Huntress

1.1 Identity and Business Model

Huntress is a privately held managed security platform headquartered in Columbia, Maryland (originally Ellicott City, MD). Founded in 2015 by former National Security Agency (NSA) cyber operators, the company occupies a distinctive niche: delivering enterprise-grade cybersecurity to the "Fortune 5,000,000"—the vast underserved universe of small and mid-sized businesses that represent 99% of US companies by count but have historically been priced out of best-in-class security tooling. Huntress operates a subscription SaaS model distributed primarily through a channel of 4,000+ managed service providers (MSPs), who in turn protect 120,000+ SMB end-customers. The company's platform integrates managed endpoint detection and response (EDR), identity threat detection and response (ITDR), a newly launched security information and event management (SIEM) product, and security awareness training (acquired via Curricula). Every product tier is backed by a 24/7 human-led Security Operations Center (SOC) staffed by elite threat hunters, a differentiator Huntress calls "human-augmented security." This positions Huntress between pure product vendors like CrowdStrike and full-service MSSPs, delivering managed outcomes at SMB-accessible price points. As of September 2024 the company had crossed $100M ARR and achieved unicorn status ($1.5B+ valuation) following its June 2024 Series D round—the last private round before a targeted IPO. [CO001, CO002, CO003, CO004, CO005]

1.2 Founders, Leadership, and Governance

Huntress was co-founded by Kyle Hanslovan (CEO), Chris Bisnett (CTO), and John Ferrell (VP Engineering), all former NSA Tailored Access Operations (TAO) cyber operators. Their offensive-security backgrounds inform the company's threat-hunting philosophy: understanding attacker tradecraft deeply before building defenses. Hanslovan serves as the public face and strategic leader, regularly appearing at security conferences and in industry press. He emphasizes that Huntress occupies a market others shunned—a conviction that took until Series B to win over institutional investors. The current board includes representatives from all major investors: Kleiner Perkins, Meritech Capital, Sapphire Ventures, ForgePoint Capital, and JMI Equity. Headcount grew from approximately 360 at the time of the Series D announcement (June 2024) to an estimated 400+ by year-end 2024. Leadership depth beyond the three founders has expanded with the addition of a VP of Channels and Alliances (Tuan Nguyen, hired in 2025) as Huntress pursues distribution partnerships beyond the MSP channel. Key-person risk is elevated given Hanslovan's prominent public role, but the founding team's continued presence reduces single-person dependency relative to solo-founder models. [CO006, CO007, CO008, CO009, CO010]

1.3 Funding History and Capital Structure

Huntress has raised approximately $308–$310M in total funding across multiple rounds. The company bootstrapped early before securing institutional capital, which it pursued against investor skepticism about the SMB market. By the Series B (completed c. 2021), Huntress had convinced institutional backers of the SMB thesis. The Series C positioned Huntress to transition from a single-product company to a multi-product platform. The June 2024 Series D of $150M—led by Kleiner Perkins and Meritech Capital with participation from existing backer Sapphire Ventures—more than doubled the company's prior valuation to above $1.5B, marking unicorn status. Prior investors ForgePoint Capital and JMI Equity remain on the cap table. Per CEO Hanslovan, the Series D is intended to be the final private raise before an IPO; approximately half the proceeds are earmarked for R&D and M&A, with the remainder for go-to-market expansion. The company also acquired Curricula (security awareness training) and Level Effect (threat detection) as complementary capability buys. Total raised is sometimes cited at $268M (pre-full-round accounting) and other times at $308M+ depending on source methodology; the post-Series D figure of $308–$310M appears most consistent across multiple independent sources. [CO011, CO012, CO013, CO014, CO015]

1.4 Scale Metrics and Milestones

Huntress reached $100M ARR on September 16, 2024—a milestone termed "centaur status" in SaaS parlance—after sustaining over 70% year-over-year revenue growth for two consecutive years. At that date the platform secured more than 3 million endpoints, protected more than 1 million identities, and defended 120,000+ businesses via 4,000+ MSP partners. Huntress has expanded geographically into APAC and EMEA and entered new vertical markets including healthcare, state and local government, and financial services. The company's healthcare exposure notably includes 14,000 healthcare companies, many relying on the United/Change Healthcare network. Product breadth expanded substantially post-Series C with the launch of ITDR (Microsoft 365 and Google Workspace identity protection), acquisition of Curricula for security awareness training, and the 2024 launch of a managed SIEM product. Huntress ranked 149th on the 2025 Deloitte Technology Fast 500™, confirming its sustained hypergrowth trajectory. G2 ranked Huntress #1 in endpoint detection and response for 9 consecutive quarters as of Summer 2024. The company holds no public adverse regulatory, litigation, or sanctions records as of the research date. [CO016, CO017, CO018, CO019, CO020, CO021]

1.5 Adverse and Risk Signals

No material litigation, regulatory enforcement actions, or sanctions have been publicly reported against Huntress as of May 2026. The company's SOC team publishes detailed transparency reports through quarterly and annual threat intelligence publications, positioning it as a credible voice on SMB threat landscape rather than a target. One noted risk factor is the company's healthcare customer concentration: 14,000 healthcare clients (a disclosed figure from CEO comments) means exposure to healthcare sector disruptions. During the 2024 Change Healthcare ransomware incident, Hanslovan publicly acknowledged that many of his healthcare clients were impacted by the billing disruption—not by breaches of Huntress systems. Investor dilution risk is present given substantial venture funding, but the company's consistent growth trajectory and move toward IPO mitigates concerns about forced recapitalization. The burn ratio was reported at 0.6 as of 2024, indicating capital efficiency ahead of most SaaS peers. Headcount data from third-party databases (LATKA) suggests rapid hiring toward 815 by 2025, which if confirmed would imply ARR per employee declining from $278K to ~$147K—a standard growth-phase dynamic but worth monitoring for cost discipline. The 0.7% false positive rate on alerts, cited by independent analysts, is a quality signal but is a company-promoted figure not independently audited. [CO022, CO023, CO024, CO025]

1.6 Exhibits

2.1 Market Boundaries and Definitions

Huntress operates in a market bounded by three nested categories: (1) global SMB cybersecurity spending, which encompasses all security products and services purchased by businesses with fewer than 500 employees; (2) the managed security services / MDR subset, where a vendor provides human-led continuous monitoring, detection, and response rather than software licenses alone; and (3) the MSP-mediated cybersecurity channel, in which managed service providers bundle security into their IT services stack for SMB clients. Excluded from Huntress's directly addressable market are: pure enterprise security (Fortune 500 / large enterprise contracts requiring minimum 300+ endpoint deployments and enterprise procurement cycles), consumer security products (antivirus for individuals), and standalone firewall or network-perimeter hardware. The status-quo substitute for Huntress is a fragmented stack of point products (antivirus + endpoint agent + manual SOC monitoring) managed by an underfunded in-house IT generalist or a bare-bones MSP—a substitute that provides substandard protection but exists at zero incremental cost to the customer. Adjacencies include SIEM (now a Huntress product), security awareness training (addressed via Curricula acquisition), identity and access management (IAM), and vulnerability management. Huntress is actively expanding into all of these adjacencies, enlarging its SAM. [CM001, CM002, CM003]

2.2 Market Sizing and Growth Trajectories

Market sizing for the SMB cybersecurity space varies substantially by analyst methodology. Growth Market Reports estimates the global SMB cybersecurity market at $39.8 billion in 2024, growing at a 13.2% CAGR to reach $110.2 billion by 2033. Techaisle projects global SMB IT security spending at $90 billion for 2024, a 9.4% year-over-year increase. Analysys Mason sizes the SMB cybersecurity sub-market more conservatively at $52 billion by 2028. These estimates diverge because of scope differences: "SMB IT security spend" (Techaisle) counts broader IT budget, while "SMB cybersecurity market" estimates from Growth Market Reports and Analysys Mason focus on dedicated security products and services. The MDR sub-market, Huntress's most direct category, is sized by Mordor Intelligence at $4.19 billion in 2025, growing at a 21.95% CAGR to $11.3 billion by 2030. This is a narrower category than total SMB security but captures the human-led managed service premium that Huntress commands. Techaisle data shows Managed Detection and Response is the single fastest-growing security category for SMBs and midmarket firms, with a projected 112% adoption increase—the highest of any security category. Huntress's current $100M ARR implies a market share of approximately 2.4–2.5% of the MDR sub-market ($4.2B, 2025 estimate) and less than 0.3% of the broad SMB cybersecurity TAM ($39.8B, 2024 estimate). Both figures underscore substantial headroom. The company's $1.5B valuation at approximately 15x ARR implies investor expectation of material market share gains in the MDR and SMB security segments over the next 5 years. [CM004, CM005, CM006, CM007, CM008, CM009]

