💰 Security, Funded #215 - There's No Governance in this Dojo
Get cybersecurity market and intelligence insights, including key trends and industry analysis, for the week of October 6, 2025.

Hey -
I hope you had a great weekend, and a long one if you’re reading from the U.S.!
Last week, I had the chance to attend the UK Cyber Flywheel event in London, organized by Harmonic Security.

We were standing on business 😤 👊
It was a top-notch event, and the conversations were long overdue for the local ecosystem. I really enjoy events like these, because they can bring together a cross-section of people and companies in the cybersecurity economy, which is often hard to get together otherwise. Already looking forward to the next one!
QUICK ASK: Are you using this newsletter for any cool automations or data enrichment projects? I’d love to hear about what you’re building - Let me know!

PARTNER
Does your work browser work for AI?
Sometimes changing one thing, changes everything.
Most companies face a tough choice:
Block AI, stymie innovation, and fall behind fast-moving competitors
Leave AI ungoverned and open the business to new risks
All because the place where users work with AI wasn't designed to work with AI.
But what if it was?
With Island’s Enterprise Browser, you don’t have to choose. You can say “Yes” to AI by extending last-mile control and policy to all sanctioned and unsanctioned AI usage. In short, you turn shadow AI into managed AI.
Stop choosing. Start enabling.

😎 Vibe Check
Click the options below to vote on whether you are a practitioner, founder, or investor. Feel free to leave a comment, and I'll feature the best takes in next week’s write-up!
What level of AI governance oversight are your customers and third parties requesting?
Last issue’s vibe check:
How would you describe your organization's approach to overseeing third-party AI vendors?
🟩🟩🟩🟩🟩🟩 Comprehensive AI vendor risk assessment program
🟩🟩🟩🟩🟩🟩 Standard vendor process with AI considerations
🟨⬜️⬜️⬜️⬜️⬜️ Basic due diligence, minimal AI-specific review
🟨🟨🟨🟨🟨⬜️ Same process as any other vendor
Some pretty interesting results, with a two-way tie accounting for 62% of the votes, between comprehensive programs for AI vendor risk and just the standard treatment.
On the one hand, it makes sense because companies find managing third-party risk to be easier than managing their own risk. If you remember from previous vibe check issues, only 19% of respondents self-identified as having a strong internal AI governance program. It’s the classic security story all over again, where it’s easier to audit vendors than fix your own house.
Now, it could be that existing third-party management capabilities still fall short of what you can do first-hand at your own company, and it’s easier to fall back on compliance and contractual obligations than to deeply probe your vendors.
Either way, this week’s question flips the script.
Some of the top comments from last week’s vibe check:
💬 “I’m not at an F100 with deal sizes that drive change in the vendor’s roadmap. Anything bespoke/deep diving must have a solid security ROI.”
💬 “Maturing toward operationalizing this, but the thought is there.”

💰 Market Summary
Private Markets
10 companies from 3 countries raised $94.6M across 10 unique product categories
Average deal size was $9.5M (median: $6.5M)
78% of funding went to product companies
6 companies from 4 countries were acquired for $450.0M
67% of M&A activity went to product companies
Public Markets
No public cyber companies had an earnings report

As of market close on October 10th, 2025.

📸 YoY Snapshot
Rolling 12-week charts that compare funding and acquisitions weekly in a year-over-year (YoY) view between 2024 and 2025.

Funding activity over the past 12 weeks totaled $2.3B across 145 deals (mean: $18.3M, median: $8.5M), a 30% decrease compared to the same period last year when $3.3B was invested across 135 deals.

M&A activity last week cooled a bit compared to the last few weeks, but there have been 64 acquisitions completed over the trailing 12 weeks (averaging 5.3 per week).

PARTNER
CVSS Says Critical. EPSS Says Context.
Security teams can’t fix every issue - research shows most only remediate 10-15% of vulns each month. The challenge is knowing what’s truly urgent. That’s why more teams are adopting EPSS, which predicts which vulns are most likely to be exploited in the next 30 days.
Paired with CVSS, CISA KEV, and expert context in the Intruder platform, it’s proving to be the smarter way to prioritize — helping lean teams spend less time debating what to fix and more time reducing risk.

