If you, like me, remember antivirus software as Norton’s yellow box or the occasional pop-up in the corner of your screen saying “your virus definitions have expired,” you’ve probably wondered: where did all that go?
The answer is more nuanced than “Windows Defender killed it.” Antivirus didn’t vanish. It underwent a three-way fission: basic protection sank into the operating system, consumer products repackaged themselves as digital safety suites, and the real money and innovation migrated to the enterprise security market. Norton itself is doing fine — it’s just called Gen Digital now, pulling in over $5 billion a year, and pivoting from “protecting your PC” to “managing your money.”
Norton’s parent company Symantec made a pivotal decision in 2019: sell the enterprise security business to Broadcom for $10.7 billion, keep only the consumer side, and rebrand as NortonLifeLock (CNBC). This split Symantec in two — the enterprise half went to the chip giant, the consumer half became a pure-play “digital safety” company.
Three years later, NortonLifeLock merged with Czech antivirus company Avast in a deal worth roughly $8.6 billion (PRNewswire). Avast was the world’s largest free antivirus provider, with over 400 million users, dominant in Europe and emerging markets. The combined company rebranded as Gen Digital, now operating four antivirus brands — Norton, Avast, AVG, Avira — plus LifeLock identity protection and ReputationDefender online reputation management. Three of the four brands now share a common underlying detection engine.
In 2025, Gen did something that seemed entirely unrelated to antivirus: it acquired consumer fintech company MoneyLion for roughly $1 billion (Gen IR). MoneyLion has 18 million users and offers credit building, financial management, and product recommendations. Gen’s logic: we’re already protecting your devices and identity — helping you manage your money is the natural next step.
The result of this sequence: Gen Digital crossed $5 billion in revenue in FY2026, with double-digit growth (27%), 79 million paying customers, and over 500 million total users (Gen FY26 Earnings). Its business is roughly 70% cybersecurity and privacy products, 30% identity protection and financial wellness. The stock trades around $26, market cap about $15.8 billion, P/E under 17x. It’s doing fine — it just no longer looks like the company that sold you antivirus CDs.
The same story played out across other consumer antivirus brands. McAfee was taken private by private equity in a $14 billion deal in 2022, now focused on AI-powered scam detection and deepfake identification. Kaspersky was banned from all US sales and updates in 2024 on national security grounds (BIS Final Determination), its US market share falling to 3%, though it remains strong in Europe and Asia. Trend Micro’s consumer business continues to shrink, with all growth coming from enterprise security. ESET and Bitdefender are among the few remaining independent consumer antivirus companies, but nowhere near Gen’s scale.
Consumer antivirus went from “necessity” to “optional” along a clear timeline.
The historical data from independent testing lab AV-TEST tells the story well (AV-TEST Microsoft results). From 2014 through mid-2015, Microsoft’s Windows Defender (then called Security Essentials) scored 0 to 0.5 out of 6 on protection — effectively no protection at all. The turning point came with the release of Windows 10. By mid-2016, Defender was consistently earning AV-TEST certification. By 2026, Defender achieved perfect 6/6/6 scores across protection, performance, and usability, earning “Top Product” designation alongside Norton, Bitdefender, and other paid products.
In other words, ten years ago, not installing third-party antivirus meant going unprotected. Today, Windows’ built-in protection is sufficient for most ordinary users. AV-Comparatives put it diplomatically in a May 2026 article (AV-Comparatives): “For many home users with straightforward usage patterns, Microsoft Defender provides a meaningful baseline of protection straight out of the box. The gap between built-in Windows protection and third-party security products is significantly smaller today than it was ten years ago.”
This shift directly hit the bottom of the paid antivirus market. The global consumer antivirus software market contracted from a peak of roughly $8 billion in 2010 to about $4.7 billion in 2024 (Credence Research). Security.org’s annual survey shows (Security.org Annual Report) the share of US users on free antivirus rose from 52% in 2022 to 61% in 2025, while paid subscriptions fell from 44% to 36%.
But the market didn’t disappear — it redefined itself. Today’s consumer “antivirus” is actually a digital safety suite: beyond basic malware detection, it includes VPN, password manager, identity theft monitoring, dark web scanning, credit monitoring, parental controls, and even up to $2 million in identity theft insurance. Norton 360 with LifeLock Ultimate Plus can cost up to $300 per year. These additional features are what Windows Defender doesn’t provide, and they are the reason paid products still exist.
Looking more broadly, if you include identity protection, VPNs, password managers, and related categories, the consumer digital safety market is $43.6 billion, growing at 9.5% annually (Mordor Intelligence). Antivirus didn’t die — it evolved from “virus scanner” to “digital life insurance.”
You don’t feel the presence of viruses and worms anymore, not because they’re being blocked, but because attackers themselves abandoned that approach.
Technically, modern operating systems have systematically closed the propagation channels that viruses and worms relied on. ASLR (Address Space Layout Randomization) makes buffer overflow exploitation unreliable. DEP/NX prevents code injection into data pages. Code signing requirements block unsigned program execution. Sandboxing isolates every application in its own space. Default firewalls and automatic updates dramatically shrink the window for worm propagation. A worm like Slammer (2003) or Conficker (2008) would find almost no viable propagation paths in today’s infrastructure.
Economically, viruses and worms don’t make money. They were primarily destructive or for bragging rights — they didn’t generate revenue. Over the past two decades, cybercrime professionalized into a business that cares about ROI. Attackers now use methods that directly monetize.
The core shift in today’s threat landscape: attacks no longer depend on malware files. CrowdStrike’s 2025 Global Threat Report shows 79% of detections were malware-free (CrowdStrike 2025 GTR), rising to 82% in 2026. Attackers obtain legitimate credentials and move laterally through networks as normal users — traditional signature-based detection is largely useless against this.
The number one attack vector is phishing and social engineering. CrowdStrike data shows voice phishing attacks surged 442% in the second half of 2024. AI has dramatically improved phishing email quality, eliminating traditional tells like typos and awkward grammar, and can auto-generate personalized pretexts from targets’ LinkedIn profiles and leaked databases. The FBI’s Internet Crime Complaint Center 2025 report logged over 1 million complaints (FBI IC3 2025), with roughly 45% involving cyber-enabled fraud, accounting for 85% of reported losses ($21 billion).
Number two is ransomware, but it’s no longer the simple “encrypt your files, pay to unlock” model from five years ago. Today’s ransomware is a full industrial ecosystem: Ransomware-as-a-Service (RaaS) lets people with no technical skills launch enterprise-grade attacks, Initial Access Brokers (IABs) sell pre-compromised network entry points, and affiliates take 80% to 90% commission. BlackFog data shows 96% of ransomware attacks in Q3 2025 involved data exfiltration (BlackFog) — encryption itself has become secondary. The real leverage is the threat of regulatory fines and reputational damage from leaked sensitive data.
Attack speed is also compressing dramatically. CrowdStrike’s 2026 report shows the average breakout time — from initial intrusion to lateral movement — dropped from 62 minutes in 2023 to 29 minutes in 2025, with the fastest recorded at 27 seconds. Human-speed response is meaningless at this timescale, which is why AI-driven automated defense is becoming standard in enterprise security.
Supply chain attacks have the largest blast radius. A single compromised vendor can affect hundreds or thousands of downstream organizations. The 2020 SolarWinds incident was the watershed: attackers inserted a backdoor into the Orion software build system, and roughly 18,000 organizations received the tainted update (Aqua Security). In the 2025 Salesloft/Drift incident, attackers used OAuth tokens to simultaneously access customer environments of BeyondTrust, Cloudflare, CyberArk, Palo Alto Networks, Qualys, Rubrik, Tenable, Zscaler, and others (Hornetsecurity). That same year, F5 Networks was compromised by a China-linked actor who maintained access for over 12 months, exfiltrating BIG-IP source code and zero-day vulnerability reports.
On AI’s role in attacks, an important distinction is needed. AI is currently an amplifier of existing techniques, not a new attack category. Verizon’s 2025 Data Breach Investigations Report explicitly states (Verizon DBIR 2025) that attackers “are still not really using GenAI,” and when they do, “it doesn’t seem to make much of a difference.” The one exception is prompt injection — a genuinely new attack surface created by the AI era. Palo Alto Networks Unit 42 documented the first real-world case of malicious indirect prompt injection in December 2025 (Unit 42), used to bypass an AI-based ad review system. As enterprises deploy more AI agents, this attack surface will continue to expand.
If you feel the security industry is shrinking, it’s because consumer antivirus is the only part you can see. The part you can’t see is a $234 billion market growing at 11% annually (Persistence Market Research).
The enterprise security market breaks down roughly as: network security 22%, endpoint security about 15%, cloud security the fastest-growing segment, identity security about 12%, SIEM/SOAR about 8%, email security and data security each 5% to 6%. Large enterprises account for roughly 68% of spending, with financial services alone at 24%.
The biggest player isn’t any pure-play security company — it’s Microsoft. Microsoft disclosed $20 billion in annual security revenue in January 2023 (Dom Kirby analysis), and while it hasn’t published an updated figure since, analysts estimate it’s now in the $30-37 billion range. Microsoft’s security product line spans five of the seven major segments: endpoint (Defender), email (Defender for Office 365), cloud (Defender for Cloud), identity (Entra ID), SIEM (Sentinel), and data compliance (Purview). It processes 65 trillion security signals per day — a data volume no pure-play vendor can replicate.
