The SaaSpocalypse: The $500B+ IT/Security Stack Is Collapsing Under Vendor Lock-In
Michael Assraf
February 2026. $1 trillion in SaaS market cap vanishes across early-to-mid February. The $285 billion cybersecurity wipeout was triggered by Claude Cowork's legal automation launch on Feb 3 (the "SaaSpocalypse"), with a separate cybersecurity-specific selloff following Claude Code Security on Feb 20. And somewhere in the wreckage, a 15-year-old assumption quietly dies: that SaaS vendors can raise prices forever because their customers have nowhere else to go.
February 2026. $1 trillion in SaaS market cap vanishes across early-to-mid February. The $285 billion cybersecurity wipeout was triggered by Claude Cowork's legal automation launch on Feb 3 (the "SaaSpocalypse"), with a separate cybersecurity-specific selloff following Claude Code Security on Feb 20. And somewhere in the wreckage, a 15-year-old assumption quietly dies: that SaaS vendors can raise prices forever because their customers have nowhere else to go.
They do now.
The thesis is simple: vendor consolidation has hit a wall across the entire IT and security industry. But it hits hardest in managed services – where the economics of vendor lock-in are most acute, and where the transition to unified open-source infrastructure will start first.
The numbers that spooked the market
| Event | Impact | Date |
|---|---|---|
| Claude Cowork launch (legal automation) | $285B SaaS wipeout triggered, traders at Jefferies coin "SaaSpocalypse" | Feb 3, 2026 |
| SaaS sector-wide repricing | ~$1T market cap erased across early-to-mid February, forward P/E ratios compressed from ~35x to ~20x (Janus Henderson, Wedbush) | Early-Mid Feb 2026 |
| Monday.com guidance cut | Q4 revenue +25% YoY but FY2026 guidance of $1.45–1.46B (18–19% growth) missed consensus, stock -17% after-hours | Feb 9, 2026 |
| DocuSign 12-month decline | ~50% stock price decline despite ~8% revenue growth (valuation reset, not business model collapse) | Feb 2025–2026 |
| Wedbush "Software-mageddon" note | SaaS repricing analysis published | Feb 13, 2026 |
| Claude Code Security announcement | Cybersecurity-specific selloff: CrowdStrike -8% (Feb 20), fell ~20% over two days (Feb 20-23); Okta -9.2%, Palo Alto -6.7% | Feb 20, 2026 |
These aren't companies that missed earnings. Monday.com is still growing at 25%. DocuSign is still growing at 8%. The market isn't punishing performance – it's repricing the assumption that SaaS revenue compounds forever.
Why? Because the buyers already moved. 75% of organizations are pursuing security vendor consolidation (Gartner, 2022). Median SaaS revenue growth rates have decelerated to their slowest in a decade (SaaS Capital, 2025). The stock correction didn't cause the behavior change – it caught up to it.
This consolidation wave is happening across the entire IT and security software market – a $500B+ sector spanning every organization that runs 8–20 separate vendor tools for infrastructure, endpoint management, identity, monitoring, and compliance. But it's most visible, and most urgent, in managed services, where vendor payout ratios leave almost no room for margin.
February 20th changed the thesis
When Anthropic announced Claude Code Security – an AI agent that autonomously handles vulnerability scanning, incident triage, and security policy enforcement – the market repriced the entire concept of software defensibility. This triggered a separate, cybersecurity-specific selloff (CrowdStrike -8%, Okta -9.2%, Palo Alto -6.7%), following the earlier February 3 "SaaSpocalypse" triggered by Claude Cowork's legal automation capabilities.
Wedbush had published their "Software-mageddon" analysis on Feb 13 – a week before the Claude Code Security announcement – flagging the broader SaaS repricing already underway. But cybersecurity was supposed to be the moat AI couldn't cross. Too complex. Too embedded. Too regulated. The Feb 20 announcement made the repricing empirical.
The signal is what matters: if cybersecurity isn't safe from AI agents, what software category is? That's the question now sitting in every investor model. And 35% of enterprises have replaced at least one SaaS tool with custom-built software, with AI accelerating the trend (Retool Build vs. Buy Report, 2026). The theoretical became empirical.
