2023 Cybersecurity Market Review: Disruption and Resilience

Table of Contents

• Introduction to the 2023 Cybersecurity Landscape

• The TL;DR

• Analyzing Funding Rounds and M&A Trends

• Quarter-by-Quarter Breakdown of 2023

• The Worldwide Perspective on Cybersecurity Funding

• The Impact on Different Funding Stages

• Analyzing the Shifts in Cybersecurity Funding Dyna …

• Deep Dive into Cybersecurity Product Categories

• The Major M&A Movements in 2023

• Notable M&A transactions of 2023: 

• Other M&A trends in 2023 include:

• Final Reflections and Key Takeaways

• Data Methodology and Sources

• About Return on Security

Introduction to the 2023 Cybersecurity Landscape

Each year, Return on Security monitors, analyzes, and publishes data and insights on the cybersecurity market. This happens predominantly by way of the newsletter each week, but I like to pull back and analyze what happened each year in an annual report.

2023 was a year to remember (or forget).

A combination of factors made the year challenging, including the unwinding of policies and actions from the COVID era of 2020 and 2021, massive interest rate hikes and the dramatic market slowdown from 2022, wave after wave of layoffs across all sectors, the collapse of Venture Capitalist's preferred bank, Silicon Valley Bank (plus a few other banks), fresh geopolitical troubles and war, and the sharp return of private and public markets demanding efficient businesses (businesses that make money instead of just grow).

The TL;DR

• Overall: 2023 funding was down in volume and total spending.

• Globally: Europe took the biggest hit, followed by the US. Despite geopolitical tensions and conflicts, Israel had the smallest impact.

• Product categories: Spoiler alert: AI went from zero to hero.

• Funding Stages: Late-stage companies were supported, but bets were still placed on many early-stage companies. Middle / growth-stage companies took the biggest hit.

• M&A: 2023 saw the biggest acquisition in cybersecurity history.

It was a complex and volatile year, but despite all those challenges, the cybersecurity industry still had some shine.

Let's dive into the data and see what it can show us.

As a reminder: I collect as much funding data as possible every week through the newsletter, but since deal specifics often change after the fact or things aren’t reported correctly, it’s possible to miss things. If you want to follow along and get insights in real-time, click the button below to subscribe to the newsletter. 

Analyzing Funding Rounds and M&A Trends

Overall in 2023, the cyber industry felt much of the same pain as the broader economy. The total amount of funding, the total volume of funding transactions, and the amount of mergers and acquisition (M&A) activities for cybersecurity companies decreased in 2023 compared to 2022.

2023 at a glance: 

• 684 funding rounds across 100+ unique product categories worth ~$12.7B

• 259 M&A transactions across 70+ unique product categories worth ~$40.5B

Compared to 2022: 

• 2023 Funding rounds decreased ~12% (from 774 in 2022), and M&A transaction volume dropped ~3% (from 266 in 2022). 

• Total 2023 funding dollars dropped ~38% from the ~$20.6B in 2022, and overall M&A decreased ~21% from the ~$51.2B in 2022. 

• In short, fewer companies received funding, and those that did get funding saw much smaller checks. 

These stats show a sharp reversal from the heights in 2021 and 2022  when there was still massive global momentum for cyber investments despite economic setbacks. We saw this momentum begin to wane in Q3 of 2022.  

Quarter-by-Quarter Breakdown of 2023

Looking across 2023, we can see the drastic effects of increased interest rates and deal scrutiny at the beginning of the year.

2023 brought a big downturn in cybersecurity funding.

In the second quarter of 2023, people started to feel a bit more positive, and the economy showed some small signs of improvement. This positive vibe continued into the third quarter but dropped again in the fourth quarter. Investors were still hesitant, leading to a less favorable outcome than at the start of 2023.

Reflecting on 2022, the third quarter was a low point for the cybersecurity market. This was when we saw a big drop in venture capital funding for all kinds of businesses, and the cybersecurity and tech areas were hit particularly hard.

The Worldwide Perspective on Cybersecurity Funding

Now let's examine the global economies in 2023, focusing on the three key regions for cybersecurity funding:

• The United States

• Israel

• Europe

United States

The United States dominates, with about 80% of global cybersecurity funding and the majority of cybersecurity companies based there. Given the increasing interest rates and looming recession fears through 2022 and most of 2023, it's unsurprising that funding there fell by around 30% to $10.6B in 2023 from $15.1B in 2022.

