The Last Unsecured Market
Massimo
Every major cybersecurity market has been created by the same sequence: a critical system is deployed without adequate security, a visible breach demonstrates the consequences, and capital floods in to fund the remediation. Enterprise IT security followed this pattern after the worms and breaches of the early 2000s. Industrial control system security followed it after Stuxnet in 2010. IoT security followed it after the Mirai botnet in 2016. Cloud security followed it as organizations migrated workloads without rearchitecting their security posture.
Space cybersecurity is entering this sequence now. The critical systems are deployed: over 10,000 active satellites, tens of thousands of ground stations, and millions of user terminals. The visible breach has occurred: the Viasat attack of February 2022 demonstrated that satellite infrastructure can be disabled by a cyberattack timed to the opening hour of a military invasion. What follows, if the pattern holds, is the formation of a market: companies building products, governments writing checks, investors placing bets on the assumption that a problem this large and this visible will eventually produce a defense industry of corresponding scale.
The question for investors, founders, and policymakers is not whether this market will exist. It is how large it will be, how quickly it will form, and which companies will define it.
Sizing the opportunity
Market projections for space cybersecurity vary widely, which is typical for an emerging segment where the boundaries are not yet agreed upon. Estimates from defense and aerospace analysts place the addressable market between $1.5 billion and $4 billion by 2030, growing at compound rates above 15 percent annually. These figures are inherently uncertain (they depend on assumptions about regulatory timelines, defense procurement, and the rate at which commercial operators adopt security solutions), but the direction is unambiguous. The market is growing because the threat is growing, the infrastructure is growing, and the awareness is growing.
The drivers are structural, not cyclical. The number of satellites in orbit is increasing by several thousand per year. Defense budgets for space are expanding across NATO countries; the United States Space Force alone allocated over $30 billion for space programs in fiscal year 2025, with cybersecurity identified as a priority across multiple program lines. Germany committed €35 billion for military space through 2030. The United Kingdom, France, Japan, and Australia have each announced expanded space security programs. The European Union’s NIS2 directive, effective since October 2024, explicitly includes space in its definition of critical infrastructure, a regulatory signal that will eventually require satellite operators to meet binding cybersecurity standards or face penalties.
Regulation is the underappreciated accelerator. Terrestrial cybersecurity spending was driven initially by breaches, but the sustained growth came from compliance: GDPR, PCI DSS, HIPAA, SOX. Each regulation created a floor below which companies could not operate without investment. Space has no equivalent regulatory floor yet, but the direction is clear. NIST published SP 800-233, a voluntary cybersecurity framework for satellite ground segments, in 2023. ESA released cybersecurity guidelines for satellite operators in 2024. The FCC has begun including cybersecurity considerations in satellite licensing reviews. Each incremental step toward mandatory standards expands the addressable market for companies that can help operators comply.
The emerging stack
The companies building space cybersecurity solutions are organizing along a stack that mirrors, imperfectly, the structure of terrestrial cybersecurity. Understanding this stack is useful both for mapping the competitive landscape and for identifying where the most valuable companies are likely to emerge.
At the ground segment layer, the problem looks most like traditional enterprise cybersecurity, and the solutions are correspondingly familiar. Satellite ground stations are IT systems: servers, networks, databases, applications. They are vulnerable to the same classes of attack that affect any networked infrastructure, and they can be defended with many of the same tools. The Viasat attack was, at its core, a network intrusion that exploited a VPN vulnerability and deployed a wiper. It could have been mitigated by standard IT security practices: network segmentation, multi-factor authentication, intrusion detection, and incident response planning. Companies operating in this layer include traditional cybersecurity firms extending into space (CrowdStrike, Palo Alto Networks) and specialized vendors building ground-segment-specific solutions.
