security Bullish 7

OneSpan Accelerates Software Pivot Amid 16.6% Hardware Revenue Slump

· 3 min read · Verified by 19 sources · By Cyber Intelligence Brief Editorial
Share

Key Takeaways

  • OneSpan reported a strategic shift toward recurring software revenue, with cybersecurity ARR growing 12% to $187 million.
  • The company is aggressively consolidating its mobile security portfolio through the acquisitions of Knock Knock, ThreatFabric, and the pending Build38 deal.

Mentioned

OneSpan company OSPN Victor T. Limongelli person Jorge Martell person Knock Knock company ThreatFabric company Build38 company

Key Intelligence

Key Facts

  1. 1Cybersecurity Annual Recurring Revenue (ARR) increased 12% year-over-year.
  2. 2Hardware revenue experienced a significant 16.6% decline in 2025.
  3. 3Full-year Adjusted EBITDA reached $78 million with a 32% margin.
  4. 4Acquisitions of Knock Knock and ThreatFabric completed; Build38 expected to close in Q1 2026.
  5. 5Net retention rate improved to 104%, up from 103% in the prior year.
  6. 6Quarterly dividend increased by 8% to $0.13 per share for 2026.
Software Transition Outlook

Analysis

OneSpan’s Q4 2025 earnings results serve as a definitive case study for the structural transformation currently sweeping the authentication and identity management sector. The company reported a total Annual Recurring Revenue (ARR) of $187 million, representing an 11.5% year-over-year increase. However, the headline figure masks a deeper divergence: while cybersecurity-specific ARR grew by 12%, legacy hardware revenue plummeted by 16.6% for the full year. This shift marks the twilight of the physical hardware token era, as enterprise clients—particularly in the financial services sector—migrate toward software-defined, mobile-first security architectures. For OneSpan, this transition is not merely a change in delivery method but a total re-engineering of its business model toward higher-margin, predictable subscription revenue.

The strategic centerpiece of OneSpan’s evolution is its aggressive M&A activity, designed to build a comprehensive 'Mobile Identity' stack. During 2025, the company completed the acquisitions of Knock Knock and ThreatFabric, with the acquisition of Build38 expected to close in Q1 2026. These are not random additions; they represent a calculated move to own the entire lifecycle of mobile application security. Knock Knock brings FIDO-based passwordless authentication, ThreatFabric provides sophisticated mobile fraud detection and threat intelligence, and Build38 specializes in mobile app shielding. By integrating these technologies, OneSpan is positioning itself as a critical infrastructure provider for mobile banking and high-value digital transactions, moving beyond simple two-factor authentication into proactive threat mitigation.

The company reported a total Annual Recurring Revenue (ARR) of $187 million, representing an 11.5% year-over-year increase.

Financially, OneSpan is managing this pivot with remarkable discipline. Despite the heavy costs associated with integrating multiple acquisitions and the drag from declining hardware sales, the company maintained a 32% Adjusted EBITDA margin for the full year, generating $78 million. This profitability is bolstered by a 74% gross margin, a 200-basis-point improvement over the previous year, reflecting the superior economics of software over physical goods. Furthermore, the company’s net retention rate ticked up to 104%, suggesting that existing customers are not only staying but expanding their footprint into new software modules. This is a vital metric for investors, as it proves the cross-sell potential of the newly acquired security assets.

What to Watch

From a competitive standpoint, OneSpan is carving out a niche that differentiates it from generalist identity providers like Okta or Microsoft. By focusing on deep-tech mobile security—specifically for regulated industries—OneSpan is targeting the 'high-assurance' market where the cost of a single fraudulent transaction can be catastrophic. The integration of ThreatFabric’s intelligence into the core platform allows OneSpan to offer 'risk-based authentication,' where the level of security challenge is dynamically adjusted based on the real-time threat profile of the user’s device and environment. This move toward 'invisible' but robust security is the current gold standard in cybersecurity user experience.

Looking ahead to 2026, the primary challenge for CEO Victor T. Limongelli and his team will be the successful integration of Build38 and the continued management of the hardware decline. Management’s guidance for software and services revenue growth of 4% to 5% appears conservative, likely accounting for the macroeconomic headwinds and the time required for the new sales teams to hit their stride with the integrated portfolio. However, the underlying growth in ARR suggests that the 'software-first' OneSpan is a much more resilient and scalable entity than its hardware-centric predecessor. Analysts should watch for the first combined product launches in mid-2026, which will be the true test of whether these acquisitions can deliver a unified, market-leading security platform.

Timeline

Timeline

  1. M&A Expansion

  2. Fiscal Year End

  3. Q4 Earnings Release

  4. Build38 Acquisition

Related Stories

security

$30M Investment Supercharges Sovereign AI for Cybersecurity in India

Innefu Labs’ $30 million Series B will accelerate development of AI‑powered cyber and national security platforms, including secure language models and agentic tools. The round underscores the urgency of indigenous defense tech amid rising cyber threats.

security

Embee Software Targets 100% DPDP Compliance with New Microsoft Security Stack

Embee Software has launched an expanded cybersecurity portfolio centered on Microsoft’s security ecosystem and Zero Trust principles. The move aims to bolster cyber resilience for Indian firms while ensuring compliance with the Digital Personal Data Protection (DPDP) Act.

security

ISI CCTV Espionage Ring Leverages Women and Minors for Surveillance

Intelligence reports have uncovered a sophisticated espionage operation orchestrated by Pakistan's ISI, utilizing a network of women and underage recruits to manage and exploit CCTV surveillance systems. This hybrid warfare tactic combines traditional human intelligence with technical IoT vulnerabilities to monitor sensitive locations and public infrastructure.

security

India Data Center Capacity to Hit 4 GW by FY30 with ₹1.5T+ Investment

India's data center capacity is projected to quadruple to 4 GW by fiscal year 2030, driven by investments between ₹1.5 lakh crore and ₹4 lakh crore. This massive infrastructure surge reflects the nation's push for data sovereignty and the rising demands of AI and 5G technologies.

How we covered this story

Every story in our cybersecurity coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.

Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the cybersecurity space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.

Signal on this pageWhat it tells you
Verified by N sourcesIndependent corroboration count. N≥2 is our confidence floor; N=1 is marked explicitly.
Impact score (1-10)Regulatory + financial + operational weight. 8+ signals an experienced-operator action item.
SentimentFive-tier classification trained on labeled cybersecurity-specific corpora.
TimelineWhere applicable, the related-events sequence that contextualizes today's development.