Cohesity

1.1 Identity, Platform, and Current Positioning

Cohesity is a private San Jose, California data-security software company founded in 2013. Its current corporate pitch centers on Cohesity Data Cloud, a single platform for protecting 1,000+ workloads across on-premises, cloud, and SaaS environments while also making protected data usable for AI. The company page now claims 13,000+ customers, 70% of the Global 500, and 200+ exabytes of protected data, which is directionally above the 12,000-customer / hundreds-of-exabytes scale disclosed when the Veritas combination closed in December 2024. Customer references such as Nasdaq and Conagra show the product being used in regulated enterprise SaaS backup and operationally sensitive environments rather than only in small IT backup niches. The 2026 product narrative also broadens the story beyond classic backup: Cohesity's March 2026 Enterprise AI Resilience launch and April 2026 Google Cloud award both emphasize governed enterprise data, agent-risk recovery, and cloud-native cyber resilience. The identity to carry into later chapters is therefore not a point backup appliance vendor but a private cyber-resilience platform vendor trying to convert protected data and partner integrations into a broader AI-era control plane.[CO001, CO002, CO003, CO004, CO027, CO028]

1.2 Leadership, Governance, and Founder-to-Operator Transition

Leadership has clearly shifted from founder-led to operator-led. Mohit Aron was still described as CEO and founder in the March 2021 valuation announcement, but current official materials identify Sanjay Poonen as President and CEO, and independent coverage ties his August 2022 arrival to a deliberate plan to consolidate the fragmented data-protection market. Governance also expanded with the Veritas transaction. Official combination materials said Greg Hughes would stay involved as a board member and strategic advisor, while Brian Sheth (Haveli), Patrick McCarter (Carlyle), and Sandesh Patnam (Premji) gained board or observer roles. The current leadership page additionally shows Kevin Mandia as an independent board member and highlights a board structure mixing independent and investor representation. That mix gives Cohesity scale-governance benefits, but it also creates visible key-person dependence. Public launches, partner announcements, and integration messaging still orbit Sanjay and a relatively small named executive set. If growth, integration, or IPO preparation stumbles, the business has limited public redundancy in its leadership narrative, even if third-party directories imply the internal bench is broader than the website individually profiles.[CO005, CO006, CO007, CO008, CO009, CO010]

1.3 Capital Base, Shareholder Signals, and Disclosure Limits

Cohesity's capital story has two distinct phases. First, the company reached a $3.7 billion valuation in March 2021 via a $145 million non-dilutive tender offer led by STEADFAST, after disclosing nearly 90% year-over-year ARR growth, net expansion above 130%, and more than 2,300 customers. Reuters-linked coverage later reported that the company confidentially filed for a U.S. IPO in December 2021, but the listing did not happen as software market conditions weakened. Second, Cohesity chose scale-through-M&A rather than a standalone listing. In February 2024 it announced the Veritas enterprise data protection combination at an approximate $7 billion combined valuation, then closed the transaction in December 2024 with disclosed pro forma revenue above $1.7 billion, ARR of $1.5 billion, and 28% adjusted cash EBITDA margin for the combined entity. The investor roster around that transaction is strategically important: Haveli led the Series H financing, Carlyle rolled into the cap table through Veritas, and long-time backers such as SoftBank, Sequoia, Wing, and Premji remained part of the story. What is still missing is the real cap-table math—exact post-close ownership percentages, liquidation stack, and debt sizing were not publicly disclosed.[CO012, CO013, CO014, CO015, CO016, CO017]

1.4 Milestones, Partnership Momentum, and Diligence Risks

The milestone record from 2021 to 2026 shows a company moving from high-growth private backup vendor to scaled platform consolidator, but the same record also surfaces diligence risks. The February 2024 deal thesis rested on low customer overlap, broader global coverage, and a roadmap that preserved both the Cohesity and Veritas product lines. TechCrunch later reported less than 5% customer overlap and described a unified sales motion designed to capture synergies without immediate sales layoffs. That is positive for cross-sell logic, yet the same article points out the classic consolidation downside: less competition can raise pricing power even if no pricing or contract changes were announced at close. Official 2026 launches deepen the strategic shift by tying Cohesity to sovereign cloud, agent-risk recovery, Google integrations, and AI data activation, which helps explain why management increasingly talks about cyber resilience rather than backup alone. Even so, there are still important blind spots for investors: current headcount is not publicly verified, precise debt terms are undisclosed, and post-merger pricing behavior has not been pressure-tested through public customer references. Those are not thesis breakers, but they are the highest-value diligence follow-ups before using the 2024 close metrics as a valuation anchor.[CO020, CO024, CO025, CO026, CO028, CO029]

1.5 Exhibits

2.1 Market Boundary and Included Spend

Cohesity’s market should not be framed as a narrow backup-appliance niche. The reviewed evidence points to a layered market definition: a core data replication and protection software category, a cyber-recovery overlay that adds integrity and clean-recovery requirements, and adjacent data-security / data-management workloads that vendors use to enlarge TAM. The cleanest bounded layer is IDC’s data replication and protection software market, which the Veritas combination materials peg at roughly $12.2-$12.3 billion in 2024 vendor sales. That core layer clearly includes enterprise backup, replication, recovery, and related software revenue. It does not by itself capture every adjacent workload vendors now sell under cyber resilience, SaaS protection, or data-security posture language. The surrounding spend that Cohesity and peers want investors to count includes cyber-recovery tooling, SaaS protection breadth, security-driven recovery workflows, and some managed or partner-delivered services. IDC’s own MarketScape language supports this broader framing by distinguishing cyber-recovery from traditional DR and SaaS protection from native app tooling. At the same time, that does not make every adjacent security or storage budget part of Cohesity’s real market. Pure network security, endpoint security, generic storage hardware, and unrelated cloud administration tools remain outside this chapter’s working boundary. The relevant status-quo substitutes are incumbent backup suites, native point tools, and MSP-delivered recovery services, not a single unified buyer budget.[CM001, CM002, CM003, CM004, CM005, CM006]

2.2 Sizing Lenses and Contradictory TAM Estimates

Public TAM language around Cohesity is directionally useful but not internally consistent. The February 2024 Veritas transaction announcement used a TAM of over $30 billion and explicitly said that the $12.2 billion IDC data replication and protection software market was one component of that number. By the December 2024 close, the official framing had widened again to $40+ billion while citing a slightly higher $12.3 billion IDC core market estimate. Rubrik’s April 2024 S-1 used a different lens again: a $36.3 billion 2024 platform TAM growing to $52.9 billion by 2027. None of these should be collapsed into one “true TAM.” They use different category boundaries, vendor agendas, and time frames. The better read is that Cohesity operates inside a real and sizeable core software market, but management’s investable story depends on expanding outward into broader cyber-resilience and data-security budgets. IDC’s market-shares abstract and Blocks & Files’ summary also show why market size alone does not settle the thesis: the category remains fragmented and sticky, with no single vendor commanding share. That fragmentation supports consolidation upside, but it also means the serviceable market for a post-Veritas Cohesity is still constrained by installed-base inertia, migration risk, and buyer willingness to adopt broader platform bundles. Public evidence is therefore strong enough to size the outer range, but not to isolate Cohesity’s actual SAM or near-term SOM.[CM007, CM008, CM009, CM010, CM011, CM012]

2.3 Buyer, User, Payer, and Channel Map

The visible buyer set for Cohesity-class platforms is still IT-led. IDC repeatedly describes “IT buyers” rather than business-function owners and tells them to weigh complexity, breadth, services, price, and incumbency. Gartner Peer Insights roles surfaced by Cohesity reinforce that framing: backup-administration leads, system engineers in banking, and CIOs are the public-facing operators and evaluators. Rubrik’s filing adds that large-enterprise purchases can become organization-wide decisions with lengthy testing and education cycles, while public-sector motions require dedicated federal, state, and local sales coverage. In practice, the user is often the backup, infrastructure, or security operations team; the buyer is usually the infrastructure or cyber leader; and the payer appears to sit in the same technical budget family, though public sources do not give enough segment-level pricing or signer detail to be definitive. Channel structure matters because Cohesity does not need to win every workload through a pure direct-software motion. Veritas’ close materials highlight a wide partner ecosystem across VARs, systems integrators, cloud providers, MSPs, and OEMs, while 11:11 Systems shows the category can also be sold as managed backup, replication, recovery, DRaaS, and cyber-vault services. That matters most in public sector and operationally lean midmarket accounts, where compliance gates, service depth, and procurement support can outweigh product feature deltas. The result is a market in which route-to-market design is part of the product, not just a sales wrapper.[CM014, CM015, CM016, CM017, CM018, CM019]

2.4 Growth Drivers, Adoption Triggers, and Constraints

Demand drivers for this market are concrete rather than speculative. CISA’s ransomware guidance makes offline, encrypted, and tested backups a baseline control, while GAO documents the impact of ransomware across critical infrastructure and the still-incomplete adoption of leading practices. Cohesity’s own survey evidence points in the same direction: only 39% of organizations say they use a single platform across hybrid and multicloud environments, fewer than half follow 3-2-1 or use immutability, and only 6% qualify as truly risk-ready. IDC’s abstract language adds a macro read-through: the market remains resilient because it now sits at the intersection of AI initiatives, ransomware defense, and infrastructure optimization. Public-sector demand is not theoretical either; Cohesity’s government guide says 72% of states planned backup-and-recovery upgrades within 12 to 18 months, while GAO highlights healthcare, transportation, energy, and manufacturing as active ransomware-risk sectors. The same evidence also shows why adoption does not automatically convert into fast revenue. Buyers face incumbency drag, complicated evaluation cycles, certification requirements, public-sector budget timing, and the need for cleanroom-style recovery capabilities that many organizations still have not operationalized. IDC explicitly says price and incumbency matter, not just features, and Rubrik’s filing warns that government funding authorizations and certification requirements can slow or derail demand. Cohesity therefore benefits from strong secular demand, but valuation still depends on whether it can turn that demand into faster migrations, larger cross-sell bundles, and repeatable channel-assisted conversions without relying on over-broad TAM language.[CM026, CM027, CM028, CM029, CM030, CM031]

2.5 Exhibits

3.1 Landscape, Peer Set, and Substitute Paths

Cohesity’s competitive set is broader than the four direct peer names most often cited in investor shorthand. Independent 2025 market coverage still clusters Rubrik, Veeam, Commvault, Cohesity, Dell, and Druva at the top of the enterprise backup-and-data-protection category, but the practical buying field also includes Microsoft and AWS native services, IBM’s long-standing protection stack, and the residual Veritas footprint that many enterprises still understand operationally. The result is a multi-layer landscape: direct platform peers that compete for large consolidation programs, incumbents that defend existing estates, and hyperscaler-native substitutes that can satisfy narrower cloud-resident workloads without a full control-plane rip-and-replace. That structure matters because buyers do not choose between only two neatly bounded products. A large enterprise can keep Veeam for broad VM coverage, use Azure Backup or AWS Backup for cloud-native workloads, rely on IBM or Dell for retention-heavy or estate-tied use cases, and still evaluate Cohesity, Rubrik, or Commvault for cyber recovery and orchestration. In other words, the real alternative set includes both full-platform challengers and enough status-quo tooling to keep multi-homing alive. Cohesity’s advantage is that post-Veritas breadth now belongs in the top tier of this wider landscape, but that same breadth also exposes it to more fronts of competition at once.[CP001, CP002, CP003, CP004, CP005, CP006]

3.2 Direct Competitor Profiles, Deployment Models, and Pricing Opacity

The direct peer comparison is no longer just about backup performance. Rubrik’s pitch is a cloud-native SaaS control plane built around data and identity security, sold through a land-and-expand motion that increasingly leans on ecosystem leverage. Commvault is the closest breadth analogue to Cohesity because it explicitly spans hosted SaaS, customer-managed software, integrated appliances, and partner-delivered models while packaging cyber recovery into modular tiers. Veeam’s 2026 story is roadmap-heavy: broader hypervisor support, automated AD Forest Recovery, and a unified operating surface that tries to reduce migration friction. Druva stays differentiated by going the other direction—fully managed SaaS, no infrastructure for customers to secure directly, and automation-centered ransomware response. Pricing is materially less transparent than marketing copy suggests. Official public pricing is easiest to find from hyperscaler-native services and from Druva’s pricing brief, which explicitly mentions common plans plus enterprise and volume discounts. Commvault’s packaging page is useful for feature packaging but still pushes buyers toward a conversation rather than a posted enterprise rate card. Reviewed Rubrik and Veeam sources likewise show architecture, roadmap, and ecosystem depth without exposing a clean public list price that would let investors or buyers benchmark apples-to-apples economics. That means procurement strength, discounting behavior, and installed-base leverage remain important competitive variables even before feature comparisons begin.[CP013, CP014, CP015, CP016, CP017, CP018]

3.3 Distribution Power, Cloud Adjacency, and Switching-Cost Logic

Route to market is one of the biggest reasons this category does not collapse into a pure feature shootout. Rubrik emphasizes resellers, technology partners, service delivery partners, and a deep Microsoft tie-in that matters in Azure and Microsoft 365 estates. Commvault’s partner language is even broader, explicitly naming cloud partners, global systems integrators, distributors, and managed service providers, with NetApp framing the 2026 alliance as joint go-to-market expansion. Veeam’s long-standing partner-first motion and Druva’s alliance ecosystem create similar distribution leverage from a different starting point. These channel structures matter because data protection is often sold alongside infrastructure, cloud migration, security services, or managed operations rather than as a purely stand-alone software purchase. Switching cost is therefore uneven rather than absolute. Veeam’s mixed-hypervisor portability can reduce lock-in to any one virtualization vendor, but it also makes Veeam easier to keep beside other tools rather than forcing a full-platform conversion. Azure Backup and AWS Backup create the opposite dynamic: they are easy to adopt inside existing cloud spend because pricing is usage based and procurement already exists, yet they do not solve the full heterogeneous enterprise control-plane problem. IBM and Dell remain relevant when customers want continuity with existing retention or infrastructure patterns. For Cohesity, the implication is clear: it must win not only on features but on whether consolidation genuinely saves operational time relative to keeping several specialized tools in place.[CP024, CP025, CP026, CP027, CP028, CP029]

3.4 Moat Durability, Multi-Homing, and Commoditization Risk

Independent commentary points to a tightly packed leader set rather than a runaway winner. Rubrik and Veeam still edge the main Gartner axes, but Commvault and Cohesity sit close enough that execution quality, not only architecture, will decide share shifts. The most favorable outside read for Cohesity is that the Veritas combination gives it unmatched workload breadth, with only Commvault near it on coverage. The least favorable read is that the same merger creates execution chaos risk, and that peers can exploit any integration drag while customers continue to multi-home. That risk is real because Blocks and Files notes Veeam often coexists with other backup products, which is exactly the pattern that keeps switching costs from becoming permanent moat. More broadly, the category is converging around the same high-level promises: immutable protection, clean recovery, AI-assisted operations, identity resilience, and SaaS or hybrid control planes. Rubrik leans into simplicity and data-security narrative, Commvault into breadth and add-on depth, Veeam into portability plus identity recovery, Druva into SaaS simplicity, and cloud-native substitutes into low-friction procurement. Those are meaningful differences, but they are differences inside a common cyber-recovery frame rather than isolated product categories. For Cohesity, moat durability rests on whether post-Veritas breadth converts into easier enterprise execution, stronger partner-led distribution, and better win rates than adjacent clouds and platform peers—not on the idea that other vendors cannot copy cyber-recovery feature checkboxes.[CP035, CP036, CP037, CP038, CP039, CP040]

3.5 Exhibits

4.1 Legacy Standalone Metrics Versus Combined Pro Forma Scale

The public record supports two very different financial lenses. The legacy standalone lens is strongest in 2021, when Cohesity disclosed an annualized revenue run rate above $300 million, ARR growth above 70 percent, net expansion above 130 percent, and roughly 2,600 customers by July 31, 2021. The March 2021 tender announcement and contemporaneous coverage also showed that investors were willing to support a 3.7 billion dollar valuation through a non-dilutive employee liquidity event, which indicates real demand for the standalone business before the software-market reset. But the underwriting problem is that this lens effectively stops there. By 2024 and 2025, the company’s most useful scale disclosures are no longer standalone Cohesity metrics. Instead, the announcement and close materials for the Veritas combination provide combined-entity pro forma revenue, ARR, and adjusted cash EBITDA figures. The February 2024 announcement framed the business at more than $1.6 billion of revenue, $1.3 billion of ARR, and 27 percent adjusted cash EBITDA margin, while the December 2024 close updated those metrics to more than $1.7 billion of revenue, $1.5 billion of ARR, and 28 percent adjusted cash EBITDA margin. Those are powerful scale markers, but they cannot be read as audited standalone Cohesity economics.[CI001, CI002, CI003, CI004, CI005, CI006]

4.2 Monetization, Pricing Opacity, and Unit Economics Proxies

Cohesity’s revenue quality appears better than its disclosure quality. Official materials from both the 2021 standalone period and the 2024 close repeatedly emphasize a subscription-led recurring model, and the legacy net-expansion figure above 130 percent is the cleanest public evidence that the product historically expanded within existing accounts rather than depending only on new logos. Public materials also imply several monetization buckets: software subscriptions or term licenses, support and maintenance renewals, DMaaS or SaaS offerings such as DataProtect delivered as a service, and services or partner-delivered implementations. What is missing is the exact mix between those streams, which matters because inherited Veritas maintenance dollars are economically different from net-new Cohesity software ARR. The pricing picture is even more opaque. Reviewed materials do not expose realized customer pricing, discount levels, or CAC and payback metrics, so the best public unit-economics read comes from proxies and public peers. Rubrik’s filing and earnings releases show how a cyber-resilience peer discloses ARR, gross margin, free cash flow, and contribution margin. Commvault’s annual report and fiscal 2026 results show what mature public disclosure looks like for revenue, ARR, gross margin, and cash generation. That contrast strengthens the view that Cohesity’s core engine is probably recurring and enterprise-heavy, but still not disclosed at a level that supports bottom-up underwriting.[CI003, CI008, CI009, CI013, CI014, CI015]

4.3 Capital Structure, Financing Dependency, and IPO Path

The capital stack is visible in outline but not in debt detail. At signing, Cohesity and Veritas said the transaction would be funded with both equity and debt, and they explicitly referenced exchange offers or similar transactions tied to existing Veritas debt. By close, the company had narrowed the equity side of that story: a Haveli-led Series H provided the majority of transaction equity, Coatue, Sapphire Ventures, and Dragon Fund also participated, Carlyle rolled into the combined company through Veritas ownership, and marquee backers such as Sequoia, SoftBank, Wing, Premji, and Madrona were named as supporters. J.P. Morgan arranged and committed financing, which gives comfort that the debt was real and institutional, but neither the close release nor the reviewed independent coverage disclosed the amount, pricing, maturity, or leverage ratio of that debt package. That omission matters more because management is already telling the market to think about IPO readiness. CRN quoted Sanjay Poonen on delaying the IPO to complete and prove the Veritas combination, while CNBC later reported that Cohesity wants a full year of combined results before going public, potentially in 2026. The bullish read is that financing bought scale and time. The harder read is that investors still cannot see the debt burden, cash runway, or whether a mid-30s Rule of 40 target is enough to offset macro volatility in the IPO window.[CI017, CI018, CI019, CI020, CI021, CI022]

4.4 Public-Company Context, Disclosure Gaps, and Financial Verdict

Public peers make Cohesity’s disclosure gaps impossible to ignore. Rubrik’s S-1 showed fiscal 2024 revenue of $627.9 million, Subscription ARR of $784.0 million, and negative free cash flow before the IPO. One year later, Rubrik’s fiscal 2026 results showed $1.32 billion of revenue, $1.46 billion of subscription ARR, 80.1 percent GAAP gross margin, $237.8 million of free cash flow, and $1.68 billion of cash and short-term investments. Commvault’s 2024 annual report already gave investors revenue, cash, and ARR growth, and its fiscal 2026 results extended that with $1.184 billion of revenue, $1.122 billion of total ARR, 81.2 percent GAAP gross margin, and $237 million of free cash flow. Against that backdrop, combined Cohesity looks bigger on disclosed revenue and ARR than either public comp, which is strategically valuable. But the comparison is still imperfect because Cohesity’s headline profitability metric is adjusted cash EBITDA on a combined pro forma basis, not a public-company style GAAP or standardized non-GAAP bridge. The financial verdict is therefore positive on scale and recurring revenue quality, but cautious on underwriteability. Until investors can see standalone financials, debt terms, pricing realization, and post-merger retention, the company remains easier to admire at a top-line level than to value with conviction.[CI008, CI009, CI031, CI032, CI033, CI034]

