What are the key sales KPIs for the Industrial Cybersecurity (OT/ICS) Services industry in 2027?

5/28/2026

Direct Answer

The key sales KPIs for the Industrial Cybersecurity (OT/ICS) Services industry in 2027 are Annual Contract Value (ACV), Sales Cycle Length, Net Revenue Retention (NRR), Win Rate in Competitive Bake-Offs, POC-to-Production Conversion, Per-Site Expansion Velocity, Recurring Revenue Mix, Logo (Customer) Retention, and Lifetime Value (LTV) per Critical-Infrastructure Account.

These nine metrics matter because selling to factories, utilities, pipelines, and water systems is not a fast-twitch SaaS motion — it is a long, politically complex, multi-site land-and-expand game where a single account can grow from a $75K pilot at one plant to a $5M enterprise license spanning forty sites.

The buyer is conservative, the eval is long, the deployment is slow, and the renewal is nearly automatic once you are wired into the SCADA network. You win on patience, asset coverage, and regulatory tailwinds, not on demo flash.

Why Industrial Cybersecurity (OT/ICS) Works Differently

OT/ICS security sells into operational technology — the programmable logic controllers, SCADA servers, RTUs, HMIs, and safety instrumented systems that physically run plants, grids, and pipelines. That changes the sales physics in four specific ways.

1. The buyer fears downtime more than breaches. In IT security the worst case is data loss. In OT the worst case is a turbine trip, a batch ruined, or a safety system failing — events measured in millions of dollars per hour and, in the extreme, in lives.

This makes the OT buyer (plant manager, controls engineer, OT director) deeply conservative. They will not allow an agent on a 15-year-old Windows XP HMI, and they will not tolerate a scan that risks knocking a PLC offline. Passive, network-based monitoring that never touches the endpoint is the price of entry.

Your sales motion must lead with "we will not break your process," and the technical proof of that claim is what gates every deal.

2. Two organizations have to say yes, and they distrust each other. OT and IT report to different executives, run different budgets, and have spent decades in a cold war. The CISO owns the mandate and often the money; the VP of Operations owns the network and the veto.

A deal stalls the moment one side feels the other is taking over their turf. Winning reps run dual-track champion-building — a security champion for budget and a controls-engineering champion for technical trust — and explicitly broker the OT/IT peace rather than picking a side.

3. Regulation, not pain, is the clock. Industrial buyers rarely move on fear alone; they move on compliance deadlines. NERC CIP for electric utilities, TSA Security Directives for pipelines, CIRCIA incident-reporting rules, EU NIS2, and the IEC 62443 standard family create hard, dated obligations with audit consequences.

The best OT sellers map the prospect's specific regulatory exposure to a specific control gap and a specific deadline. Regulation converts a "someday" project into a budgeted, scheduled one.

4. The unit of growth is the site, not the seat. A customer does not buy more licenses per user — they buy coverage for another plant, substation, pumping station, or rig. A national manufacturer might have sixty facilities; an electric utility might have hundreds of substations.

The first deal is almost always a single-site or single-region pilot. Real revenue comes from the methodical roll-out across the asset base, which is why net revenue retention and per-site expansion velocity matter more here than top-of-funnel new logos.

flowchart TD
    A[Regulatory trigger or incident] --> B[Discovery: map OT/IT politics]
    B --> C[Build dual champions: CISO + Controls Eng]
    C --> D[Passive POC at one site]
    D --> E{No process disruption?}
    E -->|Yes| F[Single-site production deal]
    E -->|No| X[Deal dies on trust]
    F --> G[Land-and-expand to next sites]
    G --> H[Multi-site enterprise license]
    H --> I[Annual renewal + threat-intel attach]
    I --> G

The 9 KPIs, In Depth

1. Annual Contract Value (ACV) — dollars per account per year. The headline deal-size metric. Mid-market industrial accounts land at $50K-$350K; enterprise and multi-site critical infrastructure run $500K-$5M+.

For comparison, a generic IT MDR deal often closes at $15K-$60K ACV, so OT/ICS ACV runs roughly 3-10x higher per account because the asset footprint and regulatory stakes are larger. Track blended ACV and segment it (mid-market vs. enterprise) because mixing them hides a deteriorating enterprise motion behind healthy SMB volume.

