Welcome to the fourth annual State of the Cybersecurity Market report from Return on Security. If you’ve read the previous reports (thank you!), you know what to expect. For the new folks, I wanted to share what you’re about to get into.
What you’ll find is that these annual reports follow a narrative structure, using data to explain key developments in the cybersecurity industry and the broader economy over the past year and to highlight their significance. All of this comes from data and will leave you with the “so what” and clarity on the year that was.
What you will not find in these reports is just as important as what you do. These reports do not include 100+ page slide decks, logo collections, or promotional content disguised as thought leadership. The way we work has changed significantly in the past year, and this report reflects that. This report, like all the others before it, is text-first and is built for you and the AI tools you now use to do your job.
I've been doing it this way for four years, and the rest of the world just caught up.
New here? The weekly Return on Security newsletter is where this analysis lives year-round. Four years of consistent tracking, every week, watching patterns develop in real time.
Let's get into it.
Key Findings
Funding: Cybersecurity companies raised $25.1 billion across 743 deals in 2025, up 59% from 2024
M&A: $76.4 billion across 320 deals, led by Google's $32 billion acquisition of Wiz, the largest in industry history
Mega-rounds: 48 deals over $100M captured 65% of all funding
AI Security reality: Just 2.6% of funding, not even a top-10 category despite the hype
Geographic concentration: The US + Israel absorbed 91% of global cybersecurity funding
Public markets: Only 5 of 14 pure-play cyber stocks finished 2025 positive; the Return on Security Cyber Index returned -6.5%
The Great Bundling: Cyber companies buying IT, IT buying cyber, manufacturing entering security through acquisition
The Year That Was
When 2025 started, did you think the cybersecurity industry would have such a stellar year? I was optimistic, of course, but 2025 far exceeded my expectations.
In a year of global uncertainty, no less. A year where regulatory and geopolitical issues increasingly impacted how technology companies operated, where capital flowed, and where companies were started and built.
Every year when I do these annual reports, I come back to a central question that I try to answer. That question?
Are we so back?
2025 proved that we are, in fact, so back in the cybersecurity industry. But it wasn’t because everything went well or because the year didn’t have its challenges.
The Economy and Markets in 2025
Before diving into the cybersecurity-specific data, it's worth understanding the economic backdrop that shaped 2025.
2025 marked the start of The Uncertainty Era.
| Year Range | Period Description |
|---|---|
| Before 1991 | Pre-Internet Era |
| 1991 - 1994 | Early Internet Era |
| 1995 - 2002 | Dotcom Bubble |
| 2003 - 2009 | Post-Dotcom Bubble to Great Recession |
| 2010 - 2011 | Recovery and Digital Expansion |
| 2012 - 2020 | High-Burn / High-Growth |
| 2021 - 2022 | High-Burn / Slowing-Growth |
| 2023 - 2024 | Expense Management |
| 2025 - Present | The Uncertainty Era |
US tariffs and trade wars created global uncertainty, central banks cut rates worldwide (except Japan), currency valuations went wild, AI optimism and fears loomed larger than ever, Big Tech couldn’t spend enough money on data centers and energy, global conflicts continued to rage on, Europe rearmed itself, and precious metals stockpiling were among the most significant market drivers of 2025. Not to mention that many stock markets, somehow, had their best performance in years.
Here were some of the biggest highlights that had direct and indirect impacts on the cybersecurity industry:
Central Banks Finally Eased
After years of tightening, the major central banks pivoted in 2025. The US Federal Reserve cut rates three times, bringing the target range down to 3.50%-3.75% by December. The European Central Bank (ECB) delivered eight cuts in total (starting in June 2024), bringing the rate to 2.00% by mid-2025. The Bank of England made four cuts, ending the year at 3.75%. The notable exception was the Bank of Japan, which raised rates to 0.5%, still the lowest among major economies, but a meaningful shift from below zero.
Lower rates unlock capital, and investors who had sat on the sidelines in 2023-2024 started deploying and financing M&As again in 2025.
Big Tech Went All-In on AI Infrastructure
The hyperscalers spent over $380 billion on capital expenditures in 2025, most of it on AI infrastructure. Meta nearly doubled its capex to $72 billion. Amazon hit $125 billion. Google and Microsoft each approached $90-95 billion. These numbers are projected to exceed $500 billion in 2026.
It’s these large players driving technology that ultimately determine where security budgets come from downstream. When hyperscalers spend, they and their customers need to secure what they're building, and the AI infrastructure boom has created an equally sized boom in new attack surfaces and new markets for security vendors.
The large shifts also had downstream effects on the labor market.
The Cyber Workforce
While broader financial headlines looked strong, the labor market told a more complicated story and reshaped headcount decisions across the industry.
Cyber Company Layoffs
The layoff landscape in cybersecurity cooled significantly from the 2022-2023 peak.
Return on Security tracked 21 layoff events at cybersecurity companies in 2025, down from over 50 in 2023 but up from 16 in 2024. The most significant single event was CrowdStrike's May announcement of 500 layoffs (5% of staff), and this was notable because the company's stock was up 35% for the year at the time.
Several layoffs were M&A-driven rather than market-driven:
Sophos cut 6% after acquiring Secureworks
Axonius cut 10% while digesting multiple acquisitions
Armis laid off 50% of OTORIO's staff after its $120 million acquisition
This story was one that many companies saw across all industries in 2025, where cost optimization was the name of the game, not mismanagement or distress.