2.3 Buyer, User, and Payer Segmentation

Huntress's go-to-market operates through a two-tier channel structure: (1) MSP partners as direct buyers and payers (they purchase Huntress licenses per endpoint/identity and mark up or bundle into their service fee), and (2) SMB businesses as end-users who experience the product indirectly through their MSP. This creates a compound buyer dynamic: the MSP's primary decision is whether to standardize on Huntress within their security stack, while the SMB's role is primarily as the end-consumer whose outcome drives retention. By customer segment, Huntress targets: - Healthcare SMBs (14,000 healthcare clients): Medical practices, clinics, specialty healthcare providers—regulated, breach-sensitive, often running legacy systems. - State and local government (SLED): Underfunded IT departments with mandatory compliance requirements and rising ransomware targeting by nation-state actors. - Financial services SMBs: Community banks, credit unions, independent advisors—subject to state and federal financial regulation and cyber insurance requirements. - General SMBs (majority of base): Professional services, retail, hospitality, manufacturing with 10–250 employees, relying entirely on MSP for IT support. Budget ownership lies with the MSP's vCISO or account manager in most partner-led deals. For direct SMB deals, the decision maker is typically the IT director, CEO, or CFO. Adoption triggers include: (1) a near-miss ransomware event or actual breach at a peer business, (2) cyber insurance renewal requiring endpoint detection evidence, (3) MSP upsell motion during contract renewal, and (4) regulatory compliance audit requirement. [CM010, CM011, CM012, CM013, CM014]

2.4 Growth Drivers and Adoption Constraints

The primary demand drivers accelerating SMB cybersecurity adoption in 2024–2026 are: Ransomware surge and SMB targeting: SMBs now constitute 46% of all cybersecurity breach incidents (Verizon DBIR), and 82% of SMBs reported falling victim to ransomware in 2021 (Huntress/MVP research). Average SMB breach cost rose from $2.92M in 2022 to $3.31M in 2023. The threat is no longer theoretical, which is the most powerful demand accelerant. AI-powered attack scaling: Threat actors now use AI to automate phishing at scale, produce convincing business email compromise (BEC), and accelerate credential stuffing. The 2025 Huntress Cyber Threat Report documents proliferating remote access trojans (RATs), sub-17-hour ransomware deployment windows, and living-off-the-land techniques that bypass traditional AV. Each new attack capability increases the value of human-led MDR. Cyber insurance requirements: Insurance underwriters increasingly mandate verified EDR deployment as a precondition for coverage. This creates a non-discretionary adoption trigger that MSPs can use to standardize their customer base on security products like Huntress. Regulatory pressure: HIPAA (healthcare), state-level data breach notification laws, and emerging federal cybersecurity frameworks create compliance-driven demand especially in healthcare and SLED segments where Huntress is expanding. Adoption constraints include: SMB budget sensitivity (average monthly IT security budget for a 25-employee SMB may be $200–$500, limiting per-seat spend); MSP channel fragmentation (an individual MSP's ability to standardize on Huntress depends on their own security maturity); switching costs from incumbent AV/EDR vendors that are already deployed; and "good enough" perception—many SMBs feel existing AV provides adequate protection until they experience a breach. [CM015, CM016, CM017, CM018, CM019, CM020]

2.5 Sizing Gaps and Methodological Caveats

Significant methodological variation exists across the market sizing estimates used in this analysis. Key caveats: The Techaisle $90B figure includes all SMB IT security spend categories (endpoint, network, cloud, identity, email) and may double-count spend that flows through platform deals. The Growth Market Reports $39.8B is more conservative and includes only dedicated security product/service revenue. Neither figure has been independently audited for this report. The MDR market size of $4.19B (Mordor Intelligence, 2025) counts the global market across enterprise and SMB—the SMB-specific MDR sub-segment is not separately published. Huntress competes primarily for the SMB slice of MDR, which may be 30–40% of the total MDR market based on SMB share of security spending (~62% of total cybersecurity spend per Analysys Mason projection for 2028), but the SMB MDR figure is an estimate, not directly reported. The MSP-channel cybersecurity sub-market ($7B–$10B, 2022–2028 per Analysys Mason) is the most relevant addressable market for Huntress given its distribution model, but this figure is paywalled and cannot be independently verified in this report. [CM021, CM022, CM023]

2.6 Exhibits

3.1 Competitive Landscape Overview

The competitive landscape for Huntress spans four categories: (1) MSP-focused MDR peers operating at the same price point and channel model (Blackpoint Cyber); (2) enterprise MDR/EDR platforms with partial SMB reach (Arctic Wolf, CrowdStrike Falcon Complete, SentinelOne Singularity); (3) traditional endpoint protection vendors at the AV/light-EDR tier (Malwarebytes/ThreatDown, Sophos, ESET); and (4) the status-quo "no managed security" substitute (Windows Defender + manual IT support). The most important competitive dimension for Huntress is the MSP-mediated channel. Vendors that require direct enterprise procurement cycles or complex deployment are effectively excluded from most of Huntress's MSP-managed SMB addressable market. This structural filter significantly narrows the field of effective direct competitors. In the MSP channel, Blackpoint Cyber is the most comparable alternative; Arctic Wolf competes at the MSP midmarket tier but is more enterprise-oriented. Vendor comparison platforms (G2, Gartner Peer Insights, PeerSpot) consistently rank Huntress #1 in the SMB MDR category. On G2, Huntress has achieved the #1 EDR ranking for 9+ consecutive quarters as of mid-2024, with a 4.9/5 rating across hundreds of reviews. PeerSpot user reviews specifically cite Blackpoint Cyber as the primary point of comparison for MSPs evaluating Huntress alternatives. Industry reviews note Huntress's strong SOC responsiveness (users report sub-60-second response times) and competitive per-endpoint pricing. [CP001, CP002, CP003]

3.2 Direct and Nearest-Peer Competitor Profiles

BLACKPOINT CYBER (nearest direct competitor): Founded 2014, headquartered in Annapolis, MD (15 miles from Huntress's Columbia, MD HQ). MSP-focused MDR with a CompassOne platform that unifies EDR, identity protection, and SOC. Raised $190M in a Francisco Partners-led Series C in May 2023—the largest single funding round for an MSP-focused cybersecurity company at that time. Channel model is nearly identical to Huntress's: per-endpoint licensing sold through MSP partners with a white-label-friendly interface. Blackpoint claims traditional EDR misses 72% of attacks, and differentiates on real-time SOC action before the alert. The CompassOne rebrand (2024–2025) represents an expansion from pure MDR toward a broader security platform. Funding level ($190M) is lower than Huntress ($310M), and the company has not publicly disclosed ARR or customer count equivalents to Huntress's $100M ARR and 120,000+ businesses metrics. PeerSpot user reviews specifically name Blackpoint as an alternative, with one user recommending "evolving from EDR to MDR, like Blackpoint." ARCTIC WOLF (midmarket MDR): Founded 2012, headquartered in Eden Prairie, MN with operations in San Antonio, TX. Service-first MDR with Concierge Security Team model and Aurora Superintelligence Platform. Scale: 10,000+ customers globally, 1,000+ security engineers, 200+ platform integrations. Raised $401M Series F in 2021 at $4.3B valuation; has explored IPO multiple times (delayed 2022, 2024). Aurora Agentic SOC (2025) uses AI to automate threat investigation while keeping humans in the loop for decisions. Performs 202+ Security Posture in-Depth Reviews (SPiDRs) per day. Claims to reduce attack frequency by 90% and impact by 90%. Arctic Wolf targets mid-market and enterprise customers more than SMBs; its pricing is typically higher than Huntress and it does not emphasize the MSP channel to the same degree. It is a category validator and potential future M&A competitor rather than a primary day-to-day competitive threat for Huntress's SMB base. [CP004, CP005, CP006, CP007, CP008]

3.3 Enterprise and Platform Competitor Profiles

CROWDSTRIKE (enterprise incumbent): Nasdaq-listed (CRWD), market cap ~$70B+ as of mid-2024. Falcon platform encompasses EDR, XDR, MDR (Falcon Complete), Next-Gen SIEM, identity protection, and cloud security. ARR exceeded $3.7B in FY2024. Enterprise-focused: Falcon Complete MDR is priced for large enterprise deployments (typically 300+ endpoint minimums, $8–$15+/endpoint/month range). The July 2024 CrowdStrike outage—when a faulty sensor update caused a global IT disruption affecting millions of Windows systems—was a material reputational event. For MSPs, the outage reinforced concerns about over-dependence on a single enterprise vendor's kernel-level agent. Huntress's agent-light, kernel-safe approach is a direct competitive positioning point against this risk. CrowdStrike does have SMB reach via resellers but is not optimized for the sub-50-employee SMB served by Huntress's typical MSP partner. SENTINELONE (AI-first XDR): NYSE-listed (S), market cap ~$15B+ as of late 2024. Singularity platform: AI-driven EDR with autonomous response (patented 1-click rollback), Purple AI natural language queries, and Vigilance MDR service. ARR ~$720M+ (FY2025). More automation-first philosophy than Huntress's human-led SOC. Expanding channel via MSPs for SMB reach. 1-click rollback is a strong technical differentiator vs. manual remediation. Pricing is mid-tier (~$6–$10/endpoint/month for managed tiers), making it competitive with Huntress for budget-sensitive MSPs. SentinelOne's broader enterprise focus and platform complexity may limit penetration into micro-SMB (<25 employees) where Huntress excels. MALWAREBYTES / THREATDOWN (AV-tier status-quo competition): Malwarebytes serves small businesses (Teams product, 20+ endpoints) and has rebranded ThreatDown for the B2B market. ThreatDown bundles include Core (next-gen AV), Advanced EDR, and optional add-ons. No full-stack 24/7 SOC or human-led threat hunting is included. Price point: approximately $4–$6/device/year at entry level (significantly lower monthly than Huntress). Malwarebytes competes primarily as a status-quo incumbent whose customers upgrade to Huntress after a near-miss incident or cyber insurance requirement. It is not a feature-competitive MDR alternative but a pricing-based substitute at the lower end. [CP009, CP010, CP011, CP012, CP013]