The second wave hits different
The first wave of SaaS disruption was simple apps – project management, note-taking, basic CRM. CRUD operations and a decent UI. Easy to replicate.
The second wave targets the hard stuff: the operational infrastructure that runs IT, security, and endpoint management for businesses. This wave moves slower because these products have real structural barriers:
| Barrier | Why it matters | Why incumbents love it |
|---|---|---|
| Technical depth | RMM, SIEM, EDR need deep OS integration, real-time telemetry, protocol-level access | Can't be prompt-engineered away |
| Maturity | Production-grade IT infra takes years of edge-case hardening | Creates a multi-year head start |
| Integration gravity | One alert must trigger ticketing, notification, docs, and remediation across systems | Forces customers into multi-product bundles |
| Data fragmentation | IT/security ops generate massive telemetry across 8–20 vendor dashboards | Whoever owns the data layer owns the customer |
| Compliance overhead | SOC 2, HIPAA BAAs take 12–18 months per tool | Raises switching cost beyond software alone |
| Contract lock-in | Multi-year auto-renewals, narrow cancellation windows | Makes churn structurally difficult |
These six barriers are why Kaseya (25.9% market share) and ConnectWise have maintained pricing power for decades (Canalys Q4 2024). They're also exactly what makes this market ripe for a different kind of disruption – not AI-generated tools, but unified open-source infrastructure that's already been battle-tested.
These barriers apply everywhere vendor stacks fragment. The MSP market is the beachhead – where vendor dependency is most extreme and the economics most acute. But the model scales structurally to any organization running fragmented IT/security stacks: enterprises with distributed infrastructure, government agencies with compliance constraints, mid-market operations managing multi-tenant environments.
The MSP unit economics are broken – a microcosm of the entire industry
The managed services market ($500B+ globally) is the most acute case of vendor lock-in economics in IT. Why? Because MSPs buy the entire stack – RMM, SIEM, EDR, PSA, backup, monitoring, IAM, ticketing – all of it. Every other buyer (enterprises, mid-market, government agencies) runs some combination of these same tools, but MSPs run all of them at scale on behalf of their clients.
MSP unit economics show what happens when vendor dependency is maximized:
Here's what their P&L actually looks like:
| MSP Economics (750-seat reference) | Value |
|---|---|
| Annual revenue | ~$2.03M |
| Monthly recurring revenue | $168.75K |
| Average seat price | $225.00 |
| Total cost per seat | $137.75 |
| Vendor payout as % of seat cost | 61.22% |
| Vendor payout margin (what MSP keeps) | 38.78% |
| Net margin | ~10–15% |
| Number of separate vendor tools | 8–20 |
| Technician time lost to context-switching | ~25% |
| Number of MSP employees (750-seat operation) | 11 |
| Total software OPEX overhead per employee | $1,936/mo |
Read that again: 61% of every dollar an MSP spends on its tool stack goes directly to vendor payouts. Net margins average 10–15% across the industry, with best-in-class MSPs reaching 18%+ (ConnectWise Service Leadership Index, MSP Success Profitability Report). And every single renewal cycle, those vendor costs go up while client budgets stay flat.
This is the extreme case. But any organization running 8–20 siloed vendor tools faces the same problem: the cost per tool keeps rising, the tools don't talk to each other, and the total stack cost becomes impossible to justify against alternatives.