2. Sales Cycle Length — days or months from first meeting to closed-won. OT/ICS cycles run 9-18 months, versus 1-3 months for transactional IT security SaaS and 4-7 months for IT enterprise security. The length is driven by OT/IT politics, conservative technical evaluation, and change-management freeze windows (you cannot touch a refinery's network during turnaround season).

If your median cycle creeps past 18 months, the cause is usually a missing controls-engineering champion or an unclear regulatory trigger — not pricing.

3. Net Revenue Retention (NRR) — expansion + renewals minus churn, as a percentage. The single most important health metric in this industry. Strong operators carry 110-130% NRR, driven almost entirely by site-by-site asset expansion.

A best-in-class IT security SaaS targets 115-125%; OT can match or beat it because the expansion ceiling (more plants, more substations) is enormous and churn is rare. NRR below 105% in OT signals a stalled land-and-expand machine, which is more dangerous than a slow new-logo quarter.

4. Win Rate in Competitive Bake-Offs — won / (won + lost) in head-to-head evals. OT deals are frequently decided in formal POC bake-offs against one or two rivals. Healthy win rates sit at 25-40% in competitive situations.

Compare that to single-vendor IT renewals that close at 70%+ — bake-offs are intrinsically lower because Dragos, Claroty, Nozomi, Armis, and the platform players (Cisco, Fortinet, Palo Alto) all show up. A win rate under 25% usually means you are being invited as the "column fodder" third bidder rather than the favorite.

5. POC-to-Production Conversion — pilots that become paying deployments, as a percentage. Because the POC is the trust-building event, its conversion rate is a leading indicator of revenue 6-12 months out. Strong operators convert 50-75% of POCs.

A generic security trial might convert 20-35%; OT runs higher because reaching the POC stage already filters for serious, budgeted buyers. Conversion below 50% points to POCs that surprised the customer (an alert flood, a missed asset class) rather than proving safety and value.

6. Per-Site Expansion Velocity — new sites added per existing account per year (and the dollars they carry). This operationalizes NRR. Each additional plant or facility lands at $50K-$500K.

A high-performing account team expands an enterprise logo across multiple sites per year rather than waiting for the customer to ask. Compare a stalled account adding zero sites (effectively flat) to a healthy one adding three to six sites annually — the second is where the $1M-$15M lifetime accounts come from.

Track sites-covered vs. total-sites-in-account as a penetration percentage.

7. Recurring Revenue Mix — subscription/SaaS revenue as a percentage of total. The market is shifting from one-time assessments to subscription platforms. Best operators run 70-90% recurring, with the remainder in professional services and assessments.

This matters because gross margin tracks the mix: software/SaaS carries 70-82% gross margin while professional services and assessments run 35-50%. A book that is 50% services looks like revenue but earns like a consultancy; investors and boards reward the 80%+ recurring profile.

8. Logo (Customer) Retention — accounts retained year over year, as a percentage. OT/ICS retention is exceptional at 90-96%, far above the 80-88% typical of IT security SMB. Once a Dragos or Claroty platform is wired into the SCADA network, integrated with Splunk or Sentinel, and tied to NERC CIP evidence, ripping it out is a multi-quarter, audit-risking project nobody wants.

The stickiness is real, but it cuts both ways: it makes the initial land slow because the buyer knows the decision is near-permanent.

9. Lifetime Value (LTV) per Critical-Infrastructure Account — total gross-profit dollars over the account's life. The metric that justifies the long, expensive sales motion. Enterprise critical-infrastructure accounts reach $1M-$15M lifetime across multi-site expansion and multi-year renewals.

With 90-96% retention and 110-130% NRR, the LTV-to-CAC ratio stays healthy even though customer acquisition cost is high (long cycle, technical pre-sales, travel to remote sites). A mid-market account might carry $150K-$600K LTV; the enterprise critical-infra account is the franchise asset the whole go-to-market is built to win.

Real Operators

Dragos — the OT-pure-play leader, roughly $100M+ ARR at a ~$1.7B valuation, anchored by the Dragos Platform and the WorldView threat-intelligence service; the reference brand controls engineers trust.