At the communications layer, the challenge is encrypting and authenticating the links between satellites, ground stations, and user terminals. This is where the space-specific engineering problems begin. Satellite communication links operate under constraints (limited bandwidth, latency requirements, power budgets) that make standard encryption protocols impractical in some configurations. SpiderOak, perhaps the most visible pure-play space cybersecurity company, has built its business around zero-trust security for space communications. Their OrbitSecure platform provides end-to-end encryption and cryptographic access controls for satellite data, designed to operate within the computational and bandwidth constraints of space systems. The company has secured contracts with the US Space Force and NASA, and has raised funding to expand into commercial markets.
Aalyria, spun out of Google’s Project Loon, operates at the intersection of communications and security. Their Spacetime platform manages the routing and scheduling of communications across heterogeneous networks (satellite, aerial, terrestrial), with security integrated into the network layer. The platform can dynamically reroute traffic around compromised nodes, a capability that becomes critical when the network includes thousands of satellites and the threat model includes adversarial interference.
At the space segment layer (securing the satellites themselves), the market is earliest and the technical challenges most acute. CryptoSat, an Israeli-American startup, is building cryptographic processors that operate in orbit, leveraging the physical isolation of space to create a root of trust that is, by definition, air-gapped from terrestrial networks. The concept is elegant: certain cryptographic operations (key generation, random number generation, secure computation) benefit from an environment where physical access is impossible. Whether this translates into a scalable business depends on whether the market values orbital-grade cryptographic services enough to pay the premium of space-based hardware.
At the monitoring and situational awareness layer, companies are building the equivalent of SOCs (Security Operations Centers) for space: systems that detect anomalies in satellite behavior, communications patterns, and orbital dynamics that might indicate interference or attack. This is the space equivalent of network monitoring and threat detection, adapted for the unique observables of the space domain: unexpected orbital maneuvers, signal anomalies, command-link irregularities, RF interference patterns.
Government as anchor customer
In terrestrial cybersecurity, the US Department of Defense was the foundational customer for many of the companies that later defined the commercial market. Mandiant, CrowdStrike, Palantir, and Recorded Future each built initial revenue on government contracts before expanding into enterprise sales. The same dynamic is forming in space cybersecurity.
The US Space Force is the largest single source of demand. Its Space Systems Command has issued multiple contracts for cybersecurity capabilities across ground systems, communications, and space control. The Space Force’s Commercial Space Office actively seeks commercial solutions that can be adapted for military use, a procurement philosophy that favors startups with dual-use technologies over traditional defense primes building bespoke systems. SpiderOak’s contracts with the Space Force are the clearest example of this model working in practice.
In Europe, the picture is more fragmented but the trajectory is similar. Germany’s €35 billion military space commitment includes explicit provisions for space resilience and cybersecurity. ESA’s ARTES and ScyLight programs fund development of secure satellite communications technology. France’s CNES has invested in sovereign cryptographic capabilities for its military satellite programs. The UK’s Defence Science and Technology Laboratory (DSTL) runs research programs in space cybersecurity.
The government-as-anchor-customer model works because it solves two problems simultaneously. It provides early revenue to companies that would otherwise struggle to sell a security product to a commercial market that does not yet face regulatory mandates to buy one. And it provides the validation (technical rigor, security clearance, operational deployment) that de-risks the company for subsequent commercial and venture investors.
The risk in this model is dependency. A company that builds exclusively for government customers may optimize for procurement compliance rather than product quality, may become locked into classified programs that prevent commercial expansion, or may find itself dependent on budget cycles and political priorities that shift unpredictably. The most successful cybersecurity companies have been those that used government contracts as a launchpad, not a destination, building commercial products on top of government-funded technology.
The venture thesis
The venture capital case for space cybersecurity rests on three pillars: a large and growing addressable market, strong secular tailwinds (regulatory, geopolitical, and technological), and the historical precedent of terrestrial cybersecurity as one of the best-performing venture categories of the past two decades.
Terrestrial cybersecurity has produced a remarkable concentration of venture outcomes. CrowdStrike went public in 2019 and reached a market capitalization exceeding $80 billion. Palo Alto Networks exceeds $120 billion. The sector has generated dozens of unicorns and hundreds of successful exits. The pattern (find a critical system that is inadequately defended, build a product that defends it, sell to the increasingly anxious owners of that system) has been repeatable across enterprise IT, cloud, IoT, and operational technology.
