Dragos, Inc.

1.1 Company Identity and Market Position

Dragos, Inc. is a privately held cybersecurity company headquartered in Hanover, Maryland (Washington, DC area), operating with a singular mission: to safeguard civilization from those trying to disrupt the industrial infrastructure we depend on every day. Founded in 2016 by practitioners who had spent careers in government and military cyber operations, Dragos has built the most widely recognized purpose-built platform for operational technology (OT) and industrial control systems (ICS) cybersecurity. The Dragos Platform provides industrial organizations with asset visibility, OT network monitoring, vulnerability management, threat detection, and incident response capabilities—all powered by the Dragos Intelligence Fabric, which integrates over a decade of OT-specific threat intelligence directly into the software. Dragos serves customers across electric utilities, oil and gas, manufacturing, water, transportation, mining, pharmaceutical, food and beverage, and government sectors globally. In March 2026, Gartner named Dragos a Leader in the 2026 Magic Quadrant for CPS Protection Platforms for the second consecutive year, recognizing the company for both its Ability to Execute and Completeness of Vision. Dragos also earned the #1 Innovation ranking in Frost & Sullivan's FrostRadar: OT Cybersecurity Solutions, 2025, and appeared on the Deloitte Technology Fast 500 for the fifth consecutive year. The OT security market that Dragos addresses is large and growing rapidly: MarketsandMarkets projects the global OT security market will expand from $23.5 billion in 2025 to $50.3 billion by 2030, representing a compound annual growth rate of 16.5%. Primary competitors include Claroty—which focuses on cyber-physical systems across industrial, healthcare, and commercial environments—and Nozomi Networks, which emphasizes OT and IoT security with AI-powered threat detection. Dragos differentiates on its depth of OT threat intelligence, practitioner heritage, and the breadth of its threat group research, tracking 26 named OT threat groups globally as of the 2026 OT/ICS Cybersecurity Year in Review.[CO001, CO002, CO003, CO004, CO016, CO017]

1.2 Founders, Leadership, and Governance

Dragos was founded in 2016 by a team of cybersecurity practitioners with deep government and military backgrounds. CEO and co-founder Robert M. Lee served as a U.S. Air Force Cyber Warfare Operations officer and worked for the National Security Agency (NSA) before founding Dragos. Lee and his co-founders were drawn to industrial cybersecurity through direct operational experience investigating major ICS attacks—including the 2015 and 2016 Ukraine power grid attacks, and the TRISIS and CRASHOVERRIDE malware campaigns—that most of the industry had no framework to address. Lee has testified before Congress multiple times on the security of critical energy and water infrastructure, establishing Dragos as a trusted voice with policymakers. The executive leadership team as of mid-2026 includes Jodi Schatz (Chief Product Officer), Eric Cross (Chief Revenue Officer, appointed August 19, 2025), and Dawn Mitchell (Chief People Officer). Cross brought more than 20 years of enterprise GTM experience from Reltio, Appian, Google Cloud, and Salesforce, with a track record of scaling revenue organizations through IPO and acquisition events. On January 31, 2024, Dragos expanded its board of directors with the appointments of William J. 'Bill' Fehrman and Ekta Singh-Bushell. Fehrman previously served as President and CEO of Berkshire Hathaway Energy (BHE) and remains involved in critical infrastructure cybersecurity policy. Singh-Bushell held executive roles at the Federal Reserve Bank of New York and Ernst & Young (EY), and brings board-level experience with audit, risk, compliance, and security. Key-person risk is elevated given Robert M. Lee's singular prominence as the face of Dragos and the industrial cybersecurity practice he built—his departure or diminished role would materially affect brand equity, customer relationships, and the company's ability to attract talent in a mission-driven culture. Dragos is privately held, and its governance structure is not subject to public disclosure requirements.[CO001, CO002, CO005, CO006, CO007, CO008]

1.3 Funding History and Capital Structure

Dragos has raised approximately $440 million in total capital across multiple private rounds. The marquee event was the October 28, 2021 Series D: a $200 million raise at a $1.7 billion valuation, the largest round and highest valuation achieved by any OT cybersecurity company at the time. The Series D was co-led by Koch Disruptive Technologies (an investment arm of Koch Industries) and funds and accounts managed by BlackRock. The investor syndicate for the Series D included Emerson, Hewlett Packard Enterprise (HPE), Allegis Cyber, Canaan, DataTribe, Energy Impact Partners, National Grid Partners, Schweitzer Engineering Labs, Rockwell Automation, and Global Reserve Group—a strategically curated group of industrial operators and infrastructure-focused investors who are also customers or potential customers of Dragos. This strategic investor alignment is a structural advantage: it provides Dragos with distribution leverage, co-marketing opportunities, and credibility signals when selling to other industrial enterprises. The Series D was subsequently extended by $74 million, bringing the total Series D round to $274 million and total funds raised across all rounds to approximately $440 million. This extension was announced alongside Dragos's January 2024 board appointments, signaling continued investor confidence. Dragos remains privately held as of May 2026, with no IPO or M&A transaction announced. The lack of public filings means key financial metrics—including revenue, ARR, burn rate, and gross margin—are not independently verifiable. Earlier funding rounds established the foundation: DataTribe, a startup studio focused on national security technologies in the Baltimore-Washington corridor, was an early backer and co-location partner. Canaan Partners participated in earlier institutional rounds. The progression of investors from national-security-focused early backers to major strategic industrial conglomerates reflects Dragos's evolution from a government-adjacent startup to a commercial enterprise platform.[CO013, CO014, CO015, CO016, CO030, CO031]

1.4 Financial Scale and Customer Traction

As a private company, Dragos does not publicly report revenue, ARR, customer count, headcount, or profitability metrics. The most reliable proxy for financial scale comes from the Series D announcement (October 2021), which disclosed over 100% year-over-year growth in platform recurring revenue for the period ending September 30, 2021—a signal of strong commercial momentum at the time of fundraising. Since then, Dragos has disclosed several qualitative and operational scale metrics. The Neighborhood Keeper program—an anonymized information-sharing network offered free to all Dragos Platform customers—had been adopted by 84 utilities representing over 70% of electric utility customers in the United States through a joint initiative with NERC's Electricity Information Sharing and Analysis Center (E-ISAC), a remarkable community penetration metric cited at the Series D. Through partnerships with the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) and the Downstream Natural Gas Information Sharing and Analysis Center (DNG-ISAC), Dragos extends collective defense to energy sector stakeholders beyond the electric grid. Globally, Dragos has established offices across North America, EMEA (including Europe, UK, and Middle East), and APAC (including Japan through a partnership with Macnica and Singapore through an MOU with Singapore's Digital and Intelligence Service). The company established an OT Cybersecurity Center of Excellence in the UAE. Dragos's global customer base includes many of the world's largest industrial organizations across electric, oil and gas, manufacturing, water, transportation, and mining sectors. The company's 2026 OT/ICS Cybersecurity Year in Review—its 9th annual report—tracked 119 ransomware groups impacting 3,300 industrial organizations in 2025, a 49% increase from the prior year, underscoring growing market urgency that supports Dragos's commercial positioning. The Dragos 2025 OT Security Financial Risk Report (published with Marsh McLennan's Cyber Risk Intelligence Center) estimated worst-case global OT cyber losses of up to $329.5 billion annually, another compelling market-development asset.[CO019, CO020, CO021, CO022, CO023, CO025]

1.5 Risks and Adverse Considerations

Dragos faces several material risks that diligence must assess carefully. First, the 2023 staff reduction: in June 2023, Dragos laid off approximately 9% of its workforce amid a cooling of the cybersecurity market and slower-than-anticipated enterprise budget growth in the OT sector. SiliconAngle and Axios reported the reduction, with Robert M. Lee acknowledging the difficulty of the decision. This adverse event demonstrates that Dragos is not immune to macroeconomic headwinds and raises questions about revenue predictability and budget cycle vulnerability. Second, as a private company Dragos provides no publicly verifiable financial data—current revenue, ARR, churn, and burn rate are unknown, making valuation assessment dependent on the $1.7 billion Series D price established in October 2021. Market conditions have changed materially since then, including rising interest rates, multiple public cybersecurity company devaluations, and a cooling of private-market multiples. The actual current valuation could be materially different from the 2021 anchor. Third, key-person risk: Robert M. Lee's personal brand is tightly intertwined with Dragos's corporate identity, thought leadership, and policy relationships. His departure would represent a significant disruption. Fourth, competition from well-funded peers: Claroty—backed by prominent investors and serving broader cyber-physical markets—and Nozomi Networks—with AI-powered OT/IoT analytics and deep ecosystem integrations—both compete directly and are expanding their platform capabilities and global footprints. Fifth, customer concentration and market maturity: the OT cybersecurity market, while growing, is still nascent in many segments. Smaller critical infrastructure operators (water utilities, rural electric co-ops) have limited cybersecurity budgets, and the free Community Defense Program—while mission-aligned—limits commercial monetization in that segment. The reliance on large industrial enterprises for revenue creates customer concentration risk.[CO037, CO028, CO029, CO030, CO033, CO034]