There was, however, one AI disruption story: Deepwatch cited "accelerating investments in AI and automation" as the reason for cutting 25% of its workforce in November.
Just like in 2024, 2025 brought more worries and more demand for AI and AI Agents to supplement, replace, and displace knowledge work as we know it. While there is not always a direct correlation that we can see, AI is changing the tone of every conversation.
Cyber Company Shutdowns
Something new we started tracking in 2025 at Return on Security: cybersecurity company closures.
In total, six cybersecurity companies shut down in 2025:
NanoLock Security, an Israel-based operational technology (OT) security company that raised $18M, cited war-related financial strain.
Skybox Security, a United States-based network security company that raised $335M, sold all its assets to Tufin and then abruptly shut down.
Myrror Security, an Israel-based software supply chain security company that raised $6M, cited market saturation and hiring missteps.
CyberAlerts, a Spain-based threat intelligence database for emerging vulnerabilities, shut down after 6 months due to a lack of profitability.
The Scottish MSSP, Adarma, entered administration, citing intense competition, rising costs, and cashflow issues following the loss of a major customer.
Cortanix, an Israel-based observability and security analytics platform that raised $21M, shut down after one year of operations.
These are the ones we know about and from a public source. The observations here are less “industry in distress” and more natural market corrections.
Likely, many other permutations of closing the proverbial doors in 2025 did not make the news but were effectively the same. Are endless product pivots that burn runway without real, consistent customer traction that much different than shutting things down? For investors and equity holders, there can be some fates worse than death.
Meanwhile, the financial side of the industry told a very different story. Capital flowed back into the industry in a major way at both the earliest and the latest stages. But that prosperity wasn’t always universal or evenly distributed.
Let’s analyze the recent developments in public markets, private funding, and M&A activity, as well as the geographic shifts that determined the winners and losers.
How Much Funding Did Cybersecurity Companies Raise in 2025?
TL;DR: Cybersecurity companies raised $25.1 billion across 743 deals in 2025, a 59% increase from 2024. Capital returned to the market, but concentrated heavily: 48 mega-rounds ($100M+) captured 65% of all funding. Average deal size jumped 37% to $40.9M.
The financial side of the cybersecurity industry tells us a lot about market health. In 2025, the story was clear: capital came back, and it came back in a big way.
Highlights:
743 funding events totaling $25.1 billion. 2025 was up 59% in dollars and 10% in deal volume from 2024
48 mega-rounds ($100M+) accounted for 65% of all funding, but were concentrated in just 6% of deals
Average deal size jumped 37% from $29.9M to $40.9M globally
Transparency improved: 83% of deals disclosed amounts, up from 78% in 2023-2024
When did the funding come in?
| Month | Funding | Events | Avg Deal |
|---|---|---|---|
| January | $808M | 64 | $12.6M |
| February | $1.65B | 48 | $34.4M |
| March | $1.77B | 53 | $33.5M |
| April | $2.21B | 81 | $27.3M |
| May | $2.51B | 51 | $49.3M |
| June | $4.05B | 63 | $64.3M |
| July | $2.82B | 74 | $38.1M |
| August | $237M | 31 | $7.6M |
| September | $1.36B | 71 | $19.2M |
| October | $1.55B | 76 | $20.4M |
| November | $1.35B | 59 | $22.8M |
| December | $4.81B | 72 | $66.8M |
June and December were the standout months, accounting for 35% of the year's funding. August was the summer lull for the cybersecurity industry (too many people at Burning Man?), and the only month in 2025 below $1 billion.
How did 2025 compare to previous years?
Looking at a year-over-year view, the story unfolds a bit more.
| Metric | 2022 | 2023 | 2024 | 2025 |
|---|---|---|---|---|
| Total Funding | $22.6B | $13.2B | $15.8B | $25.1B |
| Total Events | 858 | 758 | 676 | 743 |
| Disclosed Events | 701 | 595 | 529 | 614 |
| Disclosure Rate | 81.7% | 78.5% | 78.1% | 82.6% |
| Avg Deal Size | $32.3M | $22.3M | $29.8M | $40.9M |
| Mega-Rounds ($100M+) | 59 | 28 | 40 | 48 |
This four-year view shows the industry's full cycle. 2022 marked ZIRP’s peak and subsequent crash, 2023 was the year of course correction and austerity measures (i.e., startups needing to “make revenue”), 2024 was all about stabilization and an industry healing, and 2025 was a return to form. Deal volume never recovered to 2022 levels, but dollars and average deal size did.
Where did the funding concentrate?
When capital returned to cybersecurity in 2025, it returned with conviction, but that conviction went to a relatively small number of companies.
Mega-rounds ($100M+):
48 deals captured $16.4 billion (65% of all funding)
The remaining 695 deals split $8.7 billion (35%)
Mega-round volume up 78% YoY ($9.2B to $16.4B)
The average deal size jumped 37% globally, from $29.8 million to $40.9 million.
Did transparency improve?