Here's the per-category breakdown of what that $137.75/seat actually buys:
| Department | Category | Avg Cost/Seat | Wind-Down Phase |
|---|---|---|---|
| NOC | RMM | $3.00 | Gen 1 |
| NOC | Network Monitoring | $1.25 | Gen 2 |
| NOC | Patch Management | $0.75 | Gen 1 |
| NOC | Remote Access & Support | $0.50 + $38.50/emp | Gen 1 |
| SOC | EPP (Antivirus) | $3.00 | Gen 3 |
| SOC | EDR | $8.00 | Gen 3 |
| SOC | XDR | $15.00 | Gen 1 |
| SOC | SIEM | $10.00 | Gen 1 |
| SOC | Email Security | $3.00 | Gen 2 |
| SOC | MDR | $7.50 | Gen 3 |
| SOC | IAM | $4.00 | Gen 2 |
| SOC | Secure Remote Access | $7.50 | Gen 1 |
| SOC | ZTNA | $10.00 | Gen 2 |
| Ops | PSA | $825.00/emp | Gen 1 |
| Ops | Documentation & Passwords | $20.00 | Gen 1 |
| IT | MDM | $4.00 | Gen 1 |
| IT | Cloud Backup | $0.25 | Gen 2 |
| IT | BDR | $7.50 | Gen 3 |
| IT | Collaboration Tools | $10.00 | Never |
| IT | Virtualization | $10.00 | Never |
| IT | Cloud Services/SaaS | $12.50 | Never |
Note: Per-employee costs (PSA at $825/emp, Remote Access at $38.50/emp) represent operational expenditure (OPEX) allocated across the MSP's 11-person team. Per-seat costs represent cost of goods sold (COGS) scaling directly with managed endpoints. The $137.75/seat baseline normalizes both across the 750-seat reference deployment.
Each category with its own vendor, its own contract, its own dashboard, its own annual price increase. The MSP technician – already stretched across 11 people for a 750-seat operation – spends a quarter of their day just switching between them.
OpenFrame: unified data layer, not one more dashboard
OpenFrame doesn't build new tools. It doesn't AI-generate anything. It takes mature open-source projects – many with years of production deployment – and unifies them into a single stack with one API and a unified data layer built on Apache Pinot, Debezium, and Kafka — purpose-built for SIEM-grade telemetry aggregation and real-time cross-system correlation. Flamingo monetizes through per-seat SaaS licensing at $1–5 per endpoint for the seven Gen 1 modules, plus usage-based pricing for AI agent capabilities – roughly 60% below incumbent pricing, with optional managed hosting.
The defensibility lies not in the individual open-source tools but in the connection layers between them – the unified data model, the AI-native memory management across systems, and the integration logic that turns fourteen separate projects into a single operational surface. Flamingo's current engineering team of 10 is tripling to 30 with the seed round, with hires focused on platform integration, AI/ML, and MSP-specific workflows. Each integration project is owned by a dedicated engineer, with platform infrastructure, AI/ML, and QA shared across the team. Over 100 MSPs are testing the platform daily on our beta, with 40–50% expected to convert to commercial licensing as Gen 1 reaches general availability. OpenFrame uses point-in-time forked versions of all upstream projects, both to enforce Flamingo's own security standards and to insulate production deployments from upstream breaking changes. All forks are actively maintained by Flamingo's engineering team, with security patches applied within 48 hours of upstream CVE disclosure and bug fixes backported on a rolling basis.
Here's what that looks like category by category – the popular commercial vendors MSPs use today, the open-source project OpenFrame integrates instead, and the current status:
| Category | Popular MSP Vendors | OpenFrame | Phase | Status |
|---|---|---|---|---|
| RMM | Kaseya (VSA + Datto RMM), NinjaOne | TacticalRMM | Gen 1 | ✅ Live |
| Remote Access | ConnectWise ScreenConnect, Splashtop | MeshCentral | Gen 1 | ✅ Live |
| SIEM | Blumira, ConnectWise SIEM | Self-built | Gen 1 | ✅ Live |
| MDM | Microsoft Intune, Kandji | FleetDM | Gen 1 | ✅ Live |
| Patch Management | NinjaOne, Kaseya VSA | Chocolatey + Homebrew | Gen 1 | ✅ Live |
| PSA | ConnectWise PSA, Autotask (Kaseya) | Self-built | Gen 1 | 🚧 In dev |
| Documentation | IT Glue (Kaseya), Hudu | Self-built | Gen 1 | 🚧 In dev |
| IAM & ZTNA | Microsoft Entra ID, Okta | Authentik + OpenZiti + FleetDM | Gen 2 | ⏭️ Planned |
| Network Monitoring | Auvik, Domotz | Netdata | Gen 2 | ⏭️ Planned |
| Email Security | INKY (Kaseya), Proofpoint Essentials | Rspamd | Gen 2 | ⏭️ Planned |
| Cloud Backup | Datto SaaS Protection (Kaseya), Veeam | Restic | Gen 2 | ⏭️ Planned |
| EDR + EPP | Huntress, Bitdefender GravityZone | OSQuery + Windows Defender / Apple XProtect (free) | Gen 3 | ✅ Live |
| MDR | Huntress, Sophos MDR | Self-built AI automation + TheHive | Gen 3 | ⏭️ Planned |
| BDR | Datto BCDR (Kaseya), Axcient x360Recover | Restic + DRLM/ReaR | Gen 3 | ⏭️ Planned |
| Collaboration | Microsoft Teams, Slack | — | Never | Stays vendor |
| Virtualization | VMware (Broadcom), Microsoft Hyper-V | — | Never | Stays vendor |
| CRM | HubSpot, Kaseya BMS | — | Never | Stays vendor |
| Cloud Services | Microsoft 365 + Azure, AWS | — | Never | Stays vendor |
Seven Gen 1 categories – five live, two nearing completion. Four Gen 2 categories planned. Three on the Gen 3 roadmap, one already live (EDR+EPP). Four categories deliberately left untouched – because the open-source alternatives aren't there, and pretending otherwise would be dishonest.