1.6 Exhibits

2.1 Market Boundary and Substitutes

Dragos addresses the operational technology (OT) and industrial control systems (ICS) cybersecurity market—a category distinct from IT security in its protocols, risk profile, deployment constraints, and procurement dynamics. The included spend encompasses: asset visibility and inventory management for SCADA, DCS, PLC, historian, and HMI systems; OT network monitoring and anomaly detection; ICS-specific threat detection and behavioral analytics; OT vulnerability management and risk scoring; industrial incident response services; and threat intelligence purpose-built for OT adversary groups and ICS attack tactics. The market operates on industrial protocols (Modbus, DNP3, EtherNet/IP, Profinet, OPC-UA, BACnet) that IT security tools cannot parse without specialized decoders, creating a natural product differentiation boundary. Excluded from Dragos's primary market are IT-domain security categories (endpoint detection and response, identity and access management, cloud workload protection, web application firewalls), consumer IoT security, building management systems absent critical infrastructure designation, and medical device cybersecurity unless operated within an industrial OT environment. The critical distinction between OT security and IT security is that OT risk is fundamentally operational and safety-driven—a successful OT attack can cause physical damage, production outages, environmental incidents, or loss of life—whereas IT security risk centers on data confidentiality and availability. This different risk profile justifies purpose-built tooling rather than extension of IT security platforms. Status-quo substitutes and incumbents vary by segment. Electric utilities historically relied on manual air-gap maintenance and NERC CIP compliance checklists; oil and gas operators used proprietary OEM security monitoring from Honeywell Forge, GE Predix Security, and Siemens OT security tools; manufacturers deployed IT security vendors extending capabilities to OT (Claroty, Nozomi Networks, Microsoft Defender for IoT); smaller water utilities and rural electric co-operatives often had no OT security tooling at all. The transition from status-quo substitutes to purpose-built OT security platforms represents Dragos's primary TAM expansion opportunity. [CM001, CM002, CM003, CM004, CM005]

2.2 TAM, SAM, and SOM Sizing

Market sizing for OT/ICS cybersecurity varies by analyst scope definition, creating a range of estimates that must be triangulated rather than accepted at face value. MarketsandMarkets projects the global OT security market at $23.5B in 2025, growing to $50.3B by 2030 at a 16.5% CAGR—the most-cited figure in Dragos's own market positioning materials and cited in the Microsoft-Dragos partnership announcement of February 2026. This estimate likely encompasses the broadest definition including network security hardware, services, and cloud OT security adjacencies. Gartner's CPS (Cyber-Physical Systems) Protection Platforms market is a narrower analyst lens focused specifically on the platform software category where Dragos, Claroty, and Nozomi Networks compete—this market is substantially smaller in dollar terms but is the relevant benchmark for platform valuation multiples. Frost and Sullivan's FrostRadar: OT Cybersecurity Solutions 2025 ranked Dragos #1 in Innovation among OT security vendors, providing qualitative market leadership validation. The 2025 OT Security Financial Risk Report (jointly produced by Dragos and Marsh McLennan's Cyber Risk Intelligence Center) provides an important demand-side sizing lens: worst-case global OT cyber losses are estimated at $329.5B annually, with $172.4B from business interruption alone. This financial risk magnitude—more than 14× the $23.5B platform market—indicates that the OT security market is dramatically under-capitalized relative to the financial exposure it protects against, suggesting substantial long-term growth runway. The SANS 2025 ICS/OT Cybersecurity survey identifies the top three SANS Five Critical Controls by adoption: Incident Response Planning (18.5%), Defensible Architecture (17.09%), and ICS Network Visibility (16.47%)—all core capabilities in the Dragos Platform, indicating product-market alignment with practitioner priorities. A serviceable addressable market (SAM) for OT platform software and services is estimated at $7–10B globally in 2025 after excluding security hardware, OEM-bundled tools, and IT-only security spend from the broader MarketsandMarkets total. Dragos's serviceable obtainable market (SOM) cannot be precisely quantified without disclosed revenue, but at the $1.7B Series D valuation (October 2021) and typical growth-stage SaaS multiples of 10–15× ARR, Dragos's ARR at the time of fundraising was implicitly approximately $113–170M. If that growth has continued at even 30% annually, current ARR (unverified) could be in the $200–350M range—representing roughly 2–5% of the estimated $7–10B SAM and indicating substantial headroom. [CM005, CM006, CM007, CM008, CM009, CM010]

2.3 Buyer and User Segmentation

OT cybersecurity procurement is driven by sector-specific regulatory requirements, threat exposure, and operational risk tolerance rather than by generic enterprise IT buying patterns. Electric utilities represent Dragos's deepest-penetrated segment: NERC CIP compliance is mandatory for bulk electric system assets, creating a regulatory forcing function for OT security investment. Dragos's Neighborhood Keeper program had been adopted by 84 utilities representing more than 70% of U.S. electric utility customers through the E-ISAC partnership at the time of the Series D—a remarkable penetration metric in a market that is itself highly concentrated. The TSA Pipeline Security Directives (for oil and gas pipeline operators) and API RP 780 cybersecurity guidelines drive OT security investment in the midstream segment; upstream exploration and downstream refining have historically lower regulatory pressure but elevated nation-state targeting risk. Manufacturing customers (discrete, process, and hybrid) represent a large segment by organization count with more heterogeneous regulatory pressure—ISA/IEC 62443 is the primary standard but adoption is voluntary. Water and wastewater utilities are mandated by AWIA 2018 to conduct cybersecurity risk assessments every five years and develop emergency response plans, but budget capacity is highly limited in smaller systems serving fewer than 10,000 customers. Dragos addresses this through the Community Defense Program (free OT security resources for under-resourced organizations) and OT-CERT, allowing community presence without commercial monetization. Mining, pharmaceutical, food and beverage, and transportation (maritime, rail) represent emerging segments with growing OT security awareness but less mature procurement. The primary buyer persona is the OT Security Engineer or CISO at a large utility or industrial enterprise, with budget authority resting at the VP of Operations or VP of Engineering level in operational contexts and at the CISO or CTO in security-forward organizations. The user persona is typically a small OT security team (2–10 analysts) at a large operator, or a managed security service provider (MSSP) operating on behalf of multiple smaller operators. Enterprise deal size is estimated at $100K–$500K+ annually depending on asset count, with multi-year contracts common in the utility sector. [CM014, CM015, CM016, CM017, CM018, CM019]

2.4 Growth Drivers and Adoption Constraints

The primary demand driver for OT cybersecurity is escalating threat activity. Dragos's 2026 OT/ICS Cybersecurity Year in Review tracked 119 active ransomware groups affecting industrial organizations in 2025, a 49% increase from the prior year, with 3,300 industrial organizations impacted globally. Nation-state-linked threat groups represent the most sophisticated demand driver: Dragos tracks 26 named OT adversary groups—including VOLTZITE (China-nexus, targeting electric and telecommunications infrastructure), CHERNOVITE (created PIPEDREAM/INCONTROLLER malware capable of attacking multiple industrial safety systems), and ELECTRUM (Ukraine grid attacks)—with 11 groups assessed as actively targeting operational technology environments in 2025. This threat landscape is materially different from IT-domain threats and creates strong demand for ICS-specific detection and threat intelligence. Regulatory tailwinds are accelerating adoption across multiple sectors. CISA's Cross-Sector Cybersecurity Performance Goals provide a voluntary but increasingly cited framework for critical infrastructure protection. NERC CIP-015-2 Internal Network Security Monitoring (INSM) requirements specifically mandate network visibility and monitoring capabilities for bulk electric system assets that are core to the Dragos Platform. The Transportation Security Administration (TSA) Pipeline Security Directives require pipeline operators to implement OT security programs. The EU's NIS2 Directive creates compliance urgency across European critical infrastructure operators. AWIA 2018 mandates water utility cybersecurity assessments. This multi-sector, multi-jurisdiction regulatory accumulation is a structural demand driver that reduces the sales cycle by converting discretionary OT security spending into compliance-required procurement. Digital transformation of OT environments—Industry 4.0 connectivity, IIoT sensor deployment, cloud historian integration, remote access expansion—continuously expands the OT attack surface and creates new monitoring requirements that incumbents cannot address without purpose-built OT tooling. This structural driver benefits Dragos disproportionately because the new connectivity patterns require ICS-specific behavioral baselines. Adoption constraints are material. OT security budget immaturity remains the largest constraint: many industrial organizations are still in early stages of OT security awareness, and OT security budgets compete with capital infrastructure projects for the same operational budget. The IT/OT skills gap—very few practitioners understand both OT environments and cybersecurity—limits self-service adoption and makes Dragos's professional services component critical for initial deployments. Brownfield OT environments with legacy PLCs, proprietary protocols, and no change management tolerance make deployment complex and time-consuming. Enterprise sales cycles of 12–24 months at large utility and energy companies limit revenue velocity. Smaller operators (water utilities, rural electric co-operatives) often have annual cybersecurity budgets below $50K—too small for commercial Dragos Platform deployment—limiting the commercial TAM. [CM022, CM023, CM024, CM025, CM026, CM027]

2.5 Exhibits

3.1 Competitive Landscape Overview

The OT/ICS cybersecurity platform market in 2026 is a three-tier competitive structure. Tier 1 (pure-play OT specialists): Dragos, Claroty, and Nozomi Networks collectively dominate the Gartner Magic Quadrant CPS Protection Platforms Leader quadrant and compete in the same enterprise utility and energy prospect pool. All three were founded between 2012 and 2016 by practitioners from government or OT engineering backgrounds, and all three compete primarily on platform breadth, threat intelligence quality, professional services, and integration ecosystem. Claroty (founded 2015, team of over 100 researchers in Team82, approximately $635M raised) has the broadest cyber-physical systems scope, explicitly including healthcare (medical device security) and commercial building OT alongside industrial OT. Nozomi Networks (founded 2013, acquired by Hg Capital for approximately €600M+ in 2023) differentiates on AI-native passive OT/IoT monitoring depth and real-time anomaly detection without the threat intelligence overlay that Dragos emphasizes. Tier 2 (IT platform extensions): Microsoft Defender for IoT represents the most disruptive competitive force because it is bundled into Microsoft Defender for Cloud and integrated with Azure Sentinel, creating a compelling IT-OT cost consolidation argument for existing Microsoft enterprise customers. Microsoft acquired CyberX in June 2020 for approximately $165M and rebuilt the product as Defender for IoT, which now covers both Enterprise IoT (IT-adjacent devices) and Operational Technology (industrial SCADA, DCS, PLC) environments. The integration with Microsoft Sentinel's SIEM/SOAR capabilities, Purview, and Azure Arc creates a platform adjacency that pure-play OT vendors cannot replicate. Palo Alto Networks Strata OT Security and CrowdStrike Falcon for OT represent similar extension plays from the endpoint and network security stacks. These vendors trade OT depth for IT integration breadth and consolidated licensing. Tier 3 (OEM-native and specialist vendors): Honeywell Forge Cybersecurity, Siemens OT Security, and GE Vernova cybersecurity offer OT security tooling deeply integrated with their own automation hardware installed base—relevant in captive customer situations but rarely competitive in open-market evaluations. Tenable.ot (Indegy acquisition, 2019) competes on vulnerability management depth. Armis (generalist IT/OT/IoT/medical asset management, $4.3B valuation 2023, $547M raised) and Forescout compete on broader asset visibility and NAC integration rather than OT threat detection. TXOne Networks (Trend Micro OT security spinout) and Otorio focus on segmentation and OT security assessment respectively. [CP001, CP002, CP003, CP004, CP005, CP006]