Not all funding events come with disclosed amounts. Tracking disclosure rates tells us something about market confidence.
| Year | Total Events | Disclosed | Disclosure Rate |
|---|---|---|---|
| 2023 | 758 | 595 | 78.5% |
| 2024 | 676 | 528 | 78.1% |
| 2025 | 743 | 614 | 82.6% |
Transparency jumped 4.5% after holding flat through the correction years. Companies disclose amounts when they're proud of the raise and want the attention that comes with it.
Here’s the thing we learned over the last few years: distribution is the best moat a startup can create in 2025 and beyond. The companies that learned to own their distribution during the lean years are the ones making the biggest splashes now. A $50M Series B announcement hits differently when you've already built the audience to hear it.
The old playbook of raising money and then buying attention doesn’t work anymore. The new playbook is to build distribution first through the channels people actually seek out and trust. The funding announcement just amplifies what you already have.
Either way, the disclosure is just the starting gun. The difference is whether you're lighting a fire or feeding one.
How did funding break down by stage?
| Stage | 2024 | 2025 | Change % | % of 2025 |
|---|---|---|---|---|
| Early Stage | $1.05B | $1.56B | +49% | 6.2% |
| Series A | $1.64B | $2.76B | +68% | 11.0% |
| Series B | $1.59B | $3.22B | +102% | 12.8% |
| Series C | $1.82B | $2.14B | +18% | 8.5% |
| Growth Stage | $2.92B | $4.11B | +41% | 16.4% |
| Other | $6.75B | $11.36B | +68% | 45.2% |
Series B funding doubled, signaling a renewed appetite for scaling proven early-stage winners. Series C grew the slowest, reflecting the "graduation problem" where companies struggle to reach the metrics needed for late-stage checks or early-stage acquisitions.
The "Other" category includes post-IPO debt, convertible notes, grants, and rounds that don't map neatly to traditional stages. We track all capital movement into cybersecurity companies, not just the rounds that fit VC reporting conventions.
What does a "normal" round look like by stage?
The quartile distribution shows what it takes to stand out at each stage, and what’s “normal.” At Seed, the median round was $5.7M—but the top 1% raised $51M, nearly 9x the median. The spread widens dramatically at later stages:
These distributions matter for benchmarking. If you're raising a $25M Series A, you're at the top quartile, but not the “top-top.” A $100M Series B puts you in the top 5%. Understanding where you sit in the distribution helps founders and investors calibrate expectations.
What were the largest cybersecurity funding rounds in 2025?
In 2025, cybersecurity companies raised 48 transactions of $100 million or more, up from 40 in 2024 and 28 in 2023. Of these, 20 companies raised $200 million or more, and 9 raised over $500 million.
The top 10 cybersecurity funding rounds from 2025 combined for a total of $10.0 billion in funding:
Check Point Software Technologies, a United States-based suite of network and email security tools, raised $1.75B in Post-IPO Debt.
Akamai Technologies, a United States-based secure networking and website security platform, raised $1.5B in Post-IPO Debt.
KnowBe4, a United States-based security awareness and simulated phishing training platform, raised $1.46B in Debt Financing from JPMorgan Chase and KKR.
CyberArk Software, a United States-based suite of identity security and privileged access management (PAM) tools, raised $1.1B in Post-IPO Debt.
Cyera, an Israel-based cloud-native data security platform, raised a $540M Series E from Georgian, Greenoaks, and Lightspeed.
ReliaQuest, a United States-based SOC-as-a-Service company, raised a $500M Private Equity round from EQT, FTV Capital, and KKR.
NinjaOne, a United States-based endpoint management and protection platform, raised a $500M Series C from CapitalG and ICONIQ Growth.
Armis, a United States-based agentless IoT security platform, raised a $435M Venture Round from Goldman Sachs Growth Equity.
The top 5 funding events in 2025 were all debt rounds by publicly traded cybersecurity companies. This marked a significant shift from previous years and signaled that even the largest cybersecurity players needed capital to make AI initiatives a reality and to fund future acquisitions.
These numbers show a return closer to the ZIRP-era highs of 2021-2022, when nearly 60 transactions exceeded $100 million.
When we look at the top 10 categories this year, and compare them to previous years, we can see a really interesting shift in what is perceived as valuable. Funding itself does not guarantee customer traction, of course, but all funding is a form of a bet. Founders and investors are constantly making bets about what the industry will care about, based on the past, the changing threat landscape, and developments in the broader tech world. It’s essentially a slow-moving prediction market that we may not see materialize for years to come.
Here is a closer look at these top 10 categories and how they’ve changed over the last few years:
| Category | 2022 | 2023 | 2024 | 2025 |
|---|---|---|---|---|
| Secure Networking | $115M | $1.36B | $106M | $3.34B |
| Network Security | $117M | $98M | $2M | $2.12B |
| Security Awareness | $179M | $40M | $91M | $1.65B |
| Security Operations | $527M | $78M | $383M | $1.39B |
| Privileged Access Management (PAM) | $51M | $19M | $50M | $1.17B |
| Data Security Posture Management (DSPM) | $304M | $205M | $697M | $1.08B |
| Identity and Access Management (IAM) | $295M | $669M | $380M | $1.01B |
| Software Supply Chain Security | $241M | $284M | $273M | $980M |
| Fraud and Financial Crime Protection | $755M | $928M | $350M | $915M |
| IoT Security | $292M | $58M | $264M | $760M |
Looking at the table, here are just a few things that the market cared about:
Security Foundations Dominated - The top three categories of Secure Networking, Network Security, and Security Awareness are all foundational security plays. If we take this at face value, however, we’ll miss the bigger message. These top categories were all from public cybersecurity companies that are recapitalizing and expanding their offerings and acquisition appetites. This is a Trojan horse for what comes next.
