Security, Funded by is a weekly intelligence briefing of the public and private economic activity in the cybersecurity market. This week’s issue is brought to you by Pixee and Cribl.

Well, well, well, if it isn’t the consequences of my actions coming back to haunt me.

I don’t know about you, but that whole “let’s circle back after the new year” thing is really rearing its ugly head for me these first few weeks of the year. 🥴

2026 just started, but the year has already kept up the acceleration and momentum that 2025 brought. The battle over the future of agentic and AI identity security is currently the hottest contested space in the industry, followed quickly by the evolution of security operations, and I see no signs of either slowing down any time soon.

Speaking of having no chill, 2026 is already ramping up in a big way for me and Return on Security, so be on the lookout for some new forays, mediums, and ventures throughout the year.

One of those new things is happening next week, when I’m sitting down with Maxime Lamothe-Brassard from LimaCharlie for a conversation about where AI in security operations is actually heading and what the agentic future of SecOps will look like. Max and his team have been quietly building something different: infrastructure that enables AI agents to operate directly, with the same access and capabilities as human analysts.

Our conversation will be part of a larger launch with many more talks, so make sure to sign up here!

Also, one more thing! If Return on Security has been helpful for you, no matter how long you’ve been reading, I would really value your input on this 2-minute survey:

👉 https://forms.gle/LBA1RhNnFrLMLmmR7 👈

💡 Share the newsletter in one click

PARTNER

The Math That Killed "Fix All Criticals"

AI code just broke it faster

66% of organizations have 100,000+ vulnerability backlogs. 252-day average remediation. Keeping up was already impossible. Then AI made it worse. 34% of code is now AI-generated, and 48% of code ships with vulnerabilities.

But some teams are still shrinking their backlogs. This 30-page analysis from Pixee shows how.

Get the 30-page analysis →

Partner With Us

Table of Contents

😎 Vibe Check

Click the options below to vote on whether you are a practitioner, founder, or investor. Feel free to leave a comment, and I'll feature the best takes in next week’s write-up!

Last issue’s vibe check:
What metric should we finally stop tracking in 2026?
🟨🟨🟨🟨⬜️⬜️ Number of vulnerabilities patched
🟩🟩🟩🟩🟩🟩 Phishing test click rates
⬜️⬜️⬜️⬜️⬜️⬜️ Tool/asset coverage
🟨⬜️⬜️⬜️⬜️⬜️ Cyber risk quantification

I really like how the votes landed last week, and how literally no one voted for tool/asset coverage. That was a false flag, and it is likely more important than ever before.

Perhaps a saving grace for using AI in cyber will be the evolution of what we should care about vs. what we have historically had to care about through rote stats.

Sadly, the phishing tests will continue until morale improves.

Some of the top comments from last week’s vibe check:

💬 “Most CVEs can’t be exploited. Worthless stat that wastes the time of most people involved. New stat should be exploitable vulns patched.

💬 “Please stop the phishing simulation madness, I beg of you.”

💬 “Test ability to report phishing, and get that to 100%” (⬅️ I like this one a lot)

💰 Market Summary

Private Markets

  • 4 companies from 1 country raised $189.1M across 4 unique product categories

  • Average deal size was $47.3M (median: $24.0M)

  • 100% of funding went to product companies

  • 10 companies from 5 countries were acquired for $740.0M across 7 unique product categories

  • M&A activity was evenly split between product and service companies

Public Markets

  • No public cyber companies had an earnings report in the last few weeks of 2025

As of markets close on January 9, 2026.

📸 YoY Snapshot

Rolling 13-week charts that compare funding and acquisitions weekly in a year-over-year (YoY) view between 2024 and 2025.

This is a lower-volume time of year on the funding front, but even so, 2026 is starting off with a bang compared to 2025.

A very strong start to the year on the M&A front. The public giants are back at it again, starting this year as they finished the last.

☎️ Earnings Reports

This analysis is personal research and opinions only. This is not financial or investing advice. Do your own due diligence before making investment decisions.

