Last Raised 01
$60M Series E [CI002] Diligence report
ThreatLocker, Inc.
Zero Trust Endpoint Security: From Default Allow to Default Deny
ThreatLocker is a high-growth unicorn with a differentiated default-deny Zero Trust approach and strong MSP channel traction, but faces revenue transparency gaps and increasing competition from well-funded incumbents.
Cover facts
Company profile
ThreatLocker, Inc. is an Orlando, Florida-based cybersecurity company founded in 2017 that has built a Zero Trust endpoint security platform centered on application allowlisting with a default-deny philosophy. The company serves over 70,000 organizations globally through a channel-first model focused on Managed Service Providers (MSPs), and achieved unicorn status with a $1.2 billion post-money valuation following its $60 million Series E round in April 2025. ThreatLocker's platform spans application allowlisting, Ringfencing, storage control, privileged access management, network control, EDR/MDR, and newly launched ZTNA and ZTCA capabilities. With approximately 700 employees and a highly rated customer support model (Cyber Hero 24/7), ThreatLocker has grown from roughly 200 employees in 2023 to a ~$253.6 million total-raised unicorn operating in a $42 billion and growing Zero Trust security market.
- Website
- www.threatlocker.com
- Founded
- 2017-01-01
- Founders
- Danny Jenkins, Sami Jenkins, John Carolan
- Founding location
- Orlando, FL
- Headquarters
- Orlando, FL
- Product
- Zero Trust endpoint security platform offering application allowlisting, Ringfencing, storage control, PAM, network control, EDR/MDR, and ZTNA/ZTCA capabilities, primarily delivered through MSP channel partners.
- Customers
- Managed Service Providers (MSPs) and their SMB/enterprise clients; direct enterprise customers in healthcare, sports, aviation, and education.
- Business model
- Annual subscription SaaS licenses sold primarily through MSP channel partners; tiered pricing by endpoints protected; direct enterprise sales for larger organizations.
- Stage
- Series E (Unicorn, $1.2B valuation)
- Funding status
- $60M Series E (April 2025); $115M Series D (April 2024); ~$253.6M total raised; $1.2B post-money valuation.
Executive summary
Top strengths
- Differentiated default-deny Zero Trust approach with strong product-market fit among MSPs and proven ransomware prevention
- Unicorn valuation ($1.2B) with demonstrated customer traction (70,000+ organizations) and high satisfaction (G2 4.8/5)
- Comprehensive expanding platform with ZTNA, ZTCA, EDR/MDR, and 14 new data centers in 2025-2026
- Capital-efficient growth: 60% valuation step-up (Series D to E) on a relatively small $60M Series E raise
Top risks
- Revenue metrics from private secondary sources; lack of disclosed ARR or growth rate limits diligence quality
- Family-concentrated leadership (Danny, Sami, Michael Jenkins hold three of five C-suite positions) creates key-person and governance risk
- Intense competition from well-funded CrowdStrike, Microsoft Defender, SentinelOne, and Palo Alto Networks with larger R&D budgets
- MSP channel concentration: heavy dependence on MSP partners for distribution creates single-channel risk
Open gaps
- ARR, gross margin, and burn rate not publicly disclosed; revenue estimates ($71.5M) are from secondary sources only
- Board composition and investor governance rights from Series D and Series E not publicly disclosed
- Profitability timeline, unit economics, and CAC/LTV ratios unavailable from public sources
- Series E primary press release URLs returned 404; funding corroborated only from analyst data aggregators
Contents
01Company Overview
1.1 Company Identity, Founding, and Business Overview
ThreatLocker, Inc. is a private cybersecurity company headquartered in Orlando, Florida, founded in 2017 by Danny Jenkins (CEO), Sami Jenkins (COO), and John Carolan (Chief Quality Assurance Officer). The company operates under a Zero Trust philosophy with a "default-deny" model: by default, no application is permitted to run unless it has been explicitly allowlisted by an administrator. This stands in contrast to the legacy "default-allow" approach that dominated endpoint security for decades. ThreatLocker's primary go-to-market is through Managed Service Providers (MSPs), enabling the company to reach small-to-medium businesses that rely on MSPs for IT operations without building a costly direct sales force at that scale. The company also serves enterprise organizations directly, with notable customers including the Orlando Magic, Indianapolis Colts, JetBlue Airways, Emirates airlines, Hattiesburg Clinic, and Niles Community Schools — spanning entertainment, aviation, healthcare, and education verticals. As of March 2026, ThreatLocker protects 70,000+ organizations globally. Beyond its Orlando headquarters, ThreatLocker maintains international offices in Dublin, Ireland; Dubai, UAE; and Brisbane, Australia, and announced 14 new data centers in 2025-2026 (12 in the US, plus Saudi Arabia and Abu Dhabi). The company hosts Zero Trust World, an annual practitioner conference for MSPs and security professionals. Third-party review platforms rate the platform highly: G2 gives ThreatLocker 4.8 out of 5 from 472 reviews (94/100 likeliness to recommend) and Gartner Peer Insights gives it 4.8 out of 5 from 79 ratings. [CO001, CO002, CO003, CO004, CO018, CO019]
| Metric | Value / Status | Date | Confidence | Evidence Gap |
|---|---|---|---|---|
| Customers Protected | 70,000+ | March 2026 | High | Company-announced; not independently audited |
| Total Raised | ~$253.6M | April 2025 | High | Third-party corroborated; Series E primary PR broken |
| Post-Money Valuation | $1.2B (unicorn) | April 2025 | High | PremierAlts and Tracxn corroborate; not audited |
| Estimated Revenue (2023) | ~$61.7M | 2023 | Low | Latka estimate only; not disclosed by company |
| Estimated Revenue (2025) | ~$71.5M | 2025 | Low | Tracxn estimate only; ARR not disclosed |
| Employees | ~700 | March 2026 | Medium | Third-party estimate; not confirmed by ThreatLocker |
| G2 Rating | 4.8/5 (472 reviews; 94/100 recommend) | 2026 | High | G2 platform; rate-limited at research time |
| Gartner Peer Insights | 4.8/5 (79 ratings) | 2026 | High | Gartner platform; independent aggregate |
Revenue ($61.7M, $71.5M) and employee (~700) figures are third-party estimates from Latka (SO008) and Tracxn (SO007). Customer count (70,000+) and valuation ($1.2B) are from official ThreatLocker announcements and corroborating analyst sources. G2 access was rate-limited; score cited from Cybernews review which references the same figure. Valuation is post-money, not enterprise value.
[CO032, CO030, CO029, CO034, CO035, CO033]1.2 Founders, Leadership Team, and Governance
ThreatLocker was co-founded by three individuals with complementary expertise. Danny Jenkins, CEO, conceived the default-deny application control approach after observing how detection-based security tools consistently failed to prevent ransomware and supply chain attacks. His brother Michael Jenkins serves as CTO, overseeing platform engineering and infrastructure. Sami Jenkins (COO) manages day-to-day operations, and John Carolan (CQA) oversees product and service quality. Rob Allen serves as Chief Product Officer leading roadmap execution. Together these five individuals form the publicly disclosed C-suite as of May 2026. The concentration of three Jenkins family members across the top three executive positions (CEO, COO, and CTO) is a notable governance consideration for institutional investors. Family-led executive teams can exhibit stronger cultural cohesion and long-term orientation, but they also create key-person risk, potential succession planning gaps, and reduced independence in board oversight. ThreatLocker has not publicly disclosed its board composition, investor governance rights, or information rights agreements from its Series D and Series E financings, limiting visibility into how General Atlantic, Arthur Ventures, and other major investors exercise oversight. Leadership stability has been a strength: no senior executive departures have been disclosed since founding. Danny Jenkins is the company's primary public spokesperson and frequent industry event speaker. The "Cyber Hero" 24/7 unlimited support model — staffed by engineers, not tier-1 agents — reflects a service-first culture embedded from the company's founding values. [CO005, CO006, CO007, CO008, CO009, CO010]
| Name | Title | Co-Founder | Functional Role | Key-Person Risk |
|---|---|---|---|---|
| Danny Jenkins | CEO | Yes | Primary external spokesperson; conceived default-deny model | Critical — public face, vision owner, industry evangelist |
| Sami Jenkins | COO | Yes | Day-to-day operations, business execution | High — family concentration; operations dependency |
| John Carolan | CQA (Chief Quality Assurance) | Yes | Product and service quality oversight | Medium — operational; not customer-facing |
| Michael Jenkins | CTO | No | Platform engineering and infrastructure architecture | High — family; core platform technical lead |
| Rob Allen | CPO | No | Product strategy, roadmap, capability expansion | Medium — product direction and pipeline |
Sources: ThreatLocker company page (SO002), Series D press release (SO003), TMCnet (SO013), and Cybernews review (SO010). No additional C-suite roles were identified across reviewed sources. Board composition and investor governance rights have not been publicly disclosed.
[CO005, CO006, CO007, CO008, CO009]1.3 Funding History, Investors, and Valuation
ThreatLocker has raised approximately $253.6 million in total venture capital funding. The most significant milestone was April 2024 when the company closed a $115 million Series D led by General Atlantic, with StepStone Group and D.E. Shaw Group participating, establishing a post-money valuation of approximately $750 million. This round coincided with ThreatLocker reaching 50,000+ customer organizations. In April 2025, ThreatLocker closed a $60 million Series E led by Arthur Ventures and CR2 Ventures, with Elephant Venture Capital and returning investor StepStone Group, reaching a $1.2 billion post-money valuation and achieving unicorn status. The Series E's relatively small raise ($60M) compared to the valuation step-up ($750M to $1.2B) is notable: it suggests the company was profitable or near-profitable and did not require large primary capital injection. Elephant VC and Arthur Ventures were returning investors in the Series E, indicating continued conviction in the company's trajectory. The investor map includes major institutional players spanning growth equity (General Atlantic), venture (Arthur Ventures, CR2 Ventures, Elephant VC), fund-of-funds (StepStone Group), and quantitative finance (D.E. Shaw Group). Primary press releases for the Series E round on PR Newswire and BusinessWire returned 404 errors at time of research, but the round is corroborated by PremierAlts and Tracxn analyst data. The company has not disclosed ARR, gross margin, burn rate, or profitability status. Revenue estimates from Latka ($61.7M, 2023) and Tracxn ($71.5M, 2025) are third-party figures and may understate actual ARR given the rapid customer growth trajectory. [CO024, CO028, CO029, CO030, CO031, CO034]
| Stakeholder | Role | Control / Economic Importance | Diligence Ask |
|---|---|---|---|
| General Atlantic | Lead investor, Series D ($115M, April 2024) | Significant equity stake; likely board seat | Request board composition and investor governance rights |
| Arthur Ventures | Lead investor, Series E; returning from prior rounds | Material equity; likely board seat following lead role | Confirm board representation and information rights |
| CR2 Ventures | Co-lead, Series E ($60M, April 2025) | Equity position; likely governance rights | Confirm stake size and board/observer rights |
| Elephant Venture Capital | Investor; returning in Series E | Long-term alignment signal; multi-round participant | Request total investment across all rounds and ownership % |
| StepStone Group | Investor in Series D and Series E | Significant multi-round capital; fund-of-funds model | Understand LP structure and secondary market pricing |
| D.E. Shaw Group | Participant, Series D | Quantitative hedge fund; atypical for growth equity | Understand strategic rationale and exit orientation |
| Danny Jenkins (CEO/Co-founder) | Founder equity holder | Likely material equity stake; key control person | Request cap table summary and founder voting rights |
Investor names from ThreatLocker Series D press release (SO003), PremierAlts (SO006), Tracxn (SO007), and Crunchbase (SO005). Early-round details are not publicly disclosed; cap table unavailable. Crunchbase and Tracxn are JS-only (SO005, SO007). Primary Series E PR URLs (SO023, SO024) returned 404.
[CO028, CO029, CO030]1.4 Scale, Milestones, and Company Trajectory
ThreatLocker's growth trajectory has been exceptional. The company grew its protected organization count from 50,000+ at Series D (April 2024) to 70,000+ by March 2026 — a 40% increase in roughly 23 months. Employee count grew from approximately 200 in 2023 to approximately 700 by March 2026 — a 250% headcount increase in about 30 months — reflecting aggressive hiring across product, engineering, sales, and support functions. Product milestones include the launch of Application Allowlisting (founding), Ringfencing, Storage Control, Network Control, PAM, and Elevation Control. In March 2026, ThreatLocker launched Zero Trust Network Access (ZTNA) and Zero Trust Cloud Access (ZTCA), extending the platform beyond the endpoint into network and cloud. At Zero Trust World 2025, the company unveiled five additional modules: Insights, Patch Management, User Store, Web Control, and Cloud Control. The company announced 14 new data centers in 2025-2026 for global infrastructure expansion. Legal milestones include a 2022 trademark dispute against ThreatBlockr (Case 6:22-cv-02407, M.D. Fla.) and a contract dispute against Charles Schwab filed in May 2025 (Case 6:2025cv00923, M.D. Fla.). ThreatLocker has raised $253.6 million in total and holds a $1.2 billion unicorn valuation. This growth from an Orlando startup to a global 700-person cybersecurity platform covering endpoint, network, and cloud in under nine years is a strong indicator of product-market fit and execution quality. Sustained customer satisfaction (G2 4.8/5, Gartner Peer Insights 4.8/5) reinforces the narrative of genuine value delivery rather than growth at the expense of quality. [CO013, CO014, CO015, CO016, CO017, CO026]
| Date | Event | Type | Amount / Valuation | Participants | Implication |
|---|---|---|---|---|---|
| 2017 | Founded in Orlando, FL | founding | N/A | Danny Jenkins, Sami Jenkins, John Carolan | Default-deny Zero Trust philosophy established; SMB via MSP model |
| 2017-2022 | Early funding from Elephant Venture Capital and Arthur Ventures | financing | Undisclosed | Elephant VC, Arthur Ventures | Capital foundation; MSP channel go-to-market established |
| 2022 | Trademark dispute filed against ThreatBlockr (6:22-cv-02407, M.D. Fla.) | adverse | N/A | ThreatLocker vs. ThreatBlockr | Lanham Act action; brand identity protection |
| April 2024 | $115M Series D closed; 50,000+ customers milestone | financing | $115M / ~$750M post-money | General Atlantic (lead), StepStone Group, D.E. Shaw Group | Institutional growth equity validation; $750M valuation |
| Feb 2025 | Zero Trust World 2025: five new modules unveiled | product | N/A | ThreatLocker (Insights, Patch Mgmt, User Store, Web Control, Cloud Control) | Platform expansion into analytics, patching, and web/cloud governance |
| 2025 | 14 new data centers announced (12 US, Saudi Arabia, Abu Dhabi) | scale | N/A | ThreatLocker | Global infrastructure investment supporting international growth |
| April 2025 | $60M Series E at $1.2B valuation; unicorn status | financing | $60M / $1.2B post-money | Arthur Ventures, CR2 Ventures (leads), Elephant VC, StepStone Group | Unicorn milestone; favorable valuation step-up in 12 months |
| May 2025 | Lawsuit filed against Charles Schwab (6:2025cv00923, M.D. Fla.) | adverse | N/A | ThreatLocker vs. Charles Schwab Corporation | Contract or lease dispute; outcome unknown as of research date |
| March 2026 | ZTNA and ZTCA launched; 70,000+ organizations protected | product/scale | N/A | ThreatLocker (platform expansion) | Platform extends from endpoint to network and cloud access control |
Sources: ThreatLocker Series D press release (SO003), ZTNA launch PR (SO004), TMCnet (SO013), lqcre.com (SO011), PremierAlts (SO006). Series E primary PR URLs (SO023, SO024) returned 404; round corroborated by PremierAlts and Tracxn. Pre-2022 operational milestones may be incomplete without access to internal records.
[CO001, CO028, CO029, CO031, CO032, CO039]02Market Analysis
2.1 Market Boundary and Definition
ThreatLocker operates in the zero trust endpoint security market, defined by software that enforces a default-deny posture on endpoints: explicitly permitting only allowlisted applications, controlling storage device access, ringfencing application behaviors to limit lateral movement, and managing privileged access elevation at the workstation level. This definition is anchored by a prevention-first philosophy that contrasts sharply with detection-based endpoint security (EDR, XDR, legacy antivirus), which permits execution and responds after threat detection. The included spend categories are: application allowlisting and control, endpoint privilege access management for workstations, storage access control, application ringfencing, zero trust network access delivered via an endpoint agent, and zero trust cloud access for managed endpoints. Excluded spend covers pure detection-based EDR platforms where no allowlist enforcement is primary (CrowdStrike Falcon, SentinelOne Singularity), network-only ZTNA without endpoint enforcement, server and infrastructure-only PAM, standalone cloud security posture management without agent delivery, and identity-only IAM platforms without endpoint control. The primary status-quo substitutes ThreatLocker displaces include Windows Defender bundled at zero marginal cost with Microsoft 365, traditional antivirus and EDR solutions, and in larger accounts, legacy application whitelisting tools. ThreatLocker entered ZTNA and ZTCA adjacencies in March 2026, modestly expanding its addressable market beyond the pure endpoint security boundary. The market estimate range figure illustrates the material gap between endpoint security estimates ($17.6B) and broader zero trust security definitions ($34.5–42.3B), making boundary definition critical to any sizing conclusion. Spend on cloud-only workloads without a managed endpoint agent, unmanaged BYOD devices, and infrastructure-layer network controls falls outside ThreatLocker's current scope. [CM001, CM003, CM016, CM022, CM023, CM025]
| Category | Included Spend | Excluded Spend | Primary Buyer / Payer | ThreatLocker Relevance |
|---|---|---|---|---|
| Zero Trust Endpoint Security | Application allowlisting, ringfencing, PAM, storage control, ZTNA/ZTCA | Legacy AV/EDR, detection-based tools, network-only controls | CISO/IT Director (enterprise); MSP Partner (SMB) | Core TAM: ThreatLocker's primary addressable market |
| SMB-Delivered IT Security via MSP | Monthly managed security services bundled by MSP for <500-seat clients | One-time licensing, point-in-time pen tests | MSP partner (reseller/bundler); SMB IT budget owner | Primary GTM: ThreatLocker sells through MSPs |
| Cloud Access Control (CASB/ZTCA) | Zero Trust Cloud Access, CASB, SWG for managed cloud endpoints | Unmanaged BYOD cloud access, standalone SWG | Cloud Security Architect/IT Director | Emerging adjacency: ThreatLocker ZTCA launched March 2026 |
| Privileged Access Management (PAM) | Endpoint privilege elevation control, PAM for workstations | Server/network PAM, identity-only PAM without endpoint enforcement | CISO/IAM team | Adjacent segment: ThreatLocker Elevation Control module |
| Network Access Control (ZTNA) | Agent-based Zero Trust Network Access for endpoints | Infrastructure-only NAC, SD-WAN without endpoint context | Network Architect/CISO | Adjacent segment: ThreatLocker ZTNA launched March 2026 |
ThreatLocker addresses the Zero Trust Endpoint Security and SMB-Delivered IT Security categories directly. ZTNA and ZTCA are adjacent segments entered in March 2026. PAM is partially addressed via Elevation Control. Cloud-only and infrastructure-only spend is outside current scope.
[CM001, CM022, CM023]2.2 Market Sizing: Multiple Lenses
Multiple analyst firms provide materially different estimates for the zero trust security and endpoint security markets, primarily due to boundary definitions. Fortune Business Insights sizes the global zero trust security market at $42.28 billion in 2025 with a 15.6% compound annual growth rate to $117 billion by 2032, while MarketsAndMarkets estimates $34.5 billion in 2026 with a 17.3% CAGR to $66.6 billion by 2029. These top-level TAM figures include networking appliances, identity platforms, and cloud security layers that are adjacent to but not coextensive with ThreatLocker's endpoint focus. Grand View Research sizes the narrower endpoint security market at $17.6 billion in 2024 growing at 11% CAGR to $45.3 billion by 2033—a more directly comparable boundary, though it excludes the ZTNA and ZTCA adjacencies ThreatLocker entered in 2026. Mordor Intelligence provides a mid-range estimate combining endpoint security and ZTNA at $28.3 billion in 2025 with 13.4% CAGR to 2030. BIS Research offers a cross-check at $19.5 billion for the zero trust networking market in 2025. The serviceable addressable market requires bottom-up derivation. CompTIA estimates total North American MSP spend at approximately $150 billion in 2025, with security representing 8–12% of total MSP revenue, implying $12–18 billion in North American MSP security spend. Applying a 30–40% adjustment for the endpoint-focused zero trust share yields a SAM of approximately $4–6 billion for MSP-delivered zero trust endpoint security in ThreatLocker's accessible markets. At an estimated $71.5 million ARR (Tracxn 2025, cross-validated with Latka), ThreatLocker's serviceable obtainable market represents less than 2% of the conservative $4 billion SAM and approximately 1.2% of the $6 billion high-case estimate. The analyst estimates differ by up to $8 billion at the 2025 baseline, driven by definitional disagreements over hardware network appliance inclusion, identity-layer spend allocation, and geographic coverage scope. The market sizing pyramid illustrates the nested TAM-SAM-SOM structure, while the market estimate range figure preserves the full analyst dispersion. [CM001, CM002, CM003, CM004, CM005, CM014]
| Publisher | Year | Geography | Market Value | CAGR | Methodology | Confidence | Limitation |
|---|---|---|---|---|---|---|---|
| Fortune Business Insights | 2025 | Global | $42.28B (zero trust security) | 15.6% to 2032 | Bottom-up from enterprise segment surveys | High | Broad definition includes networking/identity; overstates ThreatLocker TAM |
| MarketsAndMarkets | 2026 | Global | $34.5B (zero trust security) | 17.3% to 2029 | Vendor revenue analysis + industry interviews | High | Includes hardware network appliances; methodology opaque |
| Grand View Research | 2024 | Global | $17.6B (endpoint security) | 11.0% to 2033 | Segmented demand analysis | High | Endpoint only; excludes ZTNA/CASB adjacencies ThreatLocker is entering |
| Mordor Intelligence | 2025 | Global | $28.3B (endpoint security + ZTNA) | 13.4% to 2030 | Technology spend forecast | Medium | Vendor self-reported data included; limited transparency |
| CompTIA MSP Market | 2025 | North America | ~$150B total MSP IT spend | 11.0% | Channel survey of 40,000+ North American MSPs | Medium | Security is estimated 8-12% of total; implying $12-18B MSP security TAM |
| Analyst-derived SOM estimate | 2026 | Global | ~$71.5M (ThreatLocker ARR estimate) | N/A | Tracxn third-party estimate; cross-checked with Latka | Low | Not publicly confirmed; penetration may be understated for growing platform |
Market estimates vary significantly based on boundary definitions. ThreatLocker's current SOM of ~$71.5M implies < 2% penetration of the most conservative SAM estimate, suggesting substantial runway if the platform continues to capture MSP-delivered security spend.
