Security, Funded is a weekly intelligence briefing on the public and private economic activity in the cybersecurity market. This week’s issue is brought to you by Palo Alto Networks.
Buongiorno, this week’s issue was written live and direct from beautiful Italy! 🇮🇹 ⛷
While I was attempting to ski, public markets got absolutely clapped again last week, and this time it was the major public cyber companies who took the beating. Nothing like trying to monitor the situation on a gondola! 😅
The reason public cyber companies were “securitymogged” last week is that Anthropic launched Claude Code Security, a new set of capabilities that “scans codebases for security vulnerabilities and suggests targeted software patches for human review, allowing teams to find and fix security issues that traditional methods often miss.”
As a result, public markets freaked out, declared cyber a “solved problem,” panic sold, and wiped out about $15 billion in market cap from the top public cyber companies.
It’s not surprising that Anthropic is going after application security; they absolutely have to. Given that so much code is now completely AI-generated, it only makes sense to start securing the code the AI models are already writing. It’s a welcome advancement, and I can’t wait to start testing it, but it also reveals what has to be true for AI companies, regardless of the market they target. Every major frontier lab will have to push deeper and deeper into the application stack to realize the value of the massive investments they’ve made.
To put it into perspective, Anthropic and OpenAI alone have raised over $140 billion to date, more than Palo Alto’s market cap. The frontier labs have to try to eat the world, and they’ve got the funding and talent to make that true in as many verticals as possible. We’re going to continue to see this play out in other markets with AI, and it’s both welcome and scary to see so much competence destruction and competence enhancement happening.
That aside, what is surprising, rather, is the market’s disconnect from the reality of cyber. The major selloff shows that public market investors have no idea what cyber is.
You know how, when you’re using AI on a topic you know really well, you can easily spot things that are either false or completely off-base? And how the opposite is true when you’re using AI on a topic you don’t know anything about? Yeah, that’s what’s happening here in the public markets.
There is no winner-take-all in the public market for the cyber industry, and especially not in the private market. What we’re seeing now is short-term fear among tourist investors in a market they don’t understand.
You’ve heard that the stock market is not the economy, and the same is true for the cybersecurity economy. Will the AppSec market change even more than it has over the last few years? Absolutely. Does that mean AppSec is dead and that all private and public companies should pack up and go? Absolutely not.
The top public cyber companies really won’t be affected by this release in the medium and long term, and the large number of private companies across the AppSec space are already responding to this news and adapting. I suspect the industry will be singing a different tune in another two quarters.
The saying from the great Warren Buffett, “Be greedy when others are fearful,” comes to mind now and should be helpful in these times.
Let us all get this bread, family. 🥖 🥐 😤 👊



😎 Vibe Check
Plot twist: What's actually good about vendor consolidation?
Last issue’s vibe check:
RSA Innovation Sandbox now requires $5M seed for all finalists. This is:
🟨⬜️⬜️⬜️⬜️⬜️ Game-changing for early-stage cyber
🟩🟩🟩🟩🟩🟩 Creates perverse incentives
🟨🟨⬜️⬜️⬜️⬜️ Good marketing, questionable ROI
⬜️⬜️⬜️⬜️⬜️⬜️ Helps level the playing field
🟨⬜️⬜️⬜️⬜️⬜️ Doesn't matter, only execution does
Well, that’s quite the resounding answer for last week’s vibe check, and the comments didn’t hold back. 😳
So much has changed in the industry since the competition started 21 years ago. Big conferences like RSA, analyst firms, and a few media outlets were really the only ways anyone in cyber could learn about innovation in the industry.
The number of companies started, and the number of investors funding them, have grown by an order of magnitude since then, and you no longer have to wait for a once-a-year event to learn what’s new and up and coming on the issues the industry currently cares about.
Now add on the incentive of investing, and that calculus starts to change for what the industry trusts. Practitioners today will need a lot more proof than winning a competition to become invested, which, for many, is a welcome change.
Some of the top comments from last week’s vibe check:
💬 “It’s appealing. Cash is king, and I doubt any group of founders will turn down the check. What I’ll be curious to see is if it’s “smart money” or does the investment help or hamper the ability to attract institutional investors.”
💬 “This is now less an industry event about actually rewarding the more interesting and innovative companies, and more about creating deal flow for the VC in question. Also, try to put yourself in the place of a startup disrupting a particular segment - what if Crosspoint Capital is already invested in your main competitor? Essentially this means once they pick a winner in one category, it makes it very unlikely other players in that category will apply in the future. Eventually, the event runs out of categories and becomes irrelevant. Horrible, horrible decision.”

💰 Market Summary
Private Markets
10 companies from 4 countries raised $121.0M across 9 unique product categories
Average deal size was $15.1M (median: $7.3M)
100% of disclosed funding went to product companies
7 companies from 3 countries were acquired for $400.0M across 5 unique product categories
86% of M&A activity went to service companies
Public Markets
1 public cyber company ($PANW, ▼ 3.07%) had an earnings report last week

As of market close on February 20, 2026.

📸 YoY Snapshot
Rolling 13-week charts that compare funding and acquisitions week over week, year over year, comparing the end of 2024 vs. 2025 with the start of 2025 vs. 2026.

A quieter week on the funding front, but there's still a lot happening with the deals being made. We are now within the lull before the RSA storm, however, so I expect this to explode again in the next few weeks.