4.5 Exhibits

5.1 Platform scope and product-line map

Cohesity now presents a broad cyber-resilience stack rather than a single backup appliance story. The public surface spans DataProtect for core enterprise backup, NetBackup continuity for the inherited Veritas estate, FortKnox or Alta Recovery Vault for isolated recovery copies, cloud services for SaaS and cloud-native protection, and Gaia for AI activation on top of backup data. The product-doc index reinforces that sprawl by listing Helios, Security Center, Threat Protection, Data Classification, RecoveryAgent, FortKnox, Gaia, and NetBackup Web UI as separate documented surfaces. That breadth is strategically attractive because it lets Cohesity sell backup, vaulting, DSPM, identity recovery, and AI context from one portfolio. The caveat is that the public packaging is broader than the publicly readable technical detail, so buyers should treat the module count as real but avoid assuming uniform maturity across every named surface.[CE001, CE002, CE003, CE004, CE007, CE012]

5.2 Customer workflow and operating architecture

At a workflow level, Cohesity starts with broad workload capture, adds centralized policy and search, then layers vaulting and orchestrated recovery on top. DataProtect is the clearest expression of that pattern on the Cohesity side: single management, immutable snapshots, fast search, instant restore, and optional backup as a service. NetBackup extends the same story into the inherited Veritas estate, especially for appliances, Kubernetes, and high-scale enterprise recovery. The most important architecture signal after the combination is the control-plane story. Helios provisioning shows that NetBackup management is being folded into the Cohesity plane, but the onboarding sequence still depends on manual ticketing and can take up to two business days. That is good enough to prove continuity, but not yet elegant enough to remove all integration friction. The architecture is therefore plausible and enterprise-grade, yet still visibly mid-integration rather than fully harmonized.[CE003, CE004, CE007, CE008, CE009, CE010]

5.3 Trust, security, and recovery controls

The product evidence is strongest on resilience controls. DataProtect, NetBackup, Alta Data Protection, Alta Recovery Vault, and the broader cyber-resilience framework all repeat the same design pattern: immutable copies, role-based access, multifactor controls, anomaly detection, malware scanning, clean recovery recommendations, and orchestrated blueprints. Cloud Services adds partner-backed trust signals such as immutable storage, privileged-access controls, and SOC 2 Type II language, while Microsoft positions Cohesity as a Microsoft 365 Backup Storage partner with policy-context restores and geographic redundancy. Those are meaningful signals, but the trust picture is not fully clean. Critical hardening guidance for NetBackup still sits on a legacy Veritas support property, and deeper product docs for DataProtect, Helios, and NetBackup are discoverable but not publicly readable. That means the control story is credible, yet the detailed evidence base remains fragmented across marketing, partner, and authenticated documentation surfaces.[CE005, CE008, CE010, CE017, CE024, CE025]

5.4 Developer surface and ecosystem integrations

Cohesity has a real extension surface, but it looks more integration-led than platform-native in the polished SaaS sense. The developer portal pushes APIs, custom workflows, and app building, and the app-build docs show an actual app framework based on Docker containers, AppSpec, and SDKs that can publish into the Cohesity Marketplace. GitHub activity in May 2026 across community automation samples, the Ansible collection, the PowerShell module, and the Terraform provider also proves that the platform is actively extended by engineering teams. At the same time, multiple repos warn that scripts and integrations are best-effort rather than officially supported, which matters for buyers planning heavy automation. The ecosystem story is strongest where partner distribution exists: ServiceNow has a listed app, Splunk has an add-on, Microsoft and AWS carry Cohesity marketplace offers, and the Marketplace itself highlights partner-developed extensions such as Cisco XDR. The surface is real, but support boundaries are not always enterprise-clean.[CE016, CE017, CE018, CE019, CE020, CE021]

5.5 Maturity, migration path, and likely technical debt

The core underwriteable conclusion is that Cohesity has breadth and genuine product momentum, but technical coherence still lags portfolio ambition. Gaia is the best example: the page is substantive on semantic search, vector indexing, RBAC-preserving context injection, and named integrations with Copilot, Gemini, and Glean, yet it also admits that Gaia Catalog is still coming soon. Likewise, the combined estate clearly has continuity for NetBackup, but public evidence still points to separate version cadences, multiple management surfaces, and legacy Veritas support properties. The single adverse customer review is not enough to call the platform unreliable, yet it does reinforce that support speed, cloud console connectivity, and cost can still frustrate real users. The likely risk after the Veritas combination is therefore not missing capability; it is the operational complexity of stitching together broad packaging, mixed branding, gated docs, and partially community-supported automation into a consistently excellent day-two experience.[CE014, CE019, CE020, CE028, CE029, CE030]