3.2 Feature and Capability Comparison

Dragos Platform 3.0 is the core competitive product, emphasizing three capabilities that Dragos claims no competitor matches at equivalent OT depth: (1) Detection content with 2,900+ behavioral analytics mapped to MITRE ATT&CK for ICS techniques, developed from active incident response casework in industrial environments; (2) OT-native threat intelligence tracking 26 named adversary groups with tactical-level TTP mapping, campaign correlation, and early warning reporting; and (3) Neighborhood Keeper — an anonymized threat sharing overlay network covering 84+ utilities representing over 70% of U.S. electric customers. The MITRE ATT&CK Evaluations for ICS (Dragos demonstrated detection of simulated XENOTIME/TRITON and related ICS-targeted attacks) provide a third-party validation of detection efficacy that competitors have not replicated at the same depth. Claroty's primary platform (Claroty Platform / xDome for OT, Medigate for healthcare) has a broader cyber-physical asset scope: OT, healthcare (medical devices), and commercial building OT systems. Team82 researchers have published over 50 CVEs and their research spans OT, medical, and commercial building protocols—giving Claroty a broader vulnerability research footprint than Dragos (OT-only). Claroty's integration with healthcare-specific workflows (Medigate for clinical asset management) creates a differentiator that Dragos explicitly does not compete in. Nozomi Networks' Vantage platform differentiates on real-time AI/ML anomaly detection in passive monitoring mode, claiming lower false-positive rates through machine learning baseline modeling. Nozomi also integrates with Azure Sentinel, Splunk, and IBM QRadar for SIEM convergence— an integration set similar to Dragos. Hg Capital's acquisition provides balance sheet strength for additional M&A (Nozomi has not disclosed the enterprise or growth post-acquisition). Microsoft Defender for IoT uniquely integrates OT device discovery and monitoring directly into the Microsoft 365 Defender portal and Azure Sentinel, enabling unified IT+OT alerting within the same SIEM workflow for enterprises that are already Microsoft shops. This workflow integration is the feature that most threatens Dragos's position with IT-centric enterprise buyers who want to consolidate security tooling. However, Microsoft Defender for IoT has shallower OT detection content and no equivalent to Dragos's threat group intelligence or Neighborhood Keeper community. The key feature gap Dragos maintains over all competitors: industrial incident response brand credibility. When VOLTZITE, CHERNOVITE, or ELECTRUM attack a utility, Dragos is the response vendor of record in major disclosed incidents. This brand association reinforces platform retention and generates inbound deal flow from utilities that have read Dragos advisories. [CP008, CP009, CP010, CP011, CP012, CP013]

3.3 Pricing, Packaging, and Go-to-Market Positioning

Dragos competes exclusively in the enterprise segment with no self-serve, freemium, or SMB offering. Pricing is asset-count-based (per-device/per-node), and deals are structured as multi-year subscriptions with professional services attached for deployment, tuning, and ongoing IR retainers. This creates high average contract values and low initial churn (multi-year lock-in) but limits market velocity and makes competitive displacement difficult mid-contract. Claroty also competes enterprise-only with asset-count-based platform licensing. Team82 research is provided free publicly to build brand, while the platform licenses at enterprise deal sizes comparable to Dragos. Claroty has invested aggressively in channel partnerships—VAR/MSSP—and integration with Cisco, Rockwell Automation, and Schneider Electric partnerships for embedded OEM sales motions. Claroty's healthcare expansion (Medigate) creates a separate Magnet for hospital system CISOs who need unified medical device and OT security, a buyer segment Dragos does not address. Nozomi Networks uses a similar asset-count licensing model and has built channel partnerships with integrators (Accenture, Deloitte, IBM). Post-Hg acquisition, Nozomi appears to be investing in geographic expansion (EMEA, APAC) and potential M&A adjacency rather than competing on product differentiation against Dragos. Microsoft Defender for IoT is bundled within Microsoft Defender for Cloud Plans 2 and integrated with Azure Arc for on-premises deployment, effectively making OT monitoring a feature of existing Microsoft enterprise licensing rather than a standalone budget item. For large enterprises that are 100% Microsoft shops, this bundling creates a very difficult competitive dynamic for Dragos because the OT monitoring cost may appear zero against existing Microsoft licensing. Microsoft's GTM is an account-led motion through enterprise account teams rather than a specialist OT channel. Dragos's primary competitive moats: (1) NSA/ICS-CERT founding credibility that translates to government and defense-critical infrastructure customer trust; (2) OT-CERT and Community Defense Program as market development and goodwill assets that create inbound pipeline from first-time OT security buyers; (3) 26 named adversary group intelligence producing uniquely actionable threat alerts that alternatives cannot replicate; (4) MITRE ATT&CK for ICS evaluation performance records providing third-party validation; (5) Microsoft partnership (February 2026) for Microsoft Sentinel integration that partially co-opts the Microsoft bundling threat by making Dragos available within the Microsoft security ecosystem. [CP015, CP016, CP017, CP018, CP019, CP020]

3.4 Moat Durability and Competitive Risk

Dragos's competitive moats are durable but face increasing structural pressure on two fronts: platform bundling by IT security giants and scope expansion by Claroty into adjacent verticals. The Microsoft competitive threat is the most strategically significant. The February 2026 Microsoft-Dragos partnership—which integrates Dragos threat intelligence into Microsoft Sentinel and Dragos Platform into Azure Marketplace—represents Dragos's bet that co-opetition (Dragos as an OT depth layer within the Microsoft stack) is better than head-to-head competition with Microsoft's bundled OT monitoring. This is a reasonable strategic response to the bundling threat, but it reduces Dragos's pricing power with Microsoft enterprise customers who may expect Dragos pricing concessions in exchange for Azure marketplace delivery. Claroty's vertical expansion represents a scope risk rather than a direct OT threat. By pursuing healthcare (medical device security) and commercial buildings, Claroty addresses a broader cyber-physical systems TAM. If hospital system CISOs adopt xDome/Medigate for healthcare and default-extend Claroty to their industrial OT environments, Dragos loses the primary OT security evaluation at those accounts. This cross-sell risk is real in verticals like pharmaceutical manufacturing (both OT and healthcare device environments) and integrated health systems with utility plant operations. Dragos's ICS threat intelligence library—the most comprehensive public OT adversary taxonomy in the industry at 26 named groups—creates a replication barrier because it is built from years of active incident response engagements and cannot be purchased or reverse-engineered. Competitors can build threat research capabilities (Claroty's Team82, Nozomi's research team) but cannot retroactively match Dragos's depth of OT-specific adversary TTPs without the same incident response footprint. The practitioner founding team's government background (NSA, ICS-CERT) further validates the intelligence credibility with U.S. government and defense-critical infrastructure buyers. The AWS Manufacturing and Industrial Competency designation (first achieved by Dragos) and the AWS-Dragos partner relationship create a cloud-native deployment pathway that extends the platform's addressable base to organizations deploying OT systems on AWS infrastructure. Similar relationships with CrowdStrike (Falcon integration) and Palo Alto Networks extend the ecosystem footprint and reduce the risk that those vendors displace Dragos at existing customers. Identified competitive risks in order of assessed severity: (1) Microsoft bundled OT monitoring pricing displacement; (2) Claroty healthcare-led account expansion into OT; (3) Nozomi PE-backed consolidation M&A; (4) Commoditization of basic OT asset visibility as features of broader IT security platforms; (5) Talent competition for OT-qualified practitioners limiting Dragos's IR services scale. [CP022, CP023, CP024, CP025, CP026, CP027]

3.5 Exhibits

4.1 Revenue Streams and Business Model

Dragos operates a multi-component revenue model anchored by platform subscription software, with threat intelligence and professional services as significant adjacent revenue streams. The platform subscription revenue (recurring ARR) is the primary value driver for investors: at the Series D, Dragos reported >100% year-over-year platform recurring revenue growth for the fiscal year ending September 30, 2021. This figure is the only verified revenue growth metric available. The platform is priced per device or per node (ICS asset) under annual subscription contracts that include software license, content updates (behavioral analytics), and cloud-based threat intelligence integration for subscribed customers. Threat Intelligence subscriptions are sold separately or bundled with platform licenses, covering Dragos's proprietary adversary group reporting (Activity Group reports, Year in Review), Watch Notifications for early warning of adversary campaigns targeting specific sectors, and access to the Threat Intelligence Management portal. This intelligence product has no direct competitor equivalent—no other OT security vendor maintains a comparable named-group taxonomy— creating pricing power separate from platform competition. Professional Services revenues encompass: (1) incident response retainers (annual retainer contracts, on-call IR for OT environments); (2) OT/ICS security assessments (architecture review, vulnerability assessment, NERC CIP compliance gap assessments); (3) workforce development and ICS training (Dragos Academy partnerships); and (4) managed OT security services through MSSP channel partners (managed detection, managed IR). Professional services revenues are likely episodic rather than fully recurring, subject to the lumpy nature of IR engagements and assessment project timing. The Community tier—OT-CERT (free ICS/OT security resources), Community Defense Program (free tools and threat intelligence for under-resourced critical infrastructure operators), and Neighborhood Keeper (free community threat-sharing for eligible electric utilities via NERC E-ISAC)—generates no direct revenue but creates pipeline for commercial platform adoption among operators who mature their security programs, and builds brand credibility with government and regulatory stakeholders. The AWIA-mandated water utility assessments, CISA community engagement, and NERC E-ISAC partnership all flow through this community tier. Revenue geography: North America (primarily United States) is the core market. International expansion is evidenced by the UAE OT Cybersecurity Center of Excellence, the Macnica Japan partnership, the Singapore Digital and Intelligence Service MOU, and the 16-country European operator forum—suggesting meaningful international revenue growth investment, though no international revenue breakout is publicly available. [CI001, CI002, CI003, CI004, CI005, CI006]