Earnings reports from last week: None

Earning reports to watch this coming week: None

🧩 Funding By Product Category

Chart image date range from 2025-12-22 to 2026-01-18

  • $140.0M for Security Orchestration and Automated Response (SOAR) across 1 deal

  • $28.0M for Trust & Safety across 1 deal

  • $20.0M for Software Supply Chain Security across 1 deal

  • $1.1M for Secure Communications across 1 deal

🏢 Funding By Company

Product Companies:

  • Torq, a United States-based cybersecurity platform that provides advanced protection and threat detection capabilities, raised a $140.0M Series D from Merlin Ventures. (more)

  • Blackbird.AI, a United States-based narrative and disinformation threat intelligence platform, raised a $28.0M Venture Round from Ten Eleven Ventures. (more)

  • Interos, a United States-based risk management and supply chain monitoring platform, raised a $20.0M Private Equity from Blue Owl and Structural Capital. (more)

  • Sekur Private Data, a United States-based secure communications and privacy-focused collaboration suite, raised a $1.1M Post-IPO Equity. (more)

Service Companies:

  • None

🌎 Funding By Country

They say a picture is worth 1,000 words ¯\_(ツ)_/¯

  • $189.1M for the United States across 4 deals

🤝 Mergers & Acquisitions

Product Companies:

  • SGNL.AI, a United States-based privileged access management (PAM) platform focused on just-in-time (JIT) access, was acquired by CrowdStrike for $740.0M. SGNL.AI had previously raised $42.0M in funding. (more)

  • IriusRisk, a Spain-based automated threat modeling platform, was acquired by ThreatModeler for an undisclosed amount. IriusRisk had previously raised $38.7M in funding. (more)

  • Privacy Pal, a United States-based web browser privacy tool for limiting sensitive data disclosed to AI applications, was acquired by Vocodia for an undisclosed amount. Privacy Pal has not previously disclosed any funding events. (more)

  • Seald, a France-based end-to-end encryption and cryptographic identity management SDK, was acquired by OVHcloud for an undisclosed amount. Seald has not previously disclosed any funding events. (more)

  • SIMS Software, a United States-based platform that tracks and identifies insider threats in the federal workspace, was acquired by TechnoMile for an undisclosed amount. SIMS Software has not previously disclosed any funding events. (more)

Service Companies:

  • Advantus360, a Canada-based professional services firm focused on network, cloud, and endpoint security, was acquired by Integrity360 for an undisclosed amount. Advantus360 has not previously disclosed any funding events. (more)

  • AssurancePoint, a United States-based professional services firm focused on compliance framework assessments, was acquired by Axiom GRC for an undisclosed amount. AssurancePoint has not previously disclosed any funding events. (more)

  • Fortreum, a United States-based professional services firm focused on security and compliance services for the U.S. federal sector, was acquired by Gryphon Investors for an undisclosed amount. Fortreum has not previously disclosed any funding events. (more)

  • Ntirety, a United States-based managed security services provider (MSSP), was acquired by 11:11 Systems for an undisclosed amount. Ntirety had previously raised $1.0M in funding. (more)

  • Panacea Infosec, an India-based professional services firm focused on payment card security and PCI-DSS auditing, was acquired by SGS for an undisclosed amount. Panacea Infosec has not previously disclosed any funding events. (more)

📚 Great Reads

  • Zero Trust for OT in Manufacturing - Frank DePaola shares a practical path for applying zero-trust principles to modern operational technology and industrial security.

  • *The Coming Shockwave of AI-Generated Data - Five predictions for how AI will reshape the economics, security, and architecture of data in the coming years — and what leaders must do now to prepare.

  • 3 Basic Things Killing Your AI Usage for GRC - Ayoub Fandi shares how GRC professionals are making three basic mistakes when using AI for GRC work, along with ways to fix your prompts, add context, and use system instructions more effectively.

*A message from our partners

🧪 Labs

You don’t need more friends, you need more data

Security ROI > Coffee ROI

Get value every week? Back the mission.

Or send your smart friends a referral.

Data Methodology and Sources

  • All of the data is captured point-in-time from publicly available sources.

  • All financial figures are converted to U.S. Dollars (USD) at the current spot rate at the time of collection.

  • Company country locations are pulled from publicly available sources.

  • Companies are categorized using the Return on Security system.

  • Sometimes the deal details, such as who led the round, how much was raised, or the deal stage, may be updated after publication.

  • Let us know if you spot any errors, and we’ll fix them.

Reply

or to participate

Keep Reading

No posts found