3.4 Comparative Differentiation and Switching Economics

Huntress's primary differentiation across the competitive set rests on four dimensions: 1. MSP-native design: Huntress was built from day one to serve the MSP distribution model with white-label-friendly interfaces, per-endpoint pricing, RMM integration, and partner success resources. Competitors like CrowdStrike and SentinelOne retrofitted channel programs onto enterprise products; their per-seat minimums and complexity often exclude micro-SMBs. 2. Human-led SOC at SMB price: Huntress provides 24/7 human threat hunters for ~$3–$5/endpoint/ month, a price point that enterprise MDR vendors typically cannot match. PeerSpot reviewers repeatedly cite "Huntress helped reduce the need for expensive security tools or to hire expensive security analysts" as the primary value driver. 3. Threat intelligence flywheel: With 4M+ endpoints as of early 2025, Huntress accumulates threat telemetry across a large SMB-specific dataset. Threat actors who target SMBs create detectable patterns that Huntress SOC analysts see first, enabling faster-than-vendor-average detection of campaign-level attacks. 4. Non-kernel agent: Huntress's agent does not operate at kernel level, contrasting with CrowdStrike's kernel-level approach that contributed to the July 2024 global outage. This architectural choice reduces endpoint stability risk. Switching costs are moderate: MSPs standardize their security stack and train their team around a specific toolset; retraining and reconfiguring for a new MDR vendor is a 2–4 month effort. However, no proprietary data lock-in exists (logs, endpoint data are not uniquely controlled by Huntress). An MSP that chooses Blackpoint could transition within a single contract cycle. Multi-homing is relatively low; MSPs typically pick one MDR platform, creating winner-take-most dynamics within a given MSP's stack. [CP014, CP015, CP016, CP017, CP018]

3.5 Moat Durability and Commoditization Risk

The primary commoditization risk for Huntress is AI-driven MDR automation. As AI models improve at threat detection and autonomous remediation (evidenced by SentinelOne's Purple AI, Arctic Wolf's Aurora Agentic SOC, and CrowdStrike's Charlotte AI), the human-labor cost advantage of Huntress's SOC could erode. If AI can automate 80%+ of the SOC analyst workflow, the per-endpoint economics for AI-first platforms will compress, potentially enabling CrowdStrike or SentinelOne to offer competitive managed response at lower price points. A secondary risk is MSP consolidation: if large MSPs are acquired by or merge with direct security vendors (e.g., a CrowdStrike acquisition of an MSP platform), Huntress's channel could be disrupted. This risk is currently low (no major MSP acquisitions by primary security vendors) but warrants monitoring. Counterarguments to commoditization: (1) Attack complexity is also increasing with AI, meaning human judgment remains valuable for novel threats; (2) Huntress's SMB threat intelligence dataset is specific—enterprise AI models trained on Fortune 500 telemetry may perform poorly on SMB-specific attack patterns; (3) Huntress's own AI investments (reported in 2025 product roadmap) may preserve parity. Huntress's channel relationship depth (7,000+ MSP partners who have integrated Huntress into their stack) represents a sticky retention advantage that pure product features cannot easily replicate. [CP019, CP020, CP021, CP022]

3.6 Exhibits

4.1 Revenue Streams and Business Model Architecture

Huntress generates revenue exclusively from subscription contracts sold through its MSP channel. The MSP licenses Huntress on a per-unit basis and marks up or bundles the cost into their managed service fee to SMB end-customers. Revenue is recognized ratably over the subscription period (monthly or annual), producing highly predictable, recurring ARR. There is no material professional services, implementation, or consulting revenue disclosed. The company does not operate a marketplace or transactional model. The product portfolio generates revenue across four distinct units: (1) Managed EDR/endpoint protection: per-endpoint/month; the primary revenue driver. (2) Identity Threat Detection (ITDR): per-identity/month; growing add-on for M365/Google Workspace customers; 1M+ identities as of Sep 2024, 2M+ as of early 2025. (3) SIEM: launched 2024; per-event or per-tenant pricing model (specific pricing not publicly disclosed); early-stage contribution to ARR. (4) Security Awareness Training (SAT via Curricula): per-user/month; expanded platform TAM. Revenue concentration risk: the MSP channel is Huntress's sole distribution channel. The loss of top-20 MSP partners would represent a material revenue event. No customer concentration disclosures are available. International revenue: described as early stage or minimal based on available disclosures. The Series D announcement cited international expansion as a use-of-funds priority, suggesting international ARR contribution is <10% of total as of 2024. [CI001, CI002, CI003, CI004]

4.2 Revenue Traction and Growth Profile

Huntress has publicly disclosed ARR milestones at three points: - $70M ARR at some point in 2023 (inferred from growth trajectory) - $100M ARR as of September 2024 (confirmed by ForgePoint Capital and company statements) - 70%+ year-over-year ARR growth for three consecutive years At $100M ARR with 70% YoY growth, Huntress grew from approximately $59M ARR (12 months earlier) to $100M. The Rule of 40 score (growth rate + estimated FCF margin) is favorable assuming a growth rate of 70% partially offset by negative free cash flow at current burn. An unverified third-party estimate (LATKA) suggests ARR of ~$120M in 2025, implying deceleration to ~20% YoY growth—a material change in trajectory that requires diligence scrutiny but is unverified and inconsistent with the company's disclosed 70%+ trend. The company has 120,000+ businesses defended (Sep 2024), 4M+ endpoints (early 2025), and 7,000+ MSP partners. Average revenue per endpoint at $3.50/month yields implied annual endpoint revenue of approximately $168M/year (4M endpoints × $3.50 × 12)—which exceeds the disclosed $100M ARR, suggesting either endpoint count is conservative, pricing varies widely, or not all endpoints are billed at the average rate. This gap is a diligence item. Deloitte Technology Fast 500 (2025): Huntress ranked 149th, confirming sustained high revenue growth relative to its technology peer set across the 2021–2024 period. [CI005, CI006, CI007, CI008, CI009]

4.3 Cost Structure and Margin Drivers

Huntress's cost of goods sold (CoGS) is primarily SOC labor (24/7 security analysts), cloud infrastructure (endpoints reporting to the Huntress cloud), and threat intelligence operations. Unlike pure software companies, the human-led SOC is a meaningful variable cost that scales with endpoint count. Industry benchmarks for comparable managed security companies (Arctic Wolf, Deepwatch, eSentire) suggest gross margins in the 60–75% range. Key cost structure assumptions (all unverified / estimated): - SOC labor: estimated 25–35% of revenue (primary CoGS item); includes 24/7 analyst staff, shift coverage, training, and incident response capacity. - Cloud infrastructure: estimated 5–10% of revenue; endpoint data telemetry is infrastructure-intensive. - Sales and marketing: per-MSP partner acquisition and enablement costs; typical for high-growth SaaS companies at 30–40% of revenue at growth stage. - R&D: product development for SIEM, ITDR expansion, and AI tooling; estimated 25–35%. - G&A: corporate overhead; estimated 10–15%. Headcount: approximately 360 employees as of June 2024, estimated 400–450 by end-2024. At $100M ARR and ~400 headcount, the ARR/FTE ratio is approximately $250K—below pure-SaaS benchmarks (~$400K+) but reasonable for a company with a significant SOC services component. Gross margin expansion path: as the product platform expands from pure MDR to SIEM + ITDR + SAT, the software-only layers (SIEM, ITDR) carry higher gross margins than the human-services MDR layer. Platform mix shift toward software could expand gross margins from a current estimated 65–72% toward 75%+ over 3–5 years. [CI010, CI011, CI012, CI013, CI014]

