Welcome to the 72nd week of January, everybody! 😵‍💫
I’ll keep this week’s opener short, as I’ve been heads down working on the annual State of the Cybersecurity Industry report. I plan to release it later this week, so stay tuned.
Also, I’ve added a new section I’m testing out called “Zooming Out,” and would love any feedback you have!

PARTNER
Real-Time Visibility for Modern Security Teams
Drata helps you stay audit-ready and resilient—continuously.
In a world where cyber threats evolve faster than manual audits, visibility and automation are key to reducing risk. Drata empowers security & compliance teams to continuously monitor and prove compliance across frameworks like SOC 2 and ISO 27001, without slowing business operations.
Our platform integrates with existing tech stacks to surface real-time risk insights, streamline evidence collection, and eliminate the manual overhead of compliance readiness.
Protect your organization’s reputation and build trust with customers and stakeholders.

😎 Vibe Check
Click the options below to vote on whether you are a practitioner, founder, or investor. Feel free to leave a comment, and I'll feature the best takes in next week’s write-up!
How much do you actually care if a security product is using AI vs. not?
Last issue’s vibe check:
What security problem is criminally underfunded?
🟨🟨🟨🟨⬜️⬜️ Open-source security
🟨🟨🟨⬜️⬜️⬜️ SMB security
🟩🟩🟩🟩🟩🟩 OT/ICS/critical infrastructure
🟨⬜️⬜️⬜️⬜️⬜️ Security workforce/education
“In today’s modern, connected, and digital world, it’s more important than ever to…”
Nah, I’m just kidding, nobody wants to read stuff written like that. I’ve got to agree with the vibe check results from last week here. A lot of us who don’t live in the OT world really take for granted things like “power” and “running water,” and how they just work, but it’s shocking to see how fragile they could be.
Some of the top comments from last week’s vibe check:
💬 Our cameras, cars, TV, fridge, and washing machine can all disclose protected information about us, and there is nothing being done about it.
💬 Open source often is critical infrastructure. I wish it were so easy

💰 Market Summary
Private Markets
11 companies from 5 countries raised $403.8M across 10 unique product categories
Average deal size was $44.9M (median: $10.0M)
100% of funding went to product companies
3 companies from 3 countries were acquired for $37.5M across 3 unique product categories
100% of M&A activity went to product companies
Public Markets
No public cyber companies had an earnings report in the first few weeks of 2026

As of markets close on January 23, 2026.

📸 YoY Snapshot
Rolling 13-week charts that compare funding and acquisitions week over week, year over year, comparing the end of 2024 vs. 2025 with the start of 2025 vs. 2026.

Funding continues this year at a breakneck pace compared to this time last year.

M&A is also still ripping along compared to this same time last year.

PARTNER
Extended Identity and Access Management
Why should you need separate identity and access for humans and non-humans? For employees and customers? Across different applications and endpoints?
authentik is building towards XIAM and expanding beyond the traditional Identity Provider, encompassing the full spectrum of modern identities, access patterns, and environments.
🔭 Zooming Out 🆕
Stories hidden in the numbers
Category Momentum: Operational Technology (OT) Security is having a breakout moment amid fears over critical infrastructure security. Companies in this category have raised $200.0M this week across 2 deals, or 12x the 13-week weekly average. The “criminally underfunded” segment gets some love.
Raised from the Dead: RSA Security (yes, that one) is giving itself quite the makeover with its first publicly-noted funding round in many years (decades?). AI just might be able to bring even the oldest companies back to life.
AppSec Remediation Competition: The AppSec market is fragmenting into "fix vulnerabilities" vs. "prevent vulnerabilities" camps. Expect consolidation pressure on one of these models within the next 12 months.
Leading the Charge: Ten Eleven Ventures continues its streak as one of the most active early-stage cyber investors. They've now led or participated in 4 of the last 13 weeks' seed rounds.

☎️ Earnings Reports
This analysis is personal research and opinions only. This is not financial or investing advice. Do your own due diligence before making investment decisions.
Earnings reports from last week: None
Earnings reports to watch this coming week: None
🧩 Funding By Product Category

$200.0M for Operational Technology (OT) Security across 2 deals
$135.0M for Identity and Access Management (IAM) across 1 deal
$23.5M for Cyber Insurance across 1 deal
$14.1M for Application Security across 2 deals
$10.0M for Secure Remote Access across 1 deal
$10.0M for Threat and Risk Prioritization across 1 deal
$7.0M for Security Orchestration and Automated Response (SOAR) across 1 deal
$4.2M for Digital Forensics and Incident Response (DFIR) across 1 deal
An undisclosed amount for AI Privacy Assurance across 1 deal
An undisclosed amount for Cybersecurity Education & Training across 1 deal

🏢 Funding By Company
Product Companies:
Claroty, a United States-based secure industrial, IoT, and healthcare network security platform, raised a $150.0M Series F from Golub Growth and raised $50.0M in secondary market financing.
RSA Security, a United States-based suite of secure authentication and identity management tools, raised a $135.0M Debt Financing.
Stoïk, a France-based cyber risk insurance company, raised a $23.5M Series C from Impala and Opera Tech Ventures.
furl, a United States-based automated security and vulnerability remediation platform, raised a $10.0M Seed from Ten Eleven Ventures.
Symbiotic Security, a United States-based application vulnerability and remediation platform, raised a $10.0M Seed from Alven.
Zeroport, an Israel-based hardware-based secure remote access platform, raised a $10.0M Seed from lool ventures.
AiStrike, a United States-based AI-assisted security automation platform, raised a $7.0M Seed from Blumberg Capital.
Asymmetric Security, a United States-based AI-enabled digital forensics and incident response firm, raised a $4.2M Pre-Seed from Susa Ventures.
Dam Secure, an Australia-based IDE-integrated application security guardrails platform, raised a $4.1M Seed from Paladin Capital Group.
CyberNut, a United States-based cybersecurity education and training platform for K-12 school audiences, raised an undisclosed amount of private equity from Growth Street Partners.
Nenna AI, a Germany-based platform that helps prevent data privacy issues with AI applications, raised an undisclosed seed round from dfv Mediengruppe and IBB Ventures.
Service Companies:
None

🌎 Funding By Country

$366.2M for the United States across 8 deals
$23.5M for France across 1 deal
$10.0M for Israel across 1 deal
$4.1M for Australia across 1 deal
An undisclosed amount for Germany across 1 deal

🤝 Mergers & Acquisitions

Product Companies:
StandardFusion, a Canada-based governance, risk, and compliance management platform, was acquired by Wolters Kluwer for $37.4M. StandardFusion has not previously disclosed any funding events.
AI Sonar, an Ireland-based AI application discovery and governance platform, was acquired by LatticeFlow for an undisclosed amount. AI Sonar has not previously disclosed any funding events.
QTrino, an India-based provider of quantum cryptography cyber risk readiness and hardware security modules, was acquired by Satin Creditcare Network for an undisclosed amount. QTrino has not previously disclosed any funding events.
Service Companies:
None

📚 Great Reads
AI Code Security Anti-Patterns for LLMs - My friend Jason Haddix open-sourced a comprehensive security reference distilled from 150+ sources to help LLMs generate safer code.
*A message from our partners

Data Methodology and Sources
All of the data is captured point-in-time from publicly available sources.
All financial figures are converted to U.S. Dollars (USD) at the current spot rate at the time of collection.
Company country locations are pulled from publicly available sources.
Companies are categorized using the Return on Security system.
Sometimes the deal details, such as who led the round, how much was raised, or the deal stage, may be updated after publication.
Let us know if you spot any errors, and we’ll fix them.



