Instructure read it and didn't respond. Their K-12 customers did.
Five targeted intelligence briefs, simultaneously published across all sides of the post-breach LMS market. Here is everything we said.
Last week, we sent the following piece exclusively to ~300 newsletter subscribers with instructure.com email addresses, including C-level leaders. The open rate was ~65 percent and the piece circulated approximately 3x beyond the initial send.
Nobody reached out. Their loss, your win.
So we’re publishing it now with our full audience because the analysis does not expire with silence, and because the displacement mechanics, negotiation dynamics, and competitive windows we document are not Instructure-specific problems. They describe the market you are operating in. If you sell into K-12 or higher education, the institutional procurement behavior and competitive sequencing this piece maps are the environment you are operating in right now, regardless of which side of the Instructure situation you are on.
This was one of five pieces we published simultaneously across our audiences. In addition to this letter sent only to Instructure, we published highly tailored versions for K-12 vendor executives, and higher education vendor executives — directly addressing Instructure’s competitors — mapping the accounts in motion, the procurement triggers to intercept, and the positioning that wins against Canvas in a post-breach evaluation. Both versions generated significant engagement from direct competitors, courseware partners and others. We also published versions for K-12 district leaders, and higher education institutional leaders, giving each ‘buyer-side’ audience the specific renewal leverage available to them and the negotiating mechanics to use it. The same underlying research produced all five intelligence briefs because the risks and opportunities here are not running on one side of this situation.
Traditional Education media and EdTech trade publications do not publish targeted intelligence briefs across all sides of a live competitive situation simultaneously. Only The Intelligence Council does.
If you’re an edtech buyer, you should subscribe to this publication.
You can reach us at hello@intelligencecouncil.com for group rates.
Now, here’s what we wrote to Instructure:
Everyone Is Telling Instructure to Play Defense. They’re Wrong
The breach didn’t start this. But it’s given you a window to end it.
Every consultant, banker, and board advisor in Instructure’s orbit right now is treating the May 2026 breach as the origin of the commercial problem. It is not. The breach is an accelerant applied to a displacement cycle that was already running before ShinyHunters defaced a single login portal. Wall Street analysts reported, before the breach, that Instructure’s post-KKR price increases were already driving customers to evaluate alternative platforms and that Brightspace’s win rates had climbed from 10 to 20 percent a few years ago to consistently above 50 percent. An expert described how D2L was specifically targeting the maturity of Canvas’s 2015 to 2019 contract cohorts. The breach landed on top of that dynamic. It did not create it.
The advice Instructure is currently receiving reflects this misdiagnosis. Secure the renewals. Segment the concessions. Outrun the forgetting curve before D2L activates. These are reasonable tactical responses to a breach-driven churn event. They are insufficient responses to a structural displacement cycle that was already compressing the timeline in which Instructure needs to act. The distinction matters commercially because it changes what the right moves are and how urgently they need to be made.
The Intelligence Council published four intelligence briefs today. Two briefs were addressed to your institutional customers across K-12 and Higher Education, mapping in precise detail the leverage available to them at renewal, the specific contractual demands they should make, and the negotiating mechanics they should use against your account teams. Two briefs were addressed to your competitors across K-12 and Higher Ed, mapping the accounts in play, the procurement triggers to intercept, and the competitive positioning that wins against Canvas in a post-breach evaluation. Those briefs are being read this week.
But this piece is addressed to you.
The Cycle Was Already Running
The most important commercial data point Instructure’s leadership should be sitting with right now is not the breach. It is the D2L earnings call from December 2025. On that call, CEO John Baker confirmed that D2L’s new business pipeline is now coming from Canvas directly, not only from the traditional displacement targets of Moodle and Blackboard. That statement was made five months ago. It reflects a systematic targeting of Canvas accounts that has been building for years, not a breach-opportunistic sales motion that started in May 2026.
The mechanics of that targeting are specific and we’ve documented them. The LMS market is a two-horse race, and here’s the precise commercial logic D2L is exploiting: the natural maturity of Canvas’s explosive growth cohort from 2015 to 2019. The institutions that adopted Canvas during that period are now approaching the contract anniversaries at which multi-year renewal decisions recur, and they are approaching them with a platform that has been breached twice by the same threat actor in eight months. D2L has been building account relationships and reference credibility at those institutions for years. The breach has provided the forcing function. D2L has been quietly building the destination.
Baker’s stated goal of compressing LMS migration timelines from three years to three months, with a target of three weeks, is the structural commercial threat that Instructure’s executive team and board should be discussing alongside the breach response. The one moat Canvas has always relied on commercially is the cost and complexity of leaving. That moat is being systematically dismantled through AI-driven migration tooling. When migration takes three weeks instead of three years, the switching cost calculation changes fundamentally for any institution that has even a mild motivation to evaluate alternatives. The breach provided that motivation at scale across 8,800 institutions simultaneously. The migration compression provides the operational path. Together they constitute a more durable competitive threat than any single security incident, and neither is addressed by the breach response playbook currently being executed.