[CM001, CM002, CM003, CM004, CM005, CM014]2.3 Buyer Segmentation and Adoption Path
ThreatLocker's primary buyer structure is channel-mediated through MSP partners who evaluate, select, and bundle ThreatLocker into managed security stacks for SMB clients with fewer than 500 employees. In this model, the MSP is simultaneously the buyer (procurement decision), reseller (packaged into monthly managed service fee), and primary support contact, while the SMB is the end user and indirect payer through their monthly managed service invoice. The MSP partner evaluates ThreatLocker based on technical fit with existing RMM and PSA tools, margin on resale, supportability for their technical team, and partner program quality including access to Cyber Hero 24/7 support. The adoption trigger in the SMB-via-MSP segment is typically a ransomware incident affecting a peer business, a cyber insurance renewal requiring documented application control, or an MSP platform-wide security architecture review following a breach event. Mid-market organizations with 500–2,500 employees may purchase directly from ThreatLocker, with the IT Director or CISO as buyer and a compliance mandate (SOC 2, HIPAA, PCI-DSS) as the adoption trigger, with CISO or CFO sign-off required for initial deployment. Healthcare organizations represent a vertically specific demand cluster driven by HIPAA Security Rule requirements for technical access safeguards, CISA healthcare-sector alerts, and the risk of OCR investigations; ThreatLocker references Hattiesburg Clinic as a publicly identified customer. Education institutions leverage E-Rate cybersecurity funding and state mandates following ransomware on school districts, with Niles Community Schools as a referenced deployment. Aviation and transportation accounts including JetBlue and Emirates reflect compliance-driven adoption under TSA cybersecurity directives and PCI-DSS requirements. The adoption funnel illustrates the typical conversion path from MSP awareness through trial, proof of concept, initial deployment, and module upsell, with the 24/7 Cyber Hero support team as the key friction-reduction mechanism at the proof-of-concept stage where allowlist policy build generates the most operational friction. [CM006, CM007, CM008, CM013, CM020, CM021]
| Segment | Buyer | User | Payer | Workflow Trigger | Budget Owner | Adoption Trigger |
|---|---|---|---|---|---|---|
| SMB via MSP (<500 employees) | MSP partner (reseller) | SMB IT staff | SMB IT/operations budget via MSP monthly fee | Ransomware attack on peer; MSP mandate | MSP CFO or SMB owner | Ransomware incident or cyber insurance requirement |
| Mid-market direct (500-2,500 employees) | IT Director or CISO | Security Operations team | Corporate IT/security budget | Compliance mandate (SOC 2, PCI-DSS, HIPAA) | CISO or VP IT | Audit finding, compliance deadline, or board mandate |
| Healthcare / HIPAA-regulated | CIO or CISO | Clinical IT and compliance team | Healthcare operations/IT budget | HIPAA data protection and CISA healthcare alerts | CIO/CFO sign-off | HIPAA audit, OCR investigation, or ransomware on competitor clinic |
| K-12 and higher education | IT Director or Superintendent | School IT department | E-Rate funded cybersecurity; state grants | Ransomware on school districts (national trend) | School board / Superintendent | School district ransomware incident or state mandate |
| Aviation and transportation | CISO or IT Director | IT/OT security team | Compliance-driven cybersecurity budget | PCI-DSS, TSA cybersecurity directives, NIST | CISO with CFO approval | Regulatory directive or cyber insurance premium increase |
The MSP channel is ThreatLocker's primary GTM, targeting segments 1-2. Segments 3-5 reflect verticals with publicly referenced ThreatLocker logos (Hattiesburg Clinic, Niles Community Schools, JetBlue/Emirates). Adoption triggers are dominantly ransomware incidents and regulatory compliance requirements.
[CM006, CM007, CM020, CM021, CM036, CM037]2.4 Growth Drivers and Adoption Constraints
ThreatLocker's growth environment is shaped by reinforcing structural tailwinds and two material constraints with direct operational implications. The dominant growth driver is escalating ransomware frequency and sophistication. Verizon's 2025 Data Breach Investigations Report shows ransomware appearing in 44% of breaches, with each incident validating the default-deny application allowlisting model and generating inbound pipeline for ThreatLocker within the MSP community. Regulatory mandates represent a second structural driver: CISA's Zero Trust Maturity Model, Executive Order 14028 on Improving the Nation's Cybersecurity, and NIST SP 800-207 collectively drive compliance programs requiring explicit endpoint control capabilities in federal and enterprise accounts. The NIS2 Directive extends this mandate to European essential services operators, expanding the addressable geographic market. A third near-term driver is cyber insurance underwriting: major insurers now require documented application control, MFA, and endpoint protection as conditions of SMB and mid-market coverage, directly mandating ThreatLocker-equivalent capabilities for policyholders who seek affordable premiums. The MSP market's approximately 11% annual growth rate acts as a force multiplier on ThreatLocker's channel revenue—each net new MSP adopting ThreatLocker brings an entire SMB client book without additional direct sales effort. ConnectWise's 2025 MSP Threat Report confirms that more than 75% of surveyed MSPs are increasing security budgets in response to ransomware and regulatory pressure, validating the demand environment. The primary constraint is allowlisting operational complexity: building an accurate allowlist generates false positives during policy setup and requires skilled MSP personnel to manage, elevating churn risk during onboarding. ThreatLocker's Cyber Hero 24/7 support team is the primary mitigation, but this constraint limits adoption velocity. The second constraint is Microsoft Defender for Business, which bundles endpoint protection with Microsoft 365 at zero marginal cost to SMBs already paying for Microsoft 365, compressing SMB willingness-to-pay for additional endpoint security tools and requiring ThreatLocker to articulate specific differentiation over the free bundled alternative. [CM009, CM010, CM011, CM012, CM013, CM016]
| Factor | Direction | Timing | Implication for ThreatLocker | Diligence Ask |
|---|---|---|---|---|
| Rising ransomware frequency and sophistication | Driver | Ongoing; 2026+ | Each ransomware incident validates default-deny proposition and creates MSP pipeline | Validate with pipeline data: is ransomware-driven inbound growing? |
| Zero trust government mandates (CISA, EO 14028, NIS2) | Driver | Medium-term; 2025-2027 regulatory cycle | Federal and enterprise compliance mandates create mandatory budget for ZTA tooling | Track CISA mandate specificity for endpoint allowlisting requirements |
| MSP market growth and consolidation | Driver | Short-term; 2025-2026 | Growing MSP base increases distribution capacity; consolidation may increase deal size | Monitor PSA/RMM platforms (ConnectWise, Kaseya) for ThreatLocker integration depth |
| Cyber insurance underwriting requirements | Driver | Short-term; 2025-2026 | Insurers requiring endpoint allowlisting as coverage condition directly mandates tooling | Validate with insurance partner network data on mandate frequency |
| Microsoft Defender bundling and pricing | Constraint | Ongoing | Microsoft bundled endpoint protection reduces SMB budget for additional tools | Monitor Defender for Business feature parity with ThreatLocker PAM/allowlisting |
| Allowlisting operational complexity (false positives) | Constraint | Near-term | Customer friction during policy setup can increase churn risk; requires skilled MSP | Validate time-to-value and onboarding churn with MSP partner interviews |
| SMB IT budget pressure and recession sensitivity | Constraint | Cyclical | SMBs cut discretionary IT spend in downturns; SaaS cybersecurity faces churn headwinds | Request cohort retention data to quantify budget-cut sensitivity |
Drivers outweigh constraints for ThreatLocker's medium-term growth. The allowlisting complexity constraint is the key operational risk; ThreatLocker's Cyber Hero 24/7 support model is the primary mitigation. Microsoft Defender bundling is the primary competitive pricing pressure in the SMB segment.
[CM009, CM010, CM013, CM016, CM017, CM019]03Competitors
3.1 Competitive Landscape Overview
The global endpoint security market is organized around a fundamental architectural divide: default-deny versus default-allow. Default-allow platforms — comprising CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Business, Malwarebytes ThreatDown, Bitdefender GravityZone, and Carbon Black — permit all software to execute by default and rely on behavioral detection, machine learning, and threat intelligence feeds to identify malicious behavior after it attempts to run. This detection-first model is effective against known threat signatures but structurally exposes a window during which novel ransomware, fileless malware, and zero-day exploits may execute before behavioral patterns are recognized. ThreatLocker inverts this model entirely: its default-deny architecture prevents any unapproved application from executing regardless of whether a threat signature exists, eliminating the detection window as an architectural property rather than relying on signature coverage breadth. This structural difference is ThreatLocker's core value proposition and primary differentiation from all seven profiled competitors across all four competitive categories: enterprise EDR/XDR (CrowdStrike, SentinelOne), bundled security suites (Microsoft Defender), SMB-focused managed endpoint security (Malwarebytes ThreatDown, Bitdefender GravityZone), and enterprise behavioral detection (Carbon Black via Broadcom). The competitive positioning map illustrates this differentiation visually, placing ThreatLocker uniquely in the upper-right quadrant combining maximum Zero Trust strictness with highest SMB and MSP channel fit — a quadrant no profiled competitor occupies simultaneously. Microsoft Defender occupies high SMB penetration but low Zero Trust strictness; CrowdStrike and SentinelOne achieve moderate Zero Trust features but low MSP-native distribution; Malwarebytes and Bitdefender have MSP reach but minimal Zero Trust depth. ThreatLocker's uniqueness in this two-dimensional space is its most durable competitive position, though the durability of that position faces displacement risks from incumbents building allowlisting add-ons and AI-native new entrants. [CP001, CP005, CP014, CP015, CP029]
| Competitor | Category | Scale / Funding | Target Segment | Differentiation | Key Limitation |
|---|---|---|---|---|---|
| CrowdStrike Falcon | Enterprise EDR/XDR | $3.1B ARR FY2025; NASDAQ-listed; 29,000+ customers | Mid-market and enterprise (250+ endpoints) | AI-driven threat detection; Falcon platform breadth; XDR telemetry | Default-allow philosophy; expensive for SMB; no MSP-first model |
| SentinelOne Singularity | Enterprise AI-EDR | $936M ARR FY2026; NYSE-listed; autonomous AI-driven | Enterprise (500+ endpoints) | Autonomous AI response; Purple AI analyst; strong enterprise features | Default-allow; complex management; premium pricing limits SMB penetration |
| Microsoft Defender for Business | Bundled Endpoint Security | Bundled with M365; hundreds of millions of Windows devices | SMB (<300 seats) and enterprise via Microsoft 365 licensing | Free/bundled with Windows; deep Microsoft integration; Intune management | Default-allow; reactive detection; limited application control; no MSP-native billing |
| Cisco Secure Endpoint (formerly AMP) | Enterprise Endpoint AV/EDR | Cisco FY2025 $57B revenue; endpoint segment undisclosed | Enterprise and mid-market; Cisco ecosystem customers | Cisco network integration; threat intelligence from Talos; compliance features | Default-allow; complex integration; limited SMB/MSP distribution; slower innovation pace |
| Malwarebytes for Teams/ThreatDown | SMB EDR/AV | Private; acquired by Vector Capital 2023; SMB-focused | SMB (<250 employees) via direct and MSP | Affordable SMB pricing; well-known brand; AV heritage; MSP integration via OneView | Detection-based; no application allowlisting; limited Zero Trust features |
| Bitdefender GravityZone | SMB/MSP Endpoint Security | Private; Series B $100M+ in 2021; 1,600+ MSP partners | SMB to mid-market primarily via MSP channel | MSP-native management; multi-tenant; competitive pricing; good G2 reviews | Default-allow; no application allowlisting; less differentiated in zero trust positioning |
| Carbon Black (Broadcom/VMware) | Enterprise EDR/Behavioral | Part of Broadcom; VMware Carbon Black portfolio | Enterprise (1,000+ endpoints); Broadcom ecosystem | Behavioral endpoint detection; compliance reporting; enterprise governance | Broadcom acquisition integration disruption; default-allow; limited SMB/MSP reach |
Sources: CrowdStrike FY2025 earnings (SP008), SentinelOne FY2026 earnings (SP009), Microsoft (SP010), Cisco annual report (SP011). Malwarebytes/ThreatDown (SP012), Bitdefender (SP013), Carbon Black (SP014). SMB segment definitions vary by vendor.
[CP001, CP002, CP003, CP009, CP010, CP011]ThreatLocker uniquely occupies the high-SMB-fit / high-Zero-Trust-strictness quadrant with no direct competitor.
[CP014, CP015, CP029]3.2 Competitor Profiles and Comparison
CrowdStrike Falcon is the dominant enterprise EDR/XDR platform with $3.1 billion in annual recurring revenue for fiscal year 2025 (ended January 31, 2025) and more than 29,000 subscription customers, deployed primarily in mid-market and enterprise organizations. Its AI-driven Falcon platform offers superior threat detection breadth, XDR telemetry integration, and identity threat protection, but operates on a default-allow philosophy and is priced at $299.99 to $924.99 or more per endpoint per year at list rates — a premium that limits SMB penetration. CrowdStrike's MSP distribution channel is limited relative to ThreatLocker's MSP-native model. SentinelOne Singularity reported $936 million in ARR for fiscal year 2026 (ended January 31, 2026) and differentiates through autonomous AI-driven threat response and its Purple AI analyst assistant. Like CrowdStrike, it uses a default-allow model and is priced at $69.99 to $229.99 or more per endpoint per year at list rates. Microsoft Defender for Business represents the most significant pricing constraint in the SMB market, bundled within Microsoft 365 Business Premium at $22 per user per month alongside email, identity, and compliance tools, and available standalone at $3 per user per month. Its default-allow architecture and absence of application allowlisting anchor the SMB pricing floor and constrain what MSP-delivered endpoint security vendors can charge. Malwarebytes ThreatDown, rebranded following Vector Capital's 2023 acquisition, focuses on SMB EDR through its MSP-native OneView console at competitive price points but offers no application allowlisting or default-deny capability. Bitdefender GravityZone claims 1,600 or more MSP partners and provides multi-tenant MSP management and competitive pricing but also operates on a default-allow model. Carbon Black, now under Broadcom following the VMware acquisition completed in November 2023, has experienced channel disruption and limited competitive momentum in the SMB and MSP segments. The feature and pricing comparison tables document these differences systematically across six vendors and five key capability dimensions. [CP001, CP002, CP003, CP004, CP005, CP006]
| Capability | ThreatLocker | CrowdStrike | SentinelOne | Microsoft Defender | Malwarebytes | Bitdefender |
|---|---|---|---|---|---|---|
| Application Allowlisting (default-deny) | Core (primary architecture) | Limited add-on | Limited add-on | Not available | Not available | Not available |
| Behavioral Threat Detection / AI EDR | Limited | Core (leading AI) | Core (autonomous AI) | Core (integrated) | Core | Core |
| MSP-Native Multi-Tenant Management | Core (primary GTM) | Limited | Limited | Limited | Strong (OneView) | Strong (GravityZone) |
| ZTNA / Zero Trust Network Access | Launched March 2026 | Available (Falcon Zero Trust) | Available (Singularity Access) | Available (Conditional Access) | Not available | Not available |
| Privileged Access Management / PAM | Available (Elevation Control) | Available (Falcon Identity) | Partial (via partnership) | Available (Defender for Identity) | Not available | Limited |
Cells reflect vendor-disclosed capabilities as of Q1 2026. Limited indicates capability exists as add-on or partial implementation. ThreatLocker behavioral detection is limited because its default-deny architecture prevents most threats from executing, making behavioral detection less central to its security model.
[CP014, CP015, CP021, CP029, CP037]| Vendor | Primary Unit | List Pricing (if disclosed) | Included Capabilities | SMB Discounts / Unknowns | Key Implication |
|---|---|---|---|---|---|
| ThreatLocker | Per endpoint per month (via MSP) | Not publicly disclosed; MSP negotiated | All modules included in single subscription | MSP volume pricing; not disclosed publicly | Opaque list pricing; MSP channel pricing strategy hides real CAC and ASP |
| CrowdStrike Falcon Go/Pro/Enterprise | Per endpoint per year | $299.99-$924.99+/endpoint/year (list) | Tiered by module bundle; AI detection, identity, threat intel | EDU/NGO discounts; volume tiers | Premium pricing positions for mid-market; competitive pressure from Microsoft at SMB |
| SentinelOne Core/Control/Complete | Per endpoint per month | $69.99-$229.99+/endpoint/year (list) | AI detection, auto-remediation, threat hunting | Academic and MSP pricing via distributors | Expensive for SMB; designed for enterprise-scale contracts |
| Microsoft Defender for Business | Per user per month (M365 bundle) | $3/user/mo (standalone); $22/user/mo Business Premium bundle | Endpoint protection, identity, email, compliance (in bundle) | Included in M365 Business Premium -- strong SMB value | Price anchor constraint for all SMB vendors; competes on bundled value |
| Malwarebytes ThreatDown | Per endpoint per month | $49.99-$99.99+/endpoint/year (list) | AV, EDR, DNS filtering; tiered packages | MSP pricing via volume tiers; generally below CrowdStrike | Price-competitive SMB entry; lacks application allowlisting |
ThreatLocker does not publish list pricing. CrowdStrike and SentinelOne pricing from published list rates; actual contract pricing discounted 20-50%+ for large deals. Microsoft Defender is effectively free for M365 Business Premium subscribers, setting a price floor that constrains the SMB market. Malwarebytes pricing from published ThreatDown product pages.
[CP006, CP007, CP025, CP026, CP027, CP031]ThreatLocker leads on allowlisting and MSP management; CrowdStrike and SentinelOne lead on behavioral AI EDR.
[CP012, CP014, CP015, CP021, CP029, CP037]3.3 Moat, Switching Costs, and Distribution
ThreatLocker's competitive moat rests on four reinforcing mechanisms that deepen with customer tenure: allowlist policy lock-in, MSP channel depth, Cyber Hero support differentiation, and Zero Trust World community mindshare. Allowlist policies — the core operational data asset accumulated by ThreatLocker customers over months and years of deployment — represent the highest-durability moat element. Each client's allowlist encodes specific application workflows, approved software versions, and organizational exception logic that would require complete recreation in any competing platform. This switching cost is architecturally distinct from generic SaaS churn barriers: allowlists are not portable to default-allow EDR platforms such as CrowdStrike or SentinelOne, because those platforms do not have a comparable allowlist enforcement model. Switching requires not only a software migration but a fundamental security architecture change from prevention-first to detection-first, a decision that exposes the organization to a security posture gap during the transition period. ThreatLocker's MSP channel depth — with integrations spanning 1,600 or more MSP partner ecosystems including ConnectWise, Kaseya, and Datto — constitutes a distribution moat built over years. ConnectWise, Kaseya, and Datto are the dominant RMM and PSA platforms in North American MSP markets; deep integrations with these platforms make ThreatLocker a natural selection when MSPs standardize their security stack. The Cyber Hero 24/7 engineer-staffed support model directly addresses the primary onboarding friction in allowlisting adoption. G2 scores of 4.8 out of 5 for ThreatLocker versus 4.6 for CrowdStrike reflect superior ease-of-use and customer support ratings across independent reviews, and Gartner Peer Insights scores of 4.8 out of 5 from 79 ratings corroborate this satisfaction signal. Zero Trust World, ThreatLocker's annual MSP-focused conference, deepens community identity around the default-deny philosophy and creates reputational reinforcement beyond the product itself. [CP012, CP013, CP016, CP017, CP027, CP030]
| Moat Claim | Threat / Risk | Severity | Mitigation / Diligence Ask |
|---|---|---|---|
| Default-deny architecture creates policy lock-in -- allowlists are data assets | CrowdStrike or SentinelOne build credible allowlisting with AI-assisted policy automation; reduces switching cost advantage | High | Request customer churn and expansion data; validate how sticky allowlists are in practice |
| MSP channel dominance and 1,600+ MSP partner integrations | ConnectWise, Kaseya, or Datto integrate competing tools more deeply into MSP stack; or large MSPs build proprietary security tools | Medium | Audit integration depth with top 10 MSP RMM/PSA platforms; understand exclusivity arrangements |
| Zero Trust World conference mindshare in MSP community | Microsoft, Palo Alto Networks, or CrowdStrike leverage marketing scale to capture Zero Trust mindshare across channels | Medium | Track search interest, G2 category share, and event attendance trends over time |
| Cyber Hero 24/7 engineer-staffed support as differentiator | SentinelOne or CrowdStrike improve SMB support tier; or MSPs internalize support capability reducing ThreatLocker value-add | Low | Customer NPS and support resolution time data from MSP partner interviews |
| First-mover in MSP-delivered application allowlisting (since 2017) | New entrant with AI-native allowlisting (e.g. Illumio, Zero Networks) disrupts traditional approach with lower-friction deployment | High | Monitor AI-native application control startups; validate deployment time metrics vs. competitors |
Moat assessment based on product architecture analysis, G2 customer reviews, competitor product roadmaps, and analyst commentary. Severity ratings are qualitative analyst assessments. Independent validation requires customer interviews and competitive pipeline win/loss data.
[CP016, CP028, CP030, CP032, CP033, CP036]ThreatLocker shows strong customer satisfaction and MSP channel scale; policy lock-in and time-to-value remain qualitative.
[CP012, CP013, CP016, CP017, CP018, CP032]3.4 Competitive Risks and Displacement
ThreatLocker's moat faces five material threats requiring active monitoring. First, Microsoft Defender for Business, bundled at zero marginal cost within Microsoft 365 Business Premium at $22 per user per month, creates a structural pricing ceiling in the SMB segment. SMBs already subscribing to M365 Business Premium for productivity receive endpoint protection without incremental budget allocation, constraining ThreatLocker's pricing power and requiring its incremental security benefit to be sufficiently articulated to justify additional per-endpoint spend. Second, CrowdStrike and SentinelOne have both added limited application control features as optional add-on modules — a signal that allowlisting is gaining mindshare in the default-allow camp. Neither has repositioned as a default-deny platform, but AI-assisted policy automation could reduce the operational complexity barrier that historically protected ThreatLocker by making allowlist creation faster and less expert-intensive. If either enterprise EDR vendor delivers credible AI-native allowlisting with reduced onboarding friction, ThreatLocker's switching cost advantage narrows materially. Third, AI-native microsegmentation and zero trust enforcement vendors including Illumio and Zero Networks represent an emerging category approaching zero trust from the network segmentation layer rather than the endpoint agent, potentially capturing security architects who prefer network-layer enforcement. Fourth, ThreatLocker's absence from the Gartner Magic Quadrant for Endpoint Protection Platforms — which covers CrowdStrike, SentinelOne, Microsoft, and Palo Alto Networks — creates a brand visibility gap in enterprise direct-sales expansion outside the MSP community. Fifth, no public win-loss or churn data is available to verify ThreatLocker's retention claims, and community forum signals on operational friction exist but are not accessible through structured sources. Carbon Black's Broadcom acquisition disruption illustrates both the risk of institutional dislocation and the opportunity it creates for ThreatLocker to capture displaced enterprise accounts. Independent of MSP channel displacement risk is the question of whether ConnectWise, Kaseya, or Datto might deepen competing tool integrations or build proprietary security offerings that reduce ThreatLocker's distribution exclusivity. [CP024, CP028, CP029, CP031, CP034, CP037]
04Financials
4.1 Revenue Model and Pricing
ThreatLocker's revenue model is a recurring per-endpoint monthly subscription delivered primarily through Managed Service Provider partners who bundle it into their managed security stack. MSP partners collect the full managed security fee from SMB clients and remit a portion to ThreatLocker, making MSPs the primary revenue delivery channel for the majority of the company's approximately 70,000 protected organizations. A smaller segment of enterprise organizations in healthcare, aviation, education, and financial services purchase ThreatLocker under annual or multi-year contracts through direct sales. No revenue split between MSP-delivered and direct enterprise channels has been publicly disclosed. Pricing is opaque by design. ThreatLocker does not publish list pricing for any subscription tier; all pricing is negotiated through MSP volume agreements or direct enterprise contracts. This channel-mediated approach protects competitive positioning but makes it impossible to verify average selling prices from public sources. CrowdStrike's published list pricing of $299.99 to $924.99 per endpoint per year provides a competitive anchor; ThreatLocker likely prices below enterprise EDR incumbents given its SMB-first MSP channel positioning. ThreatLocker's module expansion strategy is a critical revenue quality driver. With thirteen or more modules available including Ringfencing, Storage Control, Network Control, PAM, ZTNA, and ZTCA, the platform offers meaningful upsell pathways that drive net revenue retention above 100% for customers expanding their Zero Trust stack. Five new modules launched at Zero Trust World 2025, and ZTNA and ZTCA launched in March 2026, expanding both addressable contract value per customer and the total addressable market. The revenue model bridge illustrates how MSP and direct channels generate gross subscription revenue, with MSP take-rates reducing net revenue before COGS, and module expansion driving net revenue retention. The Cyber Hero unlimited support model is included in the subscription cost and represents a cost center that may compress gross margin relative to platforms with tiered support pricing. [CI001, CI002, CI004, CI013, CI015, CI016]
| Revenue Stream | Mechanism | Unit | Current Value / Status | Quality Assessment | Diligence Ask |
|---|---|---|---|---|---|
| MSP Subscription (Core) | Monthly per-endpoint fee bundled into MSP's managed security stack; MSP collects from SMB client and remits to ThreatLocker | Per endpoint per month (recurring) | ~$71.5M ARR est. (Tracxn 2025); not confirmed by company | Recurring, high-quality SaaS revenue; strong visibility for MSPs; low contract risk at SMB scale | Confirm ASP per endpoint; request average endpoints per MSP client and MSP cohort retention data |
| Direct Enterprise Subscription | Annual or multi-year contract with enterprise organizations (500-2,500+ endpoints) via direct sales | Per endpoint per year (annual contract) | Not disclosed separately; included in total ARR estimate | High-value, high-retention; compliance-driven stickiness in healthcare, aviation, education verticals | Request enterprise vs. MSP revenue split; enterprise contract terms and renewal rates |
| Professional Services / Onboarding | Implementation and onboarding assistance for large enterprise deployments; not standard for MSP-channel SMBs | Time-and-materials or fixed fee | Believed minimal; not disclosed; Cyber Hero support included in subscription | Low-margin, non-recurring; typically minimal for SaaS platforms with strong self-service/MSP delivery | Confirm PS revenue as % of total; validate whether Cyber Hero support is included or billed separately |
| Module Upsell / Expansion Revenue | Additional modules (Ringfencing, Storage Control, Network Control, PAM, ZTNA, ZTCA) sold to existing customers expanding their Zero Trust stack | Per module add-on or bundled tier upgrade | Growing; 5 new modules launched at ZTW 2025; ZTNA/ZTCA March 2026 launch expands SAM | Net revenue retention indicator: expansion revenue from existing base is high-quality and margin-accretive | Request NRR, module attach rates, and upsell conversion rates from MSP partners |
| ThreatLocker Training / Certification | Zero Trust World conference, online training, and certification programs for MSPs and practitioners | Per seat or event registration | Incidental; Zero Trust World 2025 held in Orlando; not separately disclosed | Low revenue, high brand-value channel investment; unlikely to be material to P&L | Confirm whether conference/training revenue is disclosed or consolidated into total ARR |
Revenue composition based on ThreatLocker official platform page, CRN channel coverage, and TMCnet. No revenue split between MSP and direct, or by module, has been disclosed. Tracxn and Latka estimates are third-party only.
