Security, Funded by is a weekly intelligence briefing of the public and private economic activity in the cybersecurity market. This week’s issue is brought to you by Endor Labs and Prowler.
Well, nothing like a little Claude-led hacking of the Mexican government, a little World War III, more tariffs, and a fictional Substack article that tanked (the already down bad) public markets on new AI displacement fears! ¯\_(ツ)_/¯
The good news, at least, is that the public cyber companies have rebounded about halfway from their precipitous fall in the prior week. If you missed last week’s issue, I covered my take on all of that in the opener.
Read through this as part of monitoring the situation.

😎 Vibe Check
Given all of the AppSec excitement last week, where is the next likely place that frontier AI labs will attack the security stack?
Last issue’s vibe check:
Plot twist: What's actually good about vendor consolidation?
🟨🟨🟨🟨🟨⬜️ Fewer vendors to manage
🟨🟨⬜️⬜️⬜️⬜️ One throat to choke when things break
🟩🟩🟩🟩🟩🟩 Tools that actually integrate
🟨🟨🟨⬜️⬜️⬜️ Fewer security questionnaires to fill out
Integration is the name of the game, but just having fewer vendors to manage is also a huge selling point. That is, of course, if they actually integrate products well and aren’t leaving you with massive coverage gaps. I suspect this has a lot more to do with the painful third-party risk management and vendor procurement process at most companies than anything else. 🤔
Who is building the agentic AI vendor procurement and onboarding platform of the future?? (Only partially said in jest 👀)
Some of the top comments from last week’s vibe check:
💬 “Microsoft does this shockingly well.”
💬 “Managing fewer vendors is not a win if you have gaps in coverage. Broadcom is the counter example for the “one throat to choke” argument. You have no idea how the consolidated company will act. It takes years, if not decades, for vendors to fully integrate beyond some superficial logo updates.”

💰 Market Summary
Private Markets
11 deals from 10 companies across 2 countries raised $221.3M across 8 unique product categories
Average deal size was $27.7M (median: $18.6M)
100% of funding went to product companies
5 companies from 3 countries were acquired across 5 unique product categories
60% of M&A activity went to service companies
Public Markets
1 public cyber company ($ZS, ▲ 1.08%) had an earnings report last week

As of market close on February 27, 2026.

📸 YoY Snapshot
Rolling 13-week charts that compare funding and acquisitions week over week, year over year, comparing the end of 2024 vs. 2025 with the start of 2025 vs. 2026.

While overall deal volume has tapered off over the last few weeks, the deals landing are still really exciting.

M&A activity continues to stay ahead of the momentum from the same time last year, and I suspect 2026 will bring even more acquisitions than 2025.

🔭 Zooming Out 🆕
Stories hidden in the numbers
CTEM's Moment: Three companies in the threat and vulnerability management space raised simultaneously this week, making it officially the latest buzzword that is now dead. When multiple startups in the same category raise at the same time, it signals deep investor conviction and also signals future consolidation pressure.
Offensive Security Is Having a Year: 16 deals in the past 12 months is 8.0x the prior year's pace. This product category barely existed two years ago (not offensive security services, but products). The rise of AI may have, for the first time in recent memory, driven an offense-first product arc as the threat landscape demands it more now than ever.

🧩 Funding By Product Category

$75.0M for Third-Party Risk Management (TPRM) across 1 deal
$61.0M for Data Protection across 2 deals
$50.0M for Continuous Threat Exposure Management (CTEM) across 2 deals
$16.1M for AI Governance across 2 deals
$12.0M for Security and Compliance Automation across 1 deal
$7.2M for Continuous Controls Monitoring (CCM) across 1 deal
An undisclosed amount for Security Operations across 1 deal
An undisclosed amount for Threat and Risk Prioritization across 1 deal

🏢 Funding By Company
Product Companies:
UpGuard, a United States-based third-party risk management platform, raised a $75.0M Series C from Springcoast Capital Partners.
Gambit Security raised a $56.0M Series A from CyberStarts, Kleiner Perkins, and Spark Capital, and a $5.0M Seed.
Astelia, a United States-based continuous threat exposure management platform, raised a $25.0M Series A from Index Ventures.
ThreatAware, a United Kingdom-based continuous threat exposure management platform, raised a $25.0M Series A from One Peak.
Trustwise AI, a United States-based AI governance, compliance, and safety platform, raised a $12.1M Venture Round (SEC filing).
Secfix, a United States-based continuous security and compliance company, raised a $12.0M Series A from Alstin Capital.
Spektrum, a United States-based continuous controls monitoring platform, raised a $7.2M Convertