Overview
Cybersecurity is one of the few futurology themes where the demand driver is already unavoidable: more cloud, more AI, more connected devices, more software-defined vehicles, more defence digitisation and more machine identities all expand the attack surface. The issue is not whether cybersecurity matters. The issue is finding public-market companies where the growth, margins, valuation and balance sheet are good enough.
At the microcap end, the sector is messy. The highest-quality public cyber platforms are usually much larger companies. Smaller cyber names often sit in services, defence contracting, identity niches, secure semiconductors or turnaround situations. That makes this page a useful filter: distinguish real recurring trust infrastructure from promotional “AI cyber” labels.
- Theme maturity: Scaling
- Strategic demand: High
- Microcap quality: Mixed
- AI / quantum overlap: Strong
Stock Table
Working watchlist. The strongest near-term small-cap names are not necessarily pure cyber product companies; many are identity, secure semiconductor or defence cyber services businesses.
| Rank | Company | Ticker | Role in trust stack | Category | Research view |
| --- | --- | --- | --- | --- | --- |
| 1 | OneSpan | OSPN | Digital identity, authentication, transaction security and digital agreements | Identity / digital trust | Highest-quality small-cap trust infrastructure name here: profitable, guided EBITDA, ARR and dividend support. |
| 2 | SEALSQ | LAES | Secure semiconductors, PKI, TPM and post-quantum security chips | Post-quantum security | Best quantum-safe semiconductor angle; huge cash balance, but valuation and execution risk are significant. |
| 3 | BlackBerry | BB | Cybersecurity software plus QNX embedded security for vehicles and IoT | Cyber + embedded trust | Not microcap, but important crossover between cybersecurity, mobility and embedded systems. |
| 4 | Castellum | CTM | Cybersecurity, electronic warfare and software services for US federal government | Defence cyber services | Small federal cyber/electronic warfare services name with improving 2025 results and debt reduction. |
| 5 | Plurilock | PLUR.V / PLCKF | Cybersecurity solutions and critical services for enterprise, defence and government | Cyber services | Revenue-backed nano/microcap; services shift improving direction, but gross margin and liquidity remain concerns. |
| 6 | CSP Inc. | CSPI | Security products, packet capture, managed IT and ARIA Zero Trust Protect | Zero trust / services | Interesting underfollowed microcap with AZT Protect optionality; needs current full-year validation. |
| 7 | HUB Cyber Security | HUBC | Identity, secure data and regulated AI trust infrastructure | High-risk cyber turnaround | Thematically relevant but too high-risk for core list until filings, margins and balance sheet are clearer. |
| 8 | WISeKey | WKEY | Digital identity, PKI, IoT security and parent/context for SEALSQ | Digital identity / IoT trust | Relevant but complicated by structure, volatility and overlap with SEALSQ. |
| 9 | Arqit Quantum | ARQQ | Quantum-safe encryption platform | Quantum security | Thematic fit is clear, but commercial traction and financial quality need stricter evidence before core inclusion. |
| 10 | BrandShield | BRSD.L | Online brand protection and anti-phishing | Digital risk protection | Useful niche exposure, but liquidity and scale make it a watchlist-only name. |
Value Chain Map
| Layer | What it supplies | Representative names | Investment note |
| --- | --- | --- | --- |
| Identity and authentication | MFA, passwordless, transaction signing, digital agreement security, identity proofing | OneSpan, WISeKey | Most durable trust layer because identity is required across every digital workflow. |
| Post-quantum security | Quantum-safe chips, TPMs, PKI, cryptographic migration and secure elements | SEALSQ, Arqit, WISeKey | High strategic value, but adoption timing and commercial conversion remain uncertain. |
| Zero trust / network defence | Access control, segmentation, endpoint/network monitoring, packet capture | CSP Inc., larger cyber platforms | Strong demand, but microcap product scale is limited. |
| Cyber services | Managed security, federal cyber, incident response, compliance, defence and critical infrastructure | Castellum, Plurilock | Revenue-backed but margin and labour intensity matter. |
| Embedded trust | Secure software in vehicles, IoT, industrial devices and connected systems | BlackBerry QNX, SEALSQ secure chips | Connects cybersecurity with mobility, robotics and smart infrastructure. |
| AI security | Model protection, prompt security, agent identity, data governance, AI-SOC tools | Mostly larger/private; emerging watchlist | Important future section but public microcap coverage is still weak. |
Sub-Themes
- Identity and digital trust: authentication, transaction security, e-signature and identity proofing.
- Post-quantum cryptography: secure chips, TPMs, PKI and quantum-safe migration.
- AI security: securing models, agents, data pipelines and AI-enabled workflows.
- Defence cyber: federal cybersecurity, electronic warfare, secure software and critical infrastructure.
- Embedded security: vehicles, IoT, robots, medical devices and industrial systems.
- Zero trust: identity-centric access and network segmentation.