Despite fewer funding deals, the average investment size in the U.S. only dropped about 21% ($22.1M in 2023 compared to $28M in 2022).

Israel

Next is Israel, a pivotal player in the cybersecurity industry. You can't think about the industry without thinking about Israel. While Israel doesn't have the same funding or transaction volume as the U.S., it's known for launching some of the most successful cybersecurity companies in history and has a strong set of systems to support cyber founders.

Israel experienced an approximate 11% decrease in funding transactions, from 139 in 2022 to 124 in 2023. The average funding per deal only dropped 16% (from $23.9M in 2022 to $20.1M in 2023). This is a small drop compared to other markets despite new regional geopolitical tensions and conflicts.

Europe

Cybersecurity funding in Europe plummeted about 74% to $405.3M in 2023 from roughly $1.6B in 2022. The average investment per deal also declined steeply, about 70%, to $7.6M in 2023 from $25.9M in 2022.

Europe's situation is more complex. After spending half of 2023 in the United Kingdom engaging with cybersecurity professionals, startups, and investors, it’s clear that Europe's cybersecurity scene is still developing. The strong influence of the U.S. and Israel and varied regulations across European countries make it challenging for European companies to expand beyond the region. A challenge I know many are working tirelessly to overcome.

The Impact on Different Funding Stages

If we break the funding transactions down further by stage, we start to hone in on some obvious patterns.

We saw a big drop in funding for early-stage companies, but the biggest hit was to companies looking to raise "growth stage" funding rounds.

Looking at the tech industry overall, most layoffs were also at companies in the “growth stage.” Generally, less money meant workforce reductions.

A quick look at the biggest layoffs in 2023 to cybersecurity companies. 

If you want to dig in more, Layoffs.fyi has more details on this data and the broader tech ecosystem to play around with.

Many cybersecurity firms that got Series B or C funding in 2022 or earlier found themselves in a tough spot. The prior decade saw bigger funding rounds, higher company values, and more startups joining the competition. But in 2023, these companies began to struggle, and the usual venture capital idea of growing no matter what began to seem unreasonable.

I had an opportunity to discuss more about job cuts and companies in the growth phase on Enterprise Security Weekly here:

When we examined the funding stages, we noticed a big change in the amount of money given from 2022 to 2023. Overall, the total money invested in 2023 was about 12% less than in 2022, but the amounts of individual investments varied much more.

Analyzing the Shifts in Cybersecurity Funding Dynamics

When we compare cybersecurity funding in 2023 with 2022, here’s what we see:

• Cybersecurity deals in 2023 between $10.0M and $250.0M saw the biggest drop, between 33%-52%, compared to 2022. This level of funding often correlates with growth-stage companies that struggled the most this year.

• Later-stage companies raising $250.0M to $500.0M saw a 33% increase in deals involving taking on debt to continue their operations. These same companies would have probably been IPO-ready in 2021.

• Early-stage deals had a bang-up year! Deals up to $1.0M increased the most by around 67%. Investors invested more money in new companies earlier than in previous years, signaling that the latest batch of startups would be the industry's great hope.

I see two themes emerge here:

1: Some later-stage companies may have been thrown a lifeline 

The few companies that received mega checks in 2023 (just 4, compared to 3 in 2022) would have been preparing for an IPO if this were 2021. Since times are tough, these companies are likely using the money to survive the downturn, become more financially and operationally smart, and adjust their values to match the current market. This will prepare them to act when the market for public stock offerings improves.

When we look at funding that isn’t specific to any stage, companies received over $842.0M in 2023, similar to 2022’s $860.1M. With the value of public companies dropping, money being scrutinized more closely, and fewer deals in general, getting loans helped many businesses stay in the game. This also shows that some companies that might have gone public in the past are still hanging in there.

2: Early-stage cybersecurity founders are strong and creative

On the flip side, 2023 saw more early and small deals than most people thought would happen, especially after how 2022 ended. These early-stage companies are playing a whole different ball game. Both investors and the people starting these companies are now aiming to create strong, money-making businesses with realistic growth goals - a major shift from the past. I believe this move towards more investment in early-stage companies will keep going into 2024.

