
Are SaaS Haircuts Too Short?

In late February 2026, the market wiped about $285bn off SaaS valuations in 48 hours. Thomson Reuters lost 15.83% in a single session, its biggest ever drop. LegalZoom lost 19.68%. The precursor was Anthropic launching Claude Cowork, a solution that does multi-step knowledge work without needing a seat licence, and a solution the bears had been waiting six months for someone to demo. Bain and Deloitte had spent the back half of 2025 producing earnest reports on how per-seat enterprise software was structurally cooked. The market had nodded politely. Then Cowork happened, and the market stopped nodding. [6]

By March, the SaaS Capital Index had gone from roughly 7.0x ARR at the start of 2025 to roughly 3.8x. [2] Aventis had public SaaS at a median 3.4x EV/Revenue. [1] Software now trades at a discount to the S&P 500 for the first time in modern history — a sentence I did not expect to write. Salesforce, Adobe, Workday and Monday have all seen multiples compress 30–50% in twelve months. [5] Marc Benioff has been on stage at Dreamforce being asked, with apparent sincerity, whether his product still has a future.

The argument here is that the haircut is overdone. Not in the cheerful buy-the-dip sense — there are perfectly good reasons multiples have come in, which I’ll get to — but in a more specific sense: the market has priced one variable (agentic substitution) extremely loudly while pricing another variable (who’s holding the cyber-risk parcel when the music stops) at roughly zero. I think that second variable starts to matter quite a lot and quite soon.

The bears, to be fair

The bear case isn’t stupid. Three things have changed.

One: software is no longer hard to build. Frontier coding agents have collapsed the marginal cost of producing functional application code, and a depressing percentage of the things we used to rent from SaaS vendors are now plausibly buildable in-house in days rather than months. Two: per-seat pricing is getting eaten. Agents don’t need seats. Monday, the SaaS company, replaced 100 of its own SDRs with agents earlier this year, which is an awkward thing for SaaS bulls to explain. [6] Three: growth has been decelerating for a while, independent of AI. The SaaS Capital Index median has fallen from above 30% in 2021 to the low teens, and the 2026 guides are mostly under 10%. [1] [2] Growth-adjusted multiples look less stretched than headline ones, which means there’s plausibly more downside if growth keeps slipping. [2]

These are real. I’m not arguing they aren’t. I’m arguing they aren’t the whole story, and that the bit they leave out is becoming structurally more important.

Enter Mythos

In April, Anthropic announced it had trained a model called Mythos Preview that’s so good at finding security holes that the company decided not to let anyone have it. Or rather: not anyone outside a chosen forty partners under something called Project Glasswing, which is exactly the sort of name a frontier-AI containment programme would have. [7] Anthropic’s own engineers found Mythos turning up exploits in every major operating system and browser they pointed it at. The company claimed thousands of high-severity vulnerabilities had been identified during evaluation, and CEO Dario Amodei warned of a six-to-twelve-month window for the world to patch them before Chinese AI catches up. [8] [9]

Mythos itself is contained… sort of. The capability class it represents very much isn’t. Z.ai’s open-source GLM-5.1 dropped the same month, hit roughly 95% of Claude Opus 4.6’s coding performance under an MIT licence, and reportedly beats it on SWE-bench Pro. [11] Researchers at AISLE tested cheaper, smaller open models against the same vulnerabilities Anthropic flagged in its Mythos announcement and found that 3B-parameter models priced at pennies per million tokens could detect the flagship FreeBSD zero-day. They describe AI cyber capability as “jagged”: it doesn’t scale smoothly with model size or price, which means you don’t actually need a frontier model to find zero-days. [12] As if to underline the point, Bloomberg reported a few weeks after Mythos’s launch that unauthorised users had been accessing the model itself through a contractor’s account… so much for containment. [10] The implication is straightforward: the gap between closed frontier offensive capability and openly available offensive capability is compressing toward zero. Mythos is the warning shot, not the event.

Why does this matter for SaaS multiples? Because it changes who has to deal with all this. An enterprise SaaS provider — the proper kind, with SOC 2 Type II, an actual security team, a vulnerability-disclosure programme, and meaningful cyber-insurance coverage — has the institutional kit to absorb a faster CVE cadence. A self-hosted, AI-generated knockoff of the same software does not. The bear case treats the SaaS provider as a margin layer to be removed. It’s also a risk-absorption layer, and that layer is becoming more valuable, not less.

About that vibe-coded code

The build-it-yourself thesis quietly assumes AI-generated code is roughly as safe as the engineered kind. The data does not really cooperate with this assumption.

Contrast Security, drawing on benchmarks from NYU and BaxBench, finds 40–62% of AI-generated code contains security flaws. CurXecute (CVE-2025-54135) lets attackers run arbitrary commands on a developer’s machine through Cursor; a July 2025 vulnerability in the Base44 platform exposed every private application built on it. OX Security found critical flaws in Visual Studio Code, Cursor and Windsurf in February. [13] BeyondTrust’s Phantom Labs turned up a command-injection bug in OpenAI’s Codex cloud environment that exposed GitHub credentials. [13] Infosecurity Magazine reckons at least 35 of March’s CVEs were directly attributable to AI-coding-tool issues. In one month. [13] Databricks’ own AI Red Team has shown vibe-coded apps routinely producing arbitrary-code-execution and memory-corruption bugs even when the code looks fine on first inspection. [14]

Two things make this worse than the headline numbers. First, security quality of AI-generated code degrades through iteration: a study had GPT-4o revise the same code 40 times, and the model kept introducing new flaws even after old ones were fixed. Second, shadow IT now has a cousin called shadow AI, and IBM’s Cost of a Data Breach Report 2025 found one in five breached organisations had a shadow-AI incident, adding roughly $670,000 to the average breach cost. In 97% of AI-related breaches, basic access controls were just missing. [15] [16] This is the world an enterprise inherits when it replaces a SaaS subscription with a thing it built itself in a weekend.

The point isn’t that AI-generated code is unusable — it’s manifestly not; it’s enormously productive. The point is that consuming it safely needs an entire stack of security capability: code review by people senior enough to spot the subtle stuff, runtime monitoring, vulnerability scanning, dependency hygiene, secrets management and incident response. Again, this is exactly what an enterprise SaaS provider is paid to maintain. Run the buy-vs-build calculation on cost of development alone and build wins. Run it on cost of development plus expected loss and the answer changes.

The bit nobody is pricing

Here’s the piece of an enterprise SaaS contract that doesn’t get talked about much in valuation models. A serious enterprise SaaS agreement comes with: an indemnification clause covering third-party IP and data-breach claims; a limitation-of-liability cap (commonly a multiple of trailing fees, with super-caps for security-sensitive deployments); defined breach-notification obligations; audited security certifications; and vendor-side cyber insurance backing the whole thing. [17] [18] [19] None of this eliminates customer risk. The shared-responsibility model still applies, and the lawyers will still bill you, but it does shift a defined slice of the risk onto the vendor’s balance sheet, and onto whatever cyber-insurance market the vendor has access to. [20]

The slice is not small. IBM’s Cost of a Data Breach Report 2025 has the global average breach cost at $4.44m, the US average at $10.22m, healthcare at $7.42m. [15] [16] Multi-environment breaches — basically what you get when a company piecemeal-rebuilds an outsourced workflow in-house — average $5.05m. [15] Sixty per cent of AI-related security incidents in the IBM dataset led to compromised data; the average breach now takes 241 days to resolve. [16] Against numbers like that, even a fairly chunky SaaS subscription that contractually shifts a defined portion of your breach risk to a vendor with a real cyber-insurance tower starts to look like rationally priced insurance, not just software access.

The bear case implicitly assumes a company rebuilding a SaaS workflow internally inherits zero security cost. The empirical record screams the opposite. The company inherits the full vulnerability surface, the full GDPR and US state-level breach-notification obligation, the full reputational hit, and the full operational disruption — but without the vendor’s insurance, the vendor’s SOC 2, or the vendor’s indemnity. As Mythos-class capability becomes the baseline, all of that gets more expensive in expectation. The SaaS subscription, in that light, is a hedge whose premium hasn’t been re-rated upward to match the new threat environment. It’s been re-rated down. That is, I’d argue, the wrong direction.
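As an added illustration of the buy-vs-build arithmetic in the two preceding sections (my example code, not from the post or any of its sources), this model prices the development cost and the expected breach loss side by side and shows where the subscription premium breaks even against the contractual risk transfer. The only figure taken from the post is IBM’s $4.44m average breach cost; the in-house cost, subscription, liability-cap multiple, super-cap and breach probabilities are constructed assumptions, and both options are given the same breach probability so that only the risk transfer differs.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model; only this figure is from the post (IBM 2025 global average).
IBM_AVG_BREACH_COST = 4_440_000.0

@dataclass(frozen=True)
class Option:
    name: str
    annual_cost: float       # build: amortised dev + maintenance; buy: subscription
    vendor_cap: float = 0.0  # limitation-of-liability cap the vendor carries (0 = none)

    def retained_breach_cost(self, breach_cost: float) -> float:
        # Vendor indemnity pays out only up to the cap; the rest stays with the customer.
        return max(breach_cost - self.vendor_cap, 0.0)

    def total_expected_cost(self, breach_probability: float, breach_cost: float) -> float:
        return self.annual_cost + breach_probability * self.retained_breach_cost(breach_cost)

def liability_cap(trailing_fees: float, multiple: float,
                  super_cap: Optional[float] = None) -> float:
    # Caps are commonly a multiple of trailing fees, with a higher super-cap for
    # security-sensitive deployments; the multiple and super-cap used are assumptions.
    cap = trailing_fees * multiple
    return max(cap, super_cap) if super_cap is not None else cap

def cheaper(build: Option, buy: Option, breach_probability: float,
            breach_cost: float = IBM_AVG_BREACH_COST) -> str:
    # Same breach probability for both options, so only the risk transfer differs.
    b = build.total_expected_cost(breach_probability, breach_cost)
    s = buy.total_expected_cost(breach_probability, breach_cost)
    return build.name if b <= s else buy.name

def breakeven_probability(build: Option, buy: Option,
                          breach_cost: float = IBM_AVG_BREACH_COST) -> Optional[float]:
    # Annual breach probability above which buying beats building. None means the
    # subscription premium is never recovered because no extra risk is transferred.
    premium = buy.annual_cost - build.annual_cost
    transferred = min(breach_cost, buy.vendor_cap) - min(breach_cost, build.vendor_cap)
    if transferred <= 0:
        return None if premium > 0 else 0.0
    return max(premium / transferred, 0.0)

# Constructed scenario: a $150k/yr in-house build versus a $400k/yr subscription whose
# contract caps vendor liability at 2x trailing fees with a $2m security super-cap.
BUILD = Option("build in-house", 150_000.0)
BUY = Option("enterprise SaaS", 400_000.0, liability_cap(400_000.0, 2.0, 2_000_000.0))

if __name__ == "__main__":
    for p in (0.0, 0.05, 0.10, 0.15, 0.20):
        b = BUILD.total_expected_cost(p, IBM_AVG_BREACH_COST)
        s = BUY.total_expected_cost(p, IBM_AVG_BREACH_COST)
        print(f"p={p:.2f}  build={b:>12,.0f}  buy={s:>12,.0f}  -> {cheaper(BUILD, BUY, p)}")
    print(f"break-even annual breach probability: {breakeven_probability(BUILD, BUY):.3f}")
```

With these assumptions build wins on development cost alone and still wins at a 10% annual breach probability, but the subscription becomes the cheaper option once that probability passes 12.5%; the interesting parameter is how far the vendor’s cap actually reaches into a $4.44m loss.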

What I think the market has got wrong

Three observations support a re-rating from here.

First, the dispersion within the sector is already enormous and roughly rational. Data infrastructure, DevOps and cybersecurity SaaS are still trading at premiums; sales automation, ad-tech and undifferentiated horizontal tools have been crushed. [4] My point isn’t that this should reverse. My point is that it should keep going: workloads with regulatory exposure, big breach blast-radius and hard integration should hold or re-rate higher; commodity workflows can keep compressing. Both at once.

Second, the strategic-buyer signal disagrees with the public-market signal. The Onestream acquisition at roughly 8x forward ARR in late March 2026 — after the SaaSpocalypse — is the relevant data point. Private deal flow is robust; private-equity dry powder is enormous. When public and private marks disagree this loudly, the thing tends to resolve toward the more informed marginal buyer. The marginal buyer in private SaaS is paying premium multiples for quality assets. They have presumably done some work on this.

Third, the consensus narrative is already softening. Klarna’s CEO publicly walked back his August 2024 “we shut down Salesforce” claim. The firm had, it turned out, replaced one SaaS stack with a different SaaS stack rather than with a large language model. He used the word “embarrassed”, then quietly started rehiring the humans he’d laid off, telling Bloomberg the AI-first approach had produced “lower quality” service. [21] Jensen Huang, speaking at Cisco’s AI Summit days after the SaaSpocalypse, called the assumption that AI replaces enterprise software “the most illogical thing in the world” — though admittedly he sells the picks and shovels and would say that. [22] Either way: the corrective is happening.

The cyber-risk argument I’ve made here is a fourth signal that hasn’t been priced. Once buyers start putting real numbers on the expected loss of running an in-house, AI-assembled stack against the contractually transferred risk of an enterprise SaaS arrangement, the implied discount rate on enterprise SaaS revenue should fall, and multiples should expand from current trough levels. That’s the call.

What could go wrong with all of this

Three things could falsify or weaken the thesis. I’d be remiss not to spell them out.

One: vendor-side security might not actually hold up against Mythos-class threats either. If offensive AI overwhelms defenders inside SaaS providers as easily as it would inside enterprises, the risk-transfer story collapses and the SaaS contract just reallocates a loss neither side can absorb. Project Glasswing’s bet is that defensive use of frontier capability keeps pace with offensive proliferation. [7] That bet is hopeful, not demonstrated.

Two: growth might keep slipping for reasons that have nothing to do with AI. As SaaS Capital’s growth-adjusted analysis shows, multiples are still above prior troughs on a growth-adjusted basis. [2] If median growth slips below 10%, a risk-transfer re-rating could be entirely swamped by a continued growth re-rating.

Three: the law might move. There are active conversations about whether vendor liability caps as currently drafted hold up in cases involving AI-mediated harms, and an AI-specific liability regime that pierces standard SaaS limitations would push risk back from vendor to customer in ways that would erode exactly the hedging value I’ve just argued for. [19] Where that legal evolution lands matters a lot.

Sign-off

The SaaS reset of 2025–26 is a rational response to a real shift in the cost of producing software. It is also an incomplete one. The same forces that lower the cost of building software raise the cost of owning what you’ve built: vulnerability surface, breach exposure, regulatory liability, the silent insurance premium that an enterprise SaaS contract bundles in for free. As Mythos-class capability becomes ambient and as cyber risk becomes a board-level rather than a CISO-level conversation, the contractual risk-transfer in enterprise SaaS should re-rate upward. The current discount, applied indiscriminately across the sector, materially under-prices that. The next 12–18 months of multiple recovery, in the parts where it does recover, will, I suspect, be largely about that.

Sources
  1. Aventis Advisors, “SaaS Valuation Multiples: 2015–2026”, October 2025. https://aventis-advisors.com/saas-valuation-multiples/
  2. SaaS Capital, “Four Early 2026 SaaS Trends”, April 2026. https://www.saas-capital.com/blog-posts/four-early-2026-saas-trends/
  3. Oliver Wyman, “How AI is Reshaping SaaS Valuations: A Guide for Investors”, April 2026. https://www.oliverwyman.com/our-expertise/insights/2026/apr/how-agentic-ai-reshaping-saas-valuations.html
  4. Multiples.vc, “Public Software Valuation Multiples — April 2026”. https://multiples.vc/insights/software-saas-valuation-multiples
  5. Future Asia, “The SaaS Valuation Collapse of 2025–2026: What Happened and What’s Next for Asian Businesses”, April 2026. https://www.future-asia.co/single-post/saas-valuation-collapse-2026
  6. Taskade, “The SaaSpocalypse: $285B Wiped, AI Agents Rising”, March 2026. https://www.taskade.com/blog/saaspocalypse-explained
  7. Anthropic, “Project Glasswing: Securing critical software for the AI era”, 7 April 2026. https://www.anthropic.com/project/glasswing
  8. Anthropic Red Team, “Claude Mythos Preview”, 7 April 2026. https://red.anthropic.com/2026/mythos-preview/
  9. CNBC, “Anthropic CEO warns ‘moment of danger’ as Mythos exposes vulnerabilities”, 5 May 2026. https://www.cnbc.com/2026/05/05/anthropic-ceo-cyber-moment-of-danger-mythos-vulnerabilities.html
  10. Bloomberg, “Anthropic’s Mythos AI Model Is Being Accessed by Unauthorized Users”, 21 April 2026. https://www.bloomberg.com/news/articles/2026-04-21/anthropic-s-mythos-model-is-being-accessed-by-unauthorized-users
  11. VentureBeat, “AI joins the 8-hour work day as GLM ships 5.1 open source LLM, beating Opus 4.6 and GPT-5.4 on SWE-Bench Pro”, 7 April 2026. https://venturebeat.com/technology/ai-joins-the-8-hour-work-day-as-glm-ships-5-1-open-source-llm-beating-opus-4
  12. AISLE, “AI Cybersecurity After Mythos: The Jagged Frontier”, 7 April 2026. https://aisle.com/blog/ai-cybersecurity-after-mythos-the-jagged-frontier
  13. Infosecurity Magazine, “How Security Leaders Can Safeguard Against Vibe Coding Security Risks”, April 2026. https://www.infosecurity-magazine.com/news-features/how-safeguard-vibe-coding-security/
  14. Databricks AI Red Team, “Passing the Security Vibe Check: The Dangers of Vibe Coding”. https://www.databricks.com/blog/passing-security-vibe-check-dangers-vibe-coding
  15. IBM, “Cost of a Data Breach Report 2025”. https://www.ibm.com/think/insights/data-matters/cost-of-a-data-breach
  16. Morgan Lewis, “Study Finds Average Cost of Data Breaches Decreased Globally in 2025”, April 2026. https://www.morganlewis.com/blogs/sourcingatmorganlewis/2026/04/study-finds-average-cost-of-data-breaches-decreased-globally-in-2025
  17. American Bar Association, Business Law Today, “SaaS Agreements: Key Contractual Provisions”. https://businesslawtoday.org/2021/11/saas-agreements-key-contractual-provisions/
  18. Borders Law Group, “SaaS Indemnity Provisions: 5 Things to Watch For”. https://borderslawgroup.com/saas-indemnity-provisions-5-things-to-watch-for/
  19. CloudNuro, “Indemnity and Liability Caps in SaaS: Practical Guidance for Buyers”, February 2026. https://www.cloudnuro.ai/blog/saas-liability-cap
  20. ISACA Journal, “Understanding the Shared Responsibilities Model in Cloud Services”, Volume 3, 2022. https://www.isaca.org/resources/isaca-journal/issues/2022/volume-3/understanding-the-shared-responsibilities-model-in-cloud-services
  21. Bloomberg, “Klarna Turns From AI to Real Person Customer Service”, 8 May 2025. https://www.bloomberg.com/news/articles/2025-05-08/klarna-turns-from-ai-to-real-person-customer-service
  22. Reuters, “Nvidia’s Huang dismisses fears AI will replace software tools as stock selloff deepens”, 4 February 2026. https://finance.yahoo.com/news/nvidias-huang-dismisses-fears-ai-065001192.html