In the first quarter of 2026, the software industry sustained one of its most significant stock corrections in years. The selloff wasn’t triggered by the industry’s current business performance but rather its prospects over the long term, according to Goldman Sachs Research. With the growth of artificial intelligence (AI) applications, investors questioned the viability of the sector’s business models and the adequacy of its competitive defenses, or “moats.”

Yet Gabriela Borges, a software sector analyst with Goldman Sachs Research, says there are moves industry leaders can make to meet the challenges of AI. They may want to look at one particular tech subsector for inspiration—cybersecurity.

In their never-ending battle against digital attackers, cybersecurity companies have honed the agility to adapt to sudden technological and strategic challenges. They’ve become especially adept at using mergers and acquisitions (M&A) to fill gaps in their capabilities. Their resilience is a big reason why US cybersecurity stocks are trading at a 24% premium to the broader US software industry this year when measured by enterprise value to forward sales (as of April 15), says Borges.

“Over the last 10 years, cybersecurity firms have been dealing with existential threats,” Borges says. “Now they show what good innovation and durable moats look like over time. They set a good bar for the larger software industry.”

We spoke with Borges about the cybersecurity industry’s prowess at handling disruptive technology, what software companies can do to follow suit, and why an obscure idea called “technical debt” is becoming more important to investors in this space.

Why are cybersecurity companies well positioned to handle threats like AI?

The biggest difference in cybersecurity versus pretty much any other area of technology is that research and development is more revolutionary than evolutionary. So what does that mean? In cybersecurity you’re up against an active adversary, a bad guy, a hacker. They are constantly trying to undermine your product.

You can't just make the same product a little bit faster and a little bit better every year and expect to have a powerful, effective security software tool. You have to be prepared for the next big security threat, which we can't predict. And unlike software-as-a-service, or SaaS, companies, which may have a bit less experience operating in such a disruptive environment, the security companies do have this experience. They are battle-tested.

How do cybersecurity firms stay ahead of the innovation curve?

The best security platforms are really good at identifying holes in their organic product development road map and acknowledging that it doesn’t always make sense to develop new capabilities themselves. Instead, they look at the startup pipeline, acquire the best and brightest, and roll them out to their customers when they’re ready.

But leading cyber firms don’t just buy a startup and jury-rig its technology onto their own platforms as soon as possible. They take their time absorbing acquired firms. I cover one leading firm that took 18 months to integrate a company with $10 million in revenue. By the time they launched an integrated product it could scale really quickly, customers recognized its effectiveness right off the bat. Five years later, it is now the cornerstone of a business that has generated more than $500 million. So you can see how this deal became a huge source of strength for the company.

So software firms should follow suit?

Yes. For software companies, we think it makes a lot more sense to have the venture capital community sponsor next-generation innovation rather than depend too much on organically developing new capabilities. Then software company leadership teams can pick out and acquire the best technology.

What else should software companies do to defend their turf from AI rivals?

The first step for companies is to make sure they have as little technical debt as possible on their platform

Technical debt?

This is a term for technology that is bolted onto a platform, often through the acquisition of other companies, or due to the internal research and development team not being fully synchronized. Over time, companies inherit code bases that differ from their core product code. Instead of rewriting the new code to make sure it’s 100% integrated, many companies will just push the pieces together and hope for the best. It’s like the difference between doing a careful two-year renovation of an old house versus a two-month job that cuts corners.

You want to make sure all the technology on your existing platform works beautifully together. You can’t build AI tooling on a platform if it lacks structural integrity and is poorly integrated with legacy systems. I think managing technical debt and subsequently innovating quickly is moving up the list of things that investors are looking for.

There’s been a lot of speculation on how AI may spell the end of the SaaS model. Is that a stretch?

Yes, it is. Historically, software has been sold on what we call a “seat count,” which is a licensing model where the price is set by a client’s number of users. Now we are seeing seat counts combined with other pricing models, such as one based on a specified outcome.

What makes the most sense is giving customers a more advanced version of bundled pricing, which includes AI functionality. Then customers have some flexibility. I don’t think pricing is going to be as disruptive as investors worry it will be. Now, what could be more disruptive? A lot more competition. This is disruptive.

How so?

The big difference between this correction and prior ones is that we are not seeing a meaningful change in today’s demand environment or software key performance indicators like churn. What we are seeing is this big question mark around the durability of moats and whether the architecture of today’s software leaders will enable AI. 

These debates are about first principles: Why are a company’s products differentiated? And how do you think about the sustainability of that differentiation over time, especially given how quickly the large language model, or LLM, landscape is changing. What is certain is that the bar to offer the marketplace a differentiated product is moving higher.

As competition intensifies, how will investors separate software firms that get it from those that don’t?

The way we’ve put it recently is “good sticky” versus “bad sticky.” Good sticky means your customers love you. You’re innovating. Your products make your users better at their jobs. Then there’s bad sticky. You have an installed base of users that is pretty disgruntled, but it’s really hard to move off your software because it captures a lot of your enterprise’s policies and protocols.

What the LLMs are showing us is that bad sticky moats are eroding quickly. It doesn’t matter which software category you’re in. There are a flood of new entrants in the space, and they start with a clean sheet of paper. So can you build something with AI tools that provides a better customer experience?

Can they?

What software companies tell us time and time again is that they are the incumbents. “We have domain experience. We understand how this business works and we have been entrenched in enterprises for 10, 20, 40 years.” Well, if that’s the case, prove it. Prove your incumbency and domain experience can deliver a better product for your customers. Doing this would solve the pricing question and make the business model question less important.

This article is being provided for educational purposes only. The information contained in this article does not constitute a recommendation from any Goldman Sachs entity to the recipient, and Goldman Sachs is not providing any financial, economic, legal, investment, accounting, or tax advice through this article or to its recipient. Neither Goldman Sachs nor any of its affiliates makes any representation or warranty, express or implied, as to the accuracy or completeness of the statements or any information contained in this article and any liability therefore (including in respect of direct, indirect, or consequential loss or damage) is expressly disclaimed.