4.4 Capital Adequacy, Burn, and Runway

Funding history by round (chronological; funding amounts rounded): - Seed: ~$10M (2018, ForgePoint Capital) - Series A: undisclosed (2020, ForgePoint Capital) - Series B: ~$40M (2021, JMI Equity + ForgePoint) - Series C: ~$60M (2022, JMI Equity) - Series D: $150M (June 2024, Kleiner Perkins lead, Meritech Capital + Sapphire Ventures) - Total raised: ~$310M Burn and runway: Huntress has not publicly disclosed burn rate or cash position. Industry analysts (MVP analysis) estimated a burn ratio of approximately 0.6 (burn/new ARR), which at 70% growth on $100M ARR base implies annual ARR adds of ~$70M and an estimated burn of ~$42M/year. At this burn rate, $150M from Series D would provide ~3.5 years of runway from June 2024. However, the burn ratio is a secondary-source estimate and is not verified. Use of Series D proceeds: Huntress CEO Kyle Hanslovan cited three primary uses—(1) SIEM product development to democratize access for MSPs, (2) international market expansion, and (3) vertical market expansion into healthcare, SLED, and financial services. IPO timeline: As of September 2024, the company targeted an IPO within 18–24 months (late 2025 to mid-2026). As of May 2026, no S-1 has been publicly filed. The IPO timeline may have been delayed by public market conditions or organizational readiness. This is a significant capital markets risk. Debt: No public credit facilities, revenue-based financing, or venture debt disclosures found during research. Company appears equity-funded only. [CI015, CI016, CI017, CI018, CI019]

4.5 Financial Diligence Blockers and Revenue Quality Assessment

Revenue quality drivers (positive): - 100% recurring subscription revenue with monthly/annual terms reduces revenue concentration risk - MSP channel creates natural expansion mechanism: each new MSP adds multiple SMB clients - Net Revenue Retention (NRR) not disclosed but expected to be high (>115%) based on per-endpoint expansion as MSPs add clients and products - Annual contract value (ACV) not disclosed; per-MSP ACV estimated at $10K–$100K depending on size of partner's customer base Revenue quality risks: - No disclosed NRR, GRR, or customer churn rate - No disclosed ACV by product line - Endpoint-to-ARR implied math gap (see SI002) requires diligence - LATKA unverified ARR estimate of ~$120M for 2025 implies potentially significant growth deceleration from 70%+ to ~20% if accurate; must be verified against company disclosures - International revenue contribution not disclosed; international expansion creates currency and regulatory complexity - SOC labor scalability is the key gross margin risk: if ransomware incident volume surges, SOC overtime costs could temporarily compress margins without corresponding ARR growth Critical diligence blockers: - No audited financial statements publicly available (private company) - Gross margin not disclosed; estimated 65–72% but unverified - Burn rate not disclosed; estimated via burn ratio proxy only - NRR/GRR not disclosed - Customer-level cohort data (ARR by vintage MSP partner cohort) not available [CI020, CI021, CI022, CI023]

4.6 Exhibits

5.1 Platform Product Portfolio Overview

Huntress has evolved from a single-product EDR vendor into a multi-product "Agentic Security Platform" targeting the SMB/MSP security stack. As of May 2026 the platform includes six primary product lines: (1) Managed EDR—the flagship, covering Windows, macOS, and limited Linux endpoints with persistent-footholds detection and 24/7 ThreatOps human triage; (2) Managed ITDR—identity threat detection for Microsoft 365 and Google Workspace; (3) Managed SIEM—log management and compliance reporting launched September 2024; (4) Managed Security Awareness Training (SAT)—phishing simulation and behavior-based coaching acquired through the Curricula purchase; (5) Managed ISPM—Microsoft 365 identity security posture management, developed in under four months after the November 2025 Inside Agent acquisition; and (6) Managed ESPM—endpoint security posture management. ISPM and ESPM are in Early Access as of March 2026, with General Availability planned for Summer 2026. All products share a cloud-native, multi-tenant architecture hosted on AWS, expose a unified partner portal, and feed threat telemetry into the centralized 24/7 SOC for human-augmented analysis. The company also makes the platform available at no charge for MSPs' own internal security use, reducing adoption friction in the channel. [CE001, CE002, CE022, CE024, CE026, CE038]

5.2 Core EDR — Persistent Footholds, Agent Architecture, and ThreatOps

Huntress Managed EDR is built around the concept of "persistent footholds"—the registry keys, scheduled tasks, service entries, startup items, and living-off-the-land binary (LOLBin) invocations that attackers use to maintain hidden presence on Windows and macOS systems after initial access. Unlike preventative AV, Huntress's approach begins from the assumption that attackers may already be inside; its agent performs a deep survey of persistence mechanisms immediately on installation and continuously thereafter. The core agent (HuntressAgent.exe) is written in Go with no external dependencies, communicates over TLS 1.2/1.3 to Huntress cloud infrastructure on AWS, and consumes approximately 1% CPU and 20MB RAM under normal conditions (surveying conditions can spike to 5–10% CPU temporarily). A second agent, HuntressRio (Rio EDR), handles behavioral telemetry and process monitoring; it typically uses ~400MB RAM and is adaptive under load. The platform supports Windows 10/11 and Server 2016+ as first-class citizens; macOS support covers Ventura 13 through Tahoe 26 (macOS 16), added in May 2024 with active remediation capabilities. Linux support covers Ubuntu 22.04+, Debian 11+, RHEL 8.6+, CentOS Stream 9/10, SUSE 12/15, and Fedora 41/42 on kernel 5.14.50+ (64-bit); this coverage remains limited relative to Windows—SIEM syslog ingestion for Linux is listed as "coming soon" and feature parity with Windows is incomplete. The agent also includes Ransomware Canaries (lightweight decoy files triggering immediate alerts), External Recon (open-port scanning), and Managed Antivirus (centralized Microsoft Defender management on Windows). On macOS, Huntress can read XProtect and Defender telemetry but cannot apply configuration changes or manage exclusions—a noted limitation vs. Windows capability. ThreatOps analysts in the 24/7 SOC review all automated alerts, achieving a company-reported false positive rate below 1% across 3M+ monitored endpoints. [CE003, CE004, CE005, CE006, CE007, CE008]

5.3 Identity Threat Detection & Response (ITDR)

Huntress Managed ITDR protects Microsoft 365 and Google Workspace identity environments with continuous 24/7 monitoring and human-validated automated response. The product detects account takeovers, session hijacking (token/cookie theft), impossible travel, privilege escalation, unauthorized inbox-forwarding rules, business email compromise (BEC) patterns, and rogue OAuth application consent grants. When a confirmed threat is detected, ITDR can automatically terminate active sessions, disable accounts, and revoke tokens. The mean time to respond for identity incidents is approximately 3 minutes—faster than EDR's ~8-minute MTTR because identity actions (session revocation) require less forensic confirmation than endpoint quarantine. Huntress has claimed to be the first vendor to deliver proactive OAuth application threat protection in Microsoft 365 environments, cataloguing abused OAuth/OIDC apps in its open-source RogueApps repository on GitHub. In April 2025, Huntress unveiled an enhanced ITDR solution with improvements to automated response and coverage for Entra (Azure AD) Conditional Access integration. Per the company's 2025 Managed ITDR Report, identity-based attacks represent approximately 40% of all tracked security incidents, underpinning the strategic importance of the product. ITDR coverage currently emphasizes Microsoft 365 and Entra ID; Google Workspace coverage is offered but considered secondary. Coverage of other SaaS identity providers (Okta, Ping, etc.) is not documented in publicly available materials and represents a diligence gap. [CE013, CE014, CE015, CE011, CE030]

5.4 SIEM, SAT, and Emerging Posture Products

Huntress Managed SIEM launched in September 2024, designed to disrupt the traditional all-or-nothing enterprise SIEM model by applying "Smart Filtering"—collecting only security-relevant logs rather than ingesting all data. Pricing is based on data sources (firewall, VPN, identity, endpoint count), not on data volume, eliminating the cost unpredictability that has historically deterred SMBs. The SIEM supports 20+ integrations including Fortinet, Palo Alto Networks, 1Password, Keeper, Duo, and others, with data retained up to seven years for compliance purposes. Compliance frameworks supported include PCI-DSS, SOC 2, HIPAA, CMMC Level 2, and the Australian Signals Directorate's Essential Eight. The SIEM feeds telemetry back into the Huntress SOC, improving threat correlation across endpoint, identity, and network data sources. Per CRN reporting from XChange 2025, Huntress leadership acknowledged the SIEM is still in "early development" relative to its eventual target capability but is on an accelerating improvement curve. Only 10% of MSPs using SIEM manage to deploy it across more than 10% of their client base—a problem Huntress aims to address with a simplified, scalable deployment model. Managed Security Awareness Training (SAT), acquired through the Curricula purchase, offers expert-managed phishing simulations using real attack scenarios from Huntress threat intelligence, just-in-time Phishing Defense Coaching, multi-channel simulation (email, SMS, voice, Slack/Teams), gamified training content, risk scoring per user, and automated compliance reporting. The SAT platform integrates with Microsoft (directory sync) and includes a Content Creator Tool for custom scenario building. Two new products—Managed ISPM (Identity Security Posture Management) and Managed ESPM (Endpoint Security Posture Management)—entered Early Access in March 2026. ISPM was built in under four months after Huntress acquired Inside Agent (a London-based M365 hardening specialist) in November 2025. ISPM performs 100+ environment checks against CIS Microsoft 365 Benchmark standards, covering Entra, Exchange, Intune, SharePoint, and Teams. ESPM integrates with Microsoft Defender for Endpoint for vulnerability management, blocks rogue RMM tools, and controls application execution on endpoints. [CE016, CE017, CE018, CE019, CE020, CE021]