5.6 Exhibits

6.1 Customer mix: broad scale claims exist, but named proof is the higher-quality lens

Cohesity has both a broad-count story and a named-proof story, and they should not be blended. The broad-count story comes from company materials: about 2,600 customers in fiscal 2021 and more than 12,000 customers after the Veritas combination closed in December 2024. Those numbers matter for scale, but they do not prove that the same platform, buyer, or cohort quality sits behind every logo. The named-proof story is more valuable for this chapter because it shows where Cohesity is actually being trusted with live workloads. Public examples span pediatric healthcare, municipal IT, state shared services, Japanese hospital systems, Icelandic payment rails, capital-markets backup, food production operations, and large European retail IT. That mix suggests Cohesity can sell into central infrastructure teams that protect regulated or operationally critical data, not just generic backup buyers. The caveat is that public proof remains curated: it says more about vertical breadth and workload seriousness than about revenue concentration, renewal depth, or average account size.[CU001, CU003, CU027, CU028, CU042, CU044]

6.2 Deployment patterns skew toward regulated hybrid environments and cyber-resilience workflows

The public deployments in this chapter cluster around hybrid, compliance-sensitive environments where recovery speed matters more than backup marketing. Detroit uses Cohesity across municipal workloads, Microsoft 365, and Google services; Maryland uses it for shared-service NAS backups across roughly 40 agencies on Cisco UCS with a cyber-vault design; Musashino uses it for patient-care and hospital operations under Japan’s business-continuity expectations; RB uses it for national payment systems under DORA and PCI DSS; and Nasdaq uses it to protect both Microsoft 365 and remaining on-premises Exchange while keeping data in jurisdiction-specific regions. That is a coherent pattern: Cohesity lands where recovery, immutability, and sovereign-placement controls matter, then adds vaulting, cloud, or compliance automation. Federal evidence reinforces that pattern. The AWS GovCloud listing, DISA approval memo, and JITC certification show that government suitability is not just a marketing page claim. Public-sector penetration therefore looks real, though exact federal revenue and contract flow are still opaque.[CU013, CU015, CU017, CU018, CU020, CU023]

6.3 Named customer proof is strongest when the case study includes operational metrics, not just a logo and quote

The best public proof does more than say a customer exists; it shows what changed after deployment. Maryland and Detroit are the cleanest public-sector examples because they disclose restore-time and labor or cost improvements, not just satisfaction language. Musashino offers the strongest healthcare metric with 500 GB recovered in 20 seconds during a business-continuity drill, while RB provides the clearest financial-infrastructure proof with a 30-40 TB Oracle database restored in under eight hours and automated weekly testing. Nasdaq is valuable because it links backup to concrete SaaS governance and data-sovereignty workflows at scale. Bethany and Conagra add mission criticality even where the metrics are thinner, while Schwarz IT broadens European enterprise relevance despite light quantitative detail. Put differently, named proof is real and multi-vertical, but quantified outcomes are concentrated in a subset of stories. That makes reference-call selection important: some stories demonstrate hard operating leverage, while others mainly demonstrate category fit and brand credibility.[CU012, CU014, CU016, CU019, CU021, CU024]

6.4 Durability signals are positive but incomplete; expansion is visible through modules, hyperscalers, and regulated workloads

Cohesity’s public durability evidence is directionally positive but still incomplete for the merged entity. The strongest historical signal remains legacy Cohesity’s net expansion above 130 percent in 2021. More recent public evidence comes from review and reference surfaces rather than hard renewal disclosure: Gartner Peer Insights recognition for an eighth time in 2026, plus generally strong Capterra and G2 aggregates, indicate continuing customer satisfaction. Yet the same review surfaces also surface real friction around training, reporting, restore-from-cloud speed, governance of remote interfaces, and support responsiveness. Expansion logic is easier to see than retention math. Public stories repeatedly show backup deployments expanding into FortKnox, Microsoft 365, Google workloads, SaaS delivery, Gaia, or broader cyber-resilience programs. On the channel side, AWS, Google, Microsoft, SHI, WWT, and Presidio all appear in recent partner materials, implying that growth is not purely direct-led. The missing piece is cohort transparency: public sources still do not show current NRR, GRR, churn, or renewal economics for the combined customer base.[CU002, CU004, CU005, CU006, CU007, CU008]

6.5 Post-merger switching risk is more about execution and renewal behavior than explicit forced migration

Public post-merger materials do reduce one obvious fear: forced customer displacement. The roadmap PDF, Veritas “better together” page, WWT-published open letter, and Cohesity close materials all repeat the same message that products will be supported for years, migrations are voluntary, and customers can stay on their preferred platform. That lowers acute churn risk for inherited NetBackup and Alta accounts. But it does not remove the execution risk that matters most for underwriting. The same materials frame migration tooling as something to be built and streamlined, not something publicly proven at scale. Review platforms also show the kinds of issues that can complicate renewals in a broad product estate: uneven reporting, support or training gaps, setup complexity, and governance concerns around management surfaces. The result is a balanced conclusion. Cohesity does not look like a company about to force disruptive migrations on day one, but public evidence still cannot show how smoothly inherited customers renew, convert, or expand once roadmap promises meet real operational complexity.[CU034, CU035, CU036, CU037, CU038, CU039]