Market Forces
- AI-enabled attacks: phishing, social engineering, vulnerability discovery and malware development are accelerating.
- Machine identities: APIs, agents, IoT devices and services all need authentication.
- Quantum transition: organisations need to prepare for post-quantum cryptography before fault-tolerant quantum computing arrives.
- Regulation: cyber resilience, breach reporting, digital identity and critical infrastructure rules are tightening.
- Defence spending: cyber and electronic warfare are core national-security priorities.
- Vendor consolidation: large platforms can squeeze smaller cyber vendors unless they own a niche.
Technology Deep Dive
Cybersecurity is shifting from perimeter defence to continuous trust. The future stack has to authenticate humans, machines, agents and devices; verify transactions; secure data; protect models; harden embedded systems; and prepare for post-quantum cryptography.
| Bottleneck | Why it matters | Public-market angle |
| --- | --- | --- |
| Identity assurance | If identity fails, every digital system fails. | OneSpan, WISeKey. |
| Quantum-safe trust | Long-lived data and secure hardware need migration before cryptographically relevant quantum computers arrive. | SEALSQ, Arqit, WISeKey. |
| Secure embedded systems | Vehicles, IoT, robots and medical devices need secure boot, trusted execution and lifecycle security. | BlackBerry QNX, SEALSQ. |
| Federal cyber capability | National-security demand pulls cyber services, electronic warfare and secure software. | Castellum, Plurilock. |
| Zero trust enforcement | Networks and devices need identity-based access rather than assumed internal trust. | CSP Inc. and larger platforms. |
| AI agent trust | Autonomous agents will need credentials, permissions, audit trails and policy enforcement. | Emerging public opportunity; likely overlaps with identity vendors. |
Company Profiles
1. OneSpan · OSPN
Digital identity, authentication and transaction security
OneSpan is the highest-quality small-cap digital trust company in this screen. It provides authentication, transaction security, identity verification and digital agreement products.
- Why it matters: digital identity is a core trust layer for banking, regulated workflows and AI-era transactions.
- Recent evidence: Q1 2026 revenue was $65.9m, with FY2026 guidance of $244m–$249m revenue, ARR of $194m–$198m and adjusted EBITDA of $64m–$68m.
- Main risks: slower growth, competition from larger identity platforms, hardware decline and customer concentration.
- Research rating: highest-quality core cyber/trust watchlist name.
2. SEALSQ · LAES
Post-quantum secure semiconductors, PKI and TPMs
SEALSQ is one of the clearest public post-quantum security and secure-semiconductor names. Its QS7001 and QVault TPM programmes target the intersection of hardware security, post-quantum cryptography and sovereign semiconductors.
- Why it matters: quantum-safe hardware security is a long-duration trust-infrastructure bottleneck.
- Recent evidence: FY2025 revenue was $18.3m, up 66%; the company had over $525m in cash and short-term investments as of March 31, 2026; management cited a potential $200m business pipeline for 2026–2029.
- Main risks: net losses, valuation, pipeline conversion, technical adoption and volatility.
- Research rating: strongest post-quantum hardware watchlist name, but speculative.
3. BlackBerry · BB
Cybersecurity plus QNX embedded trust for vehicles and IoT
BlackBerry is not a microcap, but it is important because it overlaps cybersecurity, mobility and embedded systems. QNX is a strategic embedded software asset in vehicles and industrial systems, while the cybersecurity business gives direct exposure to endpoint and enterprise security.
- Why it matters: embedded trust becomes more important as vehicles, robots and industrial devices become software-defined.
- Recent evidence: Reuters reported that BlackBerry raised the lower end of fiscal 2026 revenue guidance to $531m–$541m, with Q3 revenue of $141.8m and QNX used in more than 275m vehicles.
- Main risks: slower cyber growth, competitive endpoint market, valuation of split businesses and execution.
- Research rating: embedded trust crossover watchlist.
4. Castellum · CTM
Federal cybersecurity, electronic warfare and software services
Castellum is a small defence cyber and electronic-warfare services company focused on US federal government customers. It is more services-heavy than software-platform-heavy, but it has real revenue and improving operating performance.
- Why it matters: cyber and electronic warfare are core defence priorities.
- Recent evidence: unaudited 2025 revenue increased 15.2% to $52.9m; net loss improved to $2.5m; adjusted EBITDA was positive at $1.0m; debt fell to $0.4m from $10.7m.
- Main risks: services margins, federal contract timing, small scale and customer concentration.
- Research rating: federal cyber services microcap watchlist.
5. Plurilock · PLUR.V / PLCKF
Cybersecurity solutions and critical services
Plurilock is a Canadian cybersecurity solutions provider focused on enterprise, defence and government customers. The key positive is growth in higher-margin critical services, but the company remains financially fragile.
- Why it matters: services-led cyber can benefit from AI threat complexity and NATO/defence spending.