Identity Had the Real Moment - This is likely no surprise, as 2025 saw the further explosion of AI and Agentic AI applications. Privileged Access Management (PAM), Non-Human Identity (NHI), and all forms of Agent Identity became priority number one. The CyberArk/Palo Alto $25B acquisition was the biggest nod to this effect, but it was only one of many such cases.
Data Security for AI Data - As AI workloads ran amok and data sprawled across every cloud imaginable, enterprises realized they had no idea where their sensitive data actually lived. Knowing your company’s data footprint went from a nice little compliance checkbox to a prerequisite for doing anything with AI.
AI Drove the Fraud Rebound - Fraud and financial crime protection rebounded after a soft 2024, driven by AI-generated deepfakes and synthetic identity attacks. The threat landscape expanded, and the market followed.
2025 wasn't about new breakout categories, and it wasn’t purely about “Security for AI.” It was about capital flowing back to the proven winners in foundational security and the “boring” stuff. We say “boring” tongue-in-cheek here because, despite all the tech advances, the industry still faces the same challenges. New tech, same problems.
People say, “History doesn’t repeat itself,” but in the cyber industry, it really does.
What was the funding stage distribution?
From a volume standpoint, there were some significant changes in 2025 compared to previous years.
Early-stage funding volume rebounded significantly in 2025. After falling from 464 deals in 2022 to just 339 in 2024 (a 27% drop), early-stage funding rebounded to 408 deals in 2025. The AI wave drove this increase in part by making it easier to build new ideas, and by investors making more early-stage bets in a rapidly shifting market. Founders are getting funded again, just more selectively.
Growth-stage deals barely budged from 212 (2024) to 219 (2025). This stallout is the "graduation problem" in action. In the cybersecurity industry, you either get acquired at the Series A/B stage or go for broke and raise a lot more funding to try to become the next Wiz. This cohort is always in the most challenging situation. They are often too small to go against the largest companies, but are old enough to get outcompeted by an early-stage company if they are not careful. This is the second make-or-break phase in a company’s lifespan.
The late-stage market neither expanded nor contracted. Capital went to proven winners rather than speculative bets. Public companies had a field day in 2025 and were tapping debt markets for acquisition war chests.
When it came to funding, 2025 showed a market healing from the bottom up.
Who acquired cybersecurity companies in 2025?
TL;DR: M&A activity surged with 320 deals worth $76.4 billion in disclosed value, up 16% in deals and 66% in dollars from 2024. The 26 mega-deals ($100M+) captured virtually all disclosed value. Average disclosed deal size jumped 82% from $1.36B to $2.47B. Disclosure rates dropped to 9.7% as more PE and strategic deals happened quietly.
2025 was the year that acquisitions ripped again in the cybersecurity industry.
And it wasn't just one cyber company buying another, nor was it just cyber companies being taken private by a PE firm (although there was plenty of that). No, 2025 was the year the industry started to expand and branch out into other domains.
Highlights:
320 acquisitions with $76.4 billion in disclosed value, up 16% in deals and 66% in dollars from 2024
26 mega-deals ($100M+) captured virtually all disclosed value
Average disclosed deal size jumped 82% from $1.36B to $2.47B
Disclosure rates dropped to 9.7%, down from 12.3% in 2024, a sign of more PE and strategic deals happening quietly
Cybersecurity M&A reached $76.4 billion in disclosed value across 320 deals in 2025, a 66% increase from 2024's $46.1 billion.
We saw cyber companies buying IT and Observability companies. We saw IT companies buying cyber companies, either to expand their growing cyber businesses or to enter the market. We saw manufacturing and electronics companies buying cyber companies.
Here are a few of the "non-standard" acquisitions that happened in 2025 (which also happen to be some of the largest):
ServiceNow acquired Armis, an IoT security company, for $7.8 billion.
Palo Alto Networks acquired Chronosphere, an observability company, for $3.4 billion.
ServiceNow acquired Veza, an identity security and governance company, for a reported $1 billion+.
Mitsubishi Electric acquired Nozomi Networks, an IoT security company, for $1 billion.
There are horizontal and vertical expansions happening at more and more turns, and the cyber industry is permeating more and more parts of life.
2025 marked the start of The Great Bundling era—cyber companies buying IT, IT buying cyber, and manufacturing entering security through acquisition.
How did 2025 compare to previous years?
| Metric | 2023 | 2024 | 2025 | YoY Change |
|---|---|---|---|---|
| Total Deals | 258 | 276 | 320 | +16% |
| Disclosed Value | $40.6B | $46.1B | $76.4B | +66% |
| Deals with Value | 33 (13%) | 34 (12%) | 31 (10%) | Transparency down |
| Average Deal (disclosed) | $1.23B | $1.36B | $2.47B | +82% |
| Strategic Acquirers | 235 (91%) | 252 (91%) | 290 (91%) | Consistent |
| PE/Investor Acquirers | 23 (9%) | 24 (9%) | 30 (9%) | Consistent |
The pattern mirrors funding: deal volume increased modestly (+16%), but dollars surged (+66%) as average deal size nearly doubled. Mega-deals drove the growth, with Google's $32B Wiz acquisition alone accounting for 42% of all disclosed value.