4.2 Unit Economics and Monetization

Dragos's unit economics cannot be precisely quantified without disclosed CAC, LTV, gross margin, or net revenue retention figures. However, the structural characteristics of the business allow for analytical frameworks that bound the possible range. The platform subscription model with per-device pricing and multi-year contracts creates structurally high LTV: a utility customer with 500+ monitored OT assets under a $300K/year platform subscription and a 3-year initial term represents approximately $900K in contract value before expansion, renewal, or professional services attach. Industrial OT security has high deployment stickiness—switching costs include sensor reconfiguration, protocol decoder retraining, SOC workflow reconfiguration, and OT staff re-training—suggesting that net revenue retention (NRR) is likely above 100% for mature platform customers, driven by asset count expansion as OT environments grow. Professional services attach rate is a critical determinant of blended gross margin. Pure SaaS subscription gross margins are typically 75–85%; professional services margins run 30–50%. If Dragos's professional services represent 25–35% of total revenue (a likely range given the deployment-heavy enterprise OT market and the company's stated commitment to practitioner-driven IR), blended gross margin would be in the 55–70% range—below pure SaaS benchmarks but sustainable for an enterprise security company. This has implications for terminal value multiples at exit. Customer acquisition cost structure is dominated by an enterprise direct sales motion with long evaluation cycles (12–24 months) and high technical evaluation requirements (proof of concept deployments, site surveys, protocol analysis). This implies high CAC per customer relative to SMB SaaS, but average contract value that justifies the CAC at scale. Dragos's community programs (OT-CERT, Community Defense Program, Year in Review reports) function as content-led demand generation that reduces inbound CAC for customers who self-identify through community engagement before entering a commercial evaluation. The June 2023 layoffs (approximately 9% of workforce) signal that Dragos was burning capital faster than revenue growth justified in the post-2021 rate environment. The Series D was raised at peak growth-capital valuations (2021), and the 2023 market correction forced a headcount adjustment. No subsequent round of financing has been publicly announced since the January 2024 extension of the Series D to $274M total. The absence of a Series E announcement through May 2026 (approximately 30 months post-extension) raises questions about whether Dragos is approaching profitability, actively pursuing strategic alternatives, or considering a delayed IPO or M&A exit. [CI008, CI009, CI010, CI011, CI012, CI013]

4.3 Capital Structure and Funding History

Dragos has raised approximately $440M in venture and growth equity across multiple rounds, with strategic investors including Koch Disruptive Technologies, BlackRock Alternative Capital, Rockwell Automation, Emerson Electric, and Hewlett Packard Enterprise alongside lead financial investors including National Grid Partners, AllegisCyber Capital, DataTribe, and 1011 Ventures. The October 2021 Series D of $200M at a $1.7B post-money valuation was the company's largest single round; the January 2024 extension brought the total Series D tranche to $274M, suggesting Dragos drew on committed-but-undeployed capital rather than completing a separate round—a common mechanism to extend runway without triggering a new valuation mark. Strategic investor profile reflects Dragos's dual commercial and national security positioning. Koch Industries (Koch Disruptive Technologies) brings energy and industrial operator customer introductions. BlackRock provides access to critical infrastructure asset owners through its real assets platform. Rockwell Automation is a top-tier industrial automation vendor with an installed base of PLCs and control systems that are natural Dragos Platform deployment contexts. Emerson Electric similarly provides OT environment access across process industries. HPE provides edge computing and infrastructure integration context. These strategic investors are not passive: the Rockwell Automation partnership and the Macnica Japan distribution partnership are both products of investor relationships. Total capital raised ($440M) at $1.7B peak valuation implies a post-Series D ownership dilution structure that, at typical SaaS exit valuations of 5–15× ARR for private equity or strategic acquirer exits, would require an ARR in the $300M–$700M range for investor returns to exceed the $1.7B valuation mark. If Dragos's ARR is in the $200–350M analyst-estimated range (unverified), the current operating ARR may not yet support Series D investors breaking even at 2021 valuation. This creates a financial dynamic that may favor a strategic acquisition at a premium to public market comps (where Dragos's government credibility and OT threat intelligence have premium strategic value to a defense contractor, national security acquirer, or IT security platform seeking OT depth) over an IPO at current SaaS multiples. No outstanding debt facilities, convertible notes, or credit lines are publicly disclosed. Dragos's Deloitte Technology Fast 500 recognition for five consecutive years (through 2024) and consistent analyst recognition (Gartner Leader, Frost & Sullivan FrostRadar #1 Innovation) suggest healthy revenue growth momentum, but without financial disclosure the burn rate and runway implications of the $440M raised are unquantifiable. [CI016, CI017, CI018, CI019, CI020, CI021]

4.4 Financial Transparency Gaps and Diligence Questions

Dragos is among the least financially transparent major private cybersecurity companies at its scale. The combination of (1) a five-year-old valuation anchor ($1.7B, October 2021), (2) no ARR or revenue disclosure since 2021, (3) a January 2024 Series D extension rather than a new round (suggesting either runway extension or inability to achieve a higher valuation in the post-2021 multiple compression environment), and (4) no IPO S-1 or public M&A transaction creates a severe financial due diligence challenge. The only independently verifiable financial data points are: Series D funding rounds (disclosed), the >100% YoY platform recurring revenue growth metric (disclosed, 2021), the June 2023 workforce reduction (approximately 9%, publicly reported), and Deloitte Fast 500 rankings (multi-year). Financial diligence for any investment or M&A scenario would require access to Dragos's audited financials—at minimum ARR disaggregated by product line (Platform, Threat Intelligence, Professional Services), gross margin by product line, net revenue retention, customer count by contract size, and current burn rate and runway. The >100% growth figure from 2021 was likely off a small absolute base; the current growth rate (if below 50%) would represent meaningful deceleration from the Series D disclosure. CISA's cybersecurity advisories (jointly with Dragos on multiple critical OT threats) serve as indirect validation of Dragos's market position and government trust—but provide no financial data. The CISA advisories co-authoring relationship is a product quality and brand signal, not a financial metric. The IPO/exit timing question remains open. The cybersecurity IPO market recovered partially in 2025 (several security companies completed IPOs or SPAC mergers), but OT-focused pure-play vendors face public market valuation compression risk from questions about market size specificity, professional services margin drag, and long sales cycles. A strategic acquisition by a defense contractor (Leidos, SAIC, Booz Allen), an IT security platform (Palo Alto Networks, CrowdStrike, Cisco), or an industrial automation vendor (Rockwell Automation, Honeywell, Emerson already investors) would be more likely exit paths than an IPO in the 2026–2028 window, absent significant valuation recovery. [CI023, CI024, CI025, CI026, CI027, CI028]

4.5 Exhibits

5.1 Dragos Platform 3.0 — Product Portfolio and Module Architecture

Dragos Platform 3.0, launched September 23, 2025, is the company's flagship OT cybersecurity software suite. It delivers four integrated capabilities — asset visibility, OT network monitoring and threat detection, vulnerability management, and incident response — from a unified interface purpose-built for industrial control system (ICS) and operational technology (OT) environments. The platform is sold to asset owners across electric, oil and gas, manufacturing, water, transportation, and chemical sectors, and is deployed by security teams responsible for protecting SCADA systems, PLCs, HMIs, and the engineering workstations that control physical processes. The centerpiece of the 3.0 release is the Insights Hub, which consolidates risk-weighted vulnerability, asset, and threat alerts into a single prioritized view, replacing the need to manually correlate disparate tool outputs. Expert-authored playbooks accompany every alert, so analysts at any experience level receive clear guidance on what to investigate and how to respond. Dragos's stated goal is to compress mean-time-to-triage by eliminating alert fatigue from uncontextualized notifications. Hardware innovation in Platform 3.0 includes the STS-50 sensor — a smaller footprint appliance enabling deployment at distributed and remote OT sites that previously lacked the rack space or power budget for full-size sensors. Alongside the STS-50, Dragos introduced a combined Sensor/SiteStore form factor for smaller environments and expanded Active Collection mode, which uses polling-based queries to extend asset discovery to air-gapped and intermittently connected sites where passive-only monitoring would leave coverage gaps. Beyond the platform software, Dragos offers OT Watch managed services in two tiers. OT Watch provides 24/7 expert threat hunting and high-confidence alert escalations. OT Watch Complete adds proactive security hardening, platform tuning, and expert management of the full detection-to-investigation lifecycle. Both tiers are staffed by OT-trained analysts rather than repurposed IT SOC personnel, which Dragos cites as a material differentiator from IT security vendors entering the OT space. [CE001, CE002, CE003, CE006, CE007, CE008]