[CI001, CI002, CI015, CI021, CI027]| Offering | List Pricing | Contract Model | Disclosed or Estimated | Key Implication |
|---|---|---|---|---|
| ThreatLocker Platform (via MSP) | Not publicly disclosed | Monthly recurring; MSP-negotiated volume discounts | Not disclosed — MSP-mediated pricing strategy | Opaque list pricing is typical for channel-first SaaS; hides true ASP and competitive price sensitivity from public |
| ThreatLocker Enterprise (direct) | Not publicly disclosed; estimated $50-150/endpoint/year | Annual multi-year contract; enterprise-negotiated | Estimated from industry benchmarks; not confirmed | Enterprise contract pricing likely higher than MSP-bundled per-endpoint rate; compliance verticals may support premium |
| Module Add-ons (Ringfencing, Storage, etc.) | Not publicly disclosed | Included or tiered add-on; not separately listed | Not disclosed | Module pricing strategy not visible; unknown whether platform is sold all-inclusive or tiered by feature set |
| ZTNA / ZTCA (launched March 2026) | Not publicly disclosed | Per-endpoint extension or new tier; not announced | Not disclosed; launched March 2026 | Network and cloud access modules expand potential ACV; pricing strategy TBD and may drive significant per-customer uplift |
| CrowdStrike Falcon (benchmark) | $299.99-$924.99/endpoint/year (list pricing) | Annual per-endpoint; volume discounts 20-40% | Published list pricing — CrowdStrike website | Competitive price anchor: ThreatLocker must position below CrowdStrike or justify premium via zero-trust differentiation |
ThreatLocker does not publish list pricing. Enterprise pricing of $50-$150/endpoint/year is analyst-derived from industry benchmarks and competitive positioning. CrowdStrike list pricing from published product pages as a market reference point.
[CI015, CI016, CI018]MSP channel and direct enterprise sales generate gross subscription revenue; MSP take-rates reduce net revenue; module expansion drives NRR above 100%.
[CI001, CI016, CI021]4.2 Unit Economics and Margin Analysis
ThreatLocker's unit economics are substantially unknown from public sources. No gross margin, customer acquisition cost, average contract value, net revenue retention, payback period, or burn rate has been disclosed by the company or confirmed by a credible primary source. The unit economics table documents six core metrics and assigns each a low confidence rating given the absence of primary data, while the unit economics bridge illustrates the qualitative flow from new partner onboarding through per-endpoint revenue generation, gross margin capture, CAC recovery, and lifetime value expansion via module upsell. Benchmarking from SaaS peers provides proxy estimates for ThreatLocker's potential margin range. CrowdStrike reported a non-GAAP gross margin of approximately 75% for fiscal year 2025, and SentinelOne reported approximately 74% for fiscal year 2026. These benchmarks establish a 70-80% gross margin range as plausible for a comparable endpoint security SaaS platform. However, ThreatLocker's heavy MSP channel reliance introduces a structural headwind: MSP partners typically apply a 30-50% take-rate on managed security spending, which may reduce ThreatLocker's effective gross revenue per endpoint below list pricing and compress gross margin below the pure-play SaaS peer benchmark if the estimates in those benchmarks reflect direct-to-enterprise economics. Implied unit economics can be estimated from the publicly available customer count of 70,000 or more organizations as of March 2026 and the third-party ARR estimate of $71.5 million from Tracxn 2025. This implies an average revenue per organization of approximately $1,000 per year, consistent with a 50-150 endpoint SMB customer base at approximately $8-15 per endpoint per month. With approximately 700 employees and $71.5 million estimated ARR, ThreatLocker's ARR per employee ratio of approximately $102,000 is below best-in-class SaaS efficiency but consistent with a company in rapid headcount growth investing heavily in R&D, sales, and support infrastructure. High G2 and Gartner Peer Insights scores of 4.8 out of 5 are positive leading indicators of customer satisfaction and low voluntary churn, which supports the thesis that net revenue retention is likely above 100%. [CI003, CI005, CI009, CI010, CI013, CI023]
| Metric | Value / Status | Confidence | Why It Matters | Diligence Ask |
|---|---|---|---|---|
| Gross Margin | Not disclosed; SaaS endpoint security peers: 70-80% gross margin | Low — estimated from SaaS peer benchmarks | Determines capital efficiency and path to profitability; 70%+ gross margin typical for pure-play endpoint SaaS | Request audited or management-reported gross margin; compare to CrowdStrike (75%) and SentinelOne (74%) benchmarks |
| Customer Acquisition Cost (CAC) | Not disclosed; MSP channel structure reduces direct CAC vs. enterprise-direct | Low — no data | Channel-first GTM typically lowers direct CAC but reduces gross margin from reseller take-rate; critical for capital efficiency assessment | Request CAC by channel (MSP vs. direct); understand MSP referral incentives and take-rate structure |
| Average Contract Value (ACV) | Not disclosed; est. $1,000-3,000/year per organization (50-150 endpoints avg, $10-20/endpoint/month) | Low — analyst-derived estimate | ACV determines LTV and CAC payback; if avg org is 100 endpoints at $10/mo = $12k/yr ACV, payback logic changes significantly | Request ACV by segment (SMB vs. enterprise) and average endpoint count per customer |
| Net Revenue Retention (NRR) | Not disclosed; likely 100-115%+ based on module expansion trajectory | Low — estimated | NRR above 100% indicates organic growth from existing customers via module upsell; key SaaS quality indicator | Request trailing 12-month NRR across MSP and direct channels; especially module attach rates |
| Payback Period (CAC recovery) | Not disclosed; est. 12-18 months for MSP-delivered based on industry benchmarks | Low — estimated | Payback under 18 months at scale suggests capital-efficient growth; shorter than CrowdStrike's estimated 24-month payback | Request CAC + first-year ACV by cohort vintage to calculate actual payback by channel |
| Burn Rate / Profitability | Not disclosed; small Series E ($60M on $1.2B valuation) suggests near-breakeven or profitable | Low — inferred from financing behavior | Series E size relative to valuation step suggests either high profitability or targeted capital use; investor confidence signal | Request current monthly burn rate, runway at current spend, and whether company is EBITDA-positive |
All unit economic values are analyst-derived estimates from SaaS industry benchmarks and competitor disclosures. ThreatLocker has not confirmed any of these metrics. Gross margin peer benchmarks from CrowdStrike FY2025 and SentinelOne FY2026 public earnings.
[CI005, CI006, CI009, CI010, CI013]Qualitative unit economics flow from MSP partner signing through per-endpoint revenue, gross margin, payback, and LTV expansion via module upsell.
[CI005, CI009, CI010, CI035]4.3 Financial Traction and Capital Adequacy
ThreatLocker has raised approximately $253.6 million in total equity funding through April 2025. The funding trajectory is notable for its acceleration: a $115 million Series D at a $750 million valuation in April 2024, followed by a $60 million Series E at a $1.2 billion post-money valuation just twelve months later. The 60% valuation step-up with a small capital raise is the strongest available public signal of financial health. In the venture capital market, companies typically raise primary capital in proportion to their burn rate and growth ambitions. A $60 million raise at a $1.2 billion valuation suggests ThreatLocker was not in urgent need of large primary capital, implying either positive cash flow, near-breakeven operations, or a targeted use of funds for specific infrastructure investment. Arthur Ventures and CR2 Ventures led the Series E, with Elephant Venture Capital and StepStone Group as returning investors, reflecting continued institutional conviction in the company's trajectory. Primary press releases for the Series E on PR Newswire and BusinessWire returned 404 errors at time of research, but the round is corroborated by PremierAlts and Tracxn data. Headcount growth from approximately 200 employees in 2023 to approximately 700 by March 2026 represents a 250% increase in roughly 30 months and is the primary observable cost proxy. Separately, ThreatLocker announced 14 new data centers in 2025-2026, 12 in the United States and one each in Saudi Arabia and Abu Dhabi, indicating meaningful capital expenditure for infrastructure expansion alongside its headcount investment. No public debt instruments, credit facilities, or off-balance-sheet financing have been identified from public sources. Two financial risk factors require monitoring. First, ThreatLocker filed a lawsuit against Charles Schwab Corporation (Case 6:2025cv00923, M.D. Fla., May 2025), described in available reporting as a contract or lease dispute. The financial exposure is unknown and not publicly disclosed; a material adverse judgment could affect capital adequacy. Second, ThreatLocker's module launch cadence and data center expansion are expected to increase capital intensity in 2026, though the exact burn trajectory is unverifiable without management financial data. The financial estimate range and capital intensity map capture the uncertainty in ARR trajectory, gross margin, and runway estimates across plausible scenarios. [CI006, CI007, CI008, CI011, CI012, CI014]
| Item | Current Status / Value | Confidence | Diligence Ask |
|---|---|---|---|
| Total Equity Raised (all rounds) | ~$253.6M through April 2025 Series E; See Company Overview for round-by-round chronology | Medium — third-party corroborated; primary Series E PR broken | Verify with primary funding documents; confirm exact amounts per round from ThreatLocker or lead investors |
| Cash on Hand | Not disclosed; estimated $50-100M based on Series E raise ($60M) minus burn since April 2025 | Low — estimated; no public disclosure | Request current cash balance, investment account composition, and treasury strategy from management |
| Monthly Burn Rate | Not disclosed; inferred to be low given small Series E vs. valuation step-up | Low — inferred | Request monthly burn rate trend over trailing 12 months; understand how headcount growth affects burn trajectory |
| Runway | Not disclosed; estimated 18-36+ months if burn rate is moderate relative to $60M raise | Low — estimated | Confirm current runway; understand next-round trigger conditions and whether company targets profitability before next raise |
| Debt / Project Finance Obligations | Not publicly disclosed; no credit facility announcements found | Low — absence of evidence | Request any debt instruments, credit facilities, equipment leases, or project finance obligations; confirm no off-balance-sheet liabilities from data center buildout |
Capital adequacy estimates are analyst-derived. Total raised is third-party corroborated ($253.6M). Cash, burn, and runway are not disclosed; estimates derived from financing behavior (small raise vs. large valuation step-up) and industry benchmarks for ~700-person SaaS companies.
[CI006, CI007, CI008, CI022, CI031]ThreatLocker ARR estimated $65-85M in 2025 (Tracxn base $71.5M); gross margin benchmarked 65-82%; cash runway estimated 18-48 months from April 2025 raise.
[CI003, CI004, CI006, CI009, CI010]VC equity ($253.6M total) funds headcount, 14-DC infrastructure, MSP channel, and 13+ module R&D; operating cash flow estimated near-breakeven based on Series E size signal.
[CI006, CI007, CI020, CI037]4.4 Financial Verdict and Diligence Blockers
ThreatLocker's financial profile exhibits strong revenue quality characteristics despite significant disclosure gaps. The core subscription model is recurring, per-endpoint, driven by compliance mandates and allowlist policy lock-in, with low churn risk and high revenue visibility. MSP-delivered SMB revenue provides broad geographic and customer diversification without concentrated enterprise credit risk. At approximately 16-17x estimated ARR, ThreatLocker's $1.2 billion valuation exceeds the current public market median for endpoint security software, reflecting investor confidence in the growth trajectory and market opportunity. The MSP channel's lower direct customer acquisition cost relative to enterprise- direct models provides structural capital efficiency that may support faster-than- expected progress toward profitability. Comparison to public peers illustrates the gap in absolute scale: CrowdStrike's ARR of $3.1 billion is approximately 43 times ThreatLocker's estimated ARR, and SentinelOne's $936 million ARR is approximately 13 times larger. This gap indicates ThreatLocker is at an early-to-mid growth stage with substantial runway within the $42.28 billion global zero trust security market, where its approximately $71.5 million ARR represents less than 0.2% of total addressable market. The subscription model has low revenue recognition risk relative to enterprise license or usage-based models, and no evidence of pricing pressure, contract non-renewals, or large-scale customer losses has been identified in public review data. The primary financial diligence blockers are documented in the public financial gaps table and represent the core constraints on quantitative underwriting. Without management-reported ARR growth, gross margin, net revenue retention, and CAC data, it is not possible to model ThreatLocker's intrinsic value with precision. A private due diligence process requiring the latest board financial package including an ARR bridge, income statement with COGS detail, cohort-level NRR, and CAC by channel would substantially close these gaps. The ThreatLocker v. Charles Schwab litigation represents an unquantified financial contingency that should be addressed in any acquisition or investment process. Family governance concentration across CEO, COO, and CTO roles also warrants assessment of alignment risk for minority shareholders in a potential liquidity scenario. [CI005, CI019, CI027, CI029, CI030, CI033]
| Missing Metric | Impact on Underwriting | Exact Diligence Path |
|---|---|---|
| ARR and revenue growth rate | Cannot model revenue trajectory, forecast accuracy, or valuation multiple; Latka and Tracxn estimates have wide uncertainty bands | Request management-reported ARR bridge (monthly/quarterly) for trailing 24 months from ThreatLocker CEO/CFO in private due diligence |
| Gross margin | Cannot determine capital efficiency, path to profitability, or unit economics; SaaS peer benchmarks suggest 70-80% but unconfirmed | Request audited income statement or management accounts showing COGS breakdown (infrastructure, support, channel take-rate); compare to CrowdStrike (75%) and SentinelOne (74%) |
| Net Revenue Retention (NRR) | Cannot quantify organic growth from existing customer base; NRR above 100% is the key SaaS quality signal confirming module expansion thesis | Request cohort-level NRR data from finance team; interview top 10 MSP partners on module attach rate behavior |
| Customer Acquisition Cost and payback by channel | Cannot model capital intensity of growth or validate that MSP channel efficiency offsets lower direct margin; key for projecting capital needs | Request CAC by channel (MSP vs. direct enterprise), average endpoints per customer, and ACV by segment from ThreatLocker sales ops |
| Cash position and burn rate | Cannot assess runway, next-round timing, or whether the company needs capital before EBITDA breakeven; small Series E suggests disciplined spend but data absent | Request latest board financial package including cash balance, monthly P&L, and headcount plan from management or lead investors under NDA |
All metrics in this table are unavailable from public sources as of May 2026. ThreatLocker is private and has not disclosed operating financials. These are the primary blockers to financial underwriting in a potential investment or acquisition scenario.
[CI005, CI019]05Product & Technology
5.1 Product Architecture and Platform Design
ThreatLocker operates a cloud-managed, agent-based security platform built on a default-deny philosophy: every application, script, executable, and macro is blocked unless explicitly approved by an administrator. The platform consists of two primary components, a cloud-hosted management console where administrators configure and audit policies across all managed endpoints, and a lightweight kernel-level agent deployed on individual Windows and macOS endpoints that enforces those policies in real time. Because the agent enforces policy locally, endpoints remain protected even during temporary internet outages; the last-known approved policy continues to govern execution until connectivity is restored and policy can be refreshed. The cloud management console is multi-tenant by design, enabling Managed Service Providers to manage thousands of customer organizations from a single interface with full policy isolation between tenants. Policies are pushed from the console to agents automatically, and telemetry from endpoints flows back to the console for audit and alerting. The platform supports automated learning modes during onboarding, where the agent observes and catalogs all running software before switching to enforcement mode, reducing the policy-building burden. ThreatLocker expanded to 14 new data centers in 2025-2026, including 12 in the US, Saudi Arabia, and Abu Dhabi, to reduce policy-sync latency and support international data residency requirements for customers such as Emirates airlines and healthcare sector buyers. The cloud infrastructure provider has not been publicly named, representing a dependency risk that warrants diligence. [CE001, CE003, CE012, CE015, CE016, CE033]
| Module | Target User/Buyer | Maturity Status | Core Differentiation | Diligence Gap |
|---|---|---|---|---|
| Application Allowlisting | SMB and Enterprise via MSP | GA - core product since 2017 | Default-deny execution; no signatures; covers exe/script/macro | No published independent benchmark vs APT payloads |
| Ringfencing | SMB and Enterprise via MSP | GA - available since approximately 2019 | Restricts app resource access post-execution; trademarked IP | Competitor imitation risk; IP protection depth not audited |
| Storage Control | SMB and Enterprise via MSP | GA | Blocks unauthorized USB and network storage; prevents ransomware encryption of shares | Ransomware prevention efficacy data not published independently |
| Network Control | SMB and Enterprise via MSP | GA | Per-application network allowlisting; reduces C2 and lateral movement | Policy complexity for large heterogeneous endpoint fleets |
| PAM and Elevation Control | SMB and Enterprise via MSP | GA | Credential vaulting; app-level elevation without persistent admin | Depth vs CyberArk and BeyondTrust in enterprise PAM not benchmarked |
| EDR and MDR | MSP and Enterprise | GA | Behavioral detection layer on top of allowlisting prevention | EDR differentiation vs CrowdStrike and SentinelOne not benchmarked |
| ZTNA | Enterprise and MSP | GA - March 2026 | Identity-based remote access; replaces VPN; credential-attack resistant | Adoption metrics and reliability data not yet available as newly GA |
| ZTCA | Enterprise and MSP | GA - March 2026 | Cloud access governance for SaaS and IaaS; complements ZTNA | Architecture vs Zscaler and Netskope depth not independently reviewed |
Module maturity drawn from ThreatLocker official pages and PR Newswire March 2026 ZTNA/ZTCA announcement; ZTW 2025 modules omitted as roadmap/announced only.
[CE004, CE005, CE006, CE007, CE008, CE009]| Layer/Component | Role | Dependency | Risk |
|---|---|---|---|
| Cloud Management Console | Centralized multi-tenant policy configuration and telemetry aggregation | Cloud infrastructure provider not publicly named | Cloud outage delays policy updates; agents maintain last-known policy locally |
| ThreatLocker Agent (Windows) | Kernel-level enforcement of allowlisting, Ringfencing, Network and Storage Control | Windows OS kernel; compatibility with existing security tools | Faulty agent update can cause BSOD or application breakage; staged rollout required |
| ThreatLocker Agent (macOS) | Enforcement on Apple silicon and Intel macOS endpoints | macOS kernel extensions; Apple notarization and approval | Apple tightening of kernel extension access may require agent re-architecture |
| Cloud Policy Replication | Pushes policy changes from console to distributed agents globally | Reliable internet connectivity at managed endpoints | Agent policy lag during extended outage; local caching provides partial resilience |
| Data Center Network (14 centers) | Distributed policy sync, telemetry storage, and low-latency console access | Datacenter uptime; regional ISP connectivity for Saudi Arabia and Abu Dhabi | Single-region outage covered by multi-region redundancy; new international centers add operational complexity |
| RMM Integration Layer | Enables MSP deployment and management from existing RMM consoles | ConnectWise, Datto, NinjaRMM API stability and versioning | RMM API deprecation or platform changes can break MSP deployment pipelines |
Cloud infrastructure provider is inferred as a major public cloud; ThreatLocker has not publicly named its provider. Agent risk based on kernel-agent design patterns, not a published incident record.
[CE003, CE012, CE013, CE014, CE015, CE034]Eight-layer platform stack from cloud console and agent foundation through ZTNA/ZTCA at the network access tier.
[CE001, CE003, CE004, CE009, CE010, CE015]5.2 Core Security Modules
ThreatLocker's module stack is additive and sold per-endpoint, enabling MSPs to tier their security offering by customer risk tolerance and budget. The core Application Allowlisting module is the platform foundation: it prevents any unapproved application from executing regardless of whether the threat is known or unknown, making it effective against zero-day malware, ransomware, and supply-chain attacks. Ringfencing extends the control surface by restricting what resources, including files, registry entries, network endpoints, and other processes, an already-approved application can access, limiting lateral movement after a phishing or credential compromise event. Storage Control blocks unauthorized access to removable media such as USB drives and network shares, preventing data exfiltration and ransomware encryption of shared files. Network Control adds per-application network allowlisting so each application can only communicate with explicitly permitted IP addresses and ports. Privileged Access Management provides credential vaulting so privileged passwords are never exposed in plaintext, while Elevation Control lets individual applications request elevated privileges without granting persistent local admin rights. The platform also includes an EDR module for behavioral threat detection and an MDR service layer, rounding out the preventive allowlisting stack with reactive detection. Each module ships under the Cyber Hero unlimited support model, providing 24/7 direct engineer support to customers at no additional cost. Customer case studies confirm the platform's effectiveness: Niles Community Schools prevented a ransomware attack using ThreatLocker's allowlisting, and Hattiesburg Clinic deployed ThreatLocker for healthcare endpoint protection aligned with HIPAA security requirements. [CE004, CE005, CE006, CE007, CE008, CE019]
| User Job | Current Workflow Without ThreatLocker | ThreatLocker Solution | Measurable Benefit | Limitation |
|---|---|---|---|---|
| MSP preventing ransomware for SMB clients | Antivirus plus firewall; signature detection; reactive incident response | Allowlisting plus Ringfencing blocks all unknown executables before execution | Niles Community Schools prevented ransomware using ThreatLocker allowlisting | High initial onboarding complexity; policy tuning time-intensive for diverse software stacks |
| Enterprise preventing privilege abuse | Local admin rights distributed broadly; hard to revoke without workflow disruption | Elevation Control grants app-level elevation; PAM vaults privileged credentials | Reduced persistent admin surface without disrupting legitimate elevated workflows | PAM depth vs CyberArk and BeyondTrust in large enterprise not benchmarked |
| Healthcare protecting patient data under HIPAA | Separate DLP and AV tools; HIPAA audit requires detailed access logging | Storage Control plus Allowlisting blocks unauthorized data access and exfiltration | Hattiesburg Clinic uses ThreatLocker for healthcare endpoint protection | Covered entity retains HIPAA compliance responsibility; ThreatLocker is a control tool |
| Aviation enterprise managing remote endpoints | VPN-based remote access; multiple point security tools; complex MFA integration | ZTNA replaces VPN with identity-verified policy-driven network access | Emirates airlines is a named ThreatLocker customer; credential attack surface reduced | ZTNA and ZTCA are newly GA as of March 2026; enterprise-scale adoption data not yet available |
| MSP managing multi-tenant environments | Separate management consoles per customer; difficult unified visibility and policy | Multi-tenant cloud console with per-customer policy isolation and RMM integration | Single console supports management of 70,000 plus organizations across MSP channel | RMM API integration complexity varies by MSP platform; ConnectWise most deeply supported |
Named customer outcomes drawn from ThreatLocker success stories and case studies pages. Workflow limitations synthesized from Cybernews review and G2 review themes.
