Canvas: The Contestability Window
Canvas has been breached twice by the same actor in eight months. The market is open. Here is how long it stays that way, the only move worth making, and where to point the spear.
Canvas just handed its competitors the rarest thing in a mature SaaS market: a credible reason for 9,000 institutions to reconsider a platform they have not seriously evaluated in fifteen years. The breach, the ransom payment, the second attack in eight months, the Congressional summons: these are not only a PR crisis for Instructure, but a temporary genuine reduction in switching costs across a market that has seen almost no meaningful competitive displacement in fifteen years. That window is 12 to 18 months, and most competitors will spend it making the wrong moves: cutting price, leading with feature comparisons, and waiting while Instructure reframes the entire conversation around shared industry vulnerability.
This Premium Intelligence Brief maps the actual offensive playbook: which accounts are switchable and why, what procurement triggers to intercept, which contractual terms Canvas cannot currently offer and why they constitute your most credible competitive signal, and what the dynamics of focal point competition mean for whichever vendor credibly claims the security-sovereign position first.
"Forget EdTech media, you can't even get McKinsey to pull actual contracts, name specific accounts in play, tell D2L directly that it's asleep at the wheel, or instruct you to weaponize the Schoology breach against your biggest competitor for the Canvas defectors you want. And even if they did all that research, they would not apply game theory, behavioral economics, and negotiation strategy to it and hand you a directive. The Intelligence Council delivers that. We combine the best strategic thinking in the world with primary source intelligence that’s outside the reach of most in-house strategy teams. This is not a cautious memo full of hedging and obfuscation. We are writing for the person in the arena. And yes, that makes some people uncomfortable. That's the point."
— Adil Husain, Founder, The Intelligence Council
Competitors that want our strategic thinking and research access applied to their specific market position, sales motion, and competitive strategy should contact ahusain@emerging-strategy.com.
This brief draws on primary source Instructure contracts obtained through public procurement databases and freedom-of-information records spanning over a dozen institutions, original threat intelligence from Google's Threat Intelligence Group, CrowdStrike, and Push Security, EDUCAUSE and CoSN cybersecurity benchmarking surveys, D2L's public financial disclosures, and equity analyst and regulatory coverage of the post-breach LMS market. The competitive strategy analysis applies six leading theoretical frameworks to the specific market structure the breach has created: Baumol's contestable markets theory, Kahneman and Tversky's prospect theory, Spence's signaling model, Schelling's focal point framework, Hotelling's spatial competition model, and Fisher and Ury's BATNA framework.
Every factual claim in this brief traces to a primary source; the strategic reasoning connecting them is our own analysis.
We also published an Intelligence Brief today for our Higher Ed institutional audience (“the buyers”) on what this breach should mean for their procurement posture and renewal negotiations. If you want to know our posture in advising them, read it here.
Canvas: The Contestability Window
Canvas has been breached twice by the same actor in eight months. The market is open. Here is how long it stays that way, the only move worth making, and where to point the spear.
1. The Window
The Canvas breach created a contestable market. Competitors who treat it as a switching event will act on the wrong timeline and waste the window. William Baumol’s contestable markets theory holds that markets with high switching costs are uncontestable when exercising the alternative is prohibitively expensive. An LMS migration at a mid-sized university runs $500,000 to $2 million in direct costs, 18 to 36 months of parallel operation, full SIS re-integration, LTI re-authorization across every connected publisher tool, and multi-year grade history migration. The breach lowered none of those costs. It raised the perceived cost of staying. When 9,000 institutions simultaneously had their first genuine conversation about what they would move to instead of Canvas, the market became contestable.
Frame every competitive conversation around loss mitigation: institutional buyers are in a loss frame right now, and in the loss frame, switching is perceived as reducing exposure rather than taking a risk. Kahneman and Tversky’s prospect theory establishes that decisions made in a loss frame are risk-seeking rather than risk-averse. Under normal conditions, inertia wins because staying feels safe. The breach changed that calculus. Finals-week outage at Harvard, Columbia, Princeton, and Rutgers was a concrete operational failure at the highest-stakes academic moment of the calendar. Phishing warnings sent to students, launched FERPA investigations, CISO war-footing protocols: these are loss experiences. Every competitor who leads with platform capabilities is working against the psychology.
Force every conversation to treat Canvas’s two breaches as a structural liability, because procurement committees that internalize a pattern will not give Instructure the benefit of the doubt on a third incident. Instructure was breached twice by ShinyHunters, the group Google’s Threat Intelligence Group tracks under clusters UNC6240, UNC6661, and UNC6671, in eight months. CEO Steve Daly called them “distinct events involving different systems,” which means either the September 2025 remediation failed to address the May 2026 vector, or ShinyHunters maintained persistent access across both events. Tversky and Kahneman’s availability heuristic tells us that assessments of probability are shaped by how easily examples come to mind. With two confirmed breaches by the same actor on record, a third Canvas incident will register as confirmation of a pattern that was visible and ignored.
Segment your target accounts before you act, or risk spending the window on institutions that cannot make a decision within it. Active RFP and imminent renewal accounts are institutions whose Canvas contracts expire within 18 months and who are now conducting evaluations under materially changed security criteria. Institutionally disrupted accounts are large systems where operational severity triggered board-level review regardless of contract status: the UC system’s Office of the President blocked Canvas access across all UC locations; the California Community Colleges Chancellor’s Office did the same. Pipeline accounts are mid-contract institutions where migration is impractical near-term but where establishing architectural credibility now creates the 2027 and 2028 conversion. The mistake is treating all three with the same motion.
The forgetting curve is the first mechanism closing this window, and it is already running. Breach recall peaks in the next 60 to 90 days and decays materially afterward. The PowerSchool breach of January 2025 is the reference case: it exposed data for approximately 62 million K-12 students, produced a $17.25 million settlement, generated intense institutional alarm through Q1 2025, and had largely faded from active procurement decision-making by Q3 2025 with no significant platform departures. What feels like a market-defining event today will feel like background context by Q1 2027.
Canvas’s recovery playbook is already in motion, and every institution that signs a three-year renewal in Q3 or Q4 2026 is a closed account through 2029. The playbook is predictable: SOC 2 recertification communications to customers, congressional testimony that allows CEO Steve Daly to demonstrate responsiveness to Chairman Garbarino’s formal inquiry, and aggressive renewal pricing concessions designed to lock institutions into multi-year terms before the security alarm fades. The third closing mechanism is the focal point race among competitors themselves, addressed in Section 2. The governing principle: the window closes institution by institution, as procurement committees re-commit to Canvas or commit to an alternative.