5.2 Dragos WorldView Threat Intelligence and Adversary Tracking

Dragos WorldView is the company's OT-exclusive threat intelligence product, delivering adversary research, ICS malware analysis, vulnerability insights, and strategic intelligence to security analysts and executive stakeholders. WorldView is the only commercial threat intelligence service focused exclusively on operational technology; IT threat intelligence vendors such as CrowdStrike and Mandiant cover ICS tangentially but do not maintain dedicated OT adversary tracking teams of comparable scale or depth. As of the February 2026 annual report release, Dragos tracks 26 named OT threat groups worldwide, 11 of which were active during 2025. Three new groups were identified during the year: SYLVANITE, which acts as an initial access broker handing off footholds to VOLTZITE for deeper OT intrusions; AZURITE, which conducts long-term OT data exfiltration targeting engineering workstations and shares technical overlaps with Flax Typhoon; and PYROXENE, which conducts supply chain compromises in the aviation, aerospace, defense, and maritime sectors with IRGC-CEC overlaps. KAMACITE systematically scanned U.S. infrastructure control loops throughout 2025, while ELECTRUM deployed wiper malware against Polish energy systems, demonstrating adversary progression from reconnaissance to attempted operational effects. Intelligence is operationalized through weekly Knowledge Packs pushed automatically to the Dragos Platform, containing updated detections, OT-specific vulnerability scoring, and playbooks aligned to current adversary tactics. This intelligence-to-platform feedback loop means customers continuously receive updated threat coverage without manual analyst intervention. WorldView is available as a standalone portal subscription and is embedded in platform-tier customers' deployments. The 2026 annual report found that ransomware groups targeting industrial organizations increased 64% year-over-year, with 119 groups active against 3,300 organizations globally. Dragos also identified that 25% of ICS-CERT and NVD vulnerability advisories carried incorrect CVSS scores in 2025, and 26% had no patch or mitigation guidance — illustrating the value of Dragos's OT-corrected vulnerability intelligence beyond generic public advisories. [CE004, CE011, CE012, CE013, CE014, CE016]

5.3 Technology Architecture — OT-Native, Passive-First, Intelligence-Powered

Dragos Platform's core architectural principle is OT-nativeness: it was built for industrial environments from the ground up, not adapted from IT security tools. The platform uses passive network monitoring as its primary data collection mode, deploying sensors that perform deep packet inspection of network traffic using proprietary parsers for 600+ industrial protocols including MODBUS, DNP3, EtherNet/IP, IEC 61850, OPC-UA, Profinet, and dozens of vendor- specific protocols. This passive approach requires no agents installed on OT devices — a critical design choice because many ICS devices run on proprietary firmware that cannot support agent software, and unplanned software changes on PLC or HMI systems can trigger safety shutdowns. The Dragos Intelligence Fabric sits at the center of the platform's AI and knowledge architecture. It integrates adversary tracking data, OT telemetry from customer environments, asset and protocol expertise, vulnerability research, and frontline incident response observations into a continuous feedback loop. This proprietary dataset, built over nearly a decade of OT incident response and threat hunting, powers both the platform's AI-enhanced vulnerability analysis and new natural-language querying capabilities introduced in 2025-2026. Analysts can query their OT environment in plain English and receive answers grounded in the Intelligence Fabric rather than general-purpose AI models. Cloud and integration architecture expanded significantly with the February 2026 Microsoft partnership. Beginning Q1 2026, the Dragos Platform supports SaaS deployment on Microsoft Azure in addition to the existing on-premises and hybrid models. OT-specific telemetry, threat intelligence, and asset context now flow directly into Microsoft Sentinel, enabling unified IT/OT detection, investigation, and response for organizations that already operate Sentinel as their SIEM. Customers can procure Dragos through Microsoft Marketplace and apply Azure consumption commitments, lowering procurement friction for enterprise buyers. AWS integration predates the Microsoft partnership. Dragos achieved the AWS Manufacturing and Industrial Competency as the first partner with an OT Security designation in January 2023. Koch Industries deployed the platform on AWS and reported previously unachievable visibility into ICS/OT assets as a result. [CE002, CE015, CE016, CE017, CE018, CE019]

5.4 Professional Services — Incident Response, Assessment, and Managed Monitoring

Dragos's professional services portfolio complements the platform and represents a separate revenue stream that also feeds intelligence back into product development. The services organization is staffed by OT security practitioners with government and military cyber backgrounds — the same profile as the founders — providing credibility that IT-trained consultants cannot match in ICS incident response engagements. The Rapid Response Retainer provides organizations with pre-cleared contracts, reducing the mobilization time during an active OT incident. Retainer customers receive onboarding workshops to evaluate their existing IR plans and tabletop exercises to identify gaps before a real incident occurs. Burndown options allow organizations to draw down retainer hours for training and exercises rather than waiting for an incident. This model is analogous to legal retainers in crisis management and creates recurring services revenue alongside platform subscriptions. Assessment services include OT Cybersecurity Assessments (evaluating network design and security controls), Network Vulnerability Assessments, Penetration Testing of OT environments, and Purple Team exercises that test both defensive detection and offensive simulation simultaneously. Architecture Reviews are particularly relevant for NERC CIP compliance, as they evaluate whether segmentation and monitoring configurations meet regulatory requirements. OT Watch and OT Watch Complete extend managed services to organizations that lack internal OT security staff. OT Watch delivers 24/7 expert monitoring and escalation; OT Watch Complete manages the full detection-to-investigation lifecycle including proactive security hardening. Both tiers integrate with the platform's Insights Hub and benefit from weekly Knowledge Pack updates. The managed services model also creates stickiness: customers that adopt OT Watch are less likely to churn from the underlying platform subscription because the service team is embedded in their operations. [CE007, CE008, CE009, CE022, CE023]

5.5 Community Defense — Neighborhood Keeper, CDP, OT-CERT, and ISAC Partnerships

Dragos's community defense strategy differentiates it from any IT security vendor and most OT security competitors. The company has built three distinct community programs that create network effects — each participant makes all participants more secure — and serve as a long-term customer acquisition funnel for smaller utilities that may upgrade to paid platform subscriptions as they mature. Neighborhood Keeper is a free opt-in anonymized threat intelligence sharing network available to all Dragos Platform customers. It uses double anonymization: no organization ID is mapped to the connection certificate, so participants share threat telemetry without revealing which organization generated the data. Knowledge Packs are automatically distributed to all participants, ensuring that a threat indicator observed at one utility can be blocked at all 84+ participating utilities within hours. Neighborhood Keeper partners include the North American Electric Reliability Corporation's E-ISAC for the electric sector, the ONG-ISAC for oil and natural gas, and the DNG-ISAC for downstream natural gas. OT-CERT (OT Cyber Emergency Readiness Team) is Dragos's free community for under-resourced ICS/OT operators. As of March 2025, OT-CERT had over 2,400 members in 64 countries, receiving free how-to guides, tabletop exercise templates, training materials, and interactive working sessions. OT-CERT is free to join and represents Dragos's broadest top-of-funnel community engagement. The Community Defense Program (CDP) is the most targeted of the three. It provides perpetually free access to the Dragos Platform software, Neighborhood Keeper, and OT-CERT membership to qualifying US and Canada-based water, electric, and natural gas utilities with under $100M USD in annual revenue. Launched in the US in December 2023 and expanded to Canada in March 2025, the CDP is enabled by a partnership with Elastic, which provides Elasticsearch at no charge to support the platform deployment. These small utilities are often the softest targets for ransomware and nation-state reconnaissance; the CDP serves the mission while building brand loyalty with operators who may become decision-makers or references as their organizations grow. [CE025, CE026, CE027, CE028]

5.6 Ecosystem, Partner Program, Compliance Support, and Platform Gaps

Dragos's go-to-market ecosystem includes over 100 channel partners spanning managed security service providers, system integrators, and technology resellers. The Dragos Global Partner Program, launched June 2023, is the only OT channel program offering technology, threat intelligence, professional services, and training under a single program. It earned a 5-Star CRN Partner Program rating in 2024 and named Dragos's VP of Channel as a 2024 CRN Channel Chief. Partners include global firms such as Booz Allen Hamilton, Optiv, and CyberCX as well as specialized OT firms such as 1898 & Co. and ABS Group. Strategic technology integrations extend beyond Microsoft and AWS. The platform includes SIEM connectors for major platforms and integrates with security orchestration tools. The Dragos Platform MCP Server, introduced in 2025-2026, enables enterprise AI tools to connect directly to platform data, allowing organizations to use their existing AI environments for OT queries without requiring users to learn a new interface. NERC CIP compliance is a material use case for electric utility customers. The Dragos Platform's passive monitoring approach aligns with NERC CIP-015 internal network security monitoring requirements, and the platform generates event logs and alerts compatible with CIP audit documentation. Architecture Reviews by the Dragos services team help customers map their deployments to CIP control requirements, reducing compliance overhead. Key platform gaps include the absence of confirmed FedRAMP authorization as of May 2026, which prevents Dragos from competing for US federal agency OT security contracts without additional procurement workarounds. The company has not published a FedRAMP roadmap or timeline. Additionally, while AI-enhanced vulnerability analysis and natural-language querying are available in Platform 3.0, the accuracy and enterprise adoption of these AI features at scale remain unproven. Finally, no public SOC 2 Type II or ISO 27001 certification for Dragos platform operations has been confirmed, which may be a procurement gate for some enterprise security buyers. [CE019, CE020, CE021, CE024, CE029, CE033]