Space cybersecurity offers the same pattern with an earlier entry point. The market is still forming. The dominant companies have not yet been established. The regulatory mandates that will drive adoption are still being written. For venture investors, this represents an opportunity to invest at the formation of a category rather than the maturation of one.
The counter-argument is timing. Early movers in terrestrial cybersecurity, the companies that tried to sell firewall products in 1995, often failed not because their products were wrong but because the market was not ready. Buyers did not yet understand the threat, did not yet face regulatory pressure, and did not yet have budgets allocated for security. The space cybersecurity market may be in a similar pre-formation phase: the threat is understood by experts but not yet by the broader market of satellite operators and constellation builders. The Viasat attack moved the needle, but one incident, however dramatic, may not be sufficient to trigger the sustained spending that creates a durable market.
The question for investors is whether 2026 is more analogous to 1995 or to 2005 in the terrestrial cybersecurity timeline. In 1995, the internet was new, the threats were nascent, and the market was speculative. By 2005, after years of worms, breaches, and regulatory responses, cybersecurity spending had become a line item in every enterprise IT budget. The space industry is somewhere between these two states: past the first breach, approaching the first regulations, but not yet at the point where every satellite operator budgets for cybersecurity as a matter of course.
There is a third consideration that the historical parallel does not fully capture: the insurance market. As space infrastructure becomes critical infrastructure (supporting banking transactions, air traffic control, precision agriculture, military operations), the insurers who underwrite these dependencies will begin requiring evidence of cybersecurity due diligence. Space insurance is already a sophisticated market, pricing risk for launch failures, orbital debris, and component degradation. Adding cyber risk to that calculus is not a question of if but when, and the moment insurers begin requiring security audits as a condition of coverage, every satellite operator will need a cybersecurity vendor. This is the same dynamic that drove adoption of physical security standards in commercial aviation and cybersecurity standards in financial services: not conviction, but contractual obligation.
The pattern repeats
The formation of the space cybersecurity market follows a logic that is by now well-established. A critical system is built. Its builders optimize for performance, cost, and speed, not security. The system scales until it becomes infrastructure. An adversary demonstrates that the infrastructure is vulnerable. The owner of the infrastructure discovers that remediation is more expensive than prevention would have been. A market forms around the remediation.
What distinguishes space from previous iterations of this cycle is the permanence of the deployed hardware. When enterprise IT was found to be insecure, organizations could patch software, upgrade hardware, segment networks, and deploy new security tools. When IoT devices were found to be insecure, manufacturers could push firmware updates and redesign the next generation. When a satellite is found to be insecure, the options are limited to whatever the original design permits, and for many satellites in orbit today, the original design permits very little.
This permanence has a paradoxical effect on the market. It makes the problem harder to solve, which limits the addressable market for certain solutions. But it also makes the problem more persistent, which extends the duration of demand. A satellite launched today with inadequate security will need compensating controls (ground-based monitoring, communications-layer encryption, anomaly detection) for the entirety of its operational life. The market is not a one-time remediation. It is a sustained service.
The companies that will define this market share certain characteristics. They build products that operate within the constraints of space systems (limited bandwidth, power, and computational resources) rather than simply porting terrestrial solutions to a space context. They address the full lifecycle of the problem, from design-phase security engineering through operational monitoring to incident response. They can sell to both government and commercial customers, using government contracts for early revenue and validation while building commercial products that scale. And they understand that their ultimate customer is not the satellite operator alone; it is the entire ecosystem of insurance underwriters, regulators, defense agencies, and end users who depend on the integrity of space-based services.
Terrestrial cybersecurity became a $200 billion market because the internet became infrastructure. Space is becoming infrastructure. The pattern is not subtle, and it is not speculative. The satellites are up. The threats are demonstrated. The regulations are coming. The only question is which companies will build the defenses, and whether they will build them in time.