Global cybersecurity spending is forecast to exceed $300 billion in 2026, and the catalyst is no longer abstract. AI agents now outnumber human identities within enterprises by roughly 109 to 1; Fortinet’s threat report logged a 389% year-over-year jump in ransomware victims; and Check Point measured a 51-point gap between corporate AI adoption and security readiness. Every prompt-injection vector, deepfake voice clone, and automated phishing campaign expands the attack surface defenders must cover.
Three ETFs offer different angles on the same trend: First Trust NASDAQ Cybersecurity ETF (NASDAQ:CIBR), Amplify Cybersecurity ETF (NYSEARCA:HACK), and Global X Cybersecurity ETF (NASDAQ:BUG). Each one screens the universe differently, and the differences matter more than the overlapping top holdings suggest.
CIBR: The Default Allocation
Holding $13.01 billion in assets as of late June, CIBR stands as the category leader while maintaining an expense ratio of 0.58% across 46 distinct holdings. Its strategy mirrors the NASDAQ CTA Cybersecurity Index by blending specialized vendors with established networking giants and IT service firms. This approach delivers a smart investment logic, as it lets you ride the broader wave of industry spending rather than gambling on a single platform to dominate the market.
The portfolio leans heavily on the platform consolidators. Palo Alto Networks sits at 9%, CrowdStrike at 8%, and Fortinet at 7%, with Cisco and Broadcom close behind at 8% and 8%. That weighting matters because the news flow keeps validating the platform thesis: Palo Alto formed a NATO partnership and launched its Idira identity layer for AI agents, while Fortinet’s Q1 2026 billings grew 31%, driven by demand for AI and operational technology. Cisco and Broadcom give CIBR exposure to the networking layer where AI traffic actually moves, which a pure software fund misses.
The infrastructure tail goes further than most realize. Cloudflare carries a 5% weight, Akamai 4%, and F5 3%, and the fund also holds federal contractors Booz Allen and Leidos. That diversification is why CIBR’s 15% one-year price change is lower than that of some peers, despite a year-to-date gain of nearly 24%. The tradeoff is straightforward: less torque on a CrowdStrike-style breakout, more cushion when any single name stumbles.
HACK: The Small-Cap Tilt
With $1.73 billion in assets and 23 holdings, Amplify’s HACK maintains a 0.60% expense ratio. Its strategy uses a modified equal-weight method that funnels capital into smaller pure-play firms often overshadowed by massive companies in CIBR. This unique mechanical edge is what sets HACK apart: the fund captures real momentum whenever agile innovators such as Rubrik or SentinelOne experience a major surge.
These metrics clearly highlight the fund’s structural design. Leading the pack with a 28% year-to-date return, HACK currently trades at a 32x price-to-earnings ratio. While its 0.86 beta might suggest a defensive stance, that number primarily reflects its relationship to the overall market rather than the sector’s specific volatility. Because the portfolio is limited to 23 names, you should expect that a single poor quarter from a top holding will hit this fund much harder than it would affect the more diversified CIBR.
Income from the fund is essentially absent. The fund’s dividend yield is 0.06% with a semi-annual payout, so the return engine is entirely capital appreciation tied to enterprise software multiples. Investors looking for the closest thing to a growth proxy on cyber stocks without buying CrowdStrike outright will find HACK the sharpest instrument on this list.
BUG: The Purity Screen
Global X’s BUG is the smallest of the three at $1.11 billion and the cheapest at a 0.50% expense ratio. It also applies the strictest filter: the index requires companies to derive at least 50% of their revenue from cybersecurity. That single rule meaningfully changes the portfolio. Cisco, Broadcom, Accenture, and IBM, which together account for roughly a fifth of CIBR, do not qualify.
The remaining portfolio is a concentrated bet on vendors whose entire business models depend on the threat trend continuing. With 35 holdings and no diversification into adjacent IT services, BUG is the cleanest expression of the thesis: if AI keeps generating new attack vectors and enterprises keep paying premiums for specialized defense, the purity screen pays off. If spending broadens into hybrid networking and services budgets, the same screen leaves money on the table.
BUG’s year-to-date gain of 22% trailed both peers through June, and its one-year return of -4% underscores the volatility that comes with a purer software-vendor mix. The dividend yield of 0.03% is effectively zero. The momentum has shifted: the fund returned 8% over the past month as the AI-threat narrative reasserted itself following the brief Anthropic Claude Mythos panic in early June.
Choosing Between Them
The three funds map to three different convictions about the same trend. CIBR fits investors who want cybersecurity exposure without taking a view on whether platform vendors or pure-plays capture spending; the networking and services holdings act as ballast when sentiment in software names sours. The custom allocation framework, which uses CIBR as the 50% anchor in a three-way split, reflects that role.
Investors who are already convinced of the long-term growth story and crave higher volatility from smaller firms will find HACK to be the right fit. The equal-weight tilt provides that extra push, though the smaller portfolio of 23 names introduces more concentration risk. Meanwhile, BUG serves those who demand that every single dollar is strictly tied to dedicated cybersecurity revenue rather than broader IT services. It consistently outperforms when pure-play software rallies, but the fund tends to lag when massive defense and networking giants drive the sector.
Top holdings overlap heavily across all three: Palo Alto, CrowdStrike, Fortinet, and Zscaler appear in every portfolio. The weighting and the tail are where the funds diverge, and that divergence is what allows a three-way blend to behave like a diversified position rather than a triple-counted single bet.
Contact [email protected] for any questions or corrections.