Average disclosed M&A deal size jumped 82% in 2025, from $1.36 billion to $2.47 billion, with mega-deals driving the entire market.
Where were companies acquired?
| Target Region | Deals | % of Total | Disclosed Value |
|---|---|---|---|
| United States | 176 | 55.0% | $75.3B |
| Europe | 54 | 16.9% | $290M |
| United Kingdom | 35 | 10.9% | $31M |
| Israel | 19 | 5.9% | $519M |
| Australia & NZ | 14 | 4.4% | $252M |
| Canada | 9 | 2.8% | $1.3M |
| Asia | 8 | 2.5% | $0 |
The US dominated both volume (55%) and value (98.6% of disclosed dollars). This reflects the reality that the largest cybersecurity companies are overwhelmingly American. Sometimes that's through Israeli companies that move to the US, so it’s not always clear-cut.
Who were the top acquirers?
| Rank | Acquirer | Deals | Disclosed Value | Notable Targets |
|---|---|---|---|---|
| 1 | Palo Alto Networks | 3 | $28.4B | CyberArk, Chronosphere, Protect AI |
| 2 | ServiceNow | 2 | $8.75B | Armis, Veza |
| 3 | Google | 1 | $32.0B | Wiz |
| 4 | Integrity360 | 4 | Undisclosed | Holiseum, Redshift, Cresco |
| 5 | JumpCloud | 3 | Undisclosed | Breez, Stack Identity |
| 6 | Veeam Software | 1 | $1.73B | Securiti |
| 7 | Mitsubishi Electric | 1 | $1.0B | Nozomi Networks |
| 8 | Blackstone Group | 1 | $750M | NetBrain Technologies |
Palo Alto Networks continued its aggressive platform expansion, making three acquisitions totaling $28.4 billion. ServiceNow emerged as a surprising consolidator, making two billion-dollar security acquisitions after years of organic investment.
Palo Alto Networks and ServiceNow together accounted for $37 billion in cybersecurity acquisitions in 2025, more than the entire M&A market in 2023.
What were the largest cybersecurity acquisitions in 2025?
In 2025, 26 acquisitions exceeded $100 million, up from 21 in 2024. The top 10 combined for $73.0 billion, 96% of all disclosed M&A value:
CyberArk Software, a United States-based suite of identity security and privileged access management (PAM) tools, was acquired by Palo Alto Networks for $25.0B. CyberArk Software had previously raised $1.7B in funding.
Armis, a United States-based agentless IoT security platform, was acquired by ServiceNow for $7.8B. Armis had previously raised $1.2B in funding.
Chronosphere, a United States-based observability platform for microservices and containers, was acquired by Palo Alto Networks for $3.4B.
Securiti, a United States-based multi-cloud data protection and privacy company, was acquired by Veeam Software for $1.7B. Securiti had previously raised $156M in funding.
Nozomi Networks, a United States-based operational technology (OT) security platform for industrial control systems (ICS), was acquired by Mitsubishi Electric for $1.0B. Nozomi Networks had previously raised $266M in funding.
NetBrain Technologies, a United States-based network security and IT asset visibility platform, was acquired by Blackstone Group for $750.0M.
Red Canary, a United States-based managed detection and response (MDR) platform, was acquired by Zscaler for $675.0M. Red Canary had previously raised $130M in funding.
MarkMonitor, a United States-based brand fraud and abuse monitoring platform, was acquired by Com Laude for $450.0M. MarkMonitor had previously raised $45M in funding.
The Biggest Deal Ever: Google Buys Wiz for $32 Billion
Google's acquisition of Wiz wasn't just the largest cybersecurity deal of 2025; it was the largest in industry history.
The $32 billion price tag for a company that raised $2 billion in venture funding represents a 16x multiple on capital raised. More importantly, it signals that the hyperscalers are done building security in-house. Google tried. They launched Chronicle, acquired Mandiant for $5.4 billion in 2022, and invested heavily in their own cloud security tools. None of it worked the way Wiz did.
Wiz built what Google (or any of the hyperscalers) couldn't: a holistic cloud security platform that enterprises actually adopted. The deal closed the chapter on whether cloud providers would own security or buy it. They're buying it.
This acquisition alone accounted for 42% of all disclosed M&A value in 2025. Google's acquisition of Wiz wasn't an isolated move, either. It was part of a larger pattern that defined 2025 and saw boundaries blurring.
The Great Bundling
These cross-industry acquisitions are signaling that the boundaries between cyber, IT, and OT are dissolving.
We also saw this at the product level. In 2025, we saw some of the largest public cybersecurity companies, like CrowdStrike ($CRWD), push heavily into IT management and infrastructure, moving upstream to capture not just the CISO budget, but also the CIO and CTO budgets. As these roles are converging in some organizations, it makes sense for companies to punch above their weight to grab a bigger piece of a bigger pie.
What this means is that everyone just got a whole lot more stakeholders to sort through.
These companies from outside of cyber entering this world through acquisition or product expansion will have many contacts and potential buyers that security companies may not already have. It means the art of the enterprise sell will carry more gravity if there's a natural extension play into IT, OT, and security adjacencies.
We call this The Great Bundling era, and it's just getting started.
Was AI Security the biggest trend in cybersecurity in 2025?
TL;DR: No. Despite the hype, AI Security captured just 2.6% of cybersecurity funding in 2025—not even in the top ten categories. The real story is AI being absorbed into every existing security category, not emerging as a standalone market. Identity and Access Management alone raised 4x more than all AI Security combined.
On AI & Security
"AI Security" was supposed to be the story of 2025. Every market report, every investor thesis, every vendor pitch deck predicted it would dominate. The data, however, tells a different story. AI Security captured just 2.6% of cybersecurity funding in 2025.
Even with 75% year-over-year growth, from $377 million in 2024 to $661 million in 2025, AI Security remains a rounding error in the broader market. Despite expectations and claims from many outlets and firms that "AI Security" was the most active financing category in the cybersecurity industry in 2025, the numbers just don't add up.
Not only was the broader umbrella category for "AI Security," which includes "AI for Security" and "Security for AI," not the top category, but it wasn't even in the top ten for the year. For perspective, Identity and Access Management alone pulled in $2.75 billion in 2025, more than four times the entire AI Security category. The "boring" stuff keeps winning.
Despite the headlines, it was one of the least-funded areas in all of cyber in 2025.
The deal sizes tell the story, too. AI Security averaged $11 million per round in 2025, up from $7-8 million in prior years, but still no breakthrough mega rounds. The category is growing, but it's not scaling as an independent category that will stand on its own and command security team budgets the way that cloud security, email security, and endpoint detection and response have.
Somewhere out there, in the vast nothingness of space, an investor sheds a single tear.
AI, as it relates to the cybersecurity industry, is being adopted as a foundational technology. Is something really a differentiator when everyone is using it?
When you zoom in and look at the details, almost every cyber company has an AI story. They have to; there's no avoiding it, given customer and investor pressures alike. Every cyber company was adding AI in 2023 and 2024, because it looked as if "AI Security" would become a standalone category that would garner a lot of budget. As AI itself has matured and the capabilities of what is possible have grown, that once-perceived differentiation has started to disappear.
"AI Security" is being absorbed and integrated into every existing category at roughly the same rate AI is being adopted into business operations. This isn't a bad thing. We're lucky to live in a time when we can see the evolution of technology in industry.
The same thing happened with the cloud from 2010 to 2020, but AI innovation has compressed the timeline. By 2015, every product added "cloud" to its positioning. By 2020, many had quietly dropped it because the cloud had become the default way of doing business.
AI is following the exact same path, just much faster.
AI cannot exist without data, but AI should not exist without security.
What are the geopolitical stakes of AI security?
Beyond the funding data, there's a larger geopolitical reality shaping AI security's future. The AI security question is forcing nations into an uncomfortable choice between America's open but increasingly isolationist tech ecosystem and China's closed civil-military fusion model. Neither path is clean.
As I wrote in Understanding the AI Arms Race, the winner won't be determined by who builds the most powerful models. Instead, it will come down to who earns the world's trust to secure it. That trust is still up for grabs, and security is what will ultimately tip the scales.
How should we categorize AI Security?
In 2026, we're being more judicious about the "AI Security" product category and label. Most companies aren't securing AI; they're using AI to accelerate existing security workflows. In our view, there's a meaningful distinction between "Security for AI" (protecting models and AI applications) and "AI for Security" (using AI to improve traditional security operations). 95%+ of companies in this domain are in the AI for Security bucket.
If you're reading reports that claim Security for AI was the breakout theme and dominant category in 2025, dig into how that's being defined. When every website and pitch deck with "AI" gets lumped together, the numbers can say whatever you want them to say. Methodology matters here, but the incentives behind those methodologies matter even more.
Where did cybersecurity capital flow geographically in 2025?
TL;DR: US-to-US funding dominated, jumping 125% from $5.9B to $13.3B (2023 to 2025). European investors dramatically shifted homeward (+209% intra-Europe growth), while cross-Atlantic flows stayed relatively flat. The data suggests regional tech ecosystems are strengthening rather than globalizing.
After the market correction of 2022-2023, 2025 delivered the answer we've been waiting for. The United States recovered and surpassed its previous peak. The trajectory from $10.7B in 2023 to $11.1B in 2024 to $18.5B in 2025 represents a 66% year-over-year increase and signals that the correction period is firmly over.
In short: yes, we are very much back.
Highlights:
US funding hit $18.5B, 30% higher than the total global funding raised in 2024, surpassing the 2022 peak of $16.3B
Israel's remarkable recovery: $2.5B in 2025, up from $842M in 2024 (+200% YoY), setting a new all-time high
Europe continued climbing: $1.33B in 2025, up 81% from $734M in 2024
Deal concentration intensified: US average deal size jumped 87% from $29M to $54M
US + Israel absorbed 91% of global cybersecurity funding across 68% of deals
The United States raised $18.5 billion in cybersecurity funding in 2025, surpassing its 2022 peak and marking a 66% year-over-year increase. The correction period is over.
How did each region perform?
Israeli cybersecurity companies raised $2.5 billion in 2025, a 200% increase from 2024 and a new all-time high, despite ongoing geopolitical uncertainty.
The ranking chart above clearly tells the concentration story. A few observations:
The United States held the #1 position at every single stage, commanding 58-91% of capital depending on round type. This is where later-stage capital density becomes the ultimate moat.
Israel tells a Series A and B story. Ranking #2 at Series A ($607M, 23%) and Series B ($933M, 31%), Israel captured nearly a third of all global Series B capital. But the early stage and late stage remain thin on publicly available data. This is consistent with the Israeli model of building companies for rapid scale and exit in the US rather than long-term local growth.
Europe showed remarkable consistency, ranking 2nd or 3rd at every stage from Series A through Growth. Most notably, Europe overtook Israel in both Series C and Growth Stage rounds. Europe's ecosystem sustains companies through later stages, even if it doesn't produce the same concentration of mega-rounds.
The United Kingdom raised $580M across 52 deals (+41% YoY), with an average deal size of $11.2M. The UK is a pipeline story with strong early-stage activity, consistent 4th-5th ranking through Series A, but companies often look to the US for growth capital. Post-Brexit independence cuts both ways, and UK founders face harder choices about where to scale.
Asia saw the year's most significant reversal, dropping from meaningful 2024 activity to a 64% decline. Asia still has a forming but fractured cybersecurity ecosystem, and many companies start there and end up moving to the United States.
Emerging markets (the Middle East, Latin America, and Africa) remain far behind. The scale of the disconnect from the top regions is huge and widening.
UK cybersecurity funding grew 41% to $580M in 2025, smaller than continental Europe but with stronger early-stage pipeline development.
Did "America First" policies change funding patterns?
How did new isolationist policies and the rise of American Dynamism shift where money went and where startups were formed?
Looking at the data, the answers are nuanced, but a clear theme emerges.
The US kept its capital home in 2025. US on US funding grew 56% over three years, from $8.2B to $12.8B, and US investors remain kingmakers at the growth stage, with larger follow-on capital and global scaling playbooks. The cross-Atlantic deployment to Europe remained steady but flat. Most notably, US investors showed almost no appetite for UK deals, dropping from $170M to $140M.
Europe deployed more at home (+68% from 2023 to 2025), while almost entirely pulling back from the UK. Europe's funding to the UK collapsed from $43M to just $9M. European investors still write checks to US companies, but the trend is clearly homeward. Movements like EU Inc. will only make this more appealing and easier to do, and we expect this to not only concentrate things in Europe but also broaden it.
The UK tells the most interesting story. While UK startup formation is growing and getting stronger, the figures are still very low. UK on UK funding stayed flat at ~$60M annually, meaning UK investors aren't deploying domestically at scale. Instead, UK capital is still leaving home. UK investments in the US quadrupled from $200M to $800M, and UK investments in Europe grew 5x from $63M to $300M.
UK founders are building companies, but UK investors are still funding everyone else's ecosystems. There are a number of growing exceptions to this rule in the UK, but founders there will ultimately look to the US and Europe for growth capital, and may move there too.
The US and Europe are building self-sufficient cybersecurity economies, and regional tech ecosystems are strengthening rather than globalizing.
European investors deployed 68% more capital at home in 2025 than in 2023. Regional ecosystems are strengthening rather than globalizing.
Public Markets and The RoS Cyber Index
TL;DR: Pure-play cybersecurity stocks underperformed the broader market in 2025. The RoS Cyber Index returned -6.5%, trailing the S&P 500. The largest platform winners (CrowdStrike, Zscaler) thrived while point products struggled. Both 2025 IPOs, SailPoint and Netskope, are underwater.
The RoS Cyber Index
To track the health of public cybersecurity markets, we created the RoS Cyber Index, an equal-weighted index of 14 pure-play cybersecurity companies. "Pure-play" means 80%+ of revenue comes from security products and services. This filters out tech giants with security divisions (Microsoft, Google, Amazon) whose stock movements reflect broader enterprise trends rather than security-specific dynamics.
The 14 companies (at the time of writing this): Palo Alto Networks, CrowdStrike, Fortinet, Zscaler, Check Point, CyberArk, Okta, SailPoint, Netskope, Qualys, SentinelOne, Varonis, Tenable, and Rapid7.
If you read the newsletter, you’ll recognize this index from the public markets update section, giving a snapshot of the past week’s performance.

As of market close on February 2, 2026
Why equal-weighted? Market-cap weighting would let CrowdStrike and Palo Alto dominate the index, but there’s a lot more to cyber than that. Equal weighting gives a clearer picture of how the average public cyber company performed, and in 2025, that picture wasn't pretty.
2025 Index Performance
Only 5 of 14 pure-play cyber stocks finished the year in the green.
We also track cyber-adjacent companies in the infrastructure, cloud, and data recovery names where security is a growing revenue driver. These stocks often signal where the market is headed before pure-play cyber catches up.
A Defining Moment: Palo Alto Buys CyberArk
One of the biggest stories in public cyber wasn't earnings or product launches; it was Palo Alto Networks' $25 billion acquisition of CyberArk in July.
This wasn't just consolidation. It was the market's largest bet on agentic identity.
As AI agents proliferate across enterprises, the question of "who gets access to what" becomes exponentially more complex. CyberArk's privileged access management (PAM) capabilities, historically focused on human administrators, become critical infrastructure for managing machine identities, service accounts, and autonomous agents. Palo Alto paid a ~26% premium to own that position.
The deal hasn't closed yet, but this transaction signals where the platform giants think value is consolidating. Whoever controls agent identity controls the AI security stack.
The Class of 2025: Two IPOs, Two Disappointments
| Company | IPO Date | IPO Price | 12/31 Price | Return |
|---|---|---|---|---|
| SailPoint | Feb 2025 | $24.55 | $20.23 | -17.6% |
| Netskope | Sep 2025 | $24.70 | $17.54 | -29.0% |
Both 2025 IPOs came from companies returning to public markets after previous PE take-privates. Neither took off very well, but that story has been repeating itself in the broader tech market as well.
SailPoint's identity governance story didn't resonate the way CyberArk's PAM story did. Netskope's SSE platform faces margin pressure from CrowdStrike and Zscaler bundling similar capabilities into broader platforms.
How did our 2025 predictions hold up?
TL;DR: We got 6.5 out of 9 predictions right (depending on how you score PE vs. strategics). We missed on AI-enabled cyber valuations, the talent market, and the PE vs. strategics call was a coin flip.
Last year, we made these predictions, and here is how we fared:
✅ M&A Acceleration — Deal volume jumped 20% to 743 transactions, led by Google's $32B Wiz acquisition
✅ AI-native Early-Stage Boom — AI security seed rounds doubled
✅ Geographic Concentration — US-to-US funding grew 33%; cross-border stayed flat
✅ At Least One IPO — SailPoint relisted in March, and Netskope went public
✅ Insurance-Driven Purchasing — Compliance requirements became the top mid-market driver
✅ Crypto/Web3 Resurgence — The Trump administration reignited the market (and the pump and dump that followed).
⚖️ PE was the Dominant Exit — Split decision. PE roll-ups drove 47% of deals by volume (152 services deals). But strategics took the mega-exits with Wiz, CyberArk, and Armis. PE won the middle market, but strategics won the headlines.
❌ Talent Market Normalization — Layoffs at cyber companies increased 31% in 2025
❌ AI Valuation Stabilization — Wrong. Valuations accelerated.
Closing and what we predict for 2026
2025 was a year of consolidation and concentration. 2026 will be a year of reckoning for public market expectations, for point product companies, and for the globalization thesis. The money is still flowing. The question is where it lands.
Here's what we expect to see happen in 2026 and beyond:
Application Security Dissolves Down the Stack — With AI driving most code generation, application security must be integrated at the infrastructure, endpoint, and network layers rather than remaining a standalone category. AppSec funding declined 21% (3-year CAGR), not because it doesn't matter, but because it's being absorbed into platforms and runtime environments. Expect the "AppSec" category to start fading and morphing by 2027.
Government and Defense Investment Increases — Isolationist policies are driving regional growth and self-sustainment across the US, Europe, and allied nations. In-Q-Tel (IQT) was already a top-20 investor by deal count in 2025. Expect defense-adjacent cyber companies and cleared vendors to see disproportionate funding as governments prioritize sovereign capability over global supply chains.
The Services Economy Overtakes Product Innovation — 47% of 2025 M&A deals were services companies, MSPs, MSSPs, and consultancies being rolled up by PE. The market is shifting from "buy tools" to "buy outcomes," and the largest cybersecurity exits in 2026 will be PE-backed services platforms, not product companies. Product innovation will increasingly happen inside service businesses, not standalone vendors.
A Non-US Region Has a Breakout Year — Israel posted +197% funding growth in 2025 despite geopolitical headlines, and the Gulf states and ANZ grew +200%+ from small bases. In 2026, at least one non-US market will post triple-digit growth and begin competing for growth-stage capital, not just seed capital.
The Cyber IPO Window Closes Again — SailPoint was down ~18% since its re-IPO. Netskope is down ~29% since its listing. Public cyber companies across the board underperformed the S&P 500 and other global indices. Despite the narrative that the window finally opened, public markets punished both new cyber entrants. The same held true for general tech IPOs. Expect no new pure-play cyber IPOs in 2026, and expect PE and strategic M&A to remain the only viable exits.
If you're a buyer, expect more vendors, shorter contracts, and faster cycles. AI has made POCs trivial, and switching costs are collapsing. If you're a founder, expect to pick a lane faster than you anticipate. Either get acquired early or swing for a platform play. If you're an investor, expect regional concentration and government money to reshape deal flow. The market is consolidating faster than the narratives can keep up.
If you made it this far, we can't thank you enough. If you enjoyed it, please consider sharing it with your network. This is the fourth year we've put together the Return on Security annual report, and honestly, the community that's grown around it is the reason we keep doing it.
We welcome your thoughts, questions, and feedback as we continue to monitor the constantly evolving cybersecurity landscape together.
Until 2027!
About This Report
Return on Security is an independent research firm tracking cybersecurity funding, M&A, and market trends. It was founded by Mike Privette, a cybersecurity economist with 18 years of experience, from security engineer to CISO.
This is the fourth annual State of the Cybersecurity Market report. Data comes from our proprietary database:
All data captured point-in-time from publicly available sources
Financial figures converted to USD at current exchange rates
We track grants, debt, and post-IPO events—not just venture capital
We track service businesses (MSSPs, MDR, consultancies)
We exclude fraud platforms, defense-only companies, and unverified transactions
Spot an error? Let us know.