When we look closer at the funding data, it's clear that 2023 was still a really good year for founders of new cybersecurity startups.

In 2023, seed funding for startups reached over $1.0 B across 229 deals. This is just a small 3% drop from the $1.3B in seed funding for 236 deals in 2022.

When we look at the more advanced growth stages, the total money for Series B rounds dropped by about 52%. It was $1.3B across 46 deals in 2023, down from $4.2B across 96 deals in 2022. Series C rounds took an even bigger hit, with a 60% drop in funding. It was $1.1B across 18 deals in 2023, compared to $3.5B across 45 deals in 2022.

How did the new companies fare? Despite all the worries and unknowns in the cybersecurity world in 2023, the companies getting funding for the first time last year received most of the money.

Even though the number of one-time investments was similar in both years, the total amount of money dropped 41% ($5.2B in 2023 compared to $8.9B in 2022).

First-time raisers got about 42% less on average than the prior year ($13.3M compared to $22.5M in 2022). The purse strings are clearly getting tighter in an industry more accustomed to blank checks.

There is more evidence of investors' cautious approach: except for companies raising for the fifth time, the number of investments decreased generally from 2022 to 2023.

People often say that diamonds are created under a lot of pressure, and 2023 was a year full of it. I think this will lead to some really impressive companies over the next five years.

Quick reference for mapping funding stages to funding rounds: 

Deep Dive into Cybersecurity Product Categories

Competition in cybersecurity is constant. What's innovative today soon becomes the standard.

Buyers tend to make purchases based on categories, a trend driven by the industry at large. The subtle differences, overlapping functionalities between vendors, misleading (or generously, overly creative) marketing, and frameworks like the magic quadrants often spark much discussion and debate within companies.

To fully grasp the landscape, we have to dive into the nuance of cybersecurity product categories.

These product categories had a breakout year in funding dollar growth in 2023:

Another view from a funding transaction volume perspective:

In 2023, the AI Security sector saw remarkable growth, with funding increasing by approximately 4,000% to total around $95.2M. This was a significant jump from the single transaction in this category in 2022, which featured 12 such deals. 

Additionally, these numbers only partially capture the extensive investment in 'AI Security,' 'Security of AI,' and 'AI Privacy Assurance.' The numbers above also don’t show how much money the industry poured into injecting AI into existing security products or rebranding themselves as “AI Security.”

For reference, here is how I define these terms:

AI Security: Software platforms designed to maintain the integrity of AI systems and shield them from misuse.

Security of AI: Software platforms focused on securing AI applications from cyberattacks, unauthorized access, and manipulation.

AI Privacy Assurance: Software platforms focused on safeguarding sensitive data and personal information used in AI processes, ensuring the responsible use of AI systems.

These stats also do not include all the companies that pivoted to AI as their primary business. I anticipate the overall AI trend accelerating in 2024, although it's still small compared to the overall funding for AI technologies.

Spoiler alert:

Quick note: Secure Networking saw significant funding increases, mainly due to large investments in established companies like Akamai, which raised $1.1B in post-IPO debt. Hardware Security also had a strong year, but that’s mostly because it didn’t gain any traction in 2022, and the transaction amounts are still very small.

On the flip side, these twelve product categories saw the most significant contraction in funding dollars since 2022:

Another view from a funding transaction volume perspective:

The companies in the product categories that saw the biggest declines in 2023 are not necessarily in a bad position; just trends have changed year over year, and a story about this can be read here.

As an example, Cloud Security Posture Management (CSPM) really had its moment in the industry in 2020 and 2021. Since CSPM was announced to the world, there has been a Posture Managementification™️ of many subsequent disciplines. Overall, I think this is a good and important thing for the industry - to move to test-driven and trust-driven security tools - but CSPM was version one.

Since that time, many other products have climbed on the shoulders of CSPM and passed them by as standalone products:

In a market that changes slowly or is really new and technical, competition might be okay because you'll have time to create defenses and win customer loyalty. But in a fast-moving field like cybersecurity, the likelihood that you've built strong enough defenses by the time competitors show up is very small.