5.7 Exhibits

6.1 Customer Base and Industrial Vertical Segmentation

Dragos serves industrial asset owners and operators in nine publicly confirmed verticals: electric utilities, oil & gas, manufacturing, water and wastewater, chemical, pharmaceutical, food & beverage, transportation, and mining. Buyer personas cluster into three segments. The enterprise commercial tier consists of large industrial organizations with dedicated OT security budgets (e.g., national utilities, global manufacturers, Fortune 500 energy companies) that purchase the full Dragos Platform plus WorldView intelligence and professional services. The mid-market and specialist tier includes mid-size industrials and public-sector operators who procure through channel partners, managed service providers, or national cybersecurity programs. The community tier — comprising Community Defense Program (CDP) members, OT-CERT members, and Neighborhood Keeper participants — receives free or heavily subsidized access as part of Dragos's collective defense mission. The electric sector is Dragos's most publicly documented vertical. The company holds a joint collective defense initiative with the North American Electric Reliability Corporation's E-ISAC covering 84+ utilities representing more than 70% of US electric utility customers. Oil & gas buyers benefit from the ONG-ISAC Neighborhood Keeper partnership, extending sector-wide threat visibility to all member companies in the North American petroleum sector. Manufacturing is also confirmed: Koch Industries' Georgia-Pacific subsidiary (160+ locations) and Boston Beer Company are named production customers. Water sector coverage is addressed through the CDP, which prioritizes under-resourced water utilities that cannot afford commercial pricing. Geographic coverage spans North America (primary), the United Kingdom (25 FTEs by July 2023), continental Europe (16-country engagement at the inaugural European Forum), the UAE (OT Cybersecurity Centre of Excellence established March 2026), Japan (Country Manager appointed April 2026), and Australia/New Zealand. The Middle East (GCC, Saudi Arabia) is covered through direct engagement referenced in the Series D funding announcement. Channel partners — 100+ firms including Booz Allen Hamilton, Optiv, and CyberCX — extend reach beyond direct Dragos headcount in all regions. [CU001, CU002, CU003, CU004, CU005, CU006]

6.2 Named Customer Proof — Enterprise Deployments and Public Testimonials

Dragos's most substantive named customer evidence comes from the October 2021 Series D funding announcement, which included direct testimonials from four customers who are also strategic investors: Georgia-Pacific, Koch Industries, Rockwell Automation, and National Grid. This investor-customer overlap provides corroborated deployment proof but requires careful interpretation — the commercial relationship may be influenced by the investment relationship. Georgia-Pacific LLC, a Koch Industries subsidiary with 160+ global locations and brands including Dixie, Angel Soft, and Brawny, deployed the Dragos Platform for OT visibility, threat detection, and incident response across its manufacturing and chemical operations. CISO Francis Cioffi stated the platform provides "visibility, detection, and response capabilities we need to secure our operations and protect the business." This is a high-quality reference: a named CISO from a large, identifiable company with a specific operational outcome statement. Koch Industries deployed the Dragos Platform on AWS at its 500+ global manufacturing and processing facilities, achieving "previously unachievable visibility into ICS/OT assets," per the AWS Industrial Competency announcement. Byron Knight, Managing Director and COO of Koch Disruptive Technologies (the investment arm), stated that Koch has "quickly proven to be a key partner" and that the platform "plays a key part in managing risk across our enterprise." Koch's repeated investment in Dragos (multiple rounds) further corroborates sustained platform adoption. National Grid plc — one of the world's largest investor-owned utilities — invested in Dragos in 2018 following its initial subscription to Dragos's OT threat intelligence service. CTIO Lisa Lambert confirmed that Dragos's "visibility into ICS threats brought value for both our UK and US businesses" as of the 2021 UK expansion announcement. This provides multi-year deployment proof with a named executive at a critical infrastructure operator. Rockwell Automation, a leading industrial automation vendor, invested in Dragos as a strategic partner and customer. VP and GM of Global Services Rachael Conrad confirmed that "Dragos's industrial cybersecurity platform helps our customers protect their operational environments and maximize the value of their digital transformation." Boston Beer Company is listed as a named manufacturing customer on Dragos's industry page without a published case study or executive quote; this is logo-level proof. [CU008, CU009, CU010, CU011, CU012, CU013]

6.3 Community Defense Tier — Neighborhood Keeper, OT-CERT, and CDP

Dragos operates three community programs that together serve a large non-commercial customer base and create a long-term acquisition funnel for the commercial platform. These programs are operationally significant: they provide real OT threat telemetry that improves the Intelligence Fabric for all Dragos customers (network effect), establish Dragos's brand in the under-resourced utility segment, and seed future commercial relationships as small utilities grow or consolidate. Neighborhood Keeper is the foundational collective defense network. Available as a free opt-in to all Dragos Platform customers, it uses double anonymization to aggregate and distribute threat indicators at machine speed. As of October 2021, 84+ utilities participated in the E-ISAC joint initiative — representing more than 70% of electric utility customers in the US — and the ONG-ISAC integrated Neighborhood Keeper for the North American oil and natural gas industry. The DNG-ISAC participates for downstream natural gas operators. These ISAC partnerships mean that Neighborhood Keeper's collective visibility extends to entire industry sectors, not just Dragos platform customers. OT-CERT (OT Cyber Emergency Readiness Team) is Dragos's free community for under-resourced ICS/OT operators, providing how-to guides, tabletop exercise templates, vulnerability disclosures, and interactive working sessions. As of March 2025, OT-CERT has over 2,400 members in 64 countries. OT-CERT functions as a brand engagement layer for organizations that cannot afford commercial Dragos products but benefit from the company's threat intelligence and practitioner community. The Community Defense Program (CDP) provides perpetually free access to the Dragos Platform software, Neighborhood Keeper, and OT-CERT membership to qualifying US (since December 2023) and Canada-based (since March 2025) water, electric, and natural gas utilities with under $100M USD (~$140M CAD) in annual revenue. The CDP is enabled by an Elastic partnership providing Elasticsearch at no charge to support platform deployments at scale. Canadian channel partner VARS Corporation (Montreal) is delivering the CDP to qualifying utilities in that country. CDP customers do not generate platform revenue but contribute threat telemetry and represent potential future paid customers. [CU015, CU016, CU017, CU018, CU019, CU020]

6.4 Geographic Customer Presence and International Expansion

Dragos's geographic expansion strategy follows a hub-and-spoke model: establish direct presence in high-value markets, partner for coverage in adjacent markets, and leverage community programs to seed brand awareness ahead of direct commercial sales. North America remains the primary commercial market. The UK office, established October 2021, had grown to 25 full-time employees across Europe by July 2023, led by AVP Tony Atkins (UK/Europe), Chief of Staff Phil Tonkin (23 years in energy sector), IR Director Kai Thomsen (ex-Audi, steel industry), and Technical Director Magpie Graham (ex-Microsoft intelligence). The inaugural Dragos European Forum in London (June 2022) drew approximately 150 OT asset owners and operators from 16 countries — confirming practitioner demand in the region but reflecting an early community stage rather than a mature commercial footprint. The UAE OT Cybersecurity Centre of Excellence (CoE), established in partnership with the UAE Cyber Security Council under the "Make it in Emirates" forum (announced March 2026), gives Dragos a physical presence in the GCC region. The CoE provides real-world OT attack and defense scenarios for practitioners, serving as both a training venue and a customer acquisition asset for regional critical infrastructure operators in energy, petrochemicals, and utilities. Japan expansion accelerated in April 2026 with the appointment of Kaori Nieda as Dragos's first Japan Country Manager, building on the existing Macnica distribution partnership (which covers Japan's critical infrastructure and manufacturing sectors). Dragos also maintains commercial presence in Australia and New Zealand, referenced in the Series D announcement and organizational materials. Key geographic diligence gaps: Dragos does not publicly disclose revenue or customer count by region. European operations are 25+ employees by 2023 but the commercial customer base size is undisclosed. The Middle East presence is referenced in the Series D announcement but no specific customer names or commercial metrics are public. [CU021, CU022, CU023, CU024, CU025]

6.5 Channel Partners, ISAC Ecosystems, and Investor-Customer Overlap

Dragos's 100+ channel partners — including Booz Allen Hamilton, Optiv, CyberCX, 1898 & Co., and ABS Group — extend sales and delivery reach for OT security assessments, platform deployment, and managed services in regions and sectors where Dragos's direct team is limited. The Dragos Global Partner Program (launched June 2023) is the only OT channel program spanning technology, threat intelligence, professional services, and training under a single structure, and it earned a 5-Star CRN Partner Program rating in 2024. ISAC partnerships create sector-wide channel relationships. The E-ISAC (electric), ONG-ISAC (oil and gas), and DNG-ISAC (downstream natural gas) collectively cover the largest OT buyer segments in North America. These partnerships make Neighborhood Keeper the de facto collective defense layer for US critical infrastructure ISACs, positioning Dragos as an embedded industry infrastructure layer rather than a transactional vendor. The Dragos-Axio OT cyber risk quantification partnership (announced 2024) expands the buyer contact from OT security teams to CFOs and risk committees, who can now quantify potential OT cyber losses in financial terms. The February 2026 Microsoft Azure marketplace integration enables enterprise buyers to procure Dragos through existing Microsoft EA agreements, lowering procurement friction significantly for the enterprise segment that is already Microsoft-aligned. Investor-customer overlap (Koch Disruptive Technologies, National Grid Partners, Emerson, Rockwell Automation, HPE, Schweitzer Engineering) creates a unique reference base but introduces a diligence ambiguity: are these deployments driven by commercial merit or investment alignment? The quality of individual testimonials (named CISOs, specific operational outcomes) suggests genuine commercial adoption, but independent corroboration from non-investor customers would strengthen the evidence. [CU026, CU027, CU028, CU029, CU030]