Claroty — broad OT/IoT/medical-device coverage (xDome and CTD) at a ~$1B+ valuation and ~$100M+ ARR, strong in manufacturing and healthcare-adjacent industrial.

Nozomi Networks — the OT/IoT visibility leader, Guardian and Vantage products, widely deployed in energy, utilities, and oil and gas for passive network monitoring.

Armis — asset-intelligence platform (Centrix) at a ~$4.6B valuation on an IPO track, expanding from device visibility into full OT/IoT security.

Tenable OT Security — Tenable.ot (formerly Indegy), bundling OT exposure management into Tenable's broader vulnerability-management franchise.

Forescout Technologies — unified OT, IoT, and IT asset visibility and control, strong in environments that want one console across the IT/OT boundary.

Fortinet (NASDAQ: FTNT) and Palo Alto Networks (NASDAQ: PANW) — the platform giants pushing into OT via FortiGate rugged appliances and the Industrial OT Security service, respectively, selling the "one vendor, IT plus OT" consolidation story.

Cisco — Cyber Vision OT, leaning on its dominant industrial-networking install base to bundle OT security with the switches already on the plant floor.

Microsoft Defender for IoT — built on the CyberX acquisition, attractive to buyers already standardized on Sentinel and the Microsoft security stack.

Rockwell Automation / Verve Industrial, Honeywell Forge Cybersecurity, Schneider Electric Cybersecurity, and Siemens — the OEM camp, selling OT security alongside the control systems they already manufacture; Rockwell acquired Verve Industrial in 2023.

Waterfall Security Solutions (unidirectional gateways), TXOne Networks (the Trend Micro and Moxa joint venture), Xage Security (zero-trust OT), OPSWAT, Mission Secure, and Radiflow — the specialist and emerging tier; SCADAfence was acquired by Honeywell.

On the services and MSSP side, Accenture, Deloitte, Mandiant (Google Cloud), 1898 & Co. (the Burns & McDonnell OT-consulting arm), Kudelski Security, and GuidePoint Security deliver the assessments, IEC 62443 gap analyses, and managed detection that wrap the product platforms.

Failure Modes

1. Selling IT security to OT buyers. The most common deal-killer is leading with EDR agents, active scanning, or an IT-centric dashboard. The controls engineer hears "you want to put software on my safety system" and the deal is dead before pricing.

The fix is to lead passive, prove zero process impact in the POC, and speak the buyer's language (PLCs, not endpoints).

2. Ignoring the OT/IT political fault line. Reps who build only a CISO champion get budget but no network access; reps who build only an OT champion get trust but no money. Deals stall in a silent veto when one organization feels steamrolled.

The fix is explicit dual-champion development and framing the project as OT/IT collaboration, with shared wins for both leaders.

3. Forecasting on an IT-software cadence. Plugging a 9-18 month OT cycle into a forecast model built for 60-day SaaS deals produces wild misses and a sales team that sandbags or panics. Change-management freeze windows (plant turnarounds, peak-season production locks) push deals a quarter with no warning.

The fix is stage-based forecasting calibrated to OT realities and capacity planning that assumes long cycles from day one.

4. Treating the first deal as the deal. Optimizing only for the initial single-site land — discounting hard to win it, then declaring victory — strands the account at flat revenue. With NRR and per-site expansion as the real value drivers, a team that does not staff and incentivize multi-site expansion leaves the $1M-$15M LTV on the table.

The fix is compensating expansion as aggressively as new logos and assigning named account teams to drive site roll-out.

Reporting Cadence

flowchart TD
    A[Daily: POC telemetry + alert quality] --> B[Weekly: pipeline + per-site expansion]
    B --> C[Monthly: NRR + POC conversion + win rate]
    C --> D[Quarterly: LTV + retention + regulatory pipeline]
    D --> E[Board / investor review]
    E --> F[Reallocate account teams + capacity]
    F --> B

Daily: POC health and alert quality (false-positive rate, asset-discovery completeness), any technical blockers that threaten an active pilot, and same-day escalation of any event where the product touched the OT process. In OT, a single bad POC day can cost a deal.