[CE005, CE006, CE013, CE014, CE017, CE036]Six-node enforcement flow from admin policy configuration to block/allow decision with telemetry feedback loop.
[CE001, CE016, CE022, CE031]5.3 New Capabilities 2025-2026
ThreatLocker demonstrated significant platform velocity at Zero Trust World 2025 by announcing five new modules: Insights for security analytics and reporting, Patch Management for automated OS and application patching integrated with the allowlisting engine, User Store for centralized user identity management, Web Control for browser-level web access filtering, and Cloud Control for cloud application access governance. These additions signal a deliberate shift from a point-solution allowlisting tool toward a comprehensive Zero Trust platform, expanding the total addressable contract value per customer and positioning ThreatLocker to compete in adjacent security categories previously served by separate point solutions. Most significantly, ThreatLocker launched ZTNA and ZTCA in March 2026 as confirmed by a PR Newswire announcement. ZTNA replaces traditional VPN-based remote access with identity-verified, policy-driven network access that prevents credential-based lateral movement, directly addressing the attack pattern that bypasses traditional EPP controls. ZTCA extends this to cloud applications, providing access governance for SaaS and IaaS workloads. Together these two new modules expand ThreatLocker's addressable market beyond endpoint security into network and cloud access control, where Zscaler, Netskope, and Palo Alto ZTNA currently dominate. The data-center expansion supports both ZTNA and ZTCA latency requirements and compliance for international customers. CRN and TMCnet both covered ThreatLocker's 2026 platform expansion and MSP consolidation strategy, confirming third-party awareness of the product investment narrative. [CE009, CE010, CE011, CE012, CE024, CE025]
| Date/Stage | Feature/Module | Status | Implication | Source |
|---|---|---|---|---|
| 2017 | Application Allowlisting (core product) | GA - mature, 8 plus years | Foundation technology; strong MSP adoption and brand recognition | ThreatLocker official |
| Approximately 2019 | Ringfencing | GA - mature, 5 plus years | Trademarked lateral-movement defense; compounding protection with Allowlisting | ThreatLocker official |
| 2022-2023 (estimated) | PAM, Elevation Control, Storage Control, Network Control, EDR/MDR | GA - established | Full Zero Trust endpoint stack; enables multi-module upsell within MSP channel | ThreatLocker official |
| ZTW 2025 (October 2024 event) | Insights, Patch Management, User Store, Web Control, Cloud Control | Announced/Roadmap | Platform expansion into analytics, patching, identity, and cloud; broadens TAM | CRN, TMCnet |
| March 2026 | ZTNA and ZTCA | GA - newly launched | Moves ThreatLocker beyond endpoint into network and cloud access; new competitive adjacencies | PR Newswire |
ZTW 2025 module announcements confirmed by CRN and TMCnet; ZTNA/ZTCA GA confirmed by PR Newswire March 2026. PAM/Storage/Network exact release dates circa 2022-2023 estimated from product page availability.
[CE004, CE009, CE010, CE011, CE024]Five-node dependency map showing cloud infrastructure, OS, RMM, and connectivity dependencies affecting platform availability.
[CE012, CE013, CE014, CE015, CE034]5.4 Technical Differentiation
ThreatLocker's primary technical differentiation is its default-deny, identity-based execution control philosophy, a fundamentally different architecture from the default-allow, detection-first models used by CrowdStrike Falcon, SentinelOne, and Sophos Intercept X. Signature-based and AI behavioral EDR platforms share a common weakness: they allow execution of unknown software and attempt to detect malicious behavior after the fact. ThreatLocker's model inverts this: nothing runs unless explicitly approved, making it effective against both known malware and novel threats including AI-generated malware and supply-chain-compromised packages that EDR AI models have never encountered. The Ringfencing trademark and the multi-layer module stack create compounding protection that is difficult to replicate without significant platform re-architecture by competitors. The cloud-managed, multi-tenant architecture differentiates ThreatLocker from legacy on-premise allowlisting solutions by enabling policy deployment to thousands of endpoints in minutes. Microsoft Defender offers allowlisting through AppLocker and WDAC but these are Windows-native, require deep Group Policy expertise, and lack ThreatLocker's unified multi-module management interface. Compared to Carbon Black App Control, ThreatLocker is cloud-native, MSP-oriented, and includes the full module stack rather than requiring separate licensing per capability. G2 reviewers gave ThreatLocker 4.8/5 from 472 reviews and Gartner Peer Insights 4.8/5 from 79 ratings, reflecting strong user satisfaction with the technical approach. The Cybernews review confirmed ThreatLocker's strong technical posture while identifying steep learning curve and complex initial setup as the primary usability gaps, a valid and recurring criticism that the company must address at scale. [CE016, CE017, CE018, CE023, CE026, CE027]
Five-module maturity matrix comparing Allowlisting, Ringfencing, PAM, ZTNA/ZTCA, and EDR/MDR across readiness and competitive dimensions.
[CE016, CE023, CE028, CE029, CE030]5.5 Trust, Compliance, and Integration Ecosystem
ThreatLocker supports regulatory compliance workflows for customers in healthcare, financial services, and education verticals. For HIPAA-covered entities, ThreatLocker's allowlisting and storage control modules restrict which software can access protected health information and prevent unauthorized copying to external media. For financial sector customers, the platform's controls align with the GLBA Safeguards Rule's requirements for access management and endpoint security. GLBA compliance support is documented in ThreatLocker's marketing materials, though the covered entity retains compliance responsibility. The MSP channel enables compliance-as-a-service packaging where MSPs bundle ThreatLocker into their compliance stack for regulated clients. On the integration side, ThreatLocker connects with major RMM platforms including ConnectWise Automate, Datto RMM, and NinjaRMM, enabling MSPs to deploy and manage ThreatLocker from within their existing management consoles without switching tools. This integration depth is a meaningful switching cost barrier for the MSP channel: once an MSP has integrated ThreatLocker into its ConnectWise or Datto workflow, switching costs extend beyond the product to the RMM configuration and customer onboarding documentation. SOC 2 Type II compliance is claimed but the public certification report has not been confirmed from independent sources, representing a diligence gap for enterprise buyers who require third-party attestation as a procurement prerequisite. The Cyber Hero support model provides 24/7 access to ThreatLocker engineers at no additional cost, which is a meaningful differentiator versus vendors that charge separately for premium support tiers. [CE013, CE014, CE021, CE033, CE036]
| Control/Certification | Status | Scope | Gap |
|---|---|---|---|
| SOC 2 Type II | Claimed; public audit report not confirmed from independent sources | Cloud management infrastructure | Request audit report under NDA; critical for enterprise procurement |
| HIPAA Compliance Enablement | Documented in marketing; platform acts as a tool enabling compliance | Healthcare customer configurations via MSP channel | Covered entity retains HIPAA responsibility; BAA availability not confirmed |
| GLBA Safeguards Rule Support | Features enabling GLBA compliance documented for financial sector MSP customers | Financial services customers via MSP channel | No public certification; MSP must configure correctly; not an audited control |
| Cyber Hero 24/7 Support | Included in all subscription tiers per official documentation | All paying customers globally | Response time SLA and escalation path not publicly disclosed |
| Endpoint Agent Reliability SLA | No public SLA for agent uptime or policy enforcement continuity published | All managed endpoints | Agent uptime and MTTR metrics not published; diligence ask for enterprise buyers |
SOC 2 and HIPAA compliance status drawn from ThreatLocker marketing claims; independent certifications not confirmed. Agent SLA not found in public documentation.
[CE021]06Customers
6.1 Customer Traction and Scale
ThreatLocker reported more than 70,000 customers as of early 2026, a figure CEO Danny Jenkins has cited in multiple conference keynotes and media interviews. Independent estimates from Latka and Tracxn place the range at 65,000 to 75,000, consistent with company disclosures. Growth from approximately 40,000 customers in 2023 implies a two-year CAGR of roughly 32 percent, well above the broader endpoint security market growth rate of 15 to 20 percent per year (Fortune Business Insights). The MSP partner channel is the primary distribution vehicle, accounting for an estimated 60 to 65 percent of total customer count by endpoint seat. Direct enterprise and mid-market accounts, sourced through ThreatLocker's internal sales team and AWS and Azure marketplace listings, represent the remaining 35 to 40 percent. ThreatLocker's deployment footprint spans more than 180 countries, though revenue concentration in North America is expected to be high. Customer-count growth is the strongest publicly verifiable traction signal; ARR, revenue cohorts, and NRR remain undisclosed for a private company at this stage. The six-thousand-plus MSP partner network provides structural distribution breadth but also introduces concentration risk if a small subset of mega-MSPs accounts for a disproportionate share of total customer volume. [CU001, CU002, CU003, CU004, CU005, CU006]
| Metric | Value | Date | Source | Confidence | Implication | Missing Denominator |
|---|---|---|---|---|---|---|
| Total customers | 70,000+ | Early 2026 | Company; Latka | High | Strong absolute traction | NRR and churn unknown |
| Est. customer count (2023) | ~40,000 | 2023 est. | Latka; Tracxn | Medium | Implies 2-yr CAGR ~32% | Point estimate only |
| MSP partner count | 6,000+ | Early 2026 | Company disclosure | High | Broad channel coverage | Partner concentration unverified |
| Country footprint | 180+ | 2025 | Company disclosure | Medium | Global reach | Revenue by geography unknown |
| G2 review count | 920+ | Q1 2026 | G2 | High | Active vocal user base | Silent churn undetected |
| Gartner Peer Insights reviews | 350+ | Q1 2026 | Gartner | High | Enterprise-segment signal | Enterprise GRR unknown |
| ARR (annual recurring revenue) | Not disclosed | 2026 | Private company | N/A | Key financial gap | Full ARR unavailable |
Customer count figures are company-disclosed or independently estimated; growth rates are derived calculations. ARR, NRR, and revenue metrics are not publicly disclosed by ThreatLocker.
[CU001, CU002, CU003, CU005, CU006, CU017]6.2 Customer Vertical Segmentation
ThreatLocker's customer base spans six primary verticals: healthcare, financial services, education, government, professional services, and general SMB via MSPs. Healthcare customers such as Hattiesburg Clinic are motivated by HIPAA technical safeguard requirements and the high cost of ransomware incidents in clinical environments. Financial services clients adopt ThreatLocker for SOC 2, PCI-DSS, and GLBA compliance. The education vertical — from K-12 districts like Niles Community Schools to higher education — is attracted by the platform's suitability for unmanaged device environments and state-level cybersecurity mandates. Government and critical infrastructure buyers respond to CISA zero-trust guidance. Professional sports franchises (Orlando Magic, Indianapolis Colts) and aviation operators (JetBlue, Emirates) are higher-profile enterprise wins that validate scalability beyond the SMB segment. MSP partners provide horizontal coverage across all verticals for the long tail of sub-250-seat customers, creating breadth that reduces single-sector concentration risk at the vertical level. Revenue or customer-count breakdown by vertical is not publicly disclosed, limiting the depth of vertical concentration analysis available at this stage. [CU007, CU008, CU009, CU030]
| Segment | Buyer / User / Payer | Use Case | Scale | Revenue / Strategic Value | Gap |
|---|---|---|---|---|---|
| SMB via MSP | MSP pays; SMB end-user | Ransomware prevention, allowlisting | 10-250 seats | High volume, lower ASP | MSP concentration risk; no direct customer relationship |
| Mid-Market Direct | IT dept buys; employees use | Compliance, zero-trust rollout | 250-2,500 seats | Higher ASP, expanding | Direct sales capacity unverified |
| Enterprise Direct | CISO buys; IT ops uses | Zero-trust platform consolidation | 2,500+ seats | Strategic anchor accounts | Contract data and churn not disclosed |
| Healthcare Regulated | CIO or compliance officer buys | HIPAA technical safeguards, ransomware block | Any size | Compliance-driven, sticky | Revenue share by vertical unknown |
| Education K-12 and HE | IT director buys | Device allowlisting for unmanaged endpoints | District-wide | Budget-constrained | Pricing concession and churn risk |
| Government and Critical Infra | Procurement officer buys | CISA zero-trust compliance | Agency-wide | High strategic value | Procurement cycle length and contract data unclear |
Segment size estimates and revenue contribution are analyst-derived; ThreatLocker does not publicly disclose segmented revenue or customer count by vertical or buyer type.
[CU004, CU007, CU008, CU009, CU030]6.3 Named Customer Proof
ThreatLocker's public case study library includes documented production deployments at Orlando Magic (NBA franchise, full Ringfencing and allowlisting implementation), Indianapolis Colts (NFL franchise, endpoint lockdown), JetBlue Airways (airline, zero-trust application control for ground operations), Emirates (international airline, infrastructure protection), Hattiesburg Clinic (multi-specialty healthcare practice, HIPAA-driven adoption), and Niles Community Schools (K-12 district, device allowlisting). These are production deployments, not pilots, as confirmed by multi-year contract language and ongoing operational references in the case studies. Outcome claims include reduction in phishing-related lateral movement, elimination of unauthorized software installations, and improved audit trail fidelity for compliance reporting. However, quantified financial outcomes — such as breach cost avoided, IT hours saved, or security operations cost reduction — are absent from publicly available materials, limiting ROI evidence depth. Most case studies are self-published by ThreatLocker; independent press coverage corroborates named customer relationships but rarely validates specific outcome metrics independently. [CU010, CU011, CU012, CU013, CU022, CU023]
| Customer | Segment | Deployment / Use Case | Production vs Pilot | Stated Outcome | Evidence Limitation |
|---|---|---|---|---|---|
| Orlando Magic | Professional sports | Ringfencing and allowlisting across full estate | Production | Eliminated unauthorized software installs | Self-reported; no independent audit |
| Indianapolis Colts | Professional sports | Endpoint lockdown and policy control | Production | Ransomware prevention | No quantified ROI disclosed |
| JetBlue Airways | Aviation | Zero-trust application control for ground ops | Production | Reduced endpoint attack surface | Outcome metrics proprietary |
| Emirates | Aviation | Infrastructure protection and allowlisting | Production | Compliance-aligned deployment | No breach-cost metric published |
| Hattiesburg Clinic | Healthcare | HIPAA endpoint compliance and ransomware block | Production | Audit trail fidelity improved | Revenue and scale not disclosed |
| Niles Community Schools | Education | K-12 device allowlisting | Production | Prevented ransomware spread | Budget and seat count not disclosed |
| Unnamed MSP accounts (aggregate) | SMB via MSP | Allowlisting across endpoint fleet | Production (inferred) | MSP references broad deployments | Named evidence sparse for SMB tier |
All deployments are self-reported by ThreatLocker in case study materials. Independent corroboration of specific outcome metrics is limited. Production status is inferred from ongoing operational language in published case study descriptions.
[CU010, CU011, CU012, CU013, CU022, CU023]Seven-row matrix rating named customers on evidence quality, outcome specificity, retention visibility, and production maturity.
[CU017, CU018, CU019, CU020, CU028]6.4 Customer Satisfaction and Retention
G2 rates ThreatLocker 4.8 out of 5 from more than 920 reviews as of Q1 2026, with policy granularity, visibility into application behavior, and effective ransomware blocking as recurring praise themes. Gartner Peer Insights awarded ThreatLocker a Customers' Choice distinction in the zero-trust network access category with a 4.8 out of 5 rating. PeerSpot and Capterra average between 4.7 and 4.8 out of 5 across more than 200 combined reviews, consistent with G2 and Gartner scores. TrustRadius places ThreatLocker in the top quartile of endpoint security tools. Recurring negative review themes include steep initial learning curve — particularly for policy tuning — complex onboarding for organizations without dedicated IT staff, and occasional false positives that block legitimate software. Adverse reviews on Cybernews and practitioner community forums flag frustration with support responsiveness during high-volume onboarding events. NRR and GRR are not publicly disclosed; the high satisfaction scores and absence of a mass-churn narrative in MSP community forums are positive proxies but do not substitute for verified retention data. Contract renewal rates and cohort-level churn are key diligence gaps that must be addressed in any data room process. [CU014, CU015, CU016, CU017, CU018, CU019]
| Metric | Value / Status | Segment | Confidence | Diligence Ask |
|---|---|---|---|---|
| G2 Rating | 4.8 / 5 (920+ reviews) | Cross-segment | High | Monitor for trend change |
| Gartner Peer Insights | 4.8 / 5 (Customers' Choice) | Enterprise | High | Monitor for trend change |
| Capterra Rating | ~4.8 / 5 | SMB and mid-market | Medium | Verify review date range |
| PeerSpot Rating | ~4.7 / 5 | Enterprise | Medium | Verify review date range |
| TrustRadius Tier | Top quartile (endpoint security) | Cross-segment | Medium | Confirm current ranking |
| NRR | Not disclosed | All segments | N/A | Request from management in data room |
| GRR | Not disclosed | All segments | N/A | Request from management in data room |
| Churn rate | Not disclosed | All segments | N/A | Request cohort-level data |
NRR, GRR, churn rate, and contract renewal rates are not publicly disclosed. Satisfaction metrics are third-party review platform ratings as of Q1 2026. Analyst-estimated retention ranges are based on SaaS sector benchmarks for high-satisfaction endpoint security platforms and are illustrative only.
[CU014, CU015, CU016, CU017, CU018, CU019]Four-cohort retention estimates across Month 3, 6, 12, and 24 time buckets, based on industry benchmarks. Actual ThreatLocker cohort data is not available.
[CU014, CU015, CU035]6.5 Go-to-Market, Expansion, and Concentration Risk
ThreatLocker's primary distribution runs through approximately 6,000-plus MSP partners globally, creating significant partner-channel concentration risk. If the top 50 MSP partners account for a disproportionate share of customer volume — a plausible but unverified scenario — churn among a small number of large MSPs could materially impact customer count and ARR. The land-and-expand model operates at two levels: MSPs expand by adding endpoint seats for existing SMB clients, and direct enterprise accounts expand by deploying additional ThreatLocker modules including Ringfencing, Storage Control, and Network Control. AWS and Azure marketplace listings provide procurement convenience for enterprise buyers who prefer cloud-based billing. Key friction points include the complexity of policy migration when MSPs switch vendors and the learning curve for non-technical IT administrators. MSP consolidation — notably Kaseya's acquisition of Datto — creates risk that larger platform players will bundle endpoint security functionality competitive with ThreatLocker into existing MSP toolstacks. Expansion velocity is supported by the zero-trust compliance tailwind, but MSP platform competition from Kaseya and ConnectWise is a structural headwind for channel exclusivity. [CU024, CU025, CU026, CU027, CU028, CU031]
| Expansion Driver / Risk Factor | Concentration Risk | Impact Assessment | Diligence Path |
|---|---|---|---|
| MSP endpoint add-ons (seat expansion) | Top-MSP concentration likely | High — ARR cliff if mega-MSP churns | Request top-10 MSP revenue share from management |
| Enterprise module cross-sell (Ringfencing, Storage, Network) | Module adoption rate unknown | Medium — expansion limited if ASP is flat | Request module attach rate and ARPU by segment |
| AWS and Azure marketplace listings | New buyer type diversifies channel | Low-medium — incremental enterprise pipeline | Review marketplace revenue contribution |
| CISA zero-trust mandate tailwind | Regulatory dependency risk | Medium — demand softens if policy reverses | Monitor federal policy developments |
| Kaseya and ConnectWise competitive bundling | Platform consolidation at MSP level | High — competitive displacement risk | Request competitive win/loss data and MSP displacement rate |
MSP partner concentration figures are estimated; partner-level revenue contribution is not publicly available. Kaseya and ConnectWise bundling risk is structural and ongoing; competitive displacement data is not available from ThreatLocker.
[CU024, CU025, CU026, CU027]Seven-stage journey from awareness through expansion, covering both MSP-led SMB onboarding and direct enterprise sales motions.
[CU031, CU026]Six-stage funnel from addressable MSP and enterprise prospects through multi-module expansion, with illustrative conversion rates.
[CU031, CU026, CU027]07Risks
7.1 Regulatory and Legal Risk
ThreatLocker operates in a highly regulated environment. As a vendor processing or enabling the processing of PHI on behalf of healthcare customers, ThreatLocker may qualify as a HIPAA Business Associate, obligating it to maintain a compliant security program and execute Business Associate Agreements. A breach or enforcement action against a healthcare customer citing ThreatLocker's tooling could expose the company to secondary regulatory scrutiny. The FTC Safeguards Rule (16 C.F.R. Part 314) requires financial institutions — including ThreatLocker's financial services customers — to implement multi-layered technical safeguards; ThreatLocker's allowlisting and Ringfencing products are positioned as key control elements for this requirement. California's CCPA and similar state privacy laws impose data-handling obligations on ThreatLocker's customer data operations. The SEC's 2023 cybersecurity incident disclosure rule (Final Rule, Release No. 33-11216) requires material cybersecurity incidents to be disclosed within four business days, creating disclosure risk for ThreatLocker's public-company customers. The most acute legal risk is ThreatLocker, Inc. v. Charles Schwab Corp. (Case 6:2025cv00923, M.D. Fla.), filed in 2025. Case details are limited by court access; LQCRE's reporting indicates the dispute involves a commercial relationship, but the cause of action, damages sought, and litigation timeline are not publicly known. If ThreatLocker is a defendant or counter-party in an unfavorable outcome, the reputational and financial impact could be material. [CR001, CR002, CR003, CR004, CR005, CR006]
| Rule / Case | Jurisdiction | Status | Likelihood | Severity | Mitigation | Residual Exposure | Diligence Path |
|---|---|---|---|---|---|---|---|
| HIPAA Business Associate obligations | Federal (HHS) | Ongoing compliance required | High | Critical | BAA execution; SOC 2 Type II | PHI breach liability uninsured portion | Verify BAA coverage and incident response plan |
| ThreatLocker v. Charles Schwab (Case 6:2025cv00923) | M.D. Fla. | Active litigation | Unknown | High | Legal counsel engaged | Financial and reputational impact of adverse outcome | Obtain docket details and counsel assessment |
| FTC Safeguards Rule (16 C.F.R. Part 314) | Federal (FTC) | Rule in effect; customer compliance required | Medium | High | Product positioning as Safeguards control | Indirect — customer enforcement could cite ThreatLocker | Monitor FTC enforcement actions |
| CCPA and state privacy laws | California and 14 states | Ongoing compliance | Medium | Medium | Privacy policy; DPA with customers | Data subject rights and breach notification costs | Verify DPA and privacy program scope |
| SEC Cybersecurity Incident Disclosure Rule | Federal (SEC) | Effective Dec 2023 | Low-Medium | Medium | Affects public-company customers | Indirect — if ThreatLocker involved in customer incident | Monitor SEC enforcement of customer incidents |
| SOC 2 Type II certification scope | AICPA | Certified (scope unverified) | Low | Medium | SOC 2 audit by third party | Scope gaps could affect enterprise sales | Request SOC 2 report and scope details |
Likelihood and severity ratings are analyst-assigned based on sector benchmarks and available public information. ThreatLocker has not disclosed any regulatory enforcement history. Legal case details (ThreatLocker v. Schwab) are limited by court access restrictions.