M&A continues to rip, however, with the public cyber companies again leading the way on high-profile acquisitions. While services businesses make up most of the acquisitions each week, AI Governance and PAM companies are in high demand this year.

🔭 Zooming Out 🆕
Stories hidden in the numbers
Platform Predator: Palo Alto Networks acquired Koi this week, its 4th cyber acquisition in 2 years (QRadar, ProtectAI, CyberArk, Koi and not counting Chronosphere, which is non-cyber). Each addresses a different capability gap in SIEM, ML security, identity, and endpoint security. Koi raised $48M just five months ago and probably never got to spend it.
TVM Isn’t Dead: Threat & Vulnerability Management is the hottest category in cyber right now, with $201M across 21 deals in the last 12 weeks, up 414% year-over-year.
Compliance Goes Global: Two security and compliance automation startups raised the same week from opposite sides of the world. With NIS2, DORA, Saudi PDPL, and more, every region is writing its own rules, and every region seems to need its own compliance platform.

🧩 Funding By Product Category

$42.0M for Threat & Vulnerability Management (TVM) across 1 deal
$25.0M for Threat Intelligence across 1 deal
$25.0M for Privileged Access Management (PAM) across 1 deal
$9.5M for Security and Compliance Automation across 2 deals
$7.5M for Application Security Posture Management (ASPM) across 1 deal
$7.0M for Anti-Bot across 1 deal
$5.0M for Hardware Security across 1 deal
An undisclosed amount for Software Supply Chain Security across 1 deal
An undisclosed amount for Managed Detection and Response (MDR) across 1 deal

🏢 Funding By Company
Product Companies:
Cogent Security, a United States-based AI-agent-enabled threat and vulnerability management platform, raised a $42.0M Series A from Bain Capital Ventures.
VulnCheck, a United States-based threat intelligence platform for exploits, vulnerabilities, and initial access brokers, raised a $25.0M Series B from Sorenson Capital.
BlueFlag Security, a United States-based software security and governance platform, raised a $7.5M Venture Round. SEC Filing
Copla, a Lithuania-based security and compliance automation platform, raised a $7.1M Series A from Iron Wolf Capital.
Darwinium, a United States-based bot-detection and abuse prevention platform, raised a $7.0M Venture Round. SEC Filing
Caspia Technologies, a United States-based hardware security and supply chain security platform, raised a $5.0M Venture Round. SEC Filing
Solidrange, a Saudi Arabia-based security and compliance automation platform, raised a $2.4M Seed from Sharaka Capital.
Zenyard, a United States-based automated malware reverse engineering and software security platform, raised an undisclosed Pre-Seed from Mindset Ventures.
Service Companies:
DeltaSpike, a Singapore-based managed detection and response provider for Southeast Asia, raised an undisclosed Venture Round from VentureTECH.

🌎 Funding By Country

$111.5M for the United States across 7 deals
$7.1M for Lithuania across 1 deal
$2.4M for Saudi Arabia across 1 deal
An undisclosed amount for Singapore across 1 deal

🤝 Mergers & Acquisitions

Product Companies:
Koi, an Israel-based endpoint protection platform focusing on unmanaged and self-installed software like packages, containers, extensions, and local AI models, was acquired by Palo Alto Networks for an undisclosed amount. Koi had previously raised $48.0M in funding.
Service Companies:
Defy Security, a United States-based managed services firm focused on penetration testing, operational technology security, and security program management, was acquired by Booz Allen Hamilton for $400.0M. Defy Security had previously raised $8.0M in funding.
Abile Group, a United States-based professional services firm focused on systems engineering, networking, and cyber services, was acquired by Valiant Solutions for an undisclosed amount. Abile Group has not previously disclosed any funding events.
IronCircle, a United States-based cybersecurity training, education, and certification company, was acquired by QuickStart Inc. for an undisclosed amount. IronCircle has not previously disclosed any funding events.
Stripe OLT, a United Kingdom-based, Microsoft-focused managed security services provider (MSSP) for the UK, was acquired by Little Fish for an undisclosed amount. Stripe OLT has not previously disclosed any funding events.
Tech Superpowers, a United States-based managed security services provider (MSSP), was acquired by IT Solutions Consulting for an undisclosed amount. Tech Superpowers has not previously disclosed any funding events.
Velonex Technologies, a United States-based managed services provider (MSP), was acquired by Future Standard for an undisclosed amount. Velonex Technologies has not previously disclosed any funding events.

📚 Great Reads
The problem isn’t OpenClaw. It’s the architecture. - Matt Jay breaks down the underlying architecture problems with OpenClaw and agentic AI more broadly, and how you can't prompt your way out of systemic issues.
Corsair - An open-source tool from Ayoub Fandi that can turn compliance evidence into cryptographically signed and verifiable proofs. The goal is to prove that a given set of security controls was assessed and that the test results are tamper-proof.

🧪 Labs
Think of all those poor OpenClaw agents! 😩


Data Methodology and Sources
All of the data is captured point-in-time from publicly available sources.
All financial figures are converted to U.S. Dollars (USD) at the current spot rate at the time of collection.
Company country locations are pulled from publicly available sources.
Companies are categorized using the Return on Security system.
Sometimes the deal details, such as who led the round, how much was raised, or the deal stage, may be updated after publication.
Let us know if you spot any errors, and we’ll fix them.