Weekly: Pipeline movement by stage, per-site expansion activity inside existing accounts (sites added, sites in flight), champion-development status on key deals (is there both a CISO and a controls-engineering sponsor?), and bake-off status on competitive evals.

Monthly: Net revenue retention, POC-to-production conversion, competitive win rate, blended and segmented ACV, and recurring-revenue mix. This is the cadence at which the land-and-expand machine's health becomes visible — a soft NRR month is the early warning.

Quarterly: Lifetime value per account cohort, logo retention, regulatory-driven pipeline (deals tied to NERC CIP / TSA / NIS2 deadlines), gross-margin mix (software vs. services), and capacity/quota planning against the long-cycle reality. Quarterly is where you decide which enterprise accounts get a dedicated expansion team.

30/60/90 Day Plan

Days 1-30 — Instrument and segment. Stand up clean reporting that separates mid-market from enterprise ACV and isolates recurring revenue from services. Map every open deal to its regulatory trigger (NERC CIP, TSA, NIS2, CIRCIA) and its OT/IT champion coverage. Audit the POC pipeline for alert-quality and process-safety risk.

Establish baselines for all nine KPIs so later movement is measurable, and confirm CRM hygiene in Salesforce or HubSpot with the cybersecurity-overlay and GovCon fields (GovWin IQ, Unanet) populated.

Days 31-60 — Fix the conversion chokepoints. Attack the two leading indicators: POC-to-production conversion and per-site expansion velocity. Build a standardized, process-safe POC playbook that proves zero disruption and maps to the buyer's regulatory gap. Launch named-account expansion plans for the top enterprise logos, with site-by-site penetration targets.

Tighten bake-off positioning against Dragos, Claroty, Nozomi, and the platform vendors so you stop being column fodder. Calibrate the forecast model to true 9-18 month cycles.

Days 61-90 — Compound the expansion engine. Shift compensation and account-team structure to reward multi-site expansion as much as new logos. Stand up a quarterly regulatory-pipeline review tied to upcoming compliance deadlines. Formalize threat-intelligence and managed-service attach (Dragos WorldView, Mandiant Advantage) to lift ACV and NRR.

Review LTV-to-CAC by segment and reallocate selling capacity toward the critical-infrastructure accounts with the highest lifetime ceilings.

FAQ

Why is the OT/ICS sales cycle so much longer than IT security? Because two distrustful organizations (OT and IT) must both approve, the technical evaluation is conservative (no agents, no risky scans, passive-only POCs), and industrial change-management freeze windows can push a deal an entire quarter.

The realistic range is 9-18 months, and forecasting against anything shorter produces chronic misses.

What is the single most important KPI to watch? Net revenue retention. OT deployments are sticky (90-96% logo retention) and the expansion ceiling is enormous because growth comes site by site, so a healthy 110-130% NRR is the clearest signal that the land-and-expand machine is working.

NRR drifting below 105% is a louder alarm than a slow new-logo month.

How do regulations actually drive sales? Industrial buyers move on compliance deadlines more than on fear. NERC CIP (utilities), TSA pipeline directives, CIRCIA incident reporting, EU NIS2, and IEC 62443 create dated, audited obligations. Mapping a prospect's specific regulatory exposure to a specific control gap converts a vague "someday" project into a budgeted, scheduled purchase.

Why does gross margin vary so widely in this industry? Because the revenue mix spans two very different businesses. Subscription software and SaaS platforms carry 70-82% gross margin, while professional services and assessments run 35-50%. A book heavy on assessments looks like revenue but earns like a consultancy, so tracking recurring-revenue mix (target 70-90%) is essential to reading true profitability.

What separates a winning bake-off from a losing one? Trust proven in the POC. The winner demonstrates zero process disruption, complete asset discovery, and clean, low-noise alerts mapped to MITRE ATT&CK for ICS — and has both a security champion and a controls-engineering champion.

Win rates run 25-40% in competitive evals; sliding below 25% usually means you were invited as the third bidder, not the favorite.

How big can a single account get? Enterprise critical-infrastructure accounts reach $1M-$15M lifetime value across multi-site expansion and multi-year renewals, with each new plant or substation adding $50K-$500K. This is why named-account teams and expansion-weighted compensation matter — the franchise value is in the roll-out, not the first pilot.