7.1 Integration after the Veritas combination is the master risk

Cohesity’s biggest risk is not whether it can tell a continuity story but whether the merged operating system behind that story becomes boringly reliable. Public evidence shows real progress: the company launched a unified partner program, talked up RecoveryAgent as an early Veritas-derived output, and kept repeating that no customer would be left behind. The same evidence set also shows why execution risk remains elevated. Veritas partner infrastructure still showed transition notices, independent analysis said inherited customers were most concerned about pricing, support, and product direction, and there is still no public disclosure of conversion, churn, or renewal behavior for inherited NetBackup and Alta customers. That matters because the combined company is now large enough that ordinary friction can become material quickly. A merger of product lines, channel programs, support motions, and installed bases can fail slowly rather than theatrically, so this chapter treats integration as the central lens through which the rest of the risk stack should be read.[CR001, CR002, CR003, CR004, CR005, CR006]

7.2 Cyber, legal, and sovereign requirements amplify normal software execution risk

Cohesity sells into environments where backup is not just infrastructure plumbing but regulated resilience infrastructure. That makes regulatory and sovereign risk higher than it would be for a generic enterprise-software vendor. Financial-sector customers face DORA, critical-sector operators face NIS2, federal buyers are shaped by OMB zero-trust requirements and CISA maturity models, and any future IPO would pull the company into SEC cyber-governance and incident-disclosure rules. None of these sources says Cohesity has failed them; the risk is that product, support, audit, and reporting maturity must keep pace with the regulated customers the company now targets. DOJ’s Georgia Tech settlement shows that cybersecurity-control failures in government work can become False Claims Act events, while FTC safeguards guidance shows that breach reporting and service-provider oversight continue to tighten. In practice, regulated wins raise the bar twice: the product must work, and the evidence package behind it must survive procurement, certification, and post-incident scrutiny.[CR013, CR014, CR015, CR016, CR017, CR018]

7.3 Competitive pressure and platform dependencies can turn small stumbles into renewal losses

Competitive pressure is not background noise here; it is an active source of migration and pricing risk. Rival vendors are openly framing Cohesity as the vulnerable side of post-Veritas change. Dell attacks the economics of scale-out architecture. Commvault explicitly tells buyers not to switch to Cohesity to fill Veritas gaps and pairs that message with migration services. Druva uses G2-derived comparisons to argue that Cohesity is more complex and weaker on support. At the same time, Rubrik, Commvault, and Veeam are all tying market leadership to cyber resilience, SaaS coverage, AI, and regulation-aware recovery workflows. This matters because Cohesity’s differentiation increasingly depends on ecosystems as much as core backup software. AWS-hosted DataHawk and FortKnox capabilities show real product depth, but they also show dependency on AWS services, partner distribution, and cloud economics. If competitors win trust faster on support, cleanroom recovery, or low-friction migration, Cohesity can lose renewals even without a dramatic product failure.[CR026, CR027, CR028, CR029, CR030, CR031]

7.4 Support quality and product migration risk sit between the roadmap and the renewal

Public customer sentiment is not catastrophic, but it is noisy in exactly the places that become dangerous during a broad platform transition. TrustRadius users point to license visibility, error clarity, and O365 workflow gaps. PeerSpot highlights reporting limitations, cloud recovery slowness, legacy integration needs, documentation gaps, and uneven support responsiveness. Cohesity’s own community is gated behind MyCohesity sign-in, which is normal for enterprise software but reduces outside visibility into issue volume or recurring defect patterns. None of this proves systemic failure. In fact, review surfaces still include meaningful praise for restore speed, simplicity, and savings. The risk is subtler: as more NetBackup and Alta customers decide whether to stay, convert, or expand, ordinary friction around reporting, restore performance, documentation, and support response times can compound into renewal hesitation. Product-support migration risk therefore sits between the technical integration story and the commercial retention story; it is where roadmap promises become operational truth or disappointment.[CR008, CR009, CR010, CR011, CR012, CR041]

7.5 Private-company opacity means investors need hard monitoring triggers

Cohesity remains a private company asking investors to underwrite a public-company-scale story with private-company disclosure. The investor-relations page is promotional and even notes that internal data shown there has not been independently verified. Media coverage suggests management wants a 2026 IPO only after it can present a full year of combined results, and the public narrative frames the Veritas combination as a risky pairing of a fast-growing but historically unprofitable Cohesity with a larger profitable asset base. That can be a strong strategic setup, but it also leaves real cap-table, debt, refinancing, and ownership questions unanswered in the public record. Investors should therefore treat financing optionality as conditional, not banked. The cleaner underwriting move is to anchor on monitorable triggers: support-signal deterioration, delayed disclosure readiness, adverse government-compliance events, or evidence that inherited customers are not renewing or converting smoothly. If those triggers move the wrong way, the thesis should be reevaluated quickly rather than averaged down on narrative.[CR034, CR035, CR036, CR037, CR038, CR039]