6.6 Retention Durability, Adverse Signals, and Concentration Risks

Dragos is a private company and does not disclose customer count, ARR, NRR, GRR, or cohort retention metrics. The only publicly disclosed growth metric is "over 100% year-over-year growth in platform recurring revenue for the period ending September 30, 2021" — now over four years old. Without more recent or disclosed metrics, retention and growth trajectory must be inferred from structural factors and qualitative evidence. Structural factors supporting high retention: OT security platform deployment requires significant engineering effort — sensor placement, protocol tuning, network integration, and team training — creating substantial switching costs. OT environments change slowly relative to IT environments, and once a platform is validated in a complex ICS environment, operators are reluctant to disrupt it. Multi-year contracts are standard for OT security given the deployment complexity and operational continuity requirements. Gartner Peer Insights reviews from OT practitioners consistently report high satisfaction with Dragos's threat intelligence depth and OT expertise. Adverse signals: In June 2023, Dragos laid off approximately 9% of its workforce following a failed fundraising attempt. The company had sought additional capital but did not achieve its target on favorable terms, suggesting that the 2021 valuation and growth assumptions did not hold through 2022-2023 market conditions. This does not definitively indicate customer churn, but it suggests that platform revenue growth slowed from the >100% rate reported in 2021 to a rate insufficient to support the company's burn rate and hiring plan without additional capital. Long OT sales cycles (typically 6-18 months due to engineering reviews, operational risk assessments, and multi-stakeholder approval) create revenue predictability but also extend the pipeline-to-revenue lag. Budget competition from IT security priorities, which consume the majority of most organizations' security budgets, is a persistent headwind: many OT asset owners lack dedicated OT security budget lines and must fund Dragos from IT budgets that IT teams would prefer to spend on IT-native tools. Concentration risk is difficult to assess given the absence of disclosed customer count or revenue distribution data. Named customer proof is concentrated in the energy/utilities sector and a small set of large industrial conglomerates with investor relationships. Customer proof across water utilities, pharmaceuticals, transportation, and food & beverage is limited to webpage references without published outcomes. [CU031, CU032, CU033, CU034, CU035, CU036]

6.7 Exhibits

7.1 Regulatory and Legal Risk

Dragos operates in a regulatory environment that is simultaneously a tailwind and a source of risk. NERC CIP (Critical Infrastructure Protection) standards CIP-002 through CIP-014 mandate that bulk electric system operators implement security controls for industrial control systems, and the failure to comply carries fines of up to $1M per violation per day. This mandate creates non-discretionary budget obligations for Dragos's primary customer segment. The CISA Volt Typhoon Advisory (AA24-057A, February 2024) and the PIPEDREAM joint advisory (AA22-103A) explicitly recommend OT-specific monitoring and detection capabilities. TSA Pipeline Security Directives (SD-02C, extended through 2025) similarly mandate OT security architecture changes for pipeline operators. The regulatory risk is not that requirements will disappear but that the pace of regulatory change creates buyer paralysis. When NERC CIP standards are updated (as CIP-013 was in 2022 for supply chain security), utilities may defer discretionary spending while compliance teams assess new requirements. Additionally, Dragos's threat intelligence publications carry liability exposure if any attribution or technical claim proves incorrect and a regulated entity relies on it during an incident response. Dragos has no material disclosed litigation as of May 2026. In May 2023, a cybercrime group gained access to a newly hired employee's account through social engineering and attempted to extort Dragos using downloaded sales intelligence reports. CEO Robert Lee disclosed the incident publicly on social media. NERC CIP-013 supply chain risk management requirements may require Dragos customers to conduct formal vendor security assessments at contract renewal. [CR001, CR002, CR003, CR004, CR005, CR006]

7.2 Competitive and Market Risk

The OT cybersecurity platform market is intensifying rapidly. Dragos competes across three tiers: (1) dedicated OT security pure-plays -- Claroty ($635M total raised; Schneider Electric and Rockwell Automation as strategic investors), Nozomi Networks (Series D funded; IPO-track), and Armis ($4.3B valuation, 2023); (2) IT security vendors expanding to OT -- Microsoft Defender for IoT (free to Azure/Sentinel customers), Palo Alto Networks Industrial OT Security, and Fortinet OT capabilities; and (3) industrial automation vendors building native OT security -- Honeywell Forge, Siemens Eos.ii. Notably, Rockwell Automation is both a Dragos investor and a Claroty strategic investor -- a direct conflict of interest that could influence Rockwell's platform purchasing decisions. Dragos's primary competitive moat is ICS threat intelligence depth: the WorldView threat intelligence platform, named ICS threat groups only Dragos tracks (CHERNOVITE, ELECTRUM, VOLTZITE), and a 250+ ICS threat indicator catalog represent barriers that IT-native competitors cannot quickly replicate. However, the free tier of Microsoft Defender for IoT provides basic OT asset inventory at near-zero marginal cost for Azure/Sentinel customers, compressing the market for Dragos's entry-level product tier. The market education risk is material: a substantial share of industrial asset owners do not yet have dedicated OT security budgets. Converting these prospects requires 12-18 month sales cycles, in-person proof-of-value deployments, and sustained executive relationship building. This elongated sales cycle, combined with Dragos's dependency on a 100+ channel partner network, creates pipeline-to-revenue dynamics that are highly sensitive to macro headwinds. The 2022-2023 industrial software spending slowdown culminated in Dragos's failed fundraising attempt and June 2023 layoffs. [CR008, CR009, CR010, CR011, CR012, CR013]

7.3 Operational and Technical Risk

Dragos's platform delivery model is cloud-managed with on-premise sensor deployment, creating a dual operational dependency: cloud availability for the SaaS management layer and WorldView intelligence updates, and on-premise hardware uptime for Dragos Network Sensors at customer sites. A sustained cloud infrastructure outage would prevent customers from receiving updated threat intelligence, creating potential detection gaps during active OT threat campaigns. Dragos's incident response capacity represents a structural operational risk. The company is one of a very small number of vendors globally capable of credibly responding to complex ICS incidents. The simultaneous occurrence of two or more major ICS incidents could exhaust Dragos's IR team capacity and create service level failures. The WorldView threat intelligence flywheel creates a reinforcing dependency: its accuracy depends on active sensor telemetry from the deployed customer base, meaning that a stall in new deployments directly degrades the intelligence quality that is Dragos's primary differentiation. Dragos's distributed and remote-first workforce model covers 40+ US states and multiple international offices. While this reduces facilities concentration risk, it increases communication overhead. The company's technical workforce competes for senior OT security engineers with Booz Allen Hamilton, Accenture, and Deloitte, creating talent attrition risk compounded by the relative illiquidity of Dragos's pre-IPO equity compensation. [CR016, CR017, CR018, CR019, CR020, CR021]

7.4 Financial and Capital Risk

Dragos's most significant financial risk is the combination of funding opacity and the failed 2023 fundraising attempt. The company's last publicly confirmed financing event was the $200M Series D at a $1.7B post-money valuation in October 2021. Since then -- over 4.5 years -- no additional equity raise has been publicly disclosed. The June 2023 layoff of approximately 9% of the workforce was reported by The Register and Bloomberg to be a direct consequence of a fundraising attempt that did not achieve its target. This implies that either growth had decelerated sufficiently that investors declined to fund at the Series D valuation, or Dragos sought capital at a price investors considered unsupported. Without public financial disclosure, burn rate assessment is impossible from external sources. Cybersecurity companies at Dragos's estimated ARR range ($50-$150M, based on stage, team size, and market benchmarks) typically carry annual operating costs of $100-$200M+ including R&D, sales force, IR services, and intelligence operations. At an $80-$120M/year burn rate -- a reasonable assumption given disclosed team size -- the $200M Series D would have provided approximately 20-30 months of runway from October 2021, implying cash pressure began in mid-2023. Customer concentration amplifies financial risk. Three of Dragos's most visible named customers -- Koch/Georgia-Pacific, National Grid Partners, and Rockwell Automation -- are also Series D investors. If any of these anchor relationships weakened through contract non-renewal or platform consolidation to a competitor, the revenue impact would be disproportionate. The Rockwell conflict-of-interest adds a specific concentration risk vector that does not appear in public disclosures. [CR023, CR024, CR025, CR026, CR027, CR028]

7.5 Key-Person and Governance Risk

CEO and co-founder Robert M. Lee is the single most important non-financial asset at Dragos. Lee founded Dragos in 2016 after serving in US Air Force Cyber Command and NSA as an ICS/SCADA specialist, co-discovered the Industroyer/CRASHER malware that attacked Ukraine's power grid in 2016, and has become the primary thought leader in ICS cybersecurity globally. His public profile -- hosting the Control Loop podcast with CyberWire, speaking at S4, RSA, and Black Hat annually -- creates brand equity that cannot easily transfer to a successor. Dragos's board composition beyond investor representatives (Koch Disruptive Technologies, BlackRock, National Grid Partners, Rockwell Automation) is not publicly disclosed. The 2023 board expansion with Bill Fehrman and Ekta Singh Bushell added independent directors, but no audit committee structure, compensation committee details, or formal governance documents are publicly available. This opacity limits assessment of whether appropriate independent oversight exists for CEO compensation decisions, financial controls, and related-party transactions with investor-customers. The May 2023 social engineering incident adds a governance signal: a company that markets OT threat detection was itself successfully social-engineered. The transparent disclosure was a positive governance indicator, but the incident demonstrated operational security vulnerabilities in non-technical administrative functions. Competitors may leverage this in sales situations. [CR030, CR031, CR032, CR033, CR034, CR035]

7.6 Thesis-Break Triggers and Termination Criteria

The investment thesis for Dragos rests on three pillars: (1) the regulatory and geopolitical tailwind creates non-discretionary OT security budget for critical infrastructure operators; (2) threat intelligence depth (21+ named ICS threat groups, PIPEDREAM/Volt Typhoon expertise, WorldView platform) creates a defensible moat against IT-native competitors; and (3) the community funnel (OT-CERT, Neighborhood Keeper, CDP) creates a pipeline of future commercial customers that reduces CAC over time. Each pillar has a distinct termination criterion. For the regulatory tailwind: a reversal of NERC CIP enforcement posture or a CISA policy shift toward technology-neutral frameworks would reduce the urgency premium that drives Dragos's pipeline. This is low-probability given the geopolitical threat environment but structurally possible under significant political shifts. For the intelligence moat: if Microsoft, Palo Alto, or a government intelligence agency published equivalent OT threat intelligence in a freely accessible format, the WorldView subscription model would face severe pressure. For the community funnel: if OT-CERT, CDP, and Neighborhood Keeper fail to convert at commercially meaningful rates within 24-36 months, the community program costs become a drag without ARR benefit. The most actionable thesis-break criterion is financial: Dragos must raise a Series E at a valuation of at least $1.5B before its post-restructuring cash runway depletes. A down-round at less than $1.0B would represent a greater than 40% decline from the Series D entry point and would constitute a thesis-break for all existing investors. A secondary thesis-break criterion is a Volt Typhoon-attributed destructive ICS attack that simultaneously overwhelms Dragos's IR capacity and damages the company's reputation for preparedness. [CR036, CR037, CR038, CR039, CR040]