Looking briefly at the Password Manager category, it's hard to top the big rounds we saw in 2022 and earlier, so naturally, this looks a lot lower in 2023. If you remember, in 2022, 1Password raised $620.0M (after raising $100.0M in 2021), and BitWarden raised $100.0M. 

I imagine the investment thesis went something like this:

The Major M&A Movements in 2023

Did we witness The Great Cybersecurity Industry Consolidation™️? It seems not to be any more or less than in previous years.

2023 marked another significant year for M&A in the cybersecurity sector, with numbers almost matching those of 2022.

Various factors influence cybersecurity industry consolidation, and there's unlikely ever to be a single “Big Event" consolidating all security companies, leaving only a few options for customers (which no one would like, anyway).

I see cybersecurity industry consolidation as similar to playing the accordion (not that I know how to do that, but I’m using this analogy anyway).

To make music, someone has to not only press the correct set of keys and buttons but also expand and contract the whole instrument at the same time to play the right notes. There are always new entrants into the cybersecurity industry because technology is constantly changing, and there are always new threats and adversaries to contend with. Different keys get played, buttons get pressed, and different parts of the accordion expand and contract, but the music of progress is always playing.

Notable M&A transactions of 2023: 

• Cisco acquires Splunk for $28.0B: This is the largest acquisition in the cybersecurity industry ever, surpassing SailPoint's $6.9B acquisition in 2022. With the meteoric rise of AI companies in 2023, everyone is scrambling to acquire data to build and train their own Large Language Models (LLMs) from, so many see this Cisco acquisition as a pure data play.

• Palo Alto spent over $1B to expand: They acquired Talon Cyber Security for $625.0M - the second remote browser isolation company to be acquired - the year after winning the RSA Innovation Sandbox in 2022 and raising nearly $150.0M. Next up, they purchased Dig Security for $400M. Palo Alto’s CEO, Nikesh Arora, stated that Palo Alto intends to continue their M&A cadence at roughly $1.0B/year.

If you want to read more about the importance of LLM security and how the new data security risk has changed: 

Other M&A trends in 2023 include:

• Attack Surface Management (ASM) companies are beginning to exit, amounting to ~$376.0M (I see this shaping out the same way that the CSPM product space. It's a feature, not a standalone platform).

• Data Security Posture Management (DSPM) companies are fast-tracking exits totaling ~$710.0M. This is especially interesting given that the term has only been around for a year.

• Managed Security Service Providers (MSSPs) continued their streak with over 50 acquisitions totaling about $382.0M, a 50% increase from 2022.

• Secure Access Service Edge (SASE) companies were acquired for approximately $1.2B across four deals as traditional firewall providers struggle to keep up with changing market demands. Palo Alto is leading the way.

Final Reflections and Key Takeaways

2023 in cybersecurity was a year of recalibration. A few key points stand out when I reflect on the trends:

• The industry showed adaptability amid economic and geopolitical difficulties, with early-stage companies leading the way.

• Mergers and acquisitions played a major role, with some deals setting new records.

• Despite setbacks, the cybersecurity field continues to hold potential for future innovation, and you can see that through the shifts in funding and product categories.

2023 was a pivotal year for cybersecurity, marked by adaptability and strategic shifts. The industry's response in 2023 shows a bright future for innovation and growth.

Data Methodology and Sources

• All of the data is captured point-in-time from publicly available sources.

• All financial figures are converted to U.S. dollars (USD) when collected.

• Company country locations are pulled from publicly available sources.

• Companies are categorized using our system at Return on Security, and we write all the company descriptions.

• Sometimes, the details about deals, like who led the round, how much money was raised, or the deal stage, might get updated after the issue is first published.

• Let us know if you spot any errors, and we’ll fix them.

About Return on Security

Return on Security is all about breaking down the cybersecurity industry for you with expert analysis, hard facts, and real-life stories. The goal? To keep security pros, entrepreneurs, and investors ahead in a fast-moving field. Read more about the “Why” here.

Feel free to borrow any data, charts, or advice you find here. Just make sure to give a shoutout to Return on Security when you do.

Thank you for reading. If you liked this analysis, please share it with your friends, colleagues, and anyone interested in the cybersecurity market.

Follow me on LinkedIn or Twitter to never miss Return on Security updates.