Instructure’s own commercial decisions compounded the exposure before the breach arrived. This is documented by equity analysts: CIBC Capital Markets said post-KKR price increases were already driving customers to evaluate alternative platforms prior to May 2026. That dynamic emerged from a debt service obligation requiring approximately $160 to $180 million in annual interest payments and an ARR mandate requiring growth from roughly $660 million to $1 billion by 2028. The customers who had already been asked to absorb price increases are not approaching their Canvas renewal conversation in a neutral evaluative posture, given recent events. Prospect theory establishes that institutions operating in a loss frame are risk-seeking rather than risk-averse. The account team that arrives at a renewal conversation without internalizing that dynamic is negotiating against a psychological reality it cannot see.
The PowerSchool re-extortion story is the evidence your customers are already using in renewal conversations, and it is also the evidence Instructure’s leadership should be using constructively. In May 2025, months after PowerSchool paid a ransom to resolve its December 2024 breach, individual school districts in the United States and Canada began receiving fresh extortion demands from the same threat actors, accompanied by samples of data that was supposed to have been deleted. School boards issued public statements confirming they had been made aware that the data was not deleted as previously believed. That sequence is precisely what Instructure’s customers are now citing when they question the value of the shred logs Instructure received in exchange for its own ransom payment. But the PowerSchool story has a second chapter that nobody else in Instructure’s orbit appears to be deploying: PowerSchool survived. Not cleanly, not without legal and commercial cost, but it is still operating, still serving its customer base, and still generating revenue. Survival after a breach of that magnitude, followed by re-extortion, is a data point that reframes what recovery actually looks like. It is a harder path than the breach narrative implies, and a more achievable one than the doom cycle suggests.
There is a counter-playbook to the pressure that customers and competitors are bearing on Instructure. We published the playbooks they will use against Instructure. But the counter-playbook is also deeply grounded in the primary research we uncovered. It operates at the account level, addresses the specific mechanisms your customers are going to use against your account teams, distinguishes the demands that represent genuine costly signals from the ones that represent negotiating posture, and identifies where the actual concession floor sits versus where customers will open. That counter-playbook converts the renewal cycle from a damage-limitation exercise into a relationship restructuring opportunity that Instructure could not have created in a normal cycle.
The Market Opened in Both Directions
The breach has created procurement activation energy across the entire LMS market simultaneously, and the displacement risk is not running only against Instructure. Every major player in this market is carrying a vulnerability right now. Those vulnerabilities are not equivalent in character, in severity, or in the timeline on which they become actionable. Some of them have nothing to do with security or the breach. Some of them are closing on a known and documented schedule. The research we conducted for this series of briefs surfaces the specific nature of each, the window in which each is exploitable, and what it would take to convert institutional motion in the broader market into net new ARR.
What our research confirms is that Instructure is the only player in this market with the commercial infrastructure to act on multiple displacement opportunities simultaneously. The cooperative purchasing vehicle coverage across Region 4 ESC, OMNIA Partners, and state-level frameworks, the implementation partner ecosystem, the brand recognition across both K-12 and higher education, and the account management infrastructure required to move at scale across thousands of institutions do not exist at D2L, at the reconstituted Blackboard, or in the Moodle certified partner network. The institutions currently in motion across this market are not all Canvas customers. Some of them are available to the player that moves with the most precision in the shortest window. That player, by infrastructure and by scale, is Instructure.
D2L is already moving, and there is a brief window in which the offensive opportunities our research surfaced will remain unclaimed. D2L’s professional services revenue declined 27 percent in its most recent quarter, which means its implementation consultants are available and actively being deployed. Its win rate is above 50 percent and confirmed to be rising against Canvas accounts specifically. Baker confirmed the pipeline includes Canvas customers on the most recent earnings call. The competitive opportunities that exist in this market right now will not remain uncontested through the end of 2026.
Instructure has a unique opportunity right now to build an offensive playbook: which accounts to prioritize, which competitive vulnerabilities to intercept, which procurement triggers are already in motion, and how to sequence the moves against a closing timeline.
The Intelligence Council published the institutional playbook your customers will be using against you, and the competitive playbook your competitors will be running against your accounts. The research that produced those playbooks also surfaced exactly what the counter looks like on each front.
I am a competitive strategist. My advisory work applies primary source research, game theory, and negotiation strategy to the specific commercial situations clients are inside of.
If you’re leading commercial strategy at Instructure in the wake of the breach and if you believe, as I do, that there is a genuine offensive competitive strategy that can be deployed, let’s talk.
You can reach me at ahusain@emerging-strategy.com
The Intelligence Briefs / Playbooks we published today:
End of Message to Instructure
About Us
K-12 Leadership Intelligence is for superintendents, CIOs, and senior school district leaders navigating policy, procurement, and change.
This is one of our six education and learning-related publications spanning K-12, Higher Education, and Workforce. Our education newsletters reach tens of thousands of senior decision-makers across the U.S. and key international markets.
Ping us at hello@intelligencecouncil.com if you’d like to learn more, explore Enterprise Subscriptions, or would like to partner in other ways.
The Intelligence Council is a next-gen B2B media and business intelligence platform built for people who make strategy, allocate capital, and carry operating risk.