The unified data layer is the whole point. When RMM, SIEM, MDM, and ticketing share one database, a security alert automatically cross-references the device's patch status, compliance posture, ticket history, and documentation. No API integrations to maintain. No copying between dashboards. No hope-based workflows.
That's architecturally impossible with siloed vendors. It doesn't matter how many "integrations" they ship – the data was separated at birth.
The "self-built" components – SIEM, PSA, documentation – are self-built because they're AI-native by design. The PSA is fed by the desktop AI app, not forms. Knowledge management is AI-generated and AI-maintained. This is what makes them structurally different from incumbents and adds defensibility beyond the sum of the open-source components. The MDR detection pipeline combines Sigma-compatible anomaly detection rules with ML-generated insights about emerging issues. Mingo – Flamingo's technician-side AI agent – handles analyst-assisted triage in the initial release, with autonomous remediation capabilities rolling out post-Series A as the detection model matures on production data.
The phased vendor wind-down
OpenFrame's roadmap isn't "replace everything on day one." It's a phased TCO reduction that starts with the categories where open-source has the deepest maturity and the highest vendor margins:
| Phase | Timeline | What gets replaced | Cost/Seat | Vendor Payout % | Hosting Cost | Cumulative Reduction |
|---|---|---|---|---|---|---|
| Baseline | Today | Nothing | $137.75 | 61.22% | $0.00 | — |
| Gen 1 | Years 1–2 | RMM, Remote Access, SIEM, XDR, Secure Remote Access, MDM, Patching, PSA, Docs | $77.00 | 39.61% | $12.13 | ▲ 44% |
| Gen 2 | Years 3–4 | Network Mon, Email Sec, IAM, ZTNA, Cloud Backup | $58.50 | 33.47% | $16.80 | ▲ 58% |
| Gen 3 | Year 5+ | EPP, EDR, MDR, BDR | $32.50 | 23.57% | $20.53 | ▲ 76% |
The margin story:
| Metric | Baseline | Gen 1 | Gen 2 | Gen 3 |
|---|---|---|---|---|
| Vendor payout margin (what MSP keeps) | 38.78% | 60.39% | 66.53% | 76.43% |
| Total cost per seat | $137.75 | $77.00 | $58.50 | $32.50 |
| Vendor payout reduction | 0% | 44.10% | 57.53% | 76.41% |
From 38.78% vendor payout margin to 76.43%. For a 750-seat MSP at ~$2.03M revenue, that's the difference between scraping by at 10–15% net margin and running a structurally profitable operation.
Revenue assumption: $225/seat held constant across all phases. Actual pricing power may increase as MSPs reinvest margin savings into service differentiation.
Note the hosting costs climbing from $0 to $20.53/seat. That's honest accounting – self-hosting isn't free. But $20.53 in hosting to replace $105.25 in vendor costs is a trade any CFO makes instantly — that's $84.72 in net savings per seat. And the phasing is conservative – Gen 1 alone drops vendor cost from $137.75 to $77.00/seat, a 44% reduction before Gen 2 even starts.