☎️ Earnings Reports
This analysis is personal research and opinions only. This is not financial or investing advice. Do your own due diligence before making investment decisions.
Earnings reports from last week: None
Earnings reports to watch this coming week: None

🧩 Funding By Product Category

$58.0M for Threat Intelligence across 1 deal
$22.0M for Secure Networking across 2 deals
$15.0M for Security Analytics across 1 deal
$12.0M for Remote Browser Isolation across 1 deal
$9.3M for Data Protection across 1 deal
$8.3M for Application Security across 1 deal
$3.3M for Managed Security Services Provider (MSSP) across 2 deals
$3.3M for Continuous Automated Red Teaming (CART) across 1 deal
$2.3M for Data Privacy across 1 deal
An undisclosed amount for Fraud and Financial Crime Protection across 1 deal
An undisclosed amount for Password Management across 1 deal
An undisclosed amount for Professional Services across 1 deal

🏢 Funding By Company
Product Companies:
Filigran, a France-based cyber threat intelligence platform, raised a $58.0M Series C from Eurazeo.
Realm.Security, a United States-based security and cloud data aggregation and analytics platform, raised a $15.0M Series A from Jump Capital.
Authentic8, a United States-based remote browser isolation platform, raised $12.0M in Debt Financing from Vistara Growth.
Pantherun Technologies, an India-based encryption-in-use network platform, raised a $12.0M Series A from Sahasrar Capital and Lucky Investment Managers.
Sitehop, a United Kingdom-based secure networking hardware platform, raised a $10.0M Series A from Northern Gritstone.
DigiCert, a United States-based digital certificate provider, raised $9.3M in Debt Financing from Runway Growth Capital.
Arcjet, a United States-based runtime application security as code platform, raised an $8.3M Series A from Plural Platform.
Mind The Hack, a Greece-based continuous automated red teaming platform, raised a $3.3M Seed from Deep Capital Group.
Nymiz, a Spain-based privacy platform focusing on GDPR regulations, raised a $2.3M Pre-Series A from TIIN Capital.
1Password, a Canada-based password management platform, raised an undisclosed Secondary Market from Halo Experience Company.
ThreatFabric, a United States-based fraud threat intelligence platform, raised an undisclosed Corporate Round from OneSpan.
Service Companies:
Talion, a United Kingdom-based managed security services provider (MSSP), raised a $2.7M Seed from NPIF – Mercia Equity Finance.
CBRX, a Lithuania-based managed SOC-as-a-Service platform, raised a $624.7K Pre-Seed from Coinvest Capital.
Noventiq, a United Kingdom-based professional services company focused on cybersecurity and digital transformation, raised an undisclosed Private Equity Round from Niobrara Capital Partners.

🌎 Funding By Country

$58.0M for France across 1 deal
$44.6M for the United States across 5 deals
$12.7M for the United Kingdom across 3 deals
$12.0M for India across 1 deal
$3.3M for Greece across 1 deal
$2.3M for Spain across 1 deal
$624.7K for Lithuania across 1 deal
An undisclosed amount for Canada across 1 deal

🤝 Mergers & Acquisitions

Product Companies:
devOcean Security, an Israel-based cloud threat aggregation platform for security operations teams, was acquired by Pentera for an undisclosed amount. devOcean Security had previously raised $6.0M in funding.
Inky, a United States-based email security platform, was acquired by Kaseya for an undisclosed amount. Inky had previously raised $31.8M in funding.
Service Companies:

📚 Great Reads
10 Lessons Learned from Scaling - The CEO of SecurityScorecard, Aleksandr Yampolskiy, shares his 10 most impactful lessons he learned while building and scaling SecurityScorecard.
*The Great Vendor Lock-in Escape: Cribl’s Guide to De-risked SIEM Migration - Read Cribl’s 8-step guide to mitigate the costs and risks of SIEM migration. Modernize your security strategy and decouple your data from vendor lock-in.
SaaS Is Dead. Long Live Service-As-A-Service - The age of AI is ushering in nothing less than the great servicification, where product-led-growth gives way to an outcomes-obsessed model.
*A message from our partner

🧪 Labs
Who is she?? 😍
i’m so jealous of her
— horse dentist (@equine__dentist)
3:20 PM • Aug 21, 2025

Data Methodology and Sources
All of the data is captured point-in-time from publicly available sources.
All financial figures are converted to U.S. Dollars (USD) at the current spot rate at the time of collection.
Company country locations are pulled from publicly available sources.
Companies are categorized using the Return on Security system.
Sometimes the deal details, such as who led the round, how much was raised, or the deal stage, may be updated after publication.
Let us know if you spot any errors, and we’ll fix them.