5.5 ThreatOps SOC — Human-Augmented Security Operations

The Huntress ThreatOps team is the company's primary competitive differentiator. Staffed by former NSA Tailored Access Operations (TAO) cyber operators and elite security researchers, the SOC operates 24/7 with analysts distributed across the United States, United Kingdom, and Australia for follow-the-sun coverage. The total SOC headcount exceeds 100 threat experts as of 2024, though Huntress does not publish a precise analyst count. Operational metrics disclosed by Huntress for 2024 include: >78,000 confirmed high/critical endpoint incident reports sent; >8,000 high/critical identity incident reports; mean time to respond ~8 minutes for endpoint threats and ~3 minutes for identity threats; false positive rate <1%; and customer satisfaction score of 98.8%. The SOC follows a tier-1/tier-2/tier-3 escalation model: tier-1 analysts triage automated alerts, tier-2 confirms incidents and drafts remediation reports, and tier-3 conducts deep-dive threat hunting. Every verified incident triggers a custom incident report with actionable remediation steps delivered via the MSP portal or integrated PSA ticketing. The human SOC layer is what distinguishes Huntress from pure-automation EDR vendors that rely on self-service alert review. Huntress also contributes to community security research through its open-source GitHub presence (huntresslabs), including the RogueApps OAuth threat catalogue and the threat-intel repository with YARA signatures and IOCs from blog post research. Annual community CTF (Capture the Flag) events further demonstrate research capability and attract detection engineering talent. [CE009, CE010, CE011, CE012, CE031, CE032]

5.6 MSP Integration Architecture & Platform Infrastructure

Huntress is architecturally designed for multi-tenant MSP delivery. The unified partner portal provides per-client isolation with aggregated fleet views across all managed organizations. Agent deployment integrates with all major RMM platforms: Kaseya VSA, NinjaRMM (NinjaOne), Datto RMM, and others support PowerShell-based mass deployment scripts maintained in the huntresslabs/deployment-scripts GitHub repository. PSA integrations include ConnectWise Manage, Datto Autotask, and HaloPSA—each receiving auto-generated tickets when Huntress confirms an incident, with incident status and remediation steps embedded in the ticket. Integration uses OAuth2 or API key authentication, with organizational mapping aligning Huntress account units to PSA customer records for precise alert routing. The Huntress Agent uses TLS 1.2/1.3 for cloud communication; no cleartext transmission is supported. Cloud infrastructure is hosted on AWS; Huntress does not publish specific cloud region deployment details, representing a diligence gap for customers with data residency requirements. The SIEM log ingestion architecture uses Smart Filtering at the source agent layer, reducing upstream bandwidth and storage cost. The Huntress platform is available to MSP partners for their own internal security use at no charge, reducing deployment risk and encouraging platform familiarity before client rollout. [CE027, CE028, CE029, CE003, CE017, CE038]

5.7 Technical Differentiation, Gaps, and Technology Risk

Huntress's key technical differentiations are: (1) purpose-built for MSP multi-tenancy from day one, unlike enterprise EDR platforms retrofitted for the channel; (2) non-kernel agent architecture, avoiding the class of endpoint stability risk exposed by the July 2024 CrowdStrike Falcon outage; (3) persistent-footholds-first detection philosophy that catches threats conventional AV misses; (4) sub-$5/endpoint/month pricing enabling broad SMB deployment; and (5) human SOC at scale delivering <1% false positives without requiring customer SIEM expertise. However, material gaps and adverse signals must be noted. macOS support, added May 2024, cannot manage or configure built-in AV tools (XProtect, Defender for Mac)—limiting preventive capability relative to Windows. Linux support remains basic with incomplete feature parity; SIEM syslog ingestion from Linux agents is not yet available as of May 2026. There is no mobile (iOS/Android) coverage. The SIEM product is acknowledged by Huntress leadership to be in early development relative to its ultimate target capability. G2 and Gartner Peer Insights user reviews cite weak reporting customization, delayed alert notifications, limited visibility on failed login events, and a clunky UI/UX in the portal. The SOC relies on human analysts—a model that delivers quality but may face margin pressure and scalability constraints as the monitored endpoint base grows, and which Huntress management acknowledges will require AI augmentation over time. Data residency commitments for SIEM and ITDR are not publicly documented, a gap for healthcare and public-sector clients with strict data governance requirements. Competition from enterprise vendors expanding downmarket (CrowdStrike Falcon Go, SentinelOne) and MSP-native peers (Blackpoint Cyber) could compress differentiation windows within 2–3 years. [CE006, CE007, CE008, CE033, CE035, CE036]

5.8 Exhibits

6.1 Customer Profile and Ideal Customer Characteristics

Huntress's end-customers are small and mid-sized businesses (SMBs) typically employing between 5 and 500 people—organizations that cannot afford dedicated in-house security operations teams but face the same ransomware, business email compromise (BEC), and identity-based threats as large enterprises. Typical Huntress-defended customers include dental offices, law firms, CPA practices, regional accounting firms, K-12 school districts, municipal governments, community health clinics, and independent insurance agencies. The pitch to these customers is direct: "Your existing antivirus won't stop modern ransomware—we will detect and evict the attacker before they encrypt your files, and your MSP doesn't need to hire a security analyst to make it happen." This resonates because SMBs are disproportionately targeted by ransomware gangs who know they lack detection capabilities, and because the cost of a breach vastly exceeds the cost of Huntress. Customer acquisition is entirely indirect: SMBs do not buy from Huntress directly. They receive Huntress coverage when their MSP (managed service provider) deploys the Huntress agent as part of the MSP's managed security stack. This creates a two-sided customer dynamic: the MSP is the buying customer (B2B); the SMB is the protected beneficiary. For diligence purposes, the relevant customer churn unit is the MSP partner, not the individual SMB business. The SMB security buying trigger has become structurally stronger due to three forces: (1) Cyber insurance underwriters increasingly require endpoint detection and MFA as conditions of coverage; (2) Healthcare, legal, and financial services SMBs face regulatory compliance mandates (HIPAA, FTC Safeguards Rule, state privacy laws); (3) Ransomware frequency targeting SMBs has grown, with Huntress's own 2025 Cyber Threat Report documenting proliferating RATs, RMM-abuse, and evolving ransomware. These forces are secular tailwinds that structurally expand the addressable buyer pool and reduce price sensitivity for Huntress's core offering. [CU001, CU002, CU003, CU004]

6.2 Customer Scale, Reach, and Adoption Trajectory

As of September 2024, Huntress publicly disclosed the following scale figures (confirmed by multiple independent sources including ForgePoint Capital and company press releases): - 120,000+ SMB businesses defended - 3M+ endpoints managed - 1M+ identities protected (M365/Google Workspace identities under ITDR coverage) - 4,000+ MSP partners in the channel By early 2025, updated metrics from MSSP Alert confirmed continued scale gains: - 4M+ endpoints (33% increase from September 2024) - 2M+ identities (100% increase from September 2024) - 7,000+ MSP partners (75% increase from September 2024) These metrics reflect two compounding growth loops: (1) Existing MSP partners adding new SMB clients or expanding coverage within existing clients (endpoint or identity expansion); (2) Net new MSP partners being added to the channel. Healthcare stands out as the most prominently disclosed vertical: Huntress's own blog confirmed defending 14,000+ healthcare organizations, representing ~11.7% of all defended businesses. This vertical concentration reflects intentional go-to-market investment driven by HIPAA compliance requirements and the severity of healthcare ransomware attacks. Implied averages (all estimated): - Average defended businesses per MSP partner: ~17 (120,000 businesses / 7,000 partners) - Average endpoints per defended business: ~25–33 (4M endpoints / 120,000 businesses) - Average identities per defended business: ~17 (2M identities / 120,000 businesses) These averages reflect Huntress's SMB concentration: a 30-person dental office might have 30 endpoints and 35 M365 identities, aligning well with these implied averages and confirming the customer profile. [CU005, CU006, CU007, CU008, CU009]