Migration costs and training overhead vary by deployment but are modeled separately in Flamingo's deployment planning – the TCO figures above reflect steady-state vendor spend reduction, not one-time transition costs. Flamingo's deployment model is designed for a 30-day side-by-side transition – MSPs run OpenFrame alongside their existing vendor stack, validate functionality, then wind down the incumbent. Flamingo offers free months during the transition period to eliminate dual-cost overlap. The five-year phasing in the table above represents the full roadmap across three integration generations, not the transition timeline for any single phase.
What OpenFrame deliberately won't touch: Collaboration tools ($10/seat – Microsoft 365/Google Workspace), virtualization ($10/seat), CRM, and cloud services ($12.50/seat). These stay vendor-purchased. The open-source alternatives haven't reached MSP-grade maturity, and the integration value doesn't justify the build. The $32.50/seat remaining in Gen 3 is a feature, not a bug – it's the honest boundary of the model.
The convergence
Three things happening at the same time:
SaaS pricing power is cracking. $1T in market cap repriced. Forward multiples compressed. 75% of buyers actively consolidating. The "we can raise prices 10% annually forever" model is meeting resistance for the first time.
AI is redrawing category lines. February 20th proved that even "complex" software categories aren't immune. If cybersecurity stocks can drop 8% on a single AI announcement, every vendor's "moat" narrative needs revision.
Open-source IT/security infrastructure matured. Not last year. Not next year. Right now. Projects like TacticalRMM, OSQuery, Authentik, FleetDM, MeshCentral, OpenZiti, Restic, DRLM/ReaR, Windows Defender, and Apple XProtect have years of production deployments across thousands of environments. The maturity gap that protected commercial vendors for the past decade closed while they were busy raising prices.
These three forces are hitting every organization running fragmented vendor stacks. But they hit hardest in managed services – where the vendor dependency is most extreme, the margin pressure is most acute, and the business case for unified open-source infrastructure is most obvious.
MSPs are the beachhead. The market is $500B+ globally, with 61% vendor payout ratios and 10–15% net margins on average (top quartile 18%+). MSPs have been waiting for an alternative that doesn't require ripping and replacing their entire stack overnight. The phased wind-down model gives them exactly that – start with Gen 1 where the maturity gap is zero, see the cost reduction, expand from there.
The thesis scales structurally to any organization running 8–20 separate tools for IT and security operations – enterprises with distributed infrastructure, mid-market operations, government agencies. The MSP case is the most acute, but the underlying economics are universal.
OpenFrame by Flamingo – open-source IT & Security OS for any organization trapped in vendor stack fragmentation.
Sources
- Gartner vendor consolidation survey, 2022
- SaaS Capital growth benchmarks, 2025
- Retool Build vs. Buy Report, 2026
- ConnectWise Service Leadership Index, Q4 2024
- Wedbush Securities "Software-mageddon" note, Feb 13 2026
- CNBC SaaS selloff analysis, Feb 6 2026
- SecurityWeek Claude Code Security impact
- Canalys Q4 2024 MSP market share
- Monday.com Q4 FY2025 Earnings Call, Feb 9 2026
- DocuSign 12-month stock decline analysis (TIKR)
- Jefferies "SaaSpocalypse" coining (Fintech Brain Food)
- Jefferies downgrades Workday and DocuSign, Feb 23 2026
- NxCode SaaSpocalypse $285B analysis
- Benzinga cybersecurity stocks selloff, Feb 20 2026
- Janus Henderson: SaaS forward P/E ~20x, Feb 4 2026
- Forrester: Claude Code Security cybersecurity impact
MSP unit economics from Flamingo internal financial modeling across a 750-seat reference deployment. The 61.22% vendor payout figure represents vendor software cost as a percentage of total per-seat tool cost ($137.75). This sits slightly above the industry benchmark range of 40–60% (Kaseya 2025 MSP Benchmark Report, Datto State of the MSP Report) because it includes fully-loaded security categories (SIEM, EDR, MDR, ZTNA) that many benchmarks exclude. The figure is cross-validated against real MSP P&Ls in Flamingo's beta cohort of 100+ MSPs.
Michael Assraf
Contributing author to the OpenMSP Platform