The pure-play vendor landscape: Palo Alto Networks at roughly $9.2 billion in annual revenue, the largest independent security company, covering network, cloud, and SOC. Fortinet at about $6 billion, focused on network firewalls and SASE. CrowdStrike at an annualized ~$4.4 billion, the benchmark for endpoint security and XDR — despite a faulty sensor update in July 2024 that crashed roughly 8.5 million Windows devices globally (CrowdStrike Q1 FY26 Earnings), revenue still grew 20% year-over-year with no mass customer exodus. Gen Digital at about $5 billion, but purely consumer, not competing in the enterprise market.
Google acquired cloud security company Wiz for $32 billion in 2025 — the largest acquisition in Google’s history. Wiz is the leader in multi-cloud security platforms (CNAPP), covering security posture across AWS, Azure, GCP, and other cloud environments simultaneously. The deal received unconditional approval from the European Commission in February 2026 (EU Commission). Combined with the $5.4 billion acquisition of threat intelligence firm Mandiant in 2022, Google is assembling a full security product portfolio.
The core drivers of enterprise security spending growth aren’t the vague claim that “attacks are increasing” — several specific mechanisms are at work simultaneously. First, regulatory compliance has turned security spending from “optional” to “mandatory.” The EU’s NIS2 directive covers 160,000 entities across 18 critical sectors, the DORA regulation requires ICT risk management for all EU financial institutions, and the SEC’s cybersecurity disclosure rules make board members personally accountable for security incidents. Second, the cyber insurance market is projected to grow from roughly $15 billion in 2024 to $29 billion by 2027 (Security.org), with insurers increasingly mandating specific security products (MFA, EDR, backup testing) as coverage conditions — creating a de facto regulatory layer. Third, AI adoption creates new attack surfaces, with 68% of CFOs expecting IT spending increases and 58% expecting security spending increases (Grant Thornton).
Platformization is another major trend unfolding in this market. Enterprises use an average of 76 security tools (Decryption Digest), each generating independent alert streams that overwhelm SOC analysts. More and more enterprises are consolidating toward one or two platform vendors while maintaining independent tools in two or three critical domains. The typical combination: Microsoft for endpoint and identity, Wiz for cloud security, Zscaler for network security. CrowdStrike’s 2024 outage actually strengthened the “don’t put all your eggs in one basket” argument — many enterprises now deliberately maintain at least two endpoint security vendors.
Back to the original question: where did antivirus go?
It split into three layers. The bottom layer — basic file scanning and malware detection — sank into the operating system, becoming something you no longer need to buy separately. The middle layer — consumer security products — repackaged from “antivirus software” into “digital safety suites,” bundling VPN, password management, identity monitoring, and credit protection together because selling virus scanning alone no longer works. The top layer — the real money, talent, and innovation — all migrated to the enterprise security market, with its $234 billion scale, 11% annual growth, and a full technology stack spanning endpoint, cloud, identity, and AI security.
Norton’s story is the microcosm of this transformation. It went from Symantec’s consumer division to NortonLifeLock, merged with Avast to become Gen Digital, and acquired MoneyLion to enter fintech. Its annual revenue grew from roughly $2.5 billion in 2019 to $5 billion in 2026, with the stock up 47% over three years. It didn’t disappear — it just no longer looks like the company that sold you that yellow box.
The threats didn’t disappear either — they just changed form. Viruses and worms were jointly eliminated by OS-level technical improvements and the shift in economic incentives. What replaced them: credential-based attacks that don’t need malware files, industrially operated ransomware-as-a-service, and supply chain backdoors distributed through legitimate software update channels. Attackers are no longer teenage hackers writing viruses — they’re professional criminal enterprises with affiliate commission plans, initial access broker marketplaces, and automated negotiation tools.
The security industry as a whole is experiencing a paradoxical kind of growth: you, as an ordinary consumer, feel fewer and fewer security products around you, while the industry’s total spending and scale continue to swell. It just moved to places you can’t see — behind enterprise data centers, cloud consoles, and the big screens in security operations centers. What’s happening there is far more complex, and far larger, than anything that ever fit inside a yellow box.
This article is based on public data research conducted in June 2026. Key sources include: Gen Digital investor relations pages and FY26 earnings, AV-TEST and AV-Comparatives independent testing data, CrowdStrike 2025 and 2026 Global Threat Reports, Verizon 2025 Data Breach Investigations Report, FBI IC3 2025 report, Persistence Market Research cybersecurity market report, Security.org annual consumer survey, and threat intelligence analysis from Palo Alto Networks Unit 42, BlackFog, Panorays, and other organizations.