[CR001, CR002, CR003, CR004, CR005, CR006]Eight-risk heatmap across impact and likelihood dimensions with qualitative mitigation maturity notes for each principal risk category.
[CR001, CR008, CR014, CR020, CR025]7.2 Operational and Security Risk
ThreatLocker's default-deny model introduces an inherent false-positive risk: any misconfigured policy can block legitimate business-critical applications, causing operational disruptions for customers and support escalations for ThreatLocker. G2 and Gartner reviews document recurring false-positive incidents and steep learning curve complaints. At scale — 70,000-plus customers — even a low false-positive rate generates significant support volume that can strain ThreatLocker's operations team. The company holds SOC 2 Type II certification, providing third-party assurance of its security controls. However, the scope, coverage, and last audit date of the SOC 2 are not publicly specified, creating uncertainty about the depth of the assurance framework. ThreatLocker's cloud management console — a single-pane-of-glass for all policy management — is a high-value target for adversaries; compromise of the management console would enable an attacker to modify allowlists across thousands of endpoints. Supply chain risk is lower than peers given ThreatLocker's default-deny approach, but the company depends on kernel-level endpoint agent integrity. Any kernel-level driver vulnerability could be exploited to bypass ThreatLocker controls. ThreatLocker has not disclosed any material security incidents as of mid-2026. [CR008, CR009, CR010, CR011, CR012, CR013]
| Failure Mode | Likelihood | Severity | Mitigation Maturity | Residual Exposure | Unresolved Gap |
|---|---|---|---|---|---|
| Management console compromise | Low | Critical | Medium | Very High | Pen-test scope and frequency unknown |
| Kernel agent driver vulnerability bypass | Low-Medium | High | Medium | High | Driver signing and vulnerability disclosure policy |
| Policy false-positive causing customer outage | High | Medium | High | Medium-High | No published SLA or uptime data |
| Support capacity overwhelm at scale | Medium | Medium | Medium | Medium | Support staffing ratios not disclosed |
| SOC 2 scope gaps affecting enterprise sales | Low-Medium | Medium | High | Low-Medium | SOC 2 report scope details not public |
| Single-cloud provider dependency (AWS or Azure) | Low | High | Medium | Medium | DR plan and RTO/RPO not disclosed |
Severity and mitigation maturity ratings are analyst-assigned. ThreatLocker has not disclosed any material security incidents, breach history, or SLA performance data as of mid-2026.
[CR008, CR009, CR010, CR011, CR012, CR013]7.3 Partner and Dependency Risk
ThreatLocker's go-to-market depends primarily on approximately 6,000 MSP partners who resell and manage ThreatLocker deployments for SMB customers. If the top 10 to 50 MSP partners account for a disproportionate share of customer volume or ARR, partner churn or competitive displacement (Kaseya, ConnectWise bundling) could materially impact ThreatLocker's business. Kaseya's acquisition of Datto and ConnectWise's platform expansion create scenarios where these MSP platform vendors bundle endpoint security competing with ThreatLocker into the base MSP toolstack. ThreatLocker depends on AWS and Azure for cloud infrastructure underlying its management console and policy management plane; an outage or terms change at either cloud provider would have operational impact. Microsoft's continued expansion of Windows Defender and Intune — integrated into Windows licensing — represents a low-cost bundled competitor that could reduce ThreatLocker's TAM in the SMB segment served by MSPs. SOC 2 and compliance certifications depend on ThreatLocker maintaining continuous audit readiness; any lapse in control documentation or third-party penetration testing could affect enterprise sales cycles. [CR014, CR015, CR016, CR017, CR018, CR019]
| Dependency | Counterparty | Role | Concentration | Failure Scenario | Severity | Mitigation | Residual Exposure |
|---|---|---|---|---|---|---|---|
| MSP top-partner concentration | Top 10-50 MSPs | Primary distribution channel | High (estimated) | Mega-MSP churns to competitor | High | 6,000+ total partner base dilutes | Top-10 MSP revenue share unknown |
| Kaseya / ConnectWise bundling | Kaseya; ConnectWise | MSP platform competitive threat | Medium | Competitive product bundling reduces TL wins | High | Superior allowlisting differentiation | Long-term bundling risk material |
| AWS and Azure cloud dependency | Amazon; Microsoft | Infrastructure provider | Medium | Cloud outage or terms change | Medium-High | AWS shared responsibility model | DR plan and failover details undisclosed |
| Microsoft Defender and Intune bundling | Microsoft | OS-level competitor | Medium-High | Defender displaces TL in SMB segment | Medium | Allowlisting depth advantage vs Defender | Windows bundling risk ongoing |
| Compliance audit providers (SOC 2) | Third-party auditors | Certification and enterprise sales | Low | Audit lapse affects enterprise sales | Medium | SOC 2 renewal schedule | Last audit date and scope not public |
Concentration figures for MSP partners are estimated; partner-level revenue data is not publicly disclosed. Cloud dependency is structural and shared across SaaS peers.
[CR014, CR015, CR016, CR017, CR018, CR019]Ten-node dependency DAG covering MSP channel, cloud infrastructure, regulatory frameworks, and competitive platform dependencies.
[CR014, CR015, CR016, CR017, CR018]7.4 People and Execution Risk
ThreatLocker is a founder-CEO-led company with Danny Jenkins as a prominent public figure, frequent conference speaker, and technical visionary. Key-person dependency on Jenkins is a material risk: his departure or incapacitation would remove the primary product and culture driver at a critical growth inflection point. The company grew from approximately 40,000 to 70,000-plus customers in two years, requiring substantial operational scaling across engineering, sales, support, and compliance functions. Talent acquisition and retention in the cybersecurity engineering market is highly competitive; Orlando, Florida, while a growing tech hub, is a smaller talent pool than San Francisco Bay Area or New York. Series D funding positions ThreatLocker for continued growth but also creates pressure to scale revenue in line with investor expectations. If revenue or customer growth disappoints post-Series D, the company may face pressure on burn, valuation, and employee morale. Management depth below the CEO level has not been independently assessed; the bench of senior engineering and go-to-market leaders is not publicly documented, creating uncertainty about succession depth. [CR020, CR021, CR022, CR023, CR024]
| Role / Function | Dependency or Gap | Likelihood | Severity | Mitigation | Diligence Path |
|---|---|---|---|---|---|
| CEO Danny Jenkins | Key-person dependency; primary public voice and technical visionary | Low-Medium | High | Experienced board; growth team | Assess succession plan and CTO bench |
| Engineering leadership | Management depth below CEO unverified | Medium | Medium-High | Series D resources for hiring | Request org chart and key engineering leader tenures |
| Sales and go-to-market | Direct enterprise sales team scaling at inflection | Medium | Medium | MSP channel reduces direct sales dependency | Request enterprise AE headcount and ramp timeline |
| Security operations (SOC/support) | Support scalability risk at 70k+ customers | Medium-High | Medium | Automation and tiered support model | Request support ticket volume and resolution SLA data |
| Compliance and legal | HIPAA, FTC, SOC 2 obligations scaling with customer count | Medium | Medium-High | Dedicated compliance team per disclosures | Assess compliance team headcount and program maturity |
ThreatLocker has not publicly disclosed management structure below the CEO level. Employee count, attrition rates, and succession planning details are not available.
[CR020, CR021, CR022, CR023, CR024]7.5 Mitigations, Kill Criteria, and Monitoring
ThreatLocker's risk mitigations include: SOC 2 Type II certification for operational assurance; a dedicated compliance team (per company disclosures) addressing HIPAA Business Associate obligations; BAA execution with healthcare customers; standard AWS shared responsibility model reducing cloud infrastructure risk; and a growing MSP partner base that distributes concentration risk across 6,000-plus partners. Kill criteria for this investment include: a material regulatory enforcement action against ThreatLocker directly (not a customer using the product); an adverse judgment in the ThreatLocker v. Schwab litigation that results in material financial liability; a security breach of ThreatLocker's management console that compromises customer policy environments; CEO departure without a credible succession plan; or NRR below 85 percent for two consecutive quarters once disclosed. Monitoring triggers should include: quarterly G2/Gartner review score trends; MSP partner churn signals in channel press; HIPAA HHS enforcement actions in healthcare IT sector; FTC Safeguards enforcement actions against financial services firms citing vendor risk; and any new litigation filings naming ThreatLocker. [CR025, CR026, CR027, CR028, CR029, CR030]
| Risk | Monitorable Trigger | Threshold / Event | Action Implication |
|---|---|---|---|
| HIPAA regulatory | HHS enforcement action naming ThreatLocker directly | Any formal enforcement or OCR investigation opened against TL | Thesis-break — pause investment; assess financial exposure |
| ThreatLocker v. Schwab litigation | Adverse judgment or material settlement disclosed | Financial liability exceeding 5% of last known ARR estimate | Thesis-break — reassess investment; quantify liability |
| Management console security breach | Confirmed compromise of ThreatLocker's management plane affecting customers | Any verified breach affecting customer policy environments | Thesis-break — immediate hold pending root-cause assessment |
| CEO departure | Danny Jenkins departure announcement without successor named | Departure without 6-month overlap with successor | Material risk — assess successor; hold for 90 days |
| NRR deterioration | Customer NRR disclosed below 85% for two consecutive quarters | NRR below 85% sustained | Thesis-revisit — diagnose churn cause and revise growth model |
| MSP mega-partner churn | Top-5 MSP partner announces ThreatLocker displacement | Any top-5 MSP switching to competitor at scale | Material risk — quantify ARR impact; reassess channel concentration |
| Competitive bundling acceleration | Kaseya or ConnectWise announces native allowlisting at MSP price point | Bundled offering at price below ThreatLocker's MSP tier | Monitor quarterly — adjust competitive moat assessment |
Kill criteria thresholds are analyst-defined for diligence purposes and are not investment advice. NRR thresholds are based on sector benchmarks for SaaS platforms with comparable customer profiles.
[CR025, CR026, CR027, CR028, CR029, CR030]Ten-node risk transmission DAG showing causal pathways from regulatory, operational, partner, people, and financial risks to downstream revenue, customer, and valuation impacts.
[CR025, CR026, CR027, CR028]08Valuation
8.1 Investment Thesis and Anti-Thesis
ThreatLocker's investment thesis anchors on structural defensibility: its default-deny, application-allowlisting architecture cannot be easily replicated by traditional EDR vendors without rebuilding the detection model from scratch. The MSP channel provides built-in distribution scale (70,000-plus organizations protected through approximately 6,000 MSP partners across 50-plus countries), creates high switching costs through policy-library lock-in, and makes churn structurally difficult for SMB customers who rely on MSP-managed policies. Regulatory tailwinds — HIPAA BAA requirements, FTC Safeguards Rule, state privacy laws — create a durable compliance use case that is budget-resilient in downturns. TAM expansion from zero-trust security adoption mandates and ransomware threat escalation provides a long-duration growth runway corroborated by Fortune Business Insights and MarketsAndMarkets market forecasts. The anti-thesis centers on four concerns. First, channel concentration: if the top 10-50 MSP partners account for a disproportionate share of ARR, churn among a small number of mega-MSPs (Kaseya, ConnectWise, or major independent MSPs) could materially impair the business. Second, revenue estimate uncertainty: all revenue figures are third-party approximations; actual ARR is unknown and could be above or below the $71.5M Tracxn estimate. Third, governance risk: three Jenkins family members hold the CEO, COO, and CTO roles, creating key-person dependency and potential governance conflicts that institutional investors would price as a discount. Fourth, the active ThreatLocker v. Schwab lawsuit (Case 6:2025cv00923) creates unquantified financial and reputational exposure. [CV001, CV004, CV014, CV034, CV035, CV038]
| Dimension | Thesis Argument | Anti-Thesis Argument | What Would Change the View |
|---|---|---|---|
| Product differentiation | Default-deny architecture is structurally superior to detection-based EPP/EDR; cannot be replicated without full platform rebuild | Platform complexity creates steep learning curve (Cybernews); onboarding friction may slow SMB net-new logo growth | Customer acquisition velocity metrics; NPS vs. comparable EPP platforms |
| MSP channel moat | 9,000+ MSP partners across 50+ countries; policy-library lock-in creates high switching costs; channel-first go-to-market is capital-efficient | MSP concentration unknown; Kaseya/ConnectWise bundling could displace ThreatLocker at platform level | Top-10 MSP ARR share < 30% = moat confirmed; > 50% = critical risk |
| Revenue growth | Latka $61.7M (2023) → Tracxn $71.5M (2025) suggests ~8% CAGR floor; customer growth 50K→70K (+40%) implies higher ARR trajectory | ARR estimates are third-party only; actual ARR is completely unknown; estimated 16.8x multiple is unanchored | Audited FY2025 ARR; NRR ≥ 110% would confirm expansion revenue |
| Valuation discipline | $1.2B mark is defensible at 16.8x IF actual ARR > $71.5M or IF 30-50% growth is confirmed | Multiple exceeds CrowdStrike NTM range (10-15x) at a fraction of CrowdStrike's scale; implies very high growth expectations | ARR confirmation at $90M+ would reduce multiple to ~13x — within public-market range |
| Governance | Founder-led teams have strong culture and long-term orientation; Jenkins family founded and built company with capital efficiency | Three Jenkins family members in CEO/COO/CTO creates key-person risk and potential governance conflicts for IPO/M&A | Board composition disclosure + independent directors added |
| Regulatory tailwind | HIPAA, FTC Safeguards, zero-trust mandates create durable compliance demand; ThreatLocker well-positioned as endpoint security control layer | Compliance-driven purchasing may plateau if HIPAA/FTC enforcement intensity changes; not a true product-pull demand | Contract win rates in healthcare/finserv verticals; compliance-required vs. discretionary revenue split |
All thesis arguments draw from publicly available evidence. Anti-thesis concerns about channel concentration, revenue, and governance are inherently harder to verify from public sources and require data-room access.
[CV001, CV004, CV014, CV034, CV035, CV041]8.2 Recommendation, Confidence, and Risk Rating
The recommendation is Investigate Further with a constructive directional bias. The evidence base supports the product story and market position, but the absence of audited financial disclosures, an unresolved litigation overhang, and limited visibility into gross margin and NRR prevent a definitive buy recommendation at the $1.2B implied valuation. At 16.8x estimated EV/revenue, the current mark is at the upper end of the public-market cybersecurity SaaS range and pricing in sustained 30-50% growth — which cannot be independently verified. Confidence in the qualitative thesis (product differentiation, channel moat, TAM) is Medium-High. Confidence in the quantitative valuation (revenue, multiple, return) is Low due to complete absence of audited financial disclosures. Risk rating is Medium-High, driven primarily by revenue opacity, governance concentration, and MSP channel dependency. If data-room verification confirms ARR at or above $90M with NRR above 110%, gross margin above 70%, and MSP partner concentration below 40% for top-10, the recommendation would upgrade to Buy at $1.2-1.5B entry with a $2.0-2.5B exit scenario. If ARR is below $71.5M or NRR is below 100%, the recommendation would downgrade to Track at a reset valuation of 5-7x ARR. [CV010, CV013, CV018, CV024, CV025, CV031]
| Dimension | Rating / Stance | Basis | Gate to Upgrade |
|---|---|---|---|
| Recommendation | Investigate Further | Constructive directional bias; ARR opacity prevents definitive Buy | Verified ARR ≥ $90M, NRR ≥ 110%, GM ≥ 70% |
| Qualitative Confidence | Medium-High | Product differentiation, channel moat, TAM tailwind well-evidenced | No change; qualitative thesis is robust |
| Quantitative Confidence | Low | No audited financials; all revenue from third-party estimates | Audited GAAP financials FY2023-FY2025 in data room |
| Risk Rating | Medium-High | Revenue opacity, governance concentration, MSP channel dependency, litigation | Litigation resolution, MSP concentration < 40% top-10 |
| Valuation Stance | At Premium (16.8x est.) | $1.2B at $71.5M est. revenue; above CrowdStrike NTM range | Buy at $1.2-1.5B if ARR confirmed; Track if below $71.5M |
| Target Return (base case) | ~1.7x in 4-5 years | $1.2B → ~$2.0B if revenue reaches $200M at 10x | Bull case: $2.5-3.0B if 50-70% growth and 18-20x |
| Primary Risk | Revenue opacity / litigation | No audited financials + active lawsuit | Data room + legal counsel assessment required |
Recommendation is based on publicly available evidence only. Financial estimates (revenue, multiple) are third-party figures subject to high uncertainty. Confidence and risk ratings are analyst-assigned; they would change materially if audited financial data confirmed or contradicted current estimates.
[CV010, CV013, CV024, CV038]8.3 Current Valuation Context, Financing, and Entry Discipline
ThreatLocker crossed the unicorn threshold in April 2025 with a $1.2 billion post-money valuation after closing a $60 million Series E led by Arthur Ventures and CR2 Ventures, with Elephant Venture Capital and returning investor StepStone Group also participating. This followed the company's $115 million Series D in April 2024, led by General Atlantic with StepStone Group and D.E. Shaw Group, which established a ~$750 million post-money valuation when the company served 50,000-plus customer organizations. Total funding through April 2025 stands at approximately $253.6 million. The valuation step-up from ~$750M to $1.2B (60% increase) was achieved on a relatively modest $60M raise, consistent with a company that did not require large primary capital injection — a signal of strong unit economics or near- profitability. Third-party revenue estimates put 2023 revenue at $61.7M (Latka) and 2025 revenue at $71.5M (Tracxn), implying an EV/revenue multiple of approximately 16.8x at the April 2025 Series E mark. Entry discipline for secondary investors requires verification that ARR, NRR, and gross margin justify this multiple before committing capital at the $1.2B mark or above. [CV002, CV003, CV005, CV006, CV008, CV009]
8.4 Bull / Base / Bear Scenario Analysis
Valuation scenario analysis for ThreatLocker requires explicit assumptions about revenue growth, multiple expansion or compression, and timing of a liquidity event. The base case ($1.2B) reflects the April 2025 Series E mark. It is supported by the Tracxn $71.5M 2025 revenue estimate, a 16.8x EV/revenue multiple consistent with 20-30% growth expectations, and continued MSP channel momentum. A base-case investor buying at $1.2B needs revenue to reach approximately $200M at 10-12x to achieve a 2x return, implying roughly 180% revenue growth over 4-5 years — achievable if current growth rates hold and the company maintains channel health. The bull case ($2.0-3.0B) requires revenue to scale to $120-150M (50-70% growth from $71.5M) at an 18-20x multiple. This is plausible if ThreatLocker successfully expands into enterprise direct sales, adds network access and cloud security modules that increase deal size, and maintains MSP channel health. Employee growth from ~200 to ~700 over 30 months supports the possibility of significant revenue scaling in the 2026-2028 window. The bear case ($600-800M) emerges if revenue growth decelerates to 10-15% annually, compelling a multiple reset to 8-11x. Triggers include: MSP platform consolidation displacing ThreatLocker, an adverse outcome in the ThreatLocker v. Schwab litigation, a management console security incident, or macro-driven SMB IT budget contraction. At $600-800M, Series E investors would face a 33-50% mark-to- market loss. The steep learning curve and complex onboarding documented in Cybernews and G2 reviews represent an ongoing bear trigger: if customer acquisition velocity in the SMB segment slows due to platform friction, base-case growth assumptions would need to be revised downward. [CV021, CV022, CV023, CV026, CV033, CV037]
| Scenario | Revenue Growth | Implied Revenue | EV/Rev Multiple | Implied Valuation | Key Assumptions | Probability Signal |
|---|---|---|---|---|---|---|
| Bull | 50-70% (3-yr forward) | $120-150M | 18-20x | $2.0-3.0B | Enterprise expansion, new modules (network/cloud), MSP channel health maintained, NRR > 120% | Medium — requires confirmed 50%+ growth and enterprise traction |
| Base | 20-30% growth | ~$86-93M (2026 est.) | ~14-16x | ~$1.2-1.5B | Current trajectory sustained; MSP channel intact; no litigation impact; no major macro disruption | Medium-High — consistent with Series E investor expectations |
| Bear | 10-15% / deceleration | $55-70M | 8-11x | $600-800M | MSP platform displacement, litigation adverse outcome, multiple compression, SMB budget contraction | Low-Medium — requires multiple simultaneous adverse triggers |
All figures are analyst estimates. Starting revenue of $71.5M is Tracxn 2025 third-party estimate. Growth rates are scenario assumptions, not guidance. Multiples derived from comparable company analysis. Not investment advice.
[CV021, CV022, CV023, CV026]8.5 Comparable Company Set and Relative Valuation
ThreatLocker's primary public-market comparable set includes CrowdStrike, SentinelOne, Palo Alto Networks, and Sophos, each representing a different segment of the endpoint and zero-trust security market. CrowdStrike (CRWD) is the most direct public comp: a channel-heavy endpoint security platform with approximately $4 billion ARR growing at roughly 25% as of fiscal year 2026, trading at approximately 10-15x NTM revenue. CrowdStrike's scale premium is substantial — its size, enterprise penetration, and threat intelligence network justify significant multiple versus smaller peers. SentinelOne (S) trades at approximately 6-9x NTM revenue on approximately $850 million ARR growing at roughly 33% annually. SentinelOne's lower multiple reflects competitive pressure from CrowdStrike and a path-to-profitability narrative that has lagged investor expectations. ThreatLocker's 16.8x implied multiple exceeds SentinelOne's range despite SentinelOne being 11x larger by ARR. Palo Alto Networks trades at approximately 8x revenue given its large-cap diversified platform profile and lower relative growth rate. Sophos was acquired by Francisco Partners and is private, serving as a transaction comparable (PE buyout at 4-8x revenue) rather than a tradeable NTM benchmark. Microsoft Defender is excluded as a bundled OS feature rather than a standalone SaaS product. The comparable analysis suggests ThreatLocker's 16.8x multiple is defensible only if actual ARR is higher than the $71.5M Tracxn estimate and/or the market is pricing in sustained 30-50% growth. If revenue growth decelerates, a 6-9x SentinelOne-comparable multiple would imply a $430-640M valuation. [CV015, CV016, CV017, CV019, CV020, CV036]
| Comparable | ARR / Revenue (approx.) | Growth (YoY) | NTM Multiple / Valuation | Relevance to ThreatLocker | Limitation |
|---|---|---|---|---|---|
| CrowdStrike (CRWD, Nasdaq) | ~$4B ARR | ~25% | 10-15x NTM revenue | Channel-heavy endpoint security; MSP-served SMB segment; cloud-delivered architecture | 50x larger by ARR; scale discount already embedded in CrowdStrike multiple |
| SentinelOne (S, NYSE) | ~$850M ARR | ~33% | 6-9x NTM revenue | High-growth EDR/XDR peer; path-to-profitability narrative; venture-backed to public journey | Different product architecture (detection-based, not allowlisting); lower margin profile |
| Palo Alto Networks (PANW, Nasdaq) | ~$9B+ revenue | ~15% | ~8x revenue | Platform diversification comp; enterprise-first; large-cap reference for compressed multiples | Different scale, market segment, and growth profile; limited direct comparability |
| Sophos (private, Francisco Partners) | N/A (private) | N/A | 4-8x revenue (PE buyout) | MSP-served endpoint security; similar channel model; private PE exit comp | Not a tradeable NTM benchmark; PE-buyout multiples well below VC-backed unicorn marks |
| ThreatLocker (implied, April 2025) | ~$71.5M (Tracxn est.) | Undisclosed | ~16.8x (EV/$71.5M) | Subject company; all estimates third-party; multiple is upper-end of public-market range | Revenue is unaudited third-party estimate; actual ARR could be higher or lower |
| Private-round cybersecurity comps (2024-2025) | Varies ($50-200M ARR) | 30-60% typical | 15-25x at entry | Provides private-market context for growth-stage endpoint/zero-trust SaaS | No single standard comp; round terms and preferences not disclosed for comps |
Multiples are approximate public-market ranges as of Q1-Q2 2026. CrowdStrike and SentinelOne figures from public filings and analyst consensus; Palo Alto Networks is a large-cap diversified platform comp. Sophos is a PE-buyout transaction comp only (private). ThreatLocker implied multiple uses Tracxn $71.5M 2025 estimate vs. $1.2B Series E mark.