6.3 Named Customer Proof and Reference Quality

Huntress's customer evidence takes several forms due to the indirect MSP channel model. Named end-customer case studies are limited because SMBs typically receive Huntress coverage as part of their MSP's stack rather than as a direct relationship with Huntress. The most verifiable customer proof comes from three categories: (1) Sector-level counts: Huntress explicitly disclosed 14,000+ healthcare organizations defended (blog, 2025) and 120,000+ total businesses (ForgePoint Capital, Sep 2024). These counts are the primary adoption proof rather than named logos. (2) MSP partner testimonials: Huntress's website and partner community pages feature named MSP testimonials from IT service providers who have deployed Huntress across their customer base. These testimonials document production deployment, threat detection outcomes, and the SOC response value. Multiple MSP operators on G2 and Spiceworks provide named reviews describing production deployments catching active threats. (3) Third-party review documentation: G2 reviewers (verified user accounts) have documented specific threat detection events—including catching fileless attacks and LOLBAS threats that preceded ransomware—providing outcome-level proof rather than simple satisfaction ratings. Gartner Peer Insights similarly documents production deployment outcomes in SMB environments. (4) Industry incident proofs: Huntress regularly publishes threat reports and incident documentation (e.g., the 2025 Cyber Threat Report) that describe real-world attacks detected and remediated through its platform. These represent implicit named-deployment proof via incident narratives even where customer names are anonymized. Key limitation: Huntress does not publish traditional enterprise case studies with named enterprise logos, ARR contribution, and measurable ROI outcomes. The customer proof is volumetric (120K+ businesses) and qualitative (review platforms) rather than the named-account reference format typical of enterprise security vendors. This is appropriate given the SMB indirect model but limits reference quality for diligence. [CU010, CU011, CU015, CU016, CU017]

6.4 Vertical Market Penetration and Segment Strategy

Huntress has moved from a broad SMB-horizontal approach toward explicit vertical market investment, naming healthcare, financial services, and SLED as priority verticals in its Series D messaging and creating dedicated vertical web pages. Healthcare is the most developed vertical. Huntress has dedicated healthcare-specific landing pages, blog content, and case studies emphasizing HIPAA compliance support, ransomware defense for patient records, and the vulnerability of under-resourced healthcare IT. The 14,000+ healthcare organizations figure was prominently disclosed in a 2025 Huntress blog post. Financial services is the second-named vertical. The FTC Safeguards Rule (effective for most non-bank financial institutions since June 2023) mandates qualified information security programs including continuous monitoring—a requirement Huntress's managed EDR directly satisfies. Small RIAs, CPA firms, mortgage brokers, insurance agencies, and community banks are natural targets for MSP-delivered Huntress coverage. SLED (State/Local/Education) is the third vertical. K-12 school districts and municipalities are among the most targeted ransomware victims because their IT budgets are minimal and their data is sensitive. Huntress's sub-$5/endpoint/month pricing is achievable within SLED budgets in a way that enterprise MDR at $15–$40/ endpoint is not. Legal sector: law firms holding client confidential data face increasing state bar association ethics obligations requiring adequate cybersecurity; Huntress actively markets to this segment. Geographic: Primarily US-based customer base as of 2024. Canada is an established secondary market. APAC and EMEA expansion were listed as Series D use-of-funds priorities, signaling international customers represent a small minority of current ARR but are a growth priority. [CU012, CU013, CU014, CU029]

6.5 Customer Satisfaction and Review Platform Signals

Independent review platform data consistently places Huntress among the top-rated managed EDR vendors, with particular strength in the SMB and MSP segments: G2: Huntress has been ranked #1 in the EDR (Endpoint Detection and Response) category for 9 consecutive quarters as of Summer 2024, based on user satisfaction and market presence scores. G2 reviewers consistently cite the 24/7 SOC response, ease of MSP deployment, and actionable threat alerts as key differentiators. G2 competitor comparison data positions Huntress favorably against Blackpoint Cyber, CrowdStrike, and SentinelOne for the MSP/SMB use case. Gartner Peer Insights: Huntress carries strong ratings in the Managed Detection and Response category, with reviewers specifically noting the product's appropriateness for resource-constrained IT environments. Capterra: Customer reviews emphasize agent-based deployment simplicity and quality of SOC-generated remediation guidance, with strong overall satisfaction ratings. Trustpilot: Reviews reflect positive overall sentiment, particularly from MSPs describing Huntress as a core component of their managed security stack. Reddit r/MSP community: Practitioner discussions consistently recommend Huntress as the preferred MDR option for SMB-focused MSPs, with strong endorsements for catching fileless attacks and LOLBAS threats that endpoint AV products miss. Adverse review themes: Some customers cite annual price increases (from $2.50 to $3.50/endpoint) without equivalent feature additions. A minority mention occasional false positives and the need for MSP involvement to resolve alerts. [CU018, CU019, CU020, CU021, CU022]

6.6 Channel Economics, Retention Durability, and Concentration Risk

Huntress's entire distribution model flows through MSP partners, creating a structurally different retention dynamic than direct-to-SMB vendors. MSP switching costs are high: an MSP standardizing on Huntress faces substantial operational disruption to switch—agent re-deployment across all customer endpoints, retraining of technicians, reconfiguration of alert workflows. Once embedded, Huntress tends to stay. The inverse concentration risk is severe: if a large MSP partner churns, all of its SMB clients leave simultaneously. A single large-MSP churn event is not a customer event—it is a portfolio event. This is the defining adverse risk in Huntress's customer chapter. Net Revenue Retention (NRR) and Gross Revenue Retention (GRR) are not publicly disclosed. Based on 70%+ ARR growth for 3 years and the expansion mechanics (more endpoints, more identities, more products per partner over time), NRR is inferred to be well above 100%—likely in the 115–130% range—but this is inference, not fact. Huntress's expansion mechanics within existing MSP relationships include: (1) Natural endpoint expansion as MSPs add SMB clients; (2) Identity (ITDR) upsell on existing endpoint customers—1M to 2M identities in ~6 months; (3) SIEM upsell launched 2024; (4) Security Awareness Training (SAT) cross-sell via Curricula. Average ARR per MSP partner: ~$14K/year at $100M ARR / 7,000 partners. This average obscures a wide distribution—the top 5–10% of partners likely contribute 30–50% of ARR, while the long tail contributes the remainder. Customer concentration by partner is unknown and undisclosed. [CU023, CU024, CU025, CU026, CU027, CU028]

6.7 Exhibits

7.1 Regulatory and Legal Risk

Huntress operates at the intersection of several heavily regulated domains. As a managed security provider for healthcare, financial services, and legal sector SMBs, Huntress indirectly processes data subject to HIPAA (health), GLBA/FTC Safeguards Rule (financial), and attorney-client privilege constraints (legal). The company must maintain HIPAA Business Associate Agreement (BAA) coverage with all healthcare MSP partners and their downstream SMB clients. A single uncovered BAA creates direct HIPAA liability. The HHS Office for Civil Rights (OCR) actively enforces HIPAA against technology vendors serving covered entities; enforcement actions against cybersecurity vendors have increased since 2022. The SEC's new cybersecurity incident disclosure rules (adopted July 2023, effective December 2023) require public companies to disclose material cybersecurity incidents within 4 business days on Form 8-K. While Huntress itself is private, its enterprise MSP partners who are public companies are subject, and any incident on the Huntress platform that affects a public company client could trigger partner-level regulatory obligations and create reputational damage for Huntress. The FTC Safeguards Rule (amended 2023) tightens requirements for financial institutions including many Huntress MSP customers in accounting and banking around information security program standards, incident response plans, and annual reporting. GDPR exposure is emerging as Huntress pursues international expansion into the EU. Processing endpoint telemetry from EU-based employees requires lawful basis under GDPR Article 6, a Data Processing Agreement with each MSP partner, and cross-border transfer mechanisms for data flowing to Huntress's US-based AWS infrastructure. Non-compliance in a single EU customer incident can trigger up to 4% of global annual turnover in fines. IP risk is present but not acute: no active litigation against Huntress has been identified as of May 2026, though CrowdStrike, SentinelOne, and Microsoft hold thousands of cybersecurity patents collectively. [CR001, CR002, CR003, CR004, CR005, CR006]

7.2 Operational and Security Risk

Huntress operates entirely on Amazon Web Services (AWS), creating a single-cloud dependency risk. An AWS us-east-1 region outage in December 2021 affected thousands of SaaS providers including security vendors. For a 24/7 managed security provider, any outage in detection or alerting capability creates customer exposure and SLA breach liability. Huntress does not publicly disclose its cloud redundancy architecture, failover procedures, or RTO/RPO targets, which are critical diligence items for a mission-critical security service. The 24/7 SOC model is Huntress's primary competitive differentiator but also its key operational risk. Security analyst attrition in the industry runs 15-25% annually. Huntress has noted that it leverages AI and automation to handle tier-1 triage, reducing analyst load, but human review remains central to the value proposition. If analyst attrition exceeds manageable levels or talent cost inflation compresses margins further, the human-augmented model faces execution risk. As a high-profile security vendor, Huntress itself is a priority target for nation-state actors and ransomware groups. The 2020 SolarWinds supply chain attack demonstrated that security vendors can be compromised through their own software distribution or update mechanisms. Huntress must maintain exceptional internal security hygiene; a breach of the Huntress platform would be catastrophic for customer trust and potentially existential. Product integration risk includes the Curricula (SAT) and Inside Agent (ISPM) acquisitions; acquired codebases introduce new attack surfaces, integration defects, and data model incompatibilities. [CR007, CR008, CR009, CR010, CR011, CR012]

