based Team82 research unit represents a concentration of critical R&D and threat intelligence capability in a geography subject to periodic military escalation and civil-disruption risk. While the Company has not disclosed its business-continuity plan for R&D disruption, the precedent from other Israeli tech companies suggests that sustained conflict periods can impair hiring, retention, and operational continuity for Israel-based functions. Export-control risks compound geopolitical exposure: BIS EAR classification of Claroty's platform as dual-use cybersecurity software could affect government- procurement eligibility in certain jurisdictions or trigger license requirements for specific international sales. Key-person risk is concentrated in a small founding and executive team. CEO Yaniv Vardi is the institutional face of the IPO execution plan, serving as the primary point of contact for growth investors, strategic customers, and potential underwriters. Unplanned CEO departure would likely create a material delay in IPO execution and could trigger investor-rights clauses if present in the Series F terms. New CPO and CSO hires in 2025 indicate pre-IPO team strengthening, but also confirm prior gaps in those roles. Co-founder equity concentration and long-vesting R&D leadership create additional optionality risk as the IPO approaches and early-employee liquidity windows open. [CR023, CR024, CR025, CR026, CR027, CR028]

7.5 Partner, Channel & Concentration Risks

Claroty's go-to-market model depends heavily on channel intermediaries, technology alliances, and a small number of high-value distribution relationships. Unlike direct-sales SaaS peers, where ARR concentration in the sales organization is visible, channel-driven revenue concentration is harder to detect from public disclosures and can crystallize rapidly if a key partner relationship changes. The most material channel concentration risk is Claroty's US government distribution relationship with Carahsoft Technology. Carahsoft operates as Claroty's primary federal and SLED distribution partner, providing access to GSA schedule pricing and DOD-adjacent procurement vehicles. Carahsoft is an intermediary with significant leverage in the US public-sector market and has documented relationships with dozens of cybersecurity vendors simultaneously. A contract dispute, a GSA schedule audit, or a Carahsoft strategic realignment toward a competing OT platform could create an immediate and unforeseeable ARR air pocket in Claroty's government vertical without advance disclosure. Technology alliance concentration with Rockwell Automation creates a second category of channel dependency. The Rockwell co-sell alliance positions Claroty in manufacturing accounts where Rockwell maintains existing PLC, SCADA, and industrial-automation relationships. This is a valuable but non-exclusive arrangement. Rockwell's acquisition of a competing OT security vendor—or the development of an internally built security product for its industrial platform—would redirect partner investment and potentially convert a co-sell partner into a competitive channel. In the APAC and EMEA geographies, Claroty relies on regional value-added resellers and MSSPs for market development. The specific economics of these relationships—partner margins, quota commit obligations, and competitive exclusivity terms—are not publicly disclosed. Insufficient technical enablement investment by regional distributors can stall pipeline in high-growth markets, while competitive pressure from megavendors offering more comprehensive partner programs can induce partner churn. The broader platform-bundling dynamic described in the Market Risks section has a direct channel dimension: as Cisco, Palo Alto, and ServiceNow via Armis extend OT capabilities and push them through their own vastly larger partner ecosystems, they can offer resellers and MSSPs higher margin on a broader portfolio. This creates structural incentive pressure for channel partners to shift OT security deal sourcing toward megavendor platforms and away from specialist vendors like Claroty that require dedicated technical enablement investment. [CR034, CR035, CR036, CR037, CR038, CR039]

7.6 Exhibits

8.1 Recommendation and investment thesis

Claroty is investable on strategic importance but not yet on evidence completeness. The bull thesis is straightforward: the OT and broader cyber-physical security category is still growing at a double-digit rate, Claroty retains third-party analyst leadership, and the company now reports more than 1,000 customers including 24 Fortune 100 accounts. The Series F lead by Golub Growth also matters because it looks like late-stage positioning for a public-market process rather than an emergency rescue round. Those points support continued tracking and can justify a premium to slower, mature cyber platforms. The anti-thesis is just as important. Claroty still has not published a current ARR figure, any gross-margin or retention data, or the absolute valuation attached to its January 2026 financing. That means the valuation story depends on secondary reporting and inference. The recommendation is therefore conditional rather than enthusiastic: public evidence supports monitoring and potentially buying only with strict entry discipline, not paying any reported price as if it were fully verified. The right stance is research more, verify the cap table and ARR bridge, and only underwrite upside once valuation opacity narrows materially.[CV019, CV020, CV021, CV022, CV037, CV041]