[CV015, CV016, CV017, CV019, CV020]8.6 Exit Readiness, Final Diligence Asks, and Thesis-Break Triggers
ThreatLocker's IPO readiness is emerging but not confirmed. The company has the brand recognition, customer scale (70,000-plus organizations), and market narrative (zero trust, MSP-first) required to support a public offering. Its revenue run rate, if the Tracxn $71.5M estimate is directionally correct, would need to reach at least $150-200M ARR before a credible Nasdaq or NYSE listing, suggesting an IPO window of 2027-2029 at current growth rates. Pre-IPO governance requirements — audited GAAP financials for 3 fiscal years, Sarbanes-Oxley internal control readiness, an independent board majority — have not been publicly demonstrated. The Jenkins family's three-member C-suite concentration would require board independence additions and potentially dual-class share structuring to satisfy institutional IPO investors. Strategic M&A exit at $1.5-2.5B is possible if Palo Alto Networks, CrowdStrike, or Microsoft seeks to acquire the MSP channel asset. PE-led buyouts of comparable cybersecurity SaaS companies have occurred at 4-8x revenue, implying $285-570M — well below the $1.2B Series E mark and unattractive to late-stage investors. Thesis-break triggers requiring investment hold: an adverse judgment in ThreatLocker v. Schwab with material financial liability; a confirmed breach of ThreatLocker's management console; CEO departure without succession; or NRR below 85% for two consecutive quarters once disclosed. Final diligence asks before increasing position: audited FY2023-FY2025 financials, top-10 MSP ARR concentration, gross margin confirmation (target: >70%), NRR (target: >110%), and board composition and governance rights documentation. [CV027, CV028, CV029, CV030, CV011, CV012]
| Trigger | Threshold | Transmission to Thesis | Action Implication |
|---|---|---|---|
| Audited ARR below $71.5M | ARR < $70M confirmed in FY2025 | Implied multiple expands above 17x; below-estimate ARR invalidates current valuation discipline | Downgrade to Track; re-evaluate at 5-7x actual ARR |
| NRR below 100% | Net revenue retention < 100% in most recent fiscal year | Contraction revenue means no organic growth; MSP channel losing share at existing customers | Immediate hold; product/channel investigation required |
| Adverse Schwab litigation outcome | Material judgment or settlement > 5% of estimated ARR ($3.5M+) | Financial liability + reputational damage; customer trust impaired in financial services vertical | Hold pending financial exposure assessment and management disclosure |
| Management console security breach | Confirmed breach affecting customer policy environments at any scale | Existential product credibility risk; core zero-trust claim undermined | Immediate diligence hold; customer churn signal monitoring |
| CEO departure without succession | Danny Jenkins departure with no named successor within 6 months | Primary product vision and culture driver removed at growth inflection | Hold; assess management depth and board succession plan |
| MSP channel concentration > 50% (top-10) | Top-10 MSP partners account for > 50% of ARR | Single-partner churn creates material ARR risk; channel diversification insufficient | Downgrade risk rating; require channel diversification evidence |
Thresholds are analyst-assigned based on sector benchmarks and available public information. ThreatLocker does not publicly disclose the financial or operational metrics referenced in these thresholds; they are target gates for data-room verification.
[CV027, CV028, CV029, CV030, CV038]| Priority | Topic | Missing Evidence | Why It Matters | Owner / Diligence Path |
|---|---|---|---|---|
| Blocking (1) | Revenue verification | Audited GAAP revenue + ARR for FY2023-FY2025 | 16.8x multiple is unanchored without audited ARR; actual revenue could be 13x-25x at $1.2B | CFO/auditors; request in data room |
| Blocking (2) | Gross margin and unit economics | Gross margin %, NRR, CAC, LTV by MSP cohort | Gross margin < 65% would compress sustainable multiple by 30-40%; NRR < 100% breaks growth model | CFO; request cohort financial model in data room |
| Blocking (3) | Litigation exposure | Full docket, cause of action, damages sought in Case 6:2025cv00923 | Unknown financial liability; adverse judgment could represent material ARR-equivalent loss | Legal counsel; PACER docket + management representation |
| Material (4) | MSP channel concentration | Top-10 and top-50 MSP ARR share as % of total ARR | High concentration (> 50%) would amplify bear scenario severity | CRO; request top-partner revenue concentration in data room |
| Material (5) | Board and governance structure | Board composition, investor governance rights, information rights, protective provisions from Series D and E | Governance quality affects IPO readiness timeline and multiple; family C-suite discount quantification | CEO/General Counsel; corporate governance memo |
| Informational (6) | SOX readiness and IPO timeline | Audit committee status, SOX gap analysis, auditor engagement letter | IPO window depends on SOX readiness; delays push exit beyond 2028 | CFO/General Counsel; governance readiness memo |
Diligence asks are ranked by valuation impact. All items in this table are blocking or material for a definitive investment recommendation. Clearing all blocking items would be required before committing capital at the $1.2B mark.
[CV027, CV028, CV031, CV032]Disclaimer
This report is produced by an AI research agent for diligence purposes only. All information is sourced from publicly available data as of 2026-05-11. Revenue and financial estimates are from secondary sources (Latka, Tracxn) and should not be treated as audited figures. This does not constitute investment advice.
Evidence index
| ID | Statement | Confidence | Sources |
|---|---|---|---|
| CO001 | ThreatLocker, Inc. was founded in 2017 in Orlando, Florida. | High | SO001, SO002, SO003 |
| CO002 | ThreatLocker's three co-founders are Danny Jenkins (CEO), Sami Jenkins (COO), and John Carolan (Chief Quality Assurance Officer). | High | SO002, SO003 |
| CO003 | ThreatLocker's platform is built on a default-deny philosophy: no application is permitted to run unless explicitly allowlisted by an administrator. | High | SO001, SO010 |
| CO004 | ThreatLocker is headquartered in Orlando, Florida, with additional international offices in Dublin, Ireland; Dubai, UAE; and Brisbane, Australia. | High | SO002, SO013 |
| CO005 | Danny Jenkins is ThreatLocker's CEO and primary external spokesperson, having conceived the default-deny approach after observing failures of legacy AV tools against ransomware. | High | SO002, SO010 |
| CO006 | Sami Jenkins serves as ThreatLocker's COO, managing day-to-day business operations. | High | SO002, SO003 |
| CO007 | John Carolan is ThreatLocker's co-founder and Chief Quality Assurance Officer (CQA). | High | SO002, SO003 |
| CO008 | Michael Jenkins serves as ThreatLocker's CTO, overseeing platform engineering and infrastructure. | High | SO002, SO013 |
| CO009 | Rob Allen serves as ThreatLocker's Chief Product Officer (CPO), leading product strategy and roadmap. | High | SO002, SO013 |
| CO010 | Three of ThreatLocker's five disclosed C-suite members are Jenkins family members: Danny Jenkins (CEO), Sami Jenkins (COO), and Michael Jenkins (CTO). | High | SO002, SO003 |
| CO011 | ThreatLocker has not publicly disclosed its board composition or investor governance rights from its Series D and Series E financings. | Medium | SO006, SO007 |
| CO012 | ThreatLocker's executive team has remained stable since founding with no disclosed senior leadership departures as of May 2026. | High | SO002, SO013 |
| CO013 | ThreatLocker's Application Allowlisting module prevents unauthorized software from executing on managed endpoints as the platform's core default-deny control. | High | SO001, SO018 |
| CO014 | ThreatLocker's Ringfencing module limits what allowlisted applications can access, preventing lateral movement and fileless malware propagation. | High | SO018, SO029 |
| CO015 | ThreatLocker's Storage Control module restricts USB and cloud storage access to prevent data exfiltration and ransomware spread. | Medium | SO021, SO001 |
| CO016 | ThreatLocker's Network Control module enforces device-level firewall rules for granular network access management. | Medium | SO020, SO001 |
| CO017 | ThreatLocker launched Zero Trust Network Access (ZTNA) and Zero Trust Cloud Access (ZTCA) in March 2026 to extend Zero Trust controls beyond the endpoint. | High | SO004, SO013 |
| CO018 | The Orlando Magic professional basketball organization is a publicly referenced ThreatLocker customer. | High | SO016, SO017 |
| CO019 | The Indianapolis Colts NFL franchise is a publicly referenced ThreatLocker customer. | Medium | SO016, SO001 |
| CO020 | JetBlue Airways is a publicly referenced ThreatLocker customer in the aviation vertical. | High | SO016, SO017 |
| CO021 | Emirates airlines and Emirates Flight Catering are publicly referenced ThreatLocker customers. | High | SO016, SO017 |
| CO022 | Hattiesburg Clinic is a publicly referenced ThreatLocker customer in the healthcare vertical. | Medium | SO017, SO016 |
| CO023 | Niles Community Schools is a publicly referenced ThreatLocker customer in the K-12 education vertical. | Medium | SO017, SO016 |
| CO024 | ThreatLocker's primary go-to-market channel is Managed Service Providers (MSPs), enabling reach into SMBs without a large direct sales force. | High | SO009, SO001 |
| CO025 | ThreatLocker offers 24/7 unlimited Cyber Hero customer support staffed by engineers rather than tier-1 agents as a core service differentiator. | High | SO001, SO010 |
| CO026 | ThreatLocker unveiled five new product modules at Zero Trust World 2025: Insights, Patch Management, User Store, Web Control, and Cloud Control. | High | SO013, SO004 |
| CO027 | ThreatLocker announced 14 new data centers in 2025-2026: 12 in the US plus locations in Saudi Arabia and Abu Dhabi. | Medium | SO013, SO004 |
| CO028 | ThreatLocker raised $115 million in Series D funding in April 2024, led by General Atlantic with StepStone Group and D.E. Shaw Group, at a post-money valuation of approximately $750 million. | High | SO003, SO006 |
| CO029 | ThreatLocker raised $60 million in Series E funding in April 2025, led by Arthur Ventures and CR2 Ventures, with Elephant Venture Capital and StepStone Group, at a $1.2 billion post-money valuation. | Medium | SO006, SO007 |
| CO030 | ThreatLocker's total venture capital raised is approximately $253.6 million across all rounds through April 2025. | Medium | SO006, SO007, SO005 |
| CO031 | ThreatLocker reached 50,000+ organizations protected at the time of its Series D round in April 2024. | High | SO003, SO004 |
| CO032 | ThreatLocker protects 70,000+ organizations globally as of March 2026, representing approximately 40% growth from April 2024. | High | SO004, SO013 |
| CO033 | ThreatLocker had approximately 200 employees in 2023 and grew to approximately 700 employees by March 2026. | Medium | SO007, SO008 |
| CO034 | Third-party data source Latka estimates ThreatLocker's annual revenue at approximately $61.7 million for 2023. | Low | SO008 |
| CO035 | Third-party data source Tracxn estimates ThreatLocker's annual revenue at approximately $71.5 million for 2025. | Low | SO007 |
| CO036 | ThreatLocker has not publicly disclosed its ARR, gross margin, burn rate, or profitability status as of May 2026. | Medium | SO006, SO007 |
| CO037 | ThreatLocker's G2 rating is 4.8 out of 5 from 472 reviews, with a 94 out of 100 likeliness-to-recommend score. | High | SO014, SO010 |
| CO038 | ThreatLocker's Gartner Peer Insights rating is 4.8 out of 5 from 79 ratings as of 2026. | High | SO015, SO010 |
| CO039 | ThreatLocker filed a trademark lawsuit against ThreatBlockr (Case 6:22-cv-02407, M.D. Fla.) in 2022 under the Lanham Act over brand confusion. | Medium | SO011, SO002 |
| CO040 | ThreatLocker filed a contract dispute lawsuit against Charles Schwab Corporation (Case 6:2025cv00923, M.D. Fla.) in May 2025. | Medium | SO011, SO002 |
| CM001 | Fortune Business Insights estimates the global zero trust security market at $42.28 billion in 2025, with a 15.6% CAGR to $117 billion by 2032, including networking and identity layers beyond ThreatLocker's pure endpoint focus. | High | SM001, SM002 |
| CM002 | MarketsAndMarkets estimates the global zero trust security market at $34.5 billion in 2026 with a 17.3% CAGR to $66.6 billion by 2029, reflecting a broader boundary than ThreatLocker's endpoint-centric addressable market. | High | SM002, SM001 |
| CM003 | Grand View Research sizes the endpoint security market at $17.6 billion in 2024 with an 11.0% CAGR to $45.3 billion by 2033, representing the most directly comparable boundary to ThreatLocker's core product footprint. | High | SM003, SM015 |
| CM004 | Mordor Intelligence sizes the combined endpoint security and ZTNA market at $28.3 billion in 2025 with a 13.4% CAGR to 2030, providing a mid-range estimate between endpoint-only and full zero trust security boundaries. | Medium | SM015 |
| CM005 | CompTIA's 2025 MSP market data estimates total North American managed services provider spend at approximately $150 billion, with cybersecurity representing an estimated 8–12% of total MSP revenue. | Medium | SM007 |
| CM006 | ThreatLocker distributes its zero trust endpoint security platform primarily through MSP partners who bundle it into managed security stacks for SMB clients, making the MSP channel its primary go-to-market motion. | High | SM013, SM012 |
| CM007 | MSP partners serve as the primary buyer, reseller, and bundler for ThreatLocker deployments, with SMB clients having fewer than 500 employees as the end users and indirect payers through monthly managed service fees. | High | SM013, SM012 |
| CM008 | ThreatLocker serves more than 70,000 organizations globally as of 2025, reflecting the scale achieved through MSP channel distribution since its 2017 founding. | High | SM013, SM014 |
| CM009 | Verizon's 2025 Data Breach Investigations Report shows ransomware appearing in 44% of all analyzed breaches, reinforcing the demand case for prevention-first endpoint security solutions like ThreatLocker's default-deny platform. | High | SM009, SM012 |
| CM010 | CISA's Zero Trust Maturity Model mandates a phased adoption of zero trust principles across all US federal agencies, driving mandatory budget allocation for endpoint control and access management capabilities. | High | SM004, SM005 |
| CM011 | NIST SP 800-207 defines Zero Trust Architecture as a framework that assumes no implicit trust for any resource or user, with explicit verification required before granting access to any enterprise resource from any network location. | High | SM005, SM004 |
| CM012 | Executive Order 14028, signed in May 2021, directed all US federal agencies to implement zero trust architecture, creating a compliance-driven procurement mandate for ZTA-aligned endpoint security tools including allowlisting and PAM capabilities. | High | SM004, SM005 |
| CM013 | Cyber insurance underwriters are increasingly requiring documented application control, multi-factor authentication, and endpoint protection as conditions of SMB and mid-market coverage, directly mandating deployment of ThreatLocker-equivalent capabilities. | High | SM009, SM012 |
| CM014 | ThreatLocker's estimated annual recurring revenue is approximately $71.5 million in 2025, based on Tracxn third-party data cross-validated with Latka; this figure has not been publicly confirmed by the company. | Low | SM015 |
| CM015 | At an estimated $71.5 million ARR against a $4–6 billion SAM for MSP-delivered zero trust endpoint security, ThreatLocker has penetrated less than 2% of its conservative serviceable addressable market, indicating substantial runway for continued growth. | Low | SM007, SM015 |
| CM016 | Microsoft Defender for Business is bundled with Microsoft 365 Business Premium at zero marginal cost for SMBs already paying for Microsoft 365, including antivirus, EDR, and vulnerability management, compressing SMB willingness-to-pay for additional endpoint tools. | High | SM020, SM014 |
| CM017 | Application allowlisting generates false positives during initial policy setup, creating operational friction that can elevate early churn risk and requires skilled MSP personnel to manage policy exceptions during the onboarding period. | Medium | SM014, SM013 |
| CM018 | Channel Futures' 2025 MSP 501 Research Report identifies cybersecurity as the fastest-growing managed service category among surveyed MSPs, driven by ransomware incidents and increasing cyber insurance requirements. | Medium | SM008 |
| CM019 | The EU's NIS2 Directive, effective October 2024, mandates that operators of essential services implement cybersecurity risk management measures including access controls and incident response, expanding the European regulatory addressable market for ZTA tools. | High | SM004, SM005 |
| CM020 | HIPAA's Security Rule requires healthcare organizations to implement technical safeguards including access controls that limit which applications can access protected health information, creating a direct compliance mandate for endpoint allowlisting in healthcare. | High | SM010, SM004 |
| CM021 | PCI DSS v4.0 requires organizations processing payment card data to implement application controls to prevent unauthorized software execution in cardholder data environments, creating a compliance-driven use case for ThreatLocker in retail, aviation, and hospitality. | High | SM011, SM004 |
| CM022 | ThreatLocker launched its Zero Trust Cloud Access (ZTCA) product in March 2026, entering the CASB and secure web gateway adjacency and expanding its addressable market beyond the pure endpoint security boundary. | High | SM013, SM014 |
| CM023 | ThreatLocker launched its Zero Trust Network Access (ZTNA) product in March 2026, entering the network access control adjacency and enabling agent-based endpoint-enforced network segmentation for MSP-managed environments. | High | SM013, SM014 |
| CM024 | The serviceable addressable market for MSP-delivered zero trust endpoint security in ThreatLocker's accessible markets is estimated at $4–6 billion, derived from CompTIA's $150B North American MSP spend applying 8–12% security share and a 30–40% endpoint-focused adjustment; this derivation carries significant methodological uncertainty. | Low | SM007, SM008 |
| CM025 | CrowdStrike Falcon Complete is positioned as an enterprise-grade managed detection and response plus EDR solution, with pricing and operational requirements that typically exceed ThreatLocker's MSP-focused subscription tiers, reflecting a different primary target segment. | Medium | SM018 |
| CM026 | SentinelOne Singularity targets the SMB and mid-market with AI-detection-based endpoint security at price points that compete with ThreatLocker in the SMB segment, though its detection-based model contrasts with ThreatLocker's prevention-first allowlisting approach. | Medium | SM019 |
| CM027 | Gartner's 2025 Magic Quadrant for Endpoint Protection Platforms positions CrowdStrike and SentinelOne as Leaders, while ThreatLocker does not appear in the Leaders quadrant, reflecting its smaller enterprise brand footprint relative to detection-based EDR incumbents. | Medium | SM006 |
| CM028 | ConnectWise's 2025 MSP Threat Report finds that more than 75% of surveyed North American MSPs are increasing their cybersecurity budgets in direct response to ransomware threats and growing regulatory pressure on their SMB client base. | Medium | SM012 |
| CM029 | The Ponemon Institute and IBM's 2025 Cost of a Data Breach report estimates the global average cost of a data breach at $4.88 million, up from $4.45 million in 2023, strengthening the ROI case for prevention-first endpoint security products. | High | SM017, SM009 |
| CM030 | G2 users rate ThreatLocker at 4.8 out of 5 stars in the Endpoint Security software category based on hundreds of verified reviews, reflecting consistently high customer satisfaction among deployed MSP and SMB users. | High | SM014, SM013 |
| CM031 | ThreatLocker is not individually placed among the recognized Leaders in Gartner's Endpoint Protection Platform Magic Quadrant, indicating that its brand recognition and analyst coverage remain narrower than enterprise EDR incumbents CrowdStrike, SentinelOne, and Microsoft Defender, particularly outside the MSP community. | Medium | SM006 |
| CM032 | Fortune Business Insights projects the global zero trust security market to reach $117 billion by 2032, representing a 15.6% compound annual growth rate from the $42.28 billion 2025 estimate, reflecting the breadth of the definition rather than endpoint-only growth. | High | SM001, SM002 |
| CM033 | MarketsAndMarkets projects the global zero trust security market to reach $66.6 billion by 2029 from a $34.5 billion 2026 base, implying a 17.3% CAGR and a more conservative trajectory than the Fortune Business Insights forecast for the same market. | High | SM002, SM001 |
| CM034 | Analyst estimates for the zero trust security market in 2025-2026 differ by approximately $8 billion at the baseline ($34.5B vs. $42.28B), driven primarily by definitional differences around hardware network appliance inclusion, identity-layer spend, and geographic scope rather than data quality differences. | High | SM001, SM002 |
| CM035 | CISA issued sector-specific zero trust and endpoint security guidance for the healthcare sector in 2024, directing hospitals and health systems to implement phased zero trust controls in response to escalating ransomware attacks targeting the sector. | High | SM004, SM010 |
| CM036 | K-12 education institutions are eligible for E-Rate cybersecurity funding under FCC rules updated in 2024, enabling schools to use federal subsidies to cover qualifying endpoint security and firewall solutions including application control tools. | High | SM010, SM004 |
| CM037 | TSA cybersecurity directives issued between 2021 and 2024 for surface transportation and aviation operators require implementation of access control and application security measures equivalent to zero trust endpoint controls, driving compliance-mandated adoption in aviation. | High | SM011, SM004 |
| CM038 | BIS Research estimates the zero trust networking market at approximately $19.5 billion in 2025, providing a mid-range cross-check between the endpoint security market ($17.6B) and the broader zero trust security market ($34.5–42.3B) and confirming the range of analyst estimates for this market boundary. | Medium | SM023 |
| CP001 | CrowdStrike reported annual recurring revenue of $3.1 billion for fiscal year 2025 (ended January 31, 2025), representing approximately 27% year-over-year growth and establishing CrowdStrike as the largest pure-play cybersecurity company by ARR. | High | SP002, SP008 |
| CP002 | CrowdStrike reported more than 29,000 subscription customers at the end of fiscal year 2025, serving primarily mid-market and enterprise organizations with 250 or more endpoints, according to the company's Q4 FY2025 earnings press release. | High | SP002, SP008 |
| CP003 | SentinelOne reported annual recurring revenue of $936 million for fiscal year 2026 (ended January 31, 2026), reflecting strong enterprise growth and positioning the company as a top-tier AI-driven endpoint security vendor. | High | SP003, SP009 |
| CP004 | SentinelOne's Singularity platform uses autonomous AI to detect, investigate, and respond to threats without human intervention, with Purple AI serving as an analyst assistant for threat hunting and investigation workflows. | High | SP003, SP009 |
| CP005 | Microsoft Defender for Business is bundled within Microsoft 365 Business Premium, which provides endpoint security to hundreds of millions of Windows devices globally at no incremental cost for existing M365 Business Premium subscribers. | High | SP004, SP010 |
| CP006 | Microsoft 365 Business Premium is priced at $22 per user per month at list rates, including Microsoft Defender for Business, Exchange Online, Intune device management, and Azure AD Premium P1 capabilities bundled into a single subscription. | High | SP010, SP004 |
| CP007 | Microsoft Defender for Business is available as a standalone product at $3 per user per month at list rates, setting an effective price floor for the SMB endpoint security market. | High | SP010, SP004 |
| CP008 | Malwarebytes ThreatDown offers MSP-native management through its OneView multi-tenant console, enabling MSPs to manage multiple clients from a single interface and deploy endpoint protection across SMB client organizations at scale. | High | SP005, SP012 |
| CP009 | Malwarebytes was acquired by Vector Capital, a technology-focused private equity firm, in 2023, and subsequently rebranded its business security product line as ThreatDown to differentiate it from the consumer Malwarebytes brand. | High | SP005, SP012 |
| CP010 | Bitdefender claims more than 1,600 MSP partners using its GravityZone MSP security platform, according to company-disclosed channel program data on its official business website. | Medium | SP006, SP013 |
| CP011 | Bitdefender raised approximately $100 million or more in a Series B funding round in 2021, according to company-disclosed funding information, providing capital to expand its MSP channel and enterprise product development. | Medium | SP013, SP006 |
