Two PANW partners, same logo, half the price
Picture two Palo Alto Networks partners sitting across from the same private equity buyer. Both have roughly $18M in revenue. Both carry NextWave status. Both show the partner logo on the homepage. One walks out of diligence with a term sheet at 6x EBITDA. The other gets 14x. The difference has almost nothing to do with how many firewalls they move and everything to do with what happens after the appliance is racked.
The first partner still earns north of 40% of revenue fulfilling hardware and pass-through subscriptions. To a buyer, that revenue reads as distribution arbitrage: thin margin, set by competitive bid, renewed on a three-to-five-year device lifecycle that the partner does not control. When a refresh slips a quarter, the bookings slip with it. There is no contractual reason the customer stays beyond inertia. That is why the comps land where staffing and IT-fulfillment shops land — single digits — no matter how good the relationships feel.
The second partner sells the same gear but treats it as a foot in the door for a managed practice built on PANW's Cortex XSIAM and Prisma Cloud stack. They are not reselling a license and walking away; they are running the customer's detection and response on top of it, billing monthly, embedded in the security operations the customer cannot rip out without a 90-day migration project of their own. Recurring, high-margin, switching-cost protected. PANW's own investor reporting frames this platform consolidation as the company's center of gravity — and the partners who mirror it inherit the multiple that goes with it. The hardware drag on the first partner's valuation is not a rounding error. On an $18M business, the gap between 6x and 14x is the difference between a $10M outcome and a $25M one.
The margin question buyers actually probe: does your SOC scale without your headcount?
A traditional managed security shop has a math problem that no sales effort fixes. Every new customer adds alerts, every batch of alerts adds analysts, and analyst salaries cap gross margin in the low 40s. Grow fast and profitability gets worse, because you are hiring and onboarding Tier 1 staff ahead of revenue. Buyers know this curve cold, and it is the first thing diligence stress-tests: model the business at 3x the logos and watch whether the margin survives.
This is where Cortex XSIAM changes the answer rather than the pitch. Partners running it report roughly an 85% reduction in Tier 1 alert volume — the automation correlates, enriches, and closes the noise that used to land in a human's queue. Concretely: a SOC that needed eight analysts to babysit a given customer load now needs the headroom to take on three times that load with the same bench. Median time to resolution compresses from the industry's four-to-six-hour range to about 43 seconds on the incidents the platform can handle end to end. That is not a marketing stat for a slide — it is the lever that pushes a 40%-gross-margin service into the mid-60s, and a mid-60s recurring service is what a software comp is made of.
What "automated" has to mean under diligence
The trap is buying the platform and operating it like the old SIEM. A buyer's technical team will not ask how many firewalls you manage; they will ask what percentage of your alert triage runs without a human touching it, and they will ask to see the playbooks. The partners commanding the premium have built their own vertical detection content and automated response sequences on top of XSIAM — a healthcare client's ransomware containment runbook, a fintech client's data-exfiltration response — IP that travels with the practice and is hard to replicate. Gartner's market guide for managed security services draws this exact line between providers selling staffed monitoring and those selling automated outcomes. If your honest answer to "what's automated" is "the tool does some correlation, the rest is the team," you have a 6x business wearing a 14x logo.
What to fix in the next two quarters if you want the higher number
Start with your certification roster, because a buyer will pull it before they pull your financials. A bench stacked with PCNSA administrators tells them you can keep firewalls running — table stakes, priced like table stakes. What moves the needle is depth on the automation side: PCNSC consultants and PCSAE automation engineers concentrated on Cortex and Prisma. That density is the proof that your team can actually deliver the managed outcomes your contracts promise, not just resell the seats. If you have one XSIAM-fluent engineer and a sales deck that says "AI-native," diligence will find the gap.
Next, fix the sale itself. A "Precision AI" deal is not a renewal conversation with a bigger number on it; it is a security-operations transformation the buyer's CISO has to sponsor. That requires sales engineers who can sit in a room and demonstrate an automated containment, walk through unified data ingestion, and show a reduced-risk posture — not recite throughput specs. Partners who genuinely make this shift tend to see average deal size climb 3x to 4x, because they are no longer pricing a box; they are pricing the operating model around it.
Then watch one number above all others: the share of gross profit coming from hardware. If it is north of 20%, you are carrying drag that suppresses your whole multiple, and the move is to grow recurring managed services toward 50%+ of the mix with the balance in sticky software subscriptions. That revenue shape is what earns the platform premium instead of the fulfillment discount. For how this same pattern plays out under a different vendor's flag, see our read on the Azure security specialization premium, and for where these multiples sit against the broader market, IT services M&A valuation trends. And before you take any of this to market, pressure-test your own house against the technical due diligence red flags that kill deals — the gap between your pitch and your runbooks is the first thing a buyer will price down.