8.2 Financing context, valuation discipline, and entry price

Claroty's disclosed financing history shows both strength and complexity. The 2021 Series D raised $140 million and took cumulative capital to roughly $235 million, while the March 2024 strategic financing added another $100 million and lifted cumulative disclosed capital to $635 million. The January 2026 Series F then added $150 million led by Golub Growth and brought disclosed funding to roughly $885 million to $900 million. That scale of capital can be interpreted positively, because it allowed Claroty to build a broad CPS platform and reach meaningful enterprise scale. It also creates a likely preference overhang, especially because the 2024 financing included private-credit participation rather than appearing as clean common equity. Entry discipline therefore matters more than the headline valuation. Independent coverage placed the Series F around $3 billion, yet Claroty only confirmed an 80% uplift from the prior round and never published the absolute mark. If the prior 2024 mark was really $2.5 billion, then the 80% math implies about $4.5 billion. That inconsistency means the public evidence does not support treating $3 billion as a verified clearing price. A disciplined investor should instead treat the reported mark as a diligence anchor, require proof of current ARR, and underwrite downside from the possibility that preferences and structured capital absorb more value than the headline enterprise number suggests.[CV001, CV003, CV004, CV006, CV007, CV008]

8.3 Scenario analysis and return math

The scenario range is driven less by debate about market demand and more by uncertainty around current revenue scale. Public evidence can support a base case in which Claroty has progressed beyond the >$100 million ARR milestone to something closer to $150 million to $160 million by 2027, allowing a $4 billion to $5 billion IPO or strategic value. That case works, but it does not make a $3 billion entry obviously cheap; it only makes it reasonable if current ARR is already moving above the stale public anchor. The bull case requires stronger evidence than is presently available. To support a $6 billion to $8 billion exit, Claroty would need premium growth, public-market timing, and a buyer or IPO audience willing to pay far above mature cyber-platform multiples. The bear case is easier to see from public evidence because it only needs one of three things to happen: ARR fails to inflect, the IPO window stays shut, or the preference stack proves heavy enough that common-equity returns remain poor even at a headline valuation close to today's reported mark. For that reason the return range is skewed: downside can be flat to negative at a $3 billion entry, while attractive upside still depends on disclosures the company has not yet made.[CV016, CV017, CV018, CV031, CV032, CV033]

8.4 Comparable valuation anchors

The comparable set is informative but imperfect. Armis is the clearest upside anchor because the announced $7.75 billion sale to ServiceNow shows what a strategic buyer will pay for a broad digital-and-physical risk platform. It is not a clean one-for-one comparable, however, because Armis spans a broader IT, OT, IoT, and cloud footprint than Claroty. Nozomi sits at the other end of the range: its roughly $1 billion sale to Mitsubishi Electric is highly relevant as a pure-play OT transaction, but likely understates Claroty's broader healthcare and public-sector reach. Tenable is the best public-market floor because it provides primary-filed revenue and customer metrics. At about $999 million of FY2025 revenue and roughly a $4.1 billion market value in mid-2025, Tenable traded near a 4x revenue multiple, which is far below the 25x-plus ARR math implied by a $3 billion Claroty mark on a $120 million working ARR case. That gap is not automatically a red flag because Claroty could still be growing faster and commanding scarcity value. But it does show that Claroty needs better-than-public-comp growth and disclosure quality to defend a premium entry. Dragos remains strategically relevant, yet its stale public pricing means the comparable table is necessarily partial rather than exhaustive.[CV024, CV025, CV026, CV027, CV028, CV029]

8.5 Exit readiness, thesis-breaks, and final diligence asks

Claroty looks operationally exit-ready. It has late-stage capital, analyst recognition, enterprise-scale customer logos, and a management team already talking publicly about a 2027 IPO. What it does not yet have is public-markets disclosure readiness. Investors still lack a current ARR bridge, current growth rate, gross-margin profile, retention data, and the cap-table details required to turn enterprise value into actual equity returns. That gap is exactly why the final diligence list is short but critical: verify revenue quality, verify the waterfall, verify any senior or structured instruments, and verify the board's actual IPO plan rather than relying on media paraphrase. The clearest thesis-breaks follow directly from those missing items. A financing below the 2024 mark, evidence that ARR is still close to $100 million, or a cap table showing common equity receives little value below a $4 billion exit would each materially weaken the case. So would a cybersecurity IPO market that remains effectively shut through 2027. Until those questions are answered, the best-supported conclusion is not that Claroty is overvalued at any price, but that the public record is too incomplete to justify paying a late-stage premium without stronger diligence rights.[CV009, CV010, CV035, CV037, CV038, CV039]