Somewhere between the pop-up warnings and the auto-renewing subscriptions, the antivirus industry lost the plot. A sweeping new survey from CNET reveals that while Americans overwhelmingly believe they need protection from digital threats, a startling number can’t distinguish between the software they’re paying for and the free tools already baked into their operating systems. The gap between perception and reality has never been wider — and the companies selling $80-a-year security packages are counting on it staying that way.
The CNET Antivirus Survey 2026, conducted in partnership with research firm Dynata, polled more than 2,000 U.S. adults to gauge how people think about, purchase, and use antivirus software. The findings paint a portrait of a consumer base that is simultaneously anxious about cybersecurity and confused about the tools available to address it.
Consider the headline number: 54% of respondents said they currently pay for antivirus software. That’s a majority of the American public forking over money — often on recurring annual plans — for products whose core functionality is now offered at no cost by Microsoft, Apple, and Google. Windows Defender, which ships standard with every Windows PC, has for years scored competitively against paid alternatives in independent lab tests run by AV-TEST and AV-Comparatives. And yet the paid antivirus market continues to pull in billions.
Why? The survey offers clues.
Nearly 46% of those who pay for antivirus said they do so because they believe free options aren’t sufficient. Another 32% cited “peace of mind.” These aren’t irrational motivations. But they are, in many cases, uninformed ones. CNET’s editorial team, led by cybersecurity writer Attila Tomaschek, noted that the survey exposed a fundamental literacy gap: most consumers don’t understand what modern operating systems already provide, and antivirus companies have little incentive to educate them.
The fear factor is real. Roughly 7 in 10 respondents told CNET they worry about malware, ransomware, or data breaches on a regular basis. That anxiety has only intensified as AI-generated phishing attacks grow more convincing and high-profile breaches at companies like UnitedHealth Group and Snowflake have made national news. People feel vulnerable. And when people feel vulnerable, they buy things.
The Free vs. Paid Divide Is More About Marketing Than Malware
What the antivirus industry sells in 2025 is less about virus detection — a largely commoditized capability — and more about bundled extras. VPNs. Password managers. Dark web monitoring. Identity theft protection. Parental controls. The actual antivirus engine is almost an afterthought, a legacy feature that justifies the product category’s name while the real value proposition has shifted to a grab bag of adjacent services.
Norton, McAfee, and Bitdefender have all restructured their consumer offerings around this bundle model. Norton’s most popular plan, Norton 360 Deluxe, includes a VPN, cloud backup, and dark web monitoring alongside its malware scanner. McAfee+ bundles identity monitoring and a “protection score” that gamifies your security posture. Bitdefender Total Security throws in a file shredder and anti-tracker browser extension. The question consumers should be asking — but largely aren’t — is whether they actually need any of these extras, and whether they could get them cheaper or free elsewhere.
The CNET survey found that only 22% of paid antivirus users could correctly identify which features in their subscription were also available for free from other sources. That’s a knowledge gap the industry has profited from handsomely.
It’s not that paid antivirus software is useless. For certain users — small business owners handling sensitive client data, elderly users less familiar with phishing tactics, families wanting centralized parental controls — a well-designed paid security product can genuinely reduce risk. But for the median user running a modern Windows 11 or macOS Sequoia machine with automatic updates enabled, the marginal benefit of a $60-to-$100 annual subscription over built-in protections is debatable at best.
Independent testing backs this up. AV-TEST’s most recent evaluations, published in early 2025, gave Windows Defender a perfect 6/6 score in protection, the same mark earned by Kaspersky, Bitdefender, and Norton. Performance scores — measuring system slowdown — were similarly competitive. The days when Windows Defender was a punchline are long gone.
So what’s actually keeping the paid antivirus market alive? Inertia, for one. The CNET survey found that 38% of paid users have maintained the same antivirus subscription for more than three years. Many are on auto-renew plans they set up and forgot about. Another 17% said they continue paying because their antivirus came pre-installed on their computer and they assumed it was required. Pre-installation deals between PC manufacturers and antivirus vendors remain a lucrative distribution channel — one that critics have long compared to the bloatware practices of the early 2000s.