- Recent evidence: FY2025 revenue was C$61.0m, up 5%; Critical Services revenue grew 48% to C$12.6m; EBITDA loss improved 45% year-on-year.
- Main risks: gross margin was only 10.9%, cash was C$2.6m, and working-capital deficit remained C$5.4m.
- Research rating: high-risk services turnaround watchlist.
6. CSP Inc. · CSPI
Security products, packet capture, managed IT and zero trust
CSP Inc. combines managed IT/professional services with security products such as ARIA Zero Trust Protect. It is small and underfollowed, but the zero-trust optionality is interesting if customer traction continues.
- Why it matters: zero trust and packet capture are practical cyber-infrastructure functions.
- Recent evidence: fiscal Q1 2025 showed services revenue growth of 17%, expanded gross margin and new ARIA Zero Trust Protect customers in utility and wastewater treatment verticals.
- Main risks: small scale, need for updated full-year validation, services dependence and product traction uncertainty.
- Research rating: underfollowed microcap zero-trust watchlist.
7. HUB Cyber Security · HUBC
Identity, secure data and regulated AI trust infrastructure
HUB Cyber is thematically relevant because it talks directly about identity, secure data and regulated AI trust infrastructure. However, it belongs in the high-risk basket until financial reporting, margins and balance-sheet quality are more convincing.
- Why it matters: the strategy aligns with the future trust-infrastructure thesis.
- Recent evidence: H1 2025 revenue was $15.1m and gross margin improved to 23% from 10% the prior year.
- Main risks: high execution risk, small scale, volatility and need for cleaner full-year evidence.
- Research rating: high-risk thematic watchlist only.
Future Scenarios
Bull case: AI agents, machine identities, post-quantum migration and critical-infrastructure regulation drive a new spending cycle in identity, hardware trust and cyber services.
Base case: security demand remains strong, but small-cap winners are selective. Profitable identity/trust names outperform weaker promotional cyber turnarounds.
Bear case: vendor consolidation, weak microcap balance sheets, services margins and lack of product differentiation cause smaller cyber names to underperform larger platforms.
Signals to Watch
- OneSpan ARR, adjusted EBITDA and subscription/digital agreement growth.
- SEALSQ QS7001/QVault production revenue and post-quantum pipeline conversion.
- BlackBerry QNX growth, cybersecurity demand and any structural split progress.
- Castellum federal contract wins, adjusted EBITDA and debt discipline.
- Plurilock Critical Services growth, gross margin and liquidity improvement.
- CSP Inc. ARIA Zero Trust Protect customer traction and updated annual results.
- AI security adoption: agent identity, data governance, model monitoring and SOC automation.
Metrics That Matter
- ARR: best measure for recurring cyber and identity quality.
- Net revenue retention: shows whether customers expand security spend.
- Gross margin: separates software/IP from low-margin resale and services.
- Adjusted EBITDA / free cash flow: critical because cyber microcaps often overpromise.
- Cash runway: important for high-risk turnaround names.
- Pipeline conversion: especially important for SEALSQ and post-quantum claims.
- Customer mix: financial, government and critical-infrastructure customers can improve defensibility.
Risk Map
- Vendor crowding: cybersecurity is crowded and dominated by larger platforms.
- Microcap quality risk: many small cyber names have poor liquidity, weak margins or unclear product traction.
- Services margin risk: cyber services can grow revenue without strong operating leverage.
- Post-quantum timing: the need is real, but customer adoption may be slower than narratives suggest.
- Customer concentration: government and defence contracts can create lumpy revenue.
- AI hype risk: adding “AI cyber” language does not prove product differentiation.
- Balance-sheet risk: weaker names may require dilution or restructuring.
Convergence
- Cybersecurity + AI: securing models, agents, data pipelines and automated workflows.
- Cybersecurity + Next-Gen Computing: post-quantum cryptography and secure semiconductors.
- Cybersecurity + Mobility: secure software-defined vehicles and automotive embedded systems.
- Cybersecurity + Robotics: robot identity, command integrity and industrial-network security.
- Cybersecurity + Space: satellite communications, space-domain awareness and sovereign infrastructure.
- Cybersecurity + Financial Systems: identity, transaction security, fraud prevention and digital agreements.
Summary
Cybersecurity & Digital Trust is structurally attractive but difficult at the microcap level. The best-quality small-cap name in this first pass is OneSpan because it has real revenue, ARR, profitability guidance and a clear identity/trust role. SEALSQ is the most interesting post-quantum hardware/security name, but it is much more speculative. BlackBerry is a useful embedded-trust crossover. Castellum and Plurilock provide small-cap cyber services exposure, while CSP Inc. and HUB Cyber belong in the higher-risk watchlist until stronger current evidence is available.
Current working conclusion: focus first on identity, authentication, secure semiconductors, post-quantum migration, embedded trust and defence cyber services. Avoid overpaying for small companies that simply relabel ordinary services as “AI cybersecurity” without recurring revenue, margin improvement or product differentiation.