7.7 Exhibits

8.1 Recommendation and Investment Thesis

Dragos presents a high-conviction market thesis in one of the fastest-growing, regulatory-driven segments of the enterprise security market. The investment thesis has four evidence-supported pillars: (1) Non-discretionary regulatory tailwind -- NERC CIP enforcement (fines up to M/day), CISA Volt Typhoon advisory (AA24-057A), and TSA Pipeline Security Directives create mandatory OT security budget obligations for Dragos electric utility, pipeline, and manufacturing customers. (2) Widest ICS threat intelligence moat -- 21+ named ICS threat groups (CHERNOVITE, ELECTRUM, VOLTZITE), the WorldView intelligence platform, and the proprietary sensor telemetry flywheel that feeds detection quality represent barriers that IT-native competitors cannot quickly replicate. (3) Community flywheel creating durable pipeline -- OT-CERT (2,400+ members), Neighborhood Keeper (84+ utilities), and CDP (launched December 2023) are reducing CAC for a segment of the market that typically has 12-18 month sales cycles. (4) OT-native specialization advantage -- Dragos Platform was built from the ground up for ICS environments; IT security vendors (Microsoft, Palo Alto, Fortinet) adding OT modules are adapting IT-native architectures to a fundamentally different operational technology environment. The anti-thesis is equally evidence-supported: (1) Financial opacity blocks valuation precision -- no ARR, burn rate, or growth rate disclosure in 4.5+ years; failed 2023 fundraising implies growth deceleration. (2) Microsoft Defender for IoT free tier compresses the entry-level TAM and forces Dragos to justify premium pricing entirely on intelligence depth. (3) Key-person concentration on Robert M. Lee -- the company's brand, investor relationships, and thought leadership equity are uniquely anchored to one individual with no disclosed succession plan. (4) Customer concentration among investor-customers -- Koch/Georgia-Pacific, National Grid Partners, and Rockwell Automation are simultaneously investors and customers, creating undisclosed related-party transaction risk. Recommendation is Research More / Conditional Track rather than Buy or Sell. The market position justifies continued attention and a defined entry discipline. But absent financial disclosure, a new position at or above the .7B reference price cannot be analytically supported. The diligence path is clear: require full financial disclosure as a condition of entry. If ARR is confirmed above 0M with 30%+ growth, the .0-2.5B base case valuation supports a reasonable entry at or slightly above the Series D price. [CV001, CV002, CV003, CV004, CV005, CV006]

8.2 Financing Context and Valuation Anchors

Dragos's last confirmed valuation anchor is the October 2021 Series D: 00M raised at a .7B post-money valuation from Koch Disruptive Technologies, BlackRock, National Grid Partners, Rockwell Automation, and others. No subsequent equity raise has been publicly disclosed as of May 2026 -- a 4.5-year gap that is unusual for a venture-backed cybersecurity company at this stage. The June 2023 layoffs and failed fundraising attempt represent the only disclosed financial signal in this period. Using the OT cybersecurity market revenue-multiple framework: at the 2021 Series D moment, Dragos was valued at approximately .7B with reported growth over 100% YoY and a team of 800+ employees. The implied ARR at that valuation, using the 20-30x ARR multiples prevalent for high-growth cybersecurity SaaS in late 2021, would have been approximately 5-85M. Private market multiples for cybersecurity SaaS companies in the 30-50% growth cohort compressed by approximately 40-60% from 2021 peak to 2023 trough. This compression, combined with the likely growth deceleration implied by the 2023 events, suggests the .7B valuation may have been structurally challenged in 2023 -- consistent with the reported fundraising failure. Comparable private OT security transactions provide additional anchoring: Claroty raised 00M at an implied post-money of approximately .8-2.2B in November 2021 (similar timing to Dragos). Armis achieved a .3B valuation in 2023, but Armis addresses a broader IT/OT asset management TAM with a different revenue model. Nozomi Networks remains pre-IPO with an estimated private valuation of 00M-.2B based on Series D comparables. Tenable Holdings (TENB), which acquired Indegy (OT security) in 2019, trades at approximately 5-6x trailing revenue on a combined platform that includes OT capabilities -- suggesting that pure-play OT premiums erode upon platform integration with IT security. Our valuation range is anchored to an estimated ARR of 0-100M (no disclosure available) and applies a 20-25x forward ARR multiple (justified by regulatory tailwind durability and intelligence moat, discounted 30-40% from 2021 peak for multiple compression and growth deceleration risk). This yields a base case of .0-2.5B at 0M ARR growing 35%, bear case of .5-1.7B at 0M ARR growing 20%, and bull case of .5-3.5B at 00M ARR growing 40%+. [CV009, CV010, CV011, CV012, CV013, CV014]

8.3 Comparable Valuation Analysis

The comparable set for Dragos spans four groups: (1) private pure-play OT security companies (Claroty, Nozomi); (2) private IT/OT convergence platforms (Armis); (3) public cybersecurity companies with OT components (Tenable TENB, CrowdStrike CRWD emerging OT module); and (4) OT security M&A transactions (Tenable/Indegy 2019 at 8M, Armis/Aperio 2021, Rockwell investment in Claroty). The most relevant comparables are Claroty and Nozomi as direct pure-play OT security peers. Claroty's Series D (00M, November 2021) implied a post-money of approximately .8-2.2B -- comparable to Dragos's Series D at .7B two weeks earlier. Both companies have not disclosed post-2021 financials, making growth-adjusted comparable analysis difficult. Armis at .3B (2023) is a useful ceiling comparable, but Armis's TAM (IT and OT asset management for ITAM/CAASM use cases) is substantially larger than Dragos's more focused OT threat detection and IR market. For public company multiples: Tenable Holdings (TENB) trades at approximately 4.5-5.5x NTM ARR on a combined VM and OT security platform of approximately .0B ARR. CrowdStrike's OT security module is nascent (sub-0M ARR estimated) and not yet publicly broken out; CRWD trades at over 20x ARR but this multiple reflects the core Falcon EDR dominance, not the OT component. Using Tenable as the most relevant public proxy for an OT-capable platform at scale and applying a 15-25x multiple to Dragos's estimated ARR range of 0-100M yields a valuation range of bash.75B-.5B -- consistent with our bear to base scenario modeling. The comparable set confirms that the .7B Series D valuation is defensible under a base-case scenario (ARR approximately 0M, growth 30-40%, 20-22x forward multiple) but not obviously cheap. A new investor entering at the .7B reference price would need confidence in 25%+ ARR growth and a clear Series E or exit path within 24-36 months. [CV017, CV018, CV019, CV020, CV021, CV022]

8.4 Thesis-Break and Monitoring

The primary thesis-break for a Dragos investment is a Series E fundraise at below .0B valuation -- representing a greater than 40% decline from the Series D reference price and implying a fundamental revaluation of the business. Secondary thesis-break triggers include: a major IT security platform (Microsoft or Palo Alto Networks) launching an OT security bundle priced below Dragos's average contract value for enterprise customers; a Dragos headcount reduction without an announced new equity raise; or the departure of Robert M. Lee without a pre-announced transition plan. Monitoring indicators that would positively update the investment case: (1) A confirmed Series E at a valuation of .0B+ would validate the base case and justify position entry; (2) Any ARR disclosure (voluntary or via regulatory filing if Dragos pursues an IPO or direct listing) confirming growth above 30%; (3) A Dragos IPO announcement, which would require financial disclosure sufficient to resolve most evidence gaps; (4) A major enterprise OT security contract announcement at a Fortune 100 critical infrastructure operator not yet in the disclosed customer list. Monitoring indicators that would negatively update the case: (1) A second headcount reduction; (2) Departure of key executives (SVP Research, SVP Sales, CTO); (3) Claroty or Nozomi winning a named Dragos customer account. Conviction threshold for position entry: Require (a) confirmed ARR above 0M with trailing 12-month growth above 25%, (b) confirmed cash runway above 18 months or announced new financing, and (c) valuation at or below the base case of .0-2.5B before entering a half position. A full position requires resolution of the board governance opacity and the Rockwell investor-customer conflict of interest. [CV024, CV025, CV026, CV027, CV028, CV029]

8.5 Final Diligence Asks

The most critical unresolved diligence items for Dragos -- all of which would materially shift the recommendation from Research More to Buy or Pass -- relate to financial transparency and governance. First, financial disclosure: the company must provide its 2021-2026 ARR bridge, current annualized ARR, trailing 12-month growth rate, gross margin, burn rate by cost category, current cash balance, and any credit facilities or bridge financing. Second, valuation context: the specific terms of the 2023 failed fundraising attempt -- including the targeted valuation, which investors passed, and the reason given -- would provide critical triangulation for current enterprise value assessment. Third, capital structure: a full cap table showing preference stack, liquidation preferences, anti-dilution provisions, and investor rights agreements is essential for return modeling. Fourth, governance: a complete board member list, committee charters, and any existing recusal or conflict-of-interest policies for investor-board members with customer relationships (specifically Rockwell Automation). If financial disclosure confirms the bear case scenario (ARR approximately 0M, growth below 25%), the appropriate action is Pass or Monitor at below .5B entry. If disclosure confirms the base case (ARR approximately 0M, growth 30-40%), the appropriate action is Half Position at or below .0B. If disclosure confirms the bull case (ARR above 00M, growth above 40%), the appropriate action is Full Position at or below .5B. The recommendation framework is price-sensitive and evidence-sensitive: the quality of the Dragos market position does not independently support entry without financial validation. [CV031, CV032, CV033, CV034, CV035, CV036]

8.6 Exhibits