Brand recognition matters too. Norton and McAfee, names that have been synonymous with antivirus since the 1990s, still command outsize consumer trust despite the industry’s transformation. In the survey, Norton was the most recognized antivirus brand at 89%, followed by McAfee at 85%. Windows Defender — technically their most formidable competitor — registered just 52% brand recognition, despite being installed on hundreds of millions of machines worldwide.
There’s an age dimension to all of this. Respondents over 55 were significantly more likely to pay for antivirus (63%) compared to those aged 18-34 (41%). Younger users, who grew up with smartphones and app stores that handle security more transparently, tend to view dedicated antivirus as unnecessary. Older users, many of whom remember the era of rampant PC viruses in the late ’90s and early 2000s, still associate computer ownership with the need for a separate security product. That generational memory is fading, but slowly.
The corporate side of the antivirus business tells a different story. Enterprise endpoint protection — sold by companies like CrowdStrike, SentinelOne, and Palo Alto Networks — has evolved dramatically, incorporating behavioral analysis, AI-driven threat detection, and automated incident response. These are genuinely sophisticated products designed for complex IT environments. But consumer antivirus? It’s largely riding on the coattails of enterprise innovation while selling a product that, for most individuals, duplicates what they already have.
And the economics are striking. Gen Digital, the parent company of Norton and LifeLock, reported $3.8 billion in revenue for fiscal year 2024, with consumer security subscriptions accounting for the vast majority. NortonLifeLock’s average revenue per user has actually increased over the past three years, even as the technical necessity of its core product has diminished. The company has achieved this by upselling existing customers into higher-tier bundles — a strategy that works precisely because consumers don’t realize how much protection they already have.
McAfee, taken private by an investor consortium in 2022, has pursued a similar playbook, aggressively marketing its identity theft protection features as the primary reason to subscribe. The pivot makes strategic sense: identity theft is a genuine and growing problem, and consumers are right to worry about it. But packaging identity monitoring inside an “antivirus” product creates a misleading impression — that the malware scanner is the thing you’re paying for, when really it’s the least differentiated component of the bundle.
Privacy advocates have raised another concern. Some antivirus products collect significant amounts of user data, including browsing history and application usage patterns. Avast, now owned by Gen Digital, was fined $16.5 million by the FTC in 2024 for selling user browsing data through a subsidiary called Jumpshot. The irony — a security product monetizing the very data it’s supposed to protect — was not lost on the cybersecurity community. CNET’s survey found that only 29% of antivirus users had read their product’s privacy policy. Most had no idea what data their security software was collecting.
The rise of AI-powered threats has added a new wrinkle. Phishing emails generated by large language models are harder to spot. Deepfake voice scams have targeted executives and ordinary consumers alike. Malware authors are using AI to iterate faster and evade signature-based detection. These are real and escalating dangers. But the defense against them isn’t necessarily a traditional antivirus product — it’s a combination of email filtering, browser-based protections, multi-factor authentication, and user awareness. The antivirus industry, understandably, would prefer consumers believe that a single subscription can handle all of it.
Some voices in the security community have been blunt. “For most people, the best antivirus is the one built into your operating system, combined with not clicking on things you shouldn’t click on,” said one cybersecurity researcher quoted by CNET. That advice — simple, unsexy, and free — doesn’t generate subscription revenue. But it’s increasingly the consensus among professionals who don’t have a product to sell.
None of this means the antivirus industry is going away. It means it’s transforming into something else: a consumer cybersecurity services business that happens to include malware scanning as a legacy feature. The companies that thrive will be those that clearly articulate what their paid offerings provide beyond what’s already free — and are honest about the boundaries of their protection. The ones that continue to rely on fear, confusion, and auto-renew inertia will eventually face a reckoning, as younger, more technically literate consumers age into the market’s core demographic.
For now, though, the survey’s most telling data point may be this: when asked if they felt their antivirus software was worth the money, 71% of paid users said yes. And when asked what specifically it protected them from that free alternatives wouldn’t, 58% couldn’t name a single thing.
That gap — between confidence and comprehension — is where the antivirus industry lives. And business, for the moment, is good.
Pingback: The Antivirus Industry’s Dirty Secret: Most Americans Still Don’t Know What They’re Paying For - AWNews