7.6 Exhibits

8.1 Qualification Event and Valuation Reset

This chapter clears the qualification threshold because the completed December 2024 Cohesity-Veritas combination occurred after 2024-05-19 and was explicitly described by the company and Veritas as a transaction that valued the combined company at over $7 billion. That is not the same fact as legacy Cohesity’s March 2021 tender valuation of $3.7 billion. The 2021 event reflected a smaller, standalone business using a non-dilutive liquidity tender for employees; it came with a $145 million transaction, a revenue run rate just above $300 million, ARR growth above 70%, and net expansion above 130%. By contrast, the 2024 and 2025 debate is about a much larger combined company with over $1.7 billion of revenue, $1.5 billion of ARR, and a 28% adjusted cash EBITDA margin, but also with inherited Veritas economics and opaque debt. The analytical reset is therefore mandatory: the relevant valuation question is not whether Cohesity once deserved $3.7 billion, but whether the current combined entity deserves more than the official over-$7 billion anchor after adjusting for integration and capital-structure uncertainty.[CV001, CV002, CV003, CV004, CV005, CV006]

8.2 Public Comp Benchmark and Underwriteability

The closest public anchors show why Cohesity cannot simply inherit Rubrik’s premium multiple. Rubrik’s fiscal 2026 results combined with May 2026 market data imply roughly 9.3x-9.8x EV-to-revenue and about 8.4x-8.8x EV-to-ARR, supported by 48% revenue growth, 80.1% GAAP gross margin, positive free cash flow, and a $1.68 billion cash balance. Commvault, by contrast, trades nearer 3.6x EV-to-revenue and about 3.8x EV-to-ARR with lower growth but similar gross margin and comparable free cash flow. Cohesity’s official close anchor, at at least about 4.1x revenue and 4.7x ARR, sits between those two public markers. That positioning is directionally reasonable for a scaled but opaque private company: larger than both peers on disclosed top-line scale, yet less underwriteable because investors cannot inspect leverage, preference stack, or native-versus-inherited ARR mix. The right conclusion is that the current official anchor is not obviously cheap, but it is also not obviously inflated if one assumes meaningful debt and disclosure discounts versus Rubrik.[CV028, CV029, CV030, CV031, CV032, CV033]

8.3 Scenarios and Range Discipline

Scenario work matters more than point estimates because the capital structure is hidden. The base case is the easiest to justify from public evidence: a combined-company value of roughly $7-$9 billion, which keeps Cohesity above Commvault-like mature-software trading but below Rubrik’s premium public multiple. That range effectively says the official close anchor is defensible but not obviously underpriced. The bull case stretches toward roughly $10-$13 billion, but only if investors see public-grade proof that the 28% adjusted cash EBITDA margin is durable, that combined growth holds in the mid-teens or better, that retention across inherited Veritas cohorts is solid, and that debt does not consume the equity upside. The bear case, roughly $4.5-$6 billion, becomes plausible if multiple compression, migration friction, or leverage risk drags the business toward lower-quality infrastructure comps or toward the model-based private mark visible on Yahoo/Forge. Because the downside case is driven by missing denominators rather than by obvious product weakness, entry discipline is more important than narrative conviction.[CV043, CV044, CV047, CV048, CV049, CV050]

8.4 Counter-Thesis, Thesis-Breaks, and Overhangs

The counter-thesis is not that Cohesity lacks scale or strategic relevance; the counter-thesis is that investors may be asked to pay for Rubrik-like public quality before they can observe Rubrik-like public disclosure. Management’s own argument for delaying the IPO was that Cohesity wanted to become the biggest fish before going public. That logic is strategically coherent, but it also admits that the business still needs proof. Dataconomy’s summary of macro volatility and the Yahoo/Forge-derived $4.69 billion estimate both point in the same skeptical direction: private and public markets may refuse to grant a premium simply because the company is larger after the Veritas deal. The thesis breaks if debt or share-class terms materially subordinate new equity, if legacy Veritas renewals prove less sticky than the headline ARR suggests, or if a future IPO filing seeks a Rubrik-like multiple without disclosing cohort retention, native-versus-inherited mix, and cash-flow conversion. In other words, the main valuation risk is hidden structure, not hidden growth.[CV020, CV021, CV022, CV023, CV024, CV054]

8.5 Diligence Path and Exit Readiness

The recommendation is therefore track or research-more, not because the business lacks quality, but because the underwriting package remains incomplete. A disciplined investor can already say what would change the call: full debt terms, cap-table waterfall, combined revenue and ARR bridge, retention by inherited and native cohorts, and a credible IPO-readiness pack showing that management can support Rubrik-style disclosure. Without those items, even a seemingly reasonable valuation entry can be misleading because enterprise value may not map cleanly to equity value. Exit readiness is similarly conditional. Management clearly wants the option to go public after a full year of combined results, but public-market success depends on proving more than size. The company must show that its headline scale survives integration, that its adjusted margin can be translated into public-market cash economics, and that the Veritas combination created a cleaner market leader rather than a larger but more complex capital structure. Until then, entry discipline should emphasize downside protection and information rights over speed.[CV051, CV052, CV053, CV055, CV056, CV057]