7.3 Partner and Channel Concentration Risk

Huntress distributes 100% of its revenue through the MSP channel, creating a structural channel concentration risk. The company discloses 7,000+ MSP partners as of 2024, but does not disclose the ARR distribution across partners. In a typical MSP-distributed security business, the top 10% of partners (approximately 700 partners) likely drive 50-60% of ARR. If the top 5 MSP partners each represent 1-3% of ARR, the loss of a single large partner could remove $1-3M of ARR in a single event. Concentration risk is a critical diligence gap requiring partner-level cohort analysis. MSP consolidation is accelerating. Major RMM and PSA platforms including ConnectWise, Datto/Kaseya, and NinjaRMM are acquiring or bundling security tools, creating a potential disintermediation threat. If ConnectWise, which has its own security platform (ConnectWise Fortify), bundles a competitive MDR capability into its platform at lower cost, smaller Huntress MSP partners might churn to the integrated stack. Huntress integrates deeply with these platforms, providing deployment automation, but this also means Huntress's retention is partially dependent on the goodwill and API stability of these platform providers. Microsoft is the most significant structural channel risk. Microsoft Defender for Business and Microsoft 365 Business Premium include endpoint protection, identity protection (Entra ID P2), and basic MDR capabilities at $22/user/month. As Microsoft improves its SMB-tier security posture, MSPs may recommend Microsoft's native stack over standalone Huntress. Huntress's ITDR product directly competes with Microsoft's Entra ID protection layer, creating both partnership and competition tension with a critically important ecosystem partner. [CR013, CR014, CR015, CR016, CR017, CR018]

7.4 Financial and Business Model Risk

Huntress's human-SOC model structurally compresses gross margins compared to pure-software security vendors. Estimated gross margins of 65-72% lag the 75-80% typical for enterprise SaaS, driven by the labor cost of 24/7 security analysts. As the company scales, automation (AI triage, automated response playbooks) should improve margins, but this transition has not been confirmed with public data. If gross margins are actually below 65%, the valuation multiple at $1.5B+ becomes harder to justify relative to public software comps. IPO delay risk is material. The company targeted an IPO within 18-24 months of September 2024, implying a target window of Q1-Q3 2026. As of May 2026, no S-1 has been publicly filed. A further delay into 2027 would extend the period during which the company operates with private-market constraints including limited secondary liquidity and restricted M&A currency. If growth decelerates significantly before the IPO, the valuation achievable at IPO could be below the $1.5B+ Series D mark, creating a down-round or flat-round scenario. The company has raised approximately $310M in total funding. At an estimated burn rate of $42-80M per year, the $150M Series D provides roughly 22-43 months of runway from June 2024. However, at the higher end of the burn range, runway could fall below 18 months by late 2025, potentially requiring a pre-IPO bridge round or forcing an accelerated IPO in adverse market conditions. Revenue concentration risk is compounded by the lack of public NRR and GRR disclosures. [CR019, CR020, CR021, CR022, CR023, CR024]

7.5 Competitive and Execution Risk

The cybersecurity endpoint market is one of the most competitive segments in enterprise software. CrowdStrike's Falcon Go and Falcon Complete provide enterprise-grade EDR at SMB price points with the brand recognition advantage. SentinelOne's Singularity platform offers comparable AI-powered detection with potentially lower per-endpoint cost at volume. Both companies are investing in MSP-friendly packaging and pricing to compete directly with Huntress in the SMB channel. Sophos, which has a 35+ year installed base in the SMB market, operates its own Sophos MDR service at similar price points to Huntress with existing MSP channel relationships. New entrants including Blackpoint Cyber, Field Effect, and Adlumin are purpose-built for the MSP/SMB MDR market and compete directly for Huntress's core MSP partner relationships. Huntress's multi-product expansion including SIEM, ISPM, and ESPM launched or entering GA 2024-2026 creates execution risk. Each new product requires dedicated go-to-market, customer success, and support resources. SIEM is a technically complex, highly competitive category dominated by Splunk (Cisco), Microsoft Sentinel, and IBM QRadar. Huntress's Smart Filtering SIEM approach targets SMBs' inability to manage enterprise SIEM complexity, but early-stage products carry adoption risk. Key-person risk is concentrated around CEO Kyle Hanslovan, who is the public face of the company, leads threat intelligence communications, and drives the MSP partnership strategy. Loss of Hanslovan or co-founders Bisnett and Ferrell would create significant leadership risk in a company where government-background operator culture is a core talent magnet. [CR025, CR026, CR027, CR028, CR029, CR030]

8.1 Investment Thesis and Anti-Thesis

THESIS: Huntress is the best-positioned pure-play MDR vendor serving the underserved SMB segment via the MSP channel. The company has achieved the $100M ARR milestone with three consecutive years of 70%+ YoY growth—a rate that places it in the top decile of B2B SaaS at this stage. The TAM is structurally large: 33 million SMBs in the US alone with fewer than 15% having any dedicated endpoint security beyond bundled AV. Huntress's channel model (7,000+ MSP partners) creates a distribution flywheel that is capital-efficient and defensible—competitors must build equivalent MSP relationships to displace Huntress at scale. The platform expansion from pure EDR into identity (ITDR, 2M+ identities by early 2025), SIEM (launched 2024), and security awareness training (SAT via Curricula) increases total addressable revenue per MSP partner by 3-5x, extending the growth runway. The Series D at $1.5B+ from Kleiner Perkins (lead), Meritech Capital, and Sapphire Ventures signals tier-1 VC conviction in the IPO path and validates a 15x ARR entry multiple. ANTI-THESIS: The bull case rests on multiple assumptions that are currently unverifiable: (1) NRR has never been publicly disclosed—if it is below 110%, the 15x multiple and growth story are both at risk; (2) gross margins are undisclosed and structurally compressed by the 24/7 SOC human labor component, which may be 25-35% of revenue—if blended gross margins are below 65%, the company cannot justify a SaaS-like multiple at IPO; (3) Microsoft Defender for Business is bundled into M365 Business Premium at $22/user/month, creating a pricing gravity toward free or near-free endpoint coverage that MSPs can deliver without Huntress; (4) the IPO targeted for "late 2025–mid 2026" has already slipped (no S-1 filed as of May 2026), creating growing equity overhang and capital markets timing risk; (5) the MSP channel is Huntress's only distribution lever—the loss of top-20 MSP partners would represent a material revenue event with no direct sales fallback. The thesis breaks if any two of these risks materialize simultaneously. [CV001, CV002, CV003, CV004, CV005, CV006]

8.2 Recommendation, Confidence and Valuation Stance

RECOMMENDATION: WATCH (for new investors) / HOLD (for existing Series A-C shareholders). For Series D investors (Kleiner Perkins, Meritech, Sapphire): base-case 2x return over 2-3 years; bull-case 3-4x; bear-case approximately flat with liquidation preference protection. CONFIDENCE: Medium. The positive case is supported by confirmed $100M ARR, verified 70%+ YoY growth, and three years of consistent performance. The negative case is obscured by the absence of audited financial statements, undisclosed NRR, undisclosed gross margin, and no S-1 on file as of May 2026. RISK RATING: Medium-High. The three dominant risks—NRR opacity, gross margin below SaaS-threshold (70%), and IPO delay—are individually material and compounding. No single risk is certain to materialize, but the probability-weighted downside from simultaneous realization is severe (bear-case $1.2-1.5B vs. Series D price of $1.5B+). VALUATION STANCE: AT FAIR VALUE for current stage. The 15x ARR multiple on $100M ARR is consistent with a high-growth, partially-disclosed private company in the managed security segment—above pure-MDR comps (Arctic Wolf 6.5x, Blackpoint 9x) and below pure- software public comps (CrowdStrike 21x, SentinelOne 22x). The premium over MDR peers is justified by faster growth; the discount to public software peers is justified by services margin compression. However, the current multiple may be stale—the valuation was set in June 2024 and ARR has likely grown to $130-150M by mid-2026 (implied by 70% trajectory decelerating to ~30%), which would reduce the effective multiple to 10-12x at current price—making Huntress potentially attractive if IPO pricing converges to $3B+. TARGET RETURN/HOLD/EXIT: For a new investor entering at current $1.5B+ valuation mark, the base-case 2x return to $3B at IPO requires 24-36 months hold. A 3x return ($4.5B) requires bull-case conditions. Bear-case entry at this price is flat-to-negative without preferred stock protection terms. [CV007, CV008, CV009, CV010, CV011]

