Enterprise cybersecurity budgets are on track to reach $215 billion in 2026, according to Gartner, as AI-powered phishing, prompt-injection attacks against language models, and tighter CISA disclosure rules push security spending higher across every industry. For investors who want broad exposure without picking individual winners between endpoint, network, identity, and cloud security vendors, three ETFs dominate the category: the Global X Cybersecurity ETF (NASDAQ:BUG), the First Trust NASDAQ Cybersecurity ETF (NASDAQ:CIBR | CIBR Price Prediction), and the Amplify Cybersecurity ETF (NYSEARCA:HACK).
Each fund covers the same theme through a different lens. BUG runs a concentrated, modified equal-weighted portfolio of roughly 25 pure-play names. CIBR uses a market-cap weighted approach that pushes Palo Alto Networks and CrowdStrike to the top. HACK, the original cybersecurity ETF launched in 2014, blends pure-plays with IT services and consulting firms that handle security work for federal clients. Year to date, CIBR is up 32%, HACK is up 28%, and BUG is up 27%.
Why the full security stack matters now
A modern enterprise breach rarely starts and ends within a single product category. An attacker uses a deepfake voice call to phish credentials, pivots through an identity provider, exfiltrates data through an unmonitored cloud bucket, then disables backups. Defending against that chain requires endpoint detection, network segmentation, identity governance, cloud posture management, and data resilience tools, often from different vendors. A cybersecurity ETF gives an investor exposure to the whole chain rather than a bet on which vendor wins each layer.
The largest funds disagree on which layer matters most, which is why holdings overlap less than the shared theme suggests. Picking among them comes down to how much concentration an investor wants in two mega-cap names, how much diversification into adjacent IT services is acceptable, and whether smaller pure-plays should pull weight equal to the giants.
Global X Cybersecurity ETF (BUG): the concentrated pure-play
BUG is the sharpest tool on the list for investors who want cybersecurity exposure with minimal dilution from large-cap tech conglomerates. The fund holds roughly two dozen positions, all dedicated to security vendors, with no Cisco, Broadcom, Microsoft, or Alphabet in the mix. Net assets sit near $800 million, a fraction of CIBR’s size, which means the fund trades less actively and carries wider bid-ask spreads at the margin.
Top holdings as of late February include Okta, CrowdStrike, Fortinet, Palo Alto Networks, and Akamai Technologies. The modified equal-weight construction means smaller names like SentinelOne, SailPoint, Tenable, and Rubrik carry weights of around 4-5%, giving emerging platforms real influence on returns rather than rounding-error positions.
The trade-off is exposure to single-stock volatility in mid-caps that lack the diversified revenue base of Cisco or Broadcom. BUG’s 10% one-year return trails CIBR and HACK by a wide margin, reflecting how recent weakness in pure-play software has compared with the strength of the mega-caps the other funds emphasize.
First Trust NASDAQ Cybersecurity ETF (CIBR): the institutional default
CIBR is the largest cybersecurity ETF, with $14.4 billion in net assets, and the standard choice for investors who want broad coverage without taking on concentration risk in smaller vendors. The market-cap-weighted index pushes the largest names to the top, but the methodology caps single positions and extends well beyond pure-plays into the networking and consulting layers that anchor enterprise security architectures.
Palo Alto and CrowdStrike together account for about 21% of net assets, with Cisco at 8% and Broadcom at 7% rounding out the top tier. Beyond those names, the fund holds Cloudflare, Zscaler, F5, Okta, Datadog, Dynatrace, and a slew of federal contractors. The federal exposure is the underappreciated feature: defense and intelligence agencies often spend through those contractors before the budget reaches a software vendor, and CISA’s expanded incident-reporting rules push more procurement through them.
The thing to keep in mind is that companies like Cisco and Broadcom aren’t cybersecurity pure-plays. Having them in the mix definitely helps smooth out the bumps, but it also waters down the “pure” theme. If you’re hunting for a dedicated security fund because you think software specialists are going to crush the rest of tech, you might find yourself a bit underwhelmed by how much CIBR just mirrors the broader Nasdaq.
Amplify Cybersecurity ETF (HACK): the diversified original
HACK launched in 2014 as the first US-listed cybersecurity ETF and remains a credible third option for investors who want a different weighting scheme than CIBR while keeping broader exposure than BUG. The fund splits holdings between security vendors and the IT services firms that implement and manage their products, with a tilt toward names that derive a meaningful share of revenue from security but are not pure-plays.
Performance has been competitive across recent windows. HACK delivered a 28% one-year return and 81% over five years, narrowly trailing CIBR but well ahead of BUG over both windows. The tradeoff is that HACK’s diversification into consulting and infrastructure names can blunt upside when pure-play software vendors lead the market, which has been the dominant pattern for most of the past decade.
Choosing between them
An investor convinced that dedicated security software will outperform broader tech should favor BUG, accepting that a bad quarter from Palo Alto or CrowdStrike will hit the fund harder than a diversified peer. An investor who wants the deepest liquidity pool, the most institutional comfort, and exposure to federal security contractors should default to CIBR, recognizing that Cisco and Broadcom dilute the pure-play story. HACK serves as a long-tenured alternative for investors seeking an index methodology for their cybersecurity allocation without sacrificing diversification.
Top Gaining Stocks
Top Losing Stocks