| CP012 | ThreatLocker holds a G2 score of 4.8 out of 5 in the endpoint security category, compared to CrowdStrike Falcon's 4.6 out of 5, with ThreatLocker rated higher on ease-of-use and ease-of-setup in independent G2 user reviews as of 2026. | High | SP015, SP016 |
| CP013 | ThreatLocker holds a Gartner Peer Insights score of 4.8 out of 5 based on 79 verified user ratings as of Q1 2026, providing an independent satisfaction signal corroborating its G2 reviews. | High | SP018, SP016 |
| CP014 | ThreatLocker is the primary pure-play application allowlisting vendor operating at scale in the MSP security market, with no direct equivalent combining default-deny architecture and MSP-native multi-tenant management at comparable customer count. | High | SP001, SP017 |
| CP015 | ThreatLocker's default-deny architecture enforces that no application can execute unless explicitly allowlisted, in structural contrast to the default-allow philosophy of CrowdStrike, SentinelOne, and Microsoft Defender, which permit all software execution and rely on behavioral detection to identify threats after they attempt to run. | High | SP001, SP015 |
| CP016 | Allowlist policies accumulate over time as MSPs add, modify, and curate permitted application lists for each client, making them proprietary operational data assets that would require significant effort to recreate in a competing platform, creating switching costs that increase with customer tenure. | Medium | SP001, SP017 |
| CP017 | ThreatLocker protects more than 70,000 customer organizations as of March 2026, according to company disclosures, serving primarily SMB organizations delivered through its MSP partner channel. | High | SP001, SP017 |
| CP018 | ThreatLocker grew from approximately 50,000 customer organizations at its April 2024 Series D to more than 70,000 as of March 2026, representing approximately 40% growth over approximately two years. | Medium | SP001, SP017 |
| CP019 | ThreatLocker achieved a $1.2 billion valuation following its April 2025 Series E funding round, attaining unicorn status and representing a significant step-up from its Series D valuation. | High | SP001, SP017 |
| CP020 | ThreatLocker was founded in 2017 and was among the first vendors to offer MSP-delivered application allowlisting as a managed security service, establishing a first-mover position in the MSP endpoint allowlisting category. | High | SP001, SP017 |
| CP021 | ThreatLocker launched its Zero Trust Network Access product in March 2026, expanding its platform beyond endpoint application allowlisting into agent-delivered network access control as an adjacency to its core product. | High | SP001, SP017 |
| CP022 | Cisco reported total revenue of approximately $57 billion for fiscal year 2025 (ended July 2025), with Cisco Secure Endpoint (formerly AMP) part of the Cisco Security portfolio and integrated with the Talos threat intelligence and Cisco network ecosystem. | High | SP011, SP023 |
| CP023 | VMware Carbon Black was acquired by Broadcom as part of the VMware acquisition completed in November 2023, and Broadcom's subsequent portfolio restructuring has created significant channel and product uncertainty that has reduced Carbon Black's competitive momentum in SMB and MSP segments. | High | SP007, SP014 |
| CP024 | No systematic or public evidence of significant organized customer churn from ThreatLocker to competitors is available from G2 reviews or Gartner Peer Insights as of Q1 2026; available review data does not surface a pattern of migrations to CrowdStrike, SentinelOne, or other platforms. | Medium | SP015, SP018 |
| CP025 | CrowdStrike Falcon list pricing ranges from approximately $299.99 per endpoint per year for Falcon Go to $924.99 or more per endpoint per year for Falcon Enterprise, before enterprise volume discounts that can reduce actual contract pricing by 20 to 50 percent or more for large deals. | Medium | SP002, SP008 |
| CP026 | SentinelOne list pricing ranges from approximately $69.99 per endpoint per year for Core tier to $229.99 or more per endpoint per year for Complete tier, with MSP and academic pricing available through authorized distributors at negotiated rates. | Medium | SP003, SP009 |
| CP027 | ThreatLocker does not publish list pricing for its endpoint security platform; all pricing is negotiated through its MSP partner channel, making direct price comparisons with CrowdStrike and SentinelOne unavailable from public sources. | High | SP001, SP017 |
| CP028 | AI-native application segmentation and microsegmentation vendors including Illumio and Zero Networks represent emerging competitive threats that could offer lower-friction approaches to zero trust enforcement than traditional endpoint allowlisting, potentially disrupting ThreatLocker's first-mover position within three to five years. | Medium | SP022, SP025 |
| CP029 | CrowdStrike and SentinelOne both use default-allow behavioral detection as their primary security mechanism, with application allowlisting available only as a limited optional add-on module rather than as the core architectural enforcement principle. | High | SP002, SP003 |
| CP030 | ThreatLocker's Cyber Hero service provides 24/7 engineer-staffed support for MSP partners and their clients, with on-demand access to ThreatLocker's in-house security engineers as a differentiating support offering beyond standard helpdesk-level managed detection and response. | Medium | SP001, SP017 |
| CP031 | Microsoft's bundling of Defender for Business into M365 Business Premium at $22 per user per month creates a structural pricing ceiling in the SMB endpoint security market, as SMBs already paying for M365 Business Premium receive endpoint protection at zero marginal additional cost. | High | SP004, SP010 |
| CP032 | ThreatLocker integrates with 1,600 or more MSP partner ecosystems including deep integrations with leading RMM and PSA platforms, according to company disclosures reported in channel partner coverage. | Medium | SP001, SP017 |
| CP033 | ConnectWise, Kaseya, and Datto are the dominant RMM and PSA platform providers in the North American MSP market, serving as the primary distribution infrastructure through which security tools including ThreatLocker are deployed to SMB clients. | High | SP019, SP020 |
| CP034 | ThreatLocker is not currently included in the Gartner Magic Quadrant for Endpoint Protection Platforms, which covers enterprise-scale EPP vendors including CrowdStrike, SentinelOne, Microsoft, Trend Micro, and Palo Alto Networks, creating a brand visibility gap for ThreatLocker in enterprise direct-sales contexts. | High | SP018, SP016 |
| CP035 | Palo Alto Networks Cortex XDR is positioned as an enterprise XDR and endpoint security platform competing in the enterprise segment with CrowdStrike and SentinelOne but lacks MSP-native distribution and is not a direct competitor in the SMB-via-MSP segment where ThreatLocker primarily operates. | High | SP024, SP016 |
| CP036 | ThreatLocker hosts Zero Trust World, an annual security conference focused on the MSP community, as part of its community-building and thought leadership strategy to deepen mindshare among MSP decision-makers around the default-deny philosophy. | Medium | SP001, SP017 |
| CP037 | CrowdStrike and SentinelOne have added limited application control features as optional add-on modules but neither has repositioned as a default-deny platform or launched allowlisting as a primary go-to-market motion targeting the MSP segment as of Q1 2026. | Medium | SP015, SP016 |
| CP038 | CompTIA research estimates that cybersecurity represents approximately 8 to 12 percent of total North American managed services provider revenue, suggesting a substantial channel through which ThreatLocker's default-deny platform competes for MSP security stack budget allocation. | Medium | SP021, SP017 |
| CI001 | ThreatLocker's primary revenue model is a per-endpoint monthly subscription sold through MSP partners who bundle it into their managed security stack. | High | SI001, SI002, SI018 |
| CI002 | ThreatLocker raised $60 million in Series E funding in April 2025 at a $1.2 billion post-money valuation, led by Arthur Ventures and CR2 Ventures. | Medium | SI006, SI007 |
| CI003 | Latka, a third-party SaaS revenue database, estimates ThreatLocker's ARR at approximately $61.7 million for fiscal year 2023. | Low | SI008 |
| CI004 | Tracxn, a third-party analyst database, estimates ThreatLocker's revenue at approximately $71.5 million for 2025. | Low | SI007 |
| CI005 | ThreatLocker does not publicly disclose ARR, gross margin, burn rate, profitability status, or unit economics as of May 2026. | High | SI001, SI006, SI007 |
| CI006 | The $60 million Series E fundraise is small relative to the $1.2 billion post-money valuation, suggesting ThreatLocker may be near breakeven or generating positive cash flow. | Medium | SI006, SI007 |
| CI007 | ThreatLocker has raised approximately $253.6 million in total equity funding across all rounds through April 2025. | Medium | SI006, SI007, SI011, SI031 |
| CI008 | ThreatLocker's total employee count grew from approximately 200 in 2023 to approximately 700 by March 2026, representing a 250% headcount increase. | Medium | SI007, SI013, SI029 |
| CI009 | CrowdStrike reported a non-GAAP gross margin of approximately 75% for FY2025, providing a relevant benchmark for ThreatLocker's potential gross margin range. | High | SI009, SI010, SI030 |
| CI010 | SentinelOne reported a non-GAAP gross margin of approximately 74% for FY2026, providing a relevant benchmark for ThreatLocker's potential gross margin range. | High | SI010, SI009, SI030 |
| CI011 | ThreatLocker filed a lawsuit against Charles Schwab Corporation (Case 6:2025cv00923, M.D. Fla.) in May 2025; the nature and financial exposure are not publicly disclosed. | Medium | SI004, SI012 |
| CI012 | ThreatLocker's primary press releases for the Series E round on PR Newswire and BusinessWire returned 404 errors at time of research, preventing primary verification of investor and valuation terms. | High | SI016, SI017 |
| CI013 | At 70,000+ organizations protected and approximately $71.5 million in estimated ARR, ThreatLocker's implied average revenue per customer is approximately $1,000 per year, consistent with a 50-150 endpoint SMB customer at $8-15/endpoint/month. | Low | SI005, SI007 |
| CI014 | ThreatLocker's Series D was $115 million at a $750 million post-money valuation in April 2024; the Series E's $1.2B valuation represents a 60% step-up in approximately 12 months. | Medium | SI003, SI006 |
| CI015 | ThreatLocker does not publicly list prices for its endpoint security subscription; pricing is negotiated through MSP partners at volume tiers. | High | SI001, SI002, SI025 |
| CI016 | MSP partners who bundle ThreatLocker typically apply a 30-50% take-rate on the total managed security spend, reducing ThreatLocker's effective revenue per endpoint relative to list pricing. | Low | SI019, SI018 |
| CI017 | ThreatLocker's Cyber Hero 24/7 unlimited support model is included in the subscription cost, making it a cost center that compresses gross margin relative to platforms with tiered support pricing. | Medium | SI001, SI002 |
| CI018 | Microsoft Defender for Business is included in Microsoft 365 Business Premium at $22 per user per month, effectively setting a price ceiling for SMB endpoint security tools competing with ThreatLocker. | High | SI021, SI009 |
| CI019 | At a $1.2B valuation and approximately $71.5M ARR estimate, ThreatLocker trades at approximately 16-17x ARR -- above the public market median for endpoint security but below hypergrowth SaaS multiples. | Low | SI006, SI007, SI026, SI032 |
| CI020 | ThreatLocker announced 14 new data centers in 2025-2026 (12 US, Saudi Arabia, Abu Dhabi), indicating significant capital expenditure for infrastructure expansion. | Medium | SI013, SI005 |
| CI021 | ThreatLocker's module launch cadence of five new modules at ZTW 2025 plus ZTNA and ZTCA in March 2026 suggests active R&D investment that increases operating costs but expands ACV opportunity. | Medium | SI005, SI013 |
| CI022 | No public debt instruments, credit facilities, or off-balance-sheet financing for ThreatLocker have been identified from public sources as of May 2026. | Medium | SI006, SI011 |
| CI023 | ThreatLocker's G2 rating of 4.8 out of 5 from 472 reviews and Gartner Peer Insights rating of 4.8 out of 5 from 79 ratings are positive leading indicators of customer satisfaction and low voluntary churn. | High | SI014, SI015 |
| CI024 | ThreatLocker's 40% growth in organizations protected from April 2024 (50,000+) to March 2026 (70,000+) implies a minimum ARR growth rate of approximately 15-25% per year if ACV is stable. | Low | SI005, SI003 |
| CI025 | The ThreatLocker v. Charles Schwab lawsuit (6:2025cv00923) is a contract or lease dispute; its financial exposure is unknown but could affect capital adequacy if damages are material. | Medium | SI004, SI012 |
| CI026 | No public customer churn reports, contract terminations, or large-scale customer losses have been identified in research sources covering ThreatLocker from 2020 through 2026. | Medium | SI014, SI015 |
| CI027 | ThreatLocker's zero trust platform-as-a-subscription model has high revenue quality characteristics: recurring, compliance-driven, with allowlist policy lock-in reducing voluntary churn. | High | SI001, SI018, SI002 |
| CI028 | PremierAlts corroborates the $1.2B post-money valuation for the April 2025 Series E despite the primary PR Newswire and BusinessWire press releases being inaccessible. | Medium | SI006, SI017 |
| CI029 | CrowdStrike's ARR of $3.1 billion for FY2025 is approximately 43 times ThreatLocker's estimated $71.5M ARR, indicating ThreatLocker is at an early-to-mid growth stage relative to public endpoint security peers. | Medium | SI009, SI007 |
| CI030 | SentinelOne's ARR of $936 million for FY2026 is approximately 13 times ThreatLocker's estimated ARR, showing the gap to full enterprise-scale endpoint security platforms. | Medium | SI010, SI007 |
| CI031 | ThreatLocker's use of funds from the $60M Series E is not publicly disclosed; the company has not announced M&A activity or major capital programs beyond data center expansion as of May 2026. | Medium | SI006, SI016 |
| CI032 | ThreatLocker's revenue recognition model -- subscription SaaS, monthly recurring through MSPs -- has low recognition risk relative to enterprise license or usage-based models. | Medium | SI001, SI002 |
| CI033 | The MSP channel model reduces ThreatLocker's customer support burden at the SMB tier since MSPs handle first-line support, lowering service delivery COGS versus a direct-support model. | Medium | SI018, SI019, SI028 |
| CI034 | Investor Arthur Ventures led both ThreatLocker's early rounds and the Series E, indicating strong institutional conviction and continuity across the company's growth stages; family governance concentration across CEO, COO, and CTO warrants assessment in a liquidity event. | Medium | SI006, SI011 |
| CI035 | ThreatLocker's headcount of approximately 700 employees with approximately $71.5M ARR implies approximately $102,000 ARR per employee -- below best-in-class SaaS efficiency but typical for a company in rapid headcount growth. | Low | SI007, SI008, SI026, SI028 |
| CI036 | ThreatLocker's Series E was led by Arthur Ventures and CR2 Ventures as co-leads, with Elephant Venture Capital and StepStone Group participating as returning investors. | Medium | SI006, SI007 |
| CI037 | ThreatLocker's capital intensity is expected to increase in 2026 due to ZTNA and ZTCA infrastructure buildout across 14 data centers and continued headcount scaling, though the exact burn trajectory is unknown. | Low | SI013, SI005 |
| CI038 | The Fortune Business Insights estimate of a $42.28 billion zero trust security market in 2025 implies ThreatLocker's approximately $71.5M ARR represents less than 0.2% of the TAM, suggesting substantial long-term growth runway. | Medium | SI023, SI007, SI027 |
| CE001 | ThreatLocker's platform operates on a default-deny model in which no application, script, or executable is permitted to run unless it has been explicitly approved by an administrator. | High | SE001, SE003 |
| CE002 | Ringfencing technology restricts the resources, including files, registry keys, network endpoints, and other processes, that an already-approved application can access after execution. | High | SE003, SE009 |
| CE003 | The ThreatLocker platform consists of an agent deployed on individual endpoints and a cloud-hosted management console from which administrators configure and audit policies centrally. | High | SE001, SE002 |
| CE004 | ThreatLocker's Application Allowlisting is the core module of the platform, covering executables, scripts, macros, and installers across Windows and macOS endpoints. | High | SE001, SE003 |
| CE005 | The Storage Control module prevents unauthorized access to USB drives and network shares, protecting against data exfiltration and ransomware encryption of shared storage. | Medium | SE006 |
| CE006 | Network Control provides per-application network allowlisting, restricting each approved application to only the IP addresses and ports it has been explicitly permitted to contact. | Medium | SE007 |
| CE007 | The Privileged Access Management module provides credential vaulting so that privileged passwords are never exposed in plaintext to end users or scripts. | Medium | SE004 |
| CE008 | Elevation Control allows applications to request elevated privileges on a per-application basis without granting the user persistent local administrator rights. | Medium | SE008 |
| CE009 | ThreatLocker launched Zero Trust Network Access as a generally available product in March 2026 per PR Newswire announcement. | High | SE011, SE012 |
| CE010 | ThreatLocker launched Zero Trust Cloud Access alongside ZTNA in March 2026, extending Zero Trust access governance to cloud applications. | High | SE011, SE013 |
| CE011 | At Zero Trust World 2025, ThreatLocker announced five new modules: Insights, Patch Management, User Store, Web Control, and Cloud Control. | High | SE012, SE013 |
| CE012 | ThreatLocker expanded its data center footprint by 14 new centers in 2025-2026, including 12 in the US plus Saudi Arabia and Abu Dhabi. | High | SE012, SE013 |
| CE013 | The ThreatLocker endpoint agent supports Windows and macOS operating systems for its core allowlisting and Ringfencing modules. | Medium | SE001 |
| CE014 | ThreatLocker formally integrates with major RMM platforms including ConnectWise Automate, Datto RMM, and NinjaRMM to support MSP deployment and management workflows. | Medium | SE001 |
| CE015 | ThreatLocker uses a cloud-managed architecture in which policies are configured centrally and pushed automatically to endpoint agents across all managed organizations. | High | SE001, SE002 |
| CE016 | The default-deny model blocks all unknown or unapproved applications automatically without requiring signature updates, making it effective against zero-day and novel malware. | High | SE001, SE003 |
| CE017 | Cybernews reviewers identified steep learning curve and complex initial setup as the primary drawbacks of ThreatLocker's platform relative to lower-touch security tools. | High | SE014, SE015 |
| CE018 | ThreatLocker's Ringfencing is a trademarked product name, providing brand and IP protection against direct naming imitation by competitors. | Medium | SE003 |
| CE019 | ThreatLocker provides an EDR module that adds behavioral threat detection to complement the preventive allowlisting core of the platform. | Medium | SE001 |
| CE020 | ThreatLocker offers an MDR service layer providing expert-managed threat detection and response for customers requiring hands-on security operations support. | Medium | SE001 |
| CE021 | The Cyber Hero support model provides 24/7 direct engineer access as part of all ThreatLocker subscription tiers at no additional cost. | High | SE001, SE002 |
| CE022 | ThreatLocker's Application Allowlisting covers all software execution including PowerShell and VBScript scripts, Office macros, and compiled executables. | Medium | SE003 |
| CE023 | ThreatLocker's platform is signature-free, relying on identity-based allowlisting rather than malware signature databases that require regular update cycles. | High | SE001, SE003 |
| CE024 | CRN reported in 2026 that ThreatLocker is driving a reimagined Zero Trust consolidation strategy for MSPs and channel partners. | Medium | SE012 |
| CE025 | TMCnet reported that ThreatLocker expanded globally and deepened its Zero Trust offerings ahead of MSP Expo 2026. | Medium | SE013 |
| CE026 | G2 gives ThreatLocker's platform a score of 4.8 out of 5 from 472 reviews with a 94 out of 100 likelihood to recommend rating. | High | SE015, SE016 |
| CE027 | Gartner Peer Insights rates ThreatLocker at 4.8 out of 5 from 79 ratings in the Endpoint Protection Platforms market segment. | High | SE016, SE015 |
| CE028 | SentinelOne's platform uses AI-based behavioral detection as its primary defense mechanism in contrast to ThreatLocker's default-deny allowlisting approach. | Medium | SE017 |
| CE029 | CrowdStrike's Falcon platform relies on cloud-native behavioral AI and does not offer a native default-deny application allowlisting engine comparable to ThreatLocker. | Medium | SE018 |
| CE030 | Palo Alto Networks Cortex XDR offers behavioral analysis and extended detection and response but does not provide a native allowlisting engine comparable to ThreatLocker. | Medium | SE019 |
| CE031 | Ringfencing limits an application's network connections to approved destinations, reducing the blast radius if an approved application is compromised or used in a credential abuse attack. | High | SE003, SE007 |
| CE032 | ThreatLocker's included Cyber Hero support differentiates it from EDR vendors such as Microsoft Defender that charge separately for premium support tiers. | Medium | SE001, SE021 |
| CE033 | ThreatLocker's module architecture enables MSPs to activate individual modules per endpoint, supporting flexible tiered security packaging for MSP customers. | Medium | SE001 |
| CE034 | ThreatLocker announced 14 new data centers for 2025-2026 to reduce latency and support international data residency compliance requirements. | High | SE012, SE013 |
| CE035 | Elevation Control enables standard-user workflows that previously required local administrator rights to function without granting persistent administrative access. | Medium | SE008 |
| CE036 | ThreatLocker's cloud management console is multi-tenant, enabling MSPs to manage thousands of customer organizations from a single interface with full policy isolation between tenants. | High | SE001, SE002 |
| CE037 | ThreatLocker's platform supports automated learning modes during onboarding where the agent observes all running software before switching to enforcement mode. | Medium | SE001 |
| CU001 | ThreatLocker reported more than 70,000 customers as of early 2026, per CEO Danny Jenkins in multiple conference presentations and media interviews. | High | SU017, SU016 |
| CU002 | Independent data sources Latka and Tracxn estimate ThreatLocker's customer count in the 65,000 to 75,000 range as of 2025 to 2026, consistent with company disclosures. | Medium | SU017, SU018 |
| CU003 | ThreatLocker grew from approximately 40,000 customers in 2023 to more than 70,000 in early 2026, implying a two-year CAGR of approximately 32 percent. | Medium | SU017, SU021 |
| CU004 | The MSP partner channel accounts for an estimated 60 to 65 percent of ThreatLocker's total customer count by endpoints, based on channel revenue ratios cited in industry press. | Medium | SU019, SU020 |
| CU005 | ThreatLocker works with 6,000-plus MSP partners globally as of early 2026 per company disclosures. | High | SU011, SU016 |
| CU006 | ThreatLocker's deployment footprint spans more than 180 countries, though North America is estimated to be the primary revenue concentration geography. | Medium | SU011, SU022 |
| CU007 | Healthcare is a primary vertical for ThreatLocker, driven by HIPAA technical safeguard requirements and the high cost of ransomware incidents in clinical settings. | High | SU007, SU005 |
| CU008 | Financial services customers adopt ThreatLocker primarily for compliance with SOC 2, PCI-DSS, and GLBA requirements. | Medium | SU009, SU011 |
| CU009 | Education sector customers including K-12 school districts adopt ThreatLocker for endpoint allowlisting in unmanaged-device environments and to meet state cybersecurity mandates. | High | SU011, SU016 |
| CU010 | Orlando Magic, the NBA franchise, is a publicly named ThreatLocker customer with a production deployment of Ringfencing and allowlisting technology across its full endpoint estate. | High | SU011, SU016 |
| CU011 | Indianapolis Colts, the NFL franchise, is a publicly named ThreatLocker customer with a documented endpoint lockdown and policy control deployment. | High | SU016, SU012 |
| CU012 | JetBlue Airways is a publicly named ThreatLocker customer using zero-trust application control for ground operations endpoint security. | High | SU011, SU016 |
| CU013 | Emirates airline is a publicly named ThreatLocker customer with a documented infrastructure protection and allowlisting deployment. | High | SU011, SU016 |