8.3 Financing Context, Entry Discipline and Preference Overhang

Huntress has raised approximately $310M across five rounds from 2018 to June 2024: Seed (~$10M, 2018, ForgePoint Capital); Series A (undisclosed, 2020, ForgePoint); Series B (~$40M, 2021, JMI Equity + ForgePoint); Series C (~$60M, 2022, JMI Equity); Series D ($150M, June 2024, Kleiner Perkins lead + Meritech + Sapphire Ventures). Total capital raised of ~$310M against $100M ARR implies a capital-to-ARR ratio of 3.1x, at the upper end of Bessemer's "good" benchmark (2-3x) for SaaS companies, reflecting the SOC labor costs that prevent free cash flow generation typical of pure-software peers. The Series D post-money valuation of $1.5B+ carries standard preferred-stock mechanics: liquidation preference, anti-dilution protection, and possibly ratchets (not publicly disclosed). In a bear-case IPO at $1.5B, Series D investors recover capital but common shareholders (including employees) receive minimal proceeds. This preference overhang is material and standard for a late-stage VC-backed company; it does not change the growth thesis but affects the downside payoff distribution. Entry discipline for new investors: public evidence supports the 15x ARR multiple as of the June 2024 data point. However, investors entering in secondary market transactions should seek a 20-25% discount to the last-round mark to account for liquidity discount, NRR opacity risk, and IPO delay risk. At $1.0-1.2B entry (implied 10-12x ARR on ~$100M), the risk-reward is favorable: 3x+ to bull-case $5B, 2.5x to base-case $3B, and flat-to- positive even in the bear case. No secondary transaction data is publicly available as of May 2026, suggesting limited secondary market activity to date. Burn and runway: the estimated burn ratio of 0.6 (burn/new ARR) at 70% growth implies ~$42M annual burn; at this rate, the $150M Series D provides approximately 3.5 years of runway from June 2024 (through ~late 2027), sufficient to reach IPO under base and bull cases without requiring additional financing. The runway estimate is low-confidence due to absence of disclosed burn rate or cash position. [CV012, CV013, CV014, CV015, CV016]

8.4 Bull, Base and Bear Scenarios

Bull case (IPO 2027, favorable conditions): Huntress demonstrates $250M+ ARR at 25-30% YoY growth, delivers audited gross margins above 75% (driven by SIEM and ITDR software layers displacing SOC-heavy MDR as a share of revenue), and confirms NRR above 120% based on per-endpoint and per-identity expansion. Public cybersecurity markets remain favorable with CrowdStrike and SentinelOne sustaining 20x+ multiples. At 20x ARR, the implied valuation is approximately $5B. Probability signal: Low-Medium (~20-25%). The main positive catalyst is SIEM adoption—if Huntress's MSP-optimized SIEM reaches $50M+ ARR by 2026, the platform mix shift to software is credible. Base case (IPO 2026-2027, normal conditions): Huntress reaches approximately $200M ARR at 15-20% growth in the IPO year, consistent with the standard deceleration seen in SaaS businesses scaling from $100M to $200M. Gross margins are 65-72% (unchanged from current estimated range); NRR is approximately 115%. At 15x ARR multiple, implied valuation is approximately $3B. This represents 2x on the Series D. Probability signal: Medium (~45-50%). The base case requires sustained MSP partner expansion (to 10,000+ partners) and ITDR continuing to grow from 2M to 5M+ identities. Bear case (IPO delay or multiple compression): ARR decelerates to approximately $150M at 10-15% growth (caused by MSP churn, Microsoft competition, or limited international traction) and gross margins compress below 65%. At 8-10x ARR multiple, implied valuation is $1.2-1.5B—at or below the Series D price. Probability signal: Low-Medium (~25-30%). Bear-case triggers include: NRR disclosure revealing churn above 10%, gross margin audited below 62%, or public market SaaS multiple compression below 10x sector-wide. Downside trigger: any single bear-case trigger combined with continued IPO delay beyond Q4 2027 would likely result in a down-round or forced trade sale at below-$1.5B, activating Series D liquidation preference mechanics and concentrating proceeds to preferred holders. [CV017, CV018, CV019, CV020, CV021]

8.5 Comparable Company Set

Public company comps (pure-software endpoint security, highest multiples): CrowdStrike (NASDAQ: CRWD) is the gold-standard comparable: ~$4B ARR in FY2025 (ended January 2025), $80-90B market cap, ~21x ARR multiple, >75% gross margins, Rule of 40 score above 50 (32% growth + 30%+ FCF margin). CrowdStrike's sustained premium multiple validates that high-growth cybersecurity SaaS can command 20x+ at scale. Huntress aspires to this multiple but must close the gross margin gap to justify it. SentinelOne (NYSE: S): ~$700M ARR in FY25 Q3 (quarter ended October 2024), $14-18B market cap, ~20-25x ARR, >70% gross margins. SentinelOne illustrates how high-growth endpoint security commands premium multiples even while burning cash, as long as growth is above 30% YoY. The multiple has compressed from 40x+ to ~22x as growth decelerated from 70%+ to ~33%, confirming the growth/multiple relationship that governs Huntress's IPO scenario math. Palo Alto Networks (NASDAQ: PANW): ~$8B NGS ARR, ~$100B market cap, ~12-13x NGS ARR. Its "platformization" strategy—bundling SIEM, endpoint, cloud, and identity into a single platform—is the clearest competitive analog to Huntress's multi-product expansion. Rapid7 (NASDAQ: RPD): ~$800M ARR, ~$1.5-2B market cap, ~2-3x ARR. The cautionary comp— growth deceleration to below 10% YoY produced rapid multiple compression from 10x+ to sub-3x within 18 months. This is the most important downside comp for Huntress. Qualys (NASDAQ: QLYS): ~$500M ARR, ~$4B market cap, ~8x ARR. Mature, low-growth cybersecurity SaaS at 12% YoY—represents Huntress's valuation floor in a prolonged deceleration scenario. Private company comps (MDR-focused): Arctic Wolf: $1.3B valuation in 2022 at ~$200M ARR (6.5x ARR)—the most direct private comparable; lower multiple reflects both 2022 market conditions and higher services intensity. Arctic Wolf also raised at a $4.3B valuation in January 2021 (pre-downturn), illustrating significant multiple compression even for leading MDR vendors. Blackpoint Cyber: $190M Series C in 2023 (lead: Bain Capital Tech Opportunities) at an undisclosed valuation; estimated at approximately $800M-1B at ~$100M ARR (~9x ARR). Pure MDR focus, no platform expansion disclosed. Acquisition comp: Sophos was acquired by Francisco Partners at approximately $3.9B in 2019 at roughly $400M in revenue (~10x). Sophos's MSP-channel model makes it the best M&A precedent for Huntress; the 10x multiple at acquisition suggests strategic buyers pay a modest premium to growth-stage private multiples for channel-rich security vendors. [CV022, CV023, CV024, CV025, CV026, CV027]

8.6 Exit Readiness and Final Diligence Asks

IPO readiness: The CEO targeted "late 2025–mid 2026" in public statements in late 2024. As of May 2026, no S-1 has been filed with the SEC. The timeline has slipped by at least 6-12 months. Possible causes: (1) public market window was unfavorable in early 2026; (2) organizational readiness (audited financials, CFO credentialing, board reconstitution) not complete; (3) ARR growth decelerated below the level required for a premium valuation. The absence of a public S-1 filing means no audited financials, revenue cohort data, or NRR are publicly available—maximizing investor uncertainty. Strategic M&A readiness: Huntress represents an attractive tuck-in acquisition for several strategic buyers. The MSP channel (7,000+ partners, 120,000+ SMBs) is a distribution asset that is difficult to replicate organically. Potential acquirers: Palo Alto Networks (expand MSP/SMB reach; complement Prisma and Cortex); Cisco (fill Talos MDR gap in SMB segment); Broadcom (leverage Symantec MSP channel); Qualys (expand managed service offering). An M&A transaction at 12-15x ARR on $150-200M ARR would yield $1.8-3.0B—a competitive outcome relative to the base-case IPO ($3B). Final diligence asks (priority-ordered): 1. NRR and GRR: the single most important disclosure; must be obtained before any investment at current valuation. Target: verified NRR above 110% to justify current multiple. 2. Audited gross margin: P&L access required. Target: confirmed blended gross margin above 70% to justify software-company valuation treatment. 3. Updated ARR (post-September 2024): the last confirmed ARR was September 2024 ($100M). Two years of unconfirmed growth creates significant uncertainty. Target: management disclosure of Q1 2026 ARR and growth rate. 4. IPO timeline and S-1 status: confirmed timeline from CEO/CFO with S-1 drafting milestones. Delay beyond Q2 2027 would require a bridge financing assessment. 5. MSP partner concentration: top-20 MSP partner revenue share and churn history. Target: no single partner above 5% of ARR. [CV029, CV030, CV031, CV032, CV033]

8.7 Exhibits