💰 Security, Funded #209 - Summer's Over, Time to Lock In
Get cybersecurity market and intelligence insights, including key trends and industry analysis, for the week of August 25, 2025.

Security, Funded by Return on Security, is a weekly analysis of the public and private economic activity in the cybersecurity market. This week’s issue is brought to you by Specops and Permiso Security.
Hey -
Hope you had a great and long weekend if you’re tuning in from the US!
Summer is officially over here in the UK, as in many other places in the Northern Hemisphere. I hope that you’ve had the chance to take a break this summer and do some fun and interesting things.
One of the coolest things for me is that I get to write this newsletter from just about anywhere in the world, and boy, did I test those boundaries this summer!
For my European homies (and those who like to travel) - if you’re considering attending Cybersec Netherlands 2025 next week, I’ll be giving one of the keynote talks on the state of the Cybersecurity Economy in Europe. You can register here if you’re interested.
A little over one quarter left in the year. It’s time to lock in. 😤👊

PARTNER
Your AD passwords are an open secret
Free tool to expose weak credentials
Attackers don’t guess... they use stolen passwords. And odds are, some of yours are already exposed. With Specops Password Auditor, IT can instantly uncover weak, shared, and breached credentials in Active Directory. Stop flying blind, run your free AD password audit today.

😎 Vibe Check
Click the options below to vote on whether you are a practitioner, founder, or investor. Feel free to leave a comment, and I'll feature the best takes in next week’s write-up!
How do you really use industry analyst reports?
Last issue’s vibe check:
Which compliance requirement makes the least actual security sense?
🟨🟨⬜️⬜️⬜️⬜️ 📝 Annual security training videos
🟩🟩🟩🟩🟩🟩 🔐 Password rotation every 90 days
🟨🟨🟨⬜️⬜️⬜️ 📋 Documenting the documentation
🟨🟨⬜️⬜️⬜️⬜️ ✅ All of the above (and more!)
Password rotations stole the show far and away here. I thought the annual security training would have seen more hate love. Documenting the documentation (for compliance documents in the document repository, of course) came in a distant second. Even NIST no longer recommends forced password rotations for users unless there is evidence of a password compromise or breach.
When will the compliance world catch up?
Some of the top comments from last week’s vibe check:
💬 “Password rotation just ends up confusing people and being decorative. It should be implemented only if it can be done completely automatically without human interference. Password rotation for service accounts that are never logged into by a human? Yes please. Password rotation for a human? Fusty crusty policy. Better to use a password manager, or even passkeys stored in a password manager, accompanied with a separate authentication factor.”

💰 Market Summary
Private Markets
8 companies from 5 countries raised $31.0M across 8 unique product categories
Average deal size was $6.2M (median: $4.6M)
100% of funding went to product companies
5 companies from 5 countries were acquired for $390.0M
60% of M&A activity went to product companies
Public Markets
3 public cyber companies had an earnings report

As of market close on August 29, 2025.

📸 YoY Snapshot
Rolling 12-week charts that compare funding and acquisitions weekly in a year-over-year (YoY) view between 2024 and 2025.

Funding activity over the past 12 weeks totaled $5.2B across 122 deals (mean: $50.0M, median: $6.9M), representing a 40% increase compared to the same period last year when $3.7B was invested across 130 deals.

M&A activity remained strong with 71 acquisitions completed over the trailing 12 weeks (averaging 5.9 per week). This represents a 15% increase from the 62 acquisitions during the same period in the previous year.

PARTNER
Discover Every Identity. Protect Against Exposures. Defend With Speed.
Clarity and speed for identity and security teams
Permiso's platform unifies all identities (human, NHI, and AI) across all environments. Powered by a universal identity graph, we track activity, risk, and threats in real time, cutting investigations from hours to minutes by correlating logs and building timelines automatically. This way, your team can focus on stopping threats instead of chasing data.

☎️ Earnings Reports

🧩 Funding By Product Category

$20.0M for Confidential Computing across 1 deal
$5.5M for Security Awareness across 1 deal
$4.6M for Endpoint Detection and Response (EDR) across 1 deal
$750.0K for Threat and Risk Prioritization across 1 deal
$200.0K for Digital Rights Management (DRM) across 1 deal
An undisclosed amount for Breach & Attack Simulation (BAS) across 1 deal
An undisclosed amount for AI Governance across 1 deal
An undisclosed amount for Data Loss Prevention (DLP) across 1 deal

🏢 Funding By Company
Product Companies:
HUB Security, an Israel-based confidential computing platform, raised a $20.0M Post-IPO Equity. (more)
Moxso, a Denmark-based security awareness training and phishing simulation platform, raised a $5.5M Seed from Seed Capital Partners. (more)
Vali Cyber, a United States-based endpoint detection and response (EDR) platform focused on Linux, raised a $4.6M Venture Round. (more)
ThreatCaptain, a United States-based threat and risk prioritization platform for MSSPs, raised a $750.0K Pre-Seed from Founderville.VC.
Honeycake, a United States-based secure file sharing and rights management platform, raised a $200.0K Angel from SilverCircle and various angels.
RedMimicry, a Germany-based breach and attack simulation platform, raised an undisclosed Seed from HTGF (High-Tech Gruenderfonds). (more)
TrustWorks, a Spain-based AI data governance and privacy platform, raised an undisclosed Seed from Elkstone Ventures. (more)
InnerActiv, a United States-based insider risk and data loss prevention platform, raised an undisclosed Venture Round from Blu Ventures Investors and North Coast Ventures. (more)
Service Companies:
None

🌎 Funding By Country

$20.0M for Israel across 1 deal
$5.5M for the United States across 4 deals
$5.5M for Denmark across 1 deal
An undisclosed amount for Germany across 1 deal
An undisclosed amount for Spain across 1 deal

🤝 Mergers & Acquisitions
Product Companies:
Axiom, an Israel-based cloud identity and access management (IAM) automation platform, was acquired by Okta for $100.0M. Axiom had previously raised $7.0M in funding. (more)
ONUM, a Spain-based security analytics and data observability platform, was acquired by CrowdStrike for $290.0M. ONUM had previously raised $28.0M in funding. (more)
Zorse Cyber, a United States-based email security and anti-phishing platform, was acquired by ImageSource for an undisclosed amount. Zorse Cyber has not previously disclosed any funding events. (more)
Service Companies:
Trifork Security, a Denmark-based professional services firm focused on security and observability data consulting, was acquired by Wingmen Solutions for an undisclosed amount. Trifork Security has not previously disclosed any funding events. (more)
Risk Crew, a United Kingdom-based professional services firm focused on governance, risk, and compliance consulting, was acquired by Red Helix for an undisclosed amount. Risk Crew has not previously disclosed any funding events. (more)

📚 Great Reads
Intent Over Tactics: A CISO's Guide to Protecting Your Crown Jewels - Caleb Sima writes a practical guide to protecting your most critical assets when budget, headcount, and political capital are tight.
Phishing Emails Are Now Aimed at Users and AI Defenses - Phishing has always been about deceiving people, but a threat researcher discovered that attacker approaches are changing. Not only are they targeting users, but they are also acknowledging the presence of AI in the defensive stack and trying to attack it.

🧪 Labs


Data Methodology and Sources
All of the data is captured point-in-time from publicly available sources.
All financial figures are converted to U.S. Dollars (USD) at the current spot rate at the time of collection.
Company country locations are pulled from publicly available sources.
Companies are categorized using the Return on Security system.
Sometimes the deal details, such as who led the round, how much was raised, or the deal stage, may be updated after publication.
Let us know if you spot any errors, and we’ll fix them.