| CU014 | ThreatLocker's NRR is not publicly disclosed; G2 and Gartner satisfaction scores and absence of a mass-churn narrative in MSP community forums are positive proxies but do not substitute for verified retention data. | High | SU013, SU014 |
| CU015 | Gross revenue retention for ThreatLocker is not publicly available; the company has not disclosed cohort-level churn data through any public filing or press release. | High | SU013, SU014 |
| CU016 | Enterprise contract length for ThreatLocker is estimated at one to three years based on customer case study language; multi-year contracts are referenced but renewal rate data is not disclosed. | Medium | SU011, SU012 |
| CU017 | G2 rates ThreatLocker 4.8 out of 5 from more than 920 reviews as of Q1 2026; top praise themes include strong policy granularity and effective ransomware blocking. | High | SU013, SU014 |
| CU018 | Gartner Peer Insights awarded ThreatLocker a Customers' Choice distinction in the zero-trust network access category with a 4.8 out of 5 rating as of early 2026. | High | SU014, SU006 |
| CU019 | PeerSpot and Capterra rate ThreatLocker between 4.7 and 4.8 out of 5 across more than 200 combined reviews, consistent with G2 and Gartner scores. | Medium | SU003, SU001 |
| CU020 | Recurring negative review themes for ThreatLocker include steep initial learning curve for policy tuning, complex onboarding for organizations without dedicated IT staff, and occasional false positives blocking legitimate software. | High | SU015, SU013 |
| CU021 | Cybernews reviewers and MSP practitioner community participants have flagged ThreatLocker support responsiveness as a concern during high-volume onboarding events. | Medium | SU015, SU004 |
| CU022 | Hattiesburg Clinic is a publicly named ThreatLocker customer that adopted the platform for HIPAA-driven endpoint security compliance and ransomware prevention. | High | SU005, SU007 |
| CU023 | Niles Community Schools is a publicly named ThreatLocker customer using K-12 device allowlisting to prevent ransomware spread and comply with state cybersecurity mandates. | High | SU011, SU016 |
| CU024 | MSP partner concentration risk is elevated: if the top 50 MSP partners account for a disproportionate share of customer volume, churn among a small number of mega-MSPs could materially impact ThreatLocker's ARR. | Medium | SU019, SU020 |
| CU025 | Kaseya's acquisition of Datto creates risk that larger MSP platform players will bundle endpoint security functionality competitive with ThreatLocker into existing MSP toolstacks. | Medium | SU025, SU020 |
| CU026 | ThreatLocker's land-and-expand motion operates at two levels: MSPs expand by adding endpoint seats for existing SMB clients, and direct enterprise accounts expand by deploying additional modules including Ringfencing, Storage Control, and Network Control. | High | SU011, SU016 |
| CU027 | ThreatLocker's AWS and Azure marketplace listings provide procurement convenience for enterprise buyers who prefer cloud-based billing, supporting direct enterprise adoption beyond the MSP channel. | Medium | SU022, SU016 |
| CU028 | ThreatLocker's deployment footprint spanning professional sports, aviation, healthcare, education, and government validates cross-sector applicability while MSP-served SMBs remain the volume driver. | High | SU011, SU016 |
| CU029 | ThreatLocker's named enterprise customers Orlando Magic, JetBlue, and Emirates represent production deployments with multi-module use, not limited pilots, based on case study language referencing ongoing operations. | Medium | SU011, SU016 |
| CU030 | Revenue and customer-count breakdown by vertical is not publicly disclosed by ThreatLocker; vertical segmentation estimates in this chapter are analyst inferences from case study distribution and review data. | High | SU017, SU016 |
| CU031 | ThreatLocker's customer journey from discovery to full deployment typically involves MSP-led evaluations, proof-of-concept periods of 60 to 90 days, policy configuration workshops, and phased module rollouts. | Medium | SU011, SU020 |
| CU032 | CISA zero-trust mandates for federal contractors and critical infrastructure operators have driven government and regulated-industry customer adoption of ThreatLocker's allowlisting and Ringfencing technologies. | Medium | SU009, SU005 |
| CU033 | ThreatLocker's MSP partner network of 6,000-plus partners provides broad distribution breadth across SMB verticals but also introduces concentration risk if mega-MSPs account for a disproportionate revenue share. | Medium | SU019, SU008 |
| CU034 | ThreatLocker's Series D press release and management commentary reference continued strong demand from enterprise and mid-market customers, supplementing MSP-driven SMB growth. | Medium | SU022, SU021 |
| CU035 | The absence of publicly disclosed cohort retention data combined with lack of NRR and GRR disclosure means that ThreatLocker's customer lifetime value and expansion economics cannot be independently verified. | High | SU013, SU014 |
| CU036 | TrustRadius places ThreatLocker in the top quartile of endpoint security tools based on verified user reviews as of early 2026. | Medium | SU002, SU013 |
| CU037 | SecurityWeek and Dark Reading coverage of ThreatLocker in 2025 and 2026 confirms the platform's position as a notable zero-trust endpoint vendor with growing enterprise traction. | Medium | SU005, SU006 |
| CR001 | ThreatLocker may qualify as a HIPAA Business Associate for healthcare customers that use its platform to process or access electronic protected health information, imposing BAA execution and security rule compliance obligations. | High | SR012, SR001 |
| CR002 | ThreatLocker, Inc. v. Charles Schwab Corp. (Case 6:2025cv00923, M.D. Fla.) is an active lawsuit filed in 2025; cause of action, damages, and litigation timeline are not publicly known. | High | SR011, SR004 |
| CR003 | The FTC Safeguards Rule requires financial institutions to implement information security programs covering technical safeguards; ThreatLocker's products are positioned as key control components for Safeguards Rule compliance. | High | SR001, SR013 |
| CR004 | CCPA and 14 other state privacy laws impose data-handling obligations on ThreatLocker as a SaaS vendor collecting endpoint telemetry and customer operational data. | Medium | SR003, SR008 |
| CR005 | The SEC's 2023 cybersecurity incident disclosure rule requires public companies to disclose material cybersecurity incidents within four business days, creating disclosure risk for ThreatLocker's public-company customers if ThreatLocker tooling is involved. | High | SR004, SR014 |
| CR006 | ThreatLocker holds SOC 2 Type II certification per company disclosures, but the scope, coverage domains, and most recent audit date are not publicly specified. | Medium | SR010, SR017 |
| CR007 | Regulatory precedents including FTC enforcement actions against data processors and HHS OCR enforcement against covered entities establish that cybersecurity vendors can face indirect regulatory exposure when their tools are involved in a customer breach. | Medium | SR001, SR012 |
| CR008 | ThreatLocker's default-deny model introduces an inherent false-positive risk: misconfigured policies block legitimate applications, causing operational disruptions for customers and escalating support volumes. | High | SR019, SR015 |
| CR009 | ThreatLocker's cloud management console is a high-value adversarial target; compromise of the management console would enable an attacker to modify allowlists across thousands of endpoints simultaneously. | High | SR005, SR006 |
| CR010 | Kernel-level endpoint agent driver vulnerabilities in allowlisting tools have historically been exploited to bypass protection; ThreatLocker's driver vulnerability disclosure policy is not publicly documented. | Medium | SR002, SR005 |
| CR011 | ThreatLocker has not disclosed any material security incidents, data breaches, or significant operational outages as of mid-2026. | Medium | SR017, SR006 |
| CR012 | G2 and Gartner reviews document recurring false-positive incidents and steep learning curve complaints at ThreatLocker; at 70,000-plus customers this generates significant support volume. | High | SR019, SR020 |
| CR013 | ThreatLocker's default-deny approach reduces supply chain attack surface compared to traditional EPP and EDR vendors that rely on signature-based detection, providing a structural operational security advantage. | High | SR013, SR014 |
| CR014 | ThreatLocker's MSP partner channel concentration risk is elevated; if the top 10 to 50 MSP partners account for a disproportionate share of customer volume, churn among a small number of mega-MSPs could materially impact ARR. | Medium | SR023, SR024 |
| CR015 | Kaseya's acquisition of Datto and ConnectWise's platform expansion create scenarios where these MSP platform vendors bundle endpoint security competing with ThreatLocker into the base MSP toolstack at no additional cost to the MSP. | Medium | SR026, SR023 |
| CR016 | ThreatLocker depends on AWS and Azure for cloud infrastructure underlying its management console and policy management plane; an extended cloud outage would impair policy management capabilities. | High | SR009, SR017 |
| CR017 | Microsoft Defender for Business and Intune's bundled positioning within Windows licensing represents a low-cost competitor that could displace ThreatLocker in the SMB segment served by cost-conscious MSPs. | Medium | SR027, SR022 |
| CR018 | ThreatLocker's SOC 2 Type II certification and compliance audit readiness depend on maintaining continuous control documentation and third-party penetration testing; any lapse could affect enterprise sales cycles. | Medium | SR010, SR017 |
| CR019 | MSP platform consolidation — Kaseya acquiring Datto, ConnectWise expanding security offerings — reduces the independence of ThreatLocker's channel partners and increases the risk of competitive displacement at the MSP platform level. | Medium | SR026, SR018 |
| CR020 | CEO Danny Jenkins is ThreatLocker's primary public voice, conference speaker, and technical visionary; his departure or incapacitation would remove the primary product and culture driver at a critical growth inflection point. | High | SR018, SR017 |
| CR021 | Management depth below the CEO level at ThreatLocker has not been independently assessed; the bench of senior engineering and go-to-market leaders is not publicly documented. | Medium | SR018, SR025 |
| CR022 | ThreatLocker's rapid growth from approximately 40,000 to 70,000-plus customers in two years requires substantial operational scaling across engineering, sales, support, and compliance functions simultaneously. | Medium | SR025, SR028 |
| CR023 | Talent acquisition in the cybersecurity engineering market is highly competitive; Orlando, Florida, while a growing tech hub, is a smaller talent pool than Bay Area or New York, creating hiring and retention risk. | Medium | SR018, SR029 |
| CR024 | Series D funding creates pressure to scale revenue and customer count in line with investor expectations; if growth disappoints post-Series D, ThreatLocker may face burn pressure, valuation compression, and employee morale risk. | Medium | SR028, SR025 |
| CR025 | A material regulatory enforcement action against ThreatLocker directly (not a customer) would represent a thesis-break trigger requiring an investment hold pending financial exposure assessment. | High | SR001, SR012 |
| CR026 | An adverse judgment or material settlement in ThreatLocker v. Schwab resulting in financial liability exceeding 5 percent of estimated ARR would represent a thesis-break trigger. | High | SR011, SR004 |
| CR027 | A confirmed breach of ThreatLocker's management console affecting customer policy environments would represent a thesis-break trigger requiring immediate investment hold. | High | SR005, SR006 |
| CR028 | CEO departure without a credible named successor and 6-month overlap would represent a material risk trigger requiring investment thesis reassessment. | High | SR018, SR017 |
| CR029 | Quarterly G2 and Gartner review score trends, MSP partner churn signals in channel press, and HIPAA or FTC enforcement actions in key customer verticals are actionable monitoring triggers for ThreatLocker investors. | Medium | SR019, SR001 |
| CR030 | ThreatLocker's mitigations include SOC 2 Type II certification, dedicated compliance team, BAA execution with healthcare customers, AWS shared responsibility model, and a 6,000-plus MSP partner base that dilutes concentration risk. | Medium | SR017, SR010 |
| CR031 | Ransomware threat actors have evolved techniques to bypass allowlisting controls by abusing trusted, pre-approved applications; ThreatLocker's Ringfencing mitigates some but not all of these bypass vectors. | Medium | SR007, SR005 |
| CR032 | The IBM Cost of a Data Breach Report 2025 puts the average healthcare breach cost at 9.8 million dollars, providing a quantified benchmark for the financial impact of HIPAA-related breach scenarios for ThreatLocker's healthcare customers. | High | SR016, SR012 |
| CR033 | The Verizon DBIR 2025 found that ransomware remains the primary attack vector in healthcare and financial services sectors, validating ThreatLocker's product positioning but also quantifying the threat environment its customers face. | High | SR021, SR005 |
| CR034 | ThreatLocker's private company status means it has no SEC-mandated cybersecurity disclosure obligations, reducing its regulatory disclosure burden relative to public SaaS peers but also limiting external transparency. | Medium | SR004, SR017 |
| CR035 | Europol's IOCTA 2023 identified MSP supply chains as a primary attack vector for ransomware operators, directly implicating ThreatLocker's MSP-heavy distribution model as a potential risk amplifier if MSP partners themselves are compromised. | Medium | SR007, SR014 |
| CR036 | The FTC's active enforcement of the Safeguards Rule — including enforcement actions against financial services firms and mortgage companies — demonstrates that indirect vendor risk is an active area of regulatory scrutiny. | High | SR001, SR003 |
| CR037 | PCI DSS v4.0 requirements for cardholder data environment security provide an additional compliance driver for ThreatLocker's financial services customers, reinforcing the regulatory demand for endpoint application controls. | Medium | SR030, SR001 |
| CR038 | GDPR and EU data protection regulations impose data processing obligations on ThreatLocker for its European customer base; the company's data residency and processing practices are not publicly disclosed for EU customers. | Medium | SR003, SR008 |
| CR039 | ThreatLocker's Series D funding announcement and management commentary indicate continued growth investment, but burn rate and runway are not disclosed, creating financial risk opacity for investors. | Medium | SR028, SR029 |
| CR040 | The Microsoft Digital Defense Report 2025 confirms Microsoft Defender's expanding coverage of application control and behavioral analysis capabilities, validating the long-term competitive threat from OS-bundled endpoint security. | High | SR022, SR027 |
| CR041 | BleepingComputer and KrebsOnSecurity coverage of endpoint security incidents in 2025 and 2026 confirms no ThreatLocker-specific public incidents, supporting the company's disclosure of no material breaches. | Medium | SR005, SR006 |
| CV001 | At the April 2024 Series D close, ThreatLocker's $750 million post-money valuation implies an EV/revenue multiple of approximately 10.5-12.1x on the 2023 Latka revenue estimate of $61.7M, positioning the company as a premium-priced endpoint security vendor relative to SentinelOne at ~6-9x NTM revenue at that time. | Medium | SV001, SV002, SV005 |
| CV002 | ThreatLocker had 50,000-plus customer organizations at the time of the April 2024 Series D close. | High | SV001, SV007 |
| CV003 | The April 2025 Series E valuation step-up from $750M to $1.2B (60% increase in approximately 12 months) was supported by a 40% increase in protected organizations (50,000+ to 70,000+), five new product modules at ZTW 2025, and the ZTNA/ZTCA platform expansion, implying that investors priced in continued customer and product velocity. | Medium | SV005, SV004, SV007 |
| CV004 | ThreatLocker's total disclosed funding through April 2025 is approximately $253.6 million across all rounds. | Medium | SV005, SV004, SV002 |
| CV005 | The Series E's relatively modest $60M raise relative to the $450M valuation step-up ($750M to $1.2B) suggests ThreatLocker did not require large primary capital, consistent with near-profitability or strong unit economics. | Medium | SV005, SV004, SV002 |
| CV006 | Arthur Ventures focuses on B2B software companies in non-coastal US markets, fitting ThreatLocker's Orlando, Florida base; CR2 Ventures is a cybersecurity-specialist fund whose participation signals category conviction. | Medium | SV005, SV007 |
| CV007 | The primary press releases for the ThreatLocker Series E on PR Newswire and BusinessWire returned 404 errors at time of research; the round is corroborated by PremierAlts, Tracxn, and CRN coverage. | High | SV025, SV026, SV005, SV004, SV007 |
| CV008 | Latka's third-party estimate puts ThreatLocker's 2023 annual revenue at $61.7 million. | Low | SV013 |
| CV009 | Tracxn's third-party estimate puts ThreatLocker's 2025 revenue at $71.5 million, the primary benchmark for this valuation analysis. | Low | SV004, SV005 |
| CV010 | Using the Tracxn $71.5M 2025 revenue estimate and the $1.2B Series E post-money valuation as enterprise value proxy, the implied EV/revenue multiple is approximately 16.8x. | Medium | SV004, SV005, SV013 |
| CV011 | The Latka 2023 revenue estimate of $61.7M grown at 15-20% annually to 2025 yields $71.5-88.4M, directionally consistent with the Tracxn $71.5M estimate and supporting it as a reasonable floor. | Low | SV013, SV004, SV005 |
| CV012 | If ThreatLocker's actual ARR is materially higher than $71.5M — say $90-120M — the implied EV/revenue multiple would compress to 10-13x, making the $1.2B valuation appear more conservative relative to public-market peers. | Medium | SV004, SV013, SV005 |
| CV013 | ThreatLocker's private company status means no audited financial disclosures are available; all revenue figures are third-party estimates with high uncertainty, making the 16.8x multiple unanchored without data room verification. | High | SV004, SV013, SV002 |
| CV014 | ThreatLocker's MSP channel provides built-in distribution scale across approximately 6,000 MSP partners and 70,000-plus customer organizations in 50-plus countries, creating high policy-library switching costs. | High | SV007, SV009, SV002 |
| CV015 | CrowdStrike had approximately $4 billion ARR growing at roughly 25% annually as of fiscal 2026 and traded at approximately 10-15x NTM revenue. | Medium | SV020, SV028, SV005 |
| CV016 | SentinelOne had approximately $850 million ARR growing at roughly 33% annually as of fiscal 2026 and traded at approximately 6-9x NTM revenue. | Medium | SV021, SV029, SV005 |
| CV017 | Palo Alto Networks traded at approximately 8x revenue as of 2026 given its large-cap diversified platform profile and lower relative growth rate. | Medium | SV022, SV030 |
| CV018 | ThreatLocker's 16.8x implied multiple exceeds CrowdStrike's 10-15x NTM range despite CrowdStrike being more than 50x larger by ARR, implying the market prices in very high growth for ThreatLocker. | Medium | SV020, SV028, SV004, SV005 |
| CV019 | If ThreatLocker's revenue growth decelerates to SentinelOne-like levels, a 6-9x multiple would imply a $430-640M valuation — a significant 47-64% discount to the $1.2B Series E mark. | Medium | SV021, SV029, SV004 |
| CV020 | Sophos was acquired by Francisco Partners (private equity) and is not a tradeable NTM revenue benchmark; PE-buyout multiples of 4-8x revenue imply a $285-570M exit for ThreatLocker at current estimates. | Medium | SV023, SV005 |
| CV021 | The bull case scenario for ThreatLocker requires revenue to scale to $120-150M (50-70% growth from $71.5M) at an 18-20x multiple, yielding a $2.0-3.0B valuation. | Medium | SV005, SV013, SV004 |
| CV022 | The base case valuation of $1.2B reflects the April 2025 Series E mark and is consistent with 20-30% revenue growth at approximately 16.8x EV/revenue multiple. | Medium | SV005, SV004, SV013 |
| CV023 | The bear case scenario ($600-800M) emerges if revenue growth decelerates to 10-15% annually and multiple compresses to 8-11x; triggers include MSP displacement, litigation, or macro SMB budget contraction. | Medium | SV005, SV013, SV011, SV010 |
| CV024 | A base-case investor buying at $1.2B needs ThreatLocker revenue to reach approximately $200M at 10-12x multiple to achieve a 2x return, implying approximately 180% revenue growth over 4-5 years. | Medium | SV005, SV020 |
| CV025 | The Series E's $1.2B mark implies investor expectation of ThreatLocker trending toward the bull scenario of $120-150M revenue within 3-4 years at premium multiple expansion. | Medium | SV005, SV004, SV007 |
| CV026 | Public-market NTM multiples for cybersecurity SaaS compressed significantly from 2021-22 peaks; any macro deterioration, rate increase, or risk-off rotation could compress ThreatLocker's private-market mark in a secondary transaction. | High | SV020, SV021, SV029, SV028 |
| CV027 | ThreatLocker's revenue run rate, if the Tracxn $71.5M 2025 estimate is correct, would need to reach at least $150-200M ARR before a credible Nasdaq or NYSE listing, suggesting an IPO window of 2027-2029. | Medium | SV005, SV007, SV009 |
| CV028 | Pre-IPO governance requirements include audited GAAP financials for 3 fiscal years, Sarbanes-Oxley internal control readiness, and an independent board majority with formal audit and compensation committees. | High | SV007, SV008, SV009 |
| CV029 | Strategic M&A acquirers — Palo Alto Networks, Microsoft, CrowdStrike — would likely value ThreatLocker's MSP channel asset in a $1.5-2.5B range, above the $1.2B Series E mark. | Low | SV020, SV022, SV027, SV028 |
| CV030 | PE-led buyouts of cybersecurity SaaS companies (e.g., Sophos, Barracuda) have historically occurred at 4-8x revenue, implying a $285-570M exit for ThreatLocker — well below the $1.2B Series E mark. | Low | SV023, SV005 |
| CV031 | The concentration of three Jenkins family members in the CEO, COO, and CTO roles would require dual-class share structuring or board independence additions to satisfy institutional IPO investors. | Medium | SV009, SV002, SV007 |
| CV032 | ThreatLocker has not publicly disclosed board composition, audit committee status, or SOX readiness, limiting visibility into IPO preparedness as of May 2026. | High | SV002, SV009, SV007 |
| CV033 | ThreatLocker's private company opacity — no disclosed revenue, gross margin, NRR, or EBITDA — is the single largest valuation risk, making the 16.8x EV/revenue multiple unverifiable without audited financials. | High | SV004, SV013, SV002 |
| CV034 | Jenkins family governance concentration (CEO, COO, CTO) creates key-person risk and potential governance conflicts that institutional IPO investors and strategic buyers would price as a 10-20% discount to governance-transparent peers. | Medium | SV002, SV009, SV007 |
| CV035 | ThreatLocker's MSP channel concentration risk: if top MSP partners account for a disproportionate share of ARR, churn among a small number of mega-MSPs could cause a 30-40% valuation haircut. | Medium | SV007, SV009, SV005 |
| CV036 | ThreatLocker's $71.5M Tracxn 2025 revenue estimate is a single third-party data point; the actual ARR could be materially above or below this figure, making multiple-based valuation highly uncertain. | High | SV004, SV013, SV002 |
| CV037 | Cybernews reviewers document a steep learning curve and complex initial setup for ThreatLocker's platform, which may constrain customer acquisition velocity and net new logo growth in the SMB segment. | Medium | SV010, SV018 |
| CV038 | The active ThreatLocker v. Charles Schwab lawsuit (Case 6:2025cv00923, M.D. Fla.) creates financial and reputational uncertainty; cause of action, damages sought, and litigation timeline are not publicly disclosed. | High | SV011, SV012, SV015 |
| CV039 | ThreatLocker grew its employee base from approximately 200 in 2023 to approximately 700 by March 2026 — a 250% headcount increase — providing indirect evidence of substantial revenue growth over the same period. | Medium | SV007, SV009, SV008 |
| CV040 | ThreatLocker's capital efficiency — growing to 70,000-plus organizations on approximately $253.6M total raised — compares favorably to SentinelOne and CrowdStrike, which each raised over $1B before reaching comparable customer scale. | Medium | SV005, SV020, SV021, SV028, SV029 |
| CV041 | The zero trust security market is expected to grow substantially through 2030 per Fortune Business Insights and MarketsAndMarkets forecasts, providing a secular TAM tailwind supporting ThreatLocker's long-term valuation. | High | SV024, SV017, SV016 |
| CV042 | ThreatLocker's 14 new data centers announced in 2025-2026 (12 US, Saudi Arabia, Abu Dhabi) represent material CapEx commitment, serving as a proxy for management confidence in continued revenue growth. | Medium | SV008, SV006, SV009 |
| CV043 | Cybersecurity SaaS companies with 20-40% annual growth traded at 8-20x NTM revenue in 2025-2026 public markets, with premium assigned for defensible architecture and channel stickiness. | Medium | SV020, SV021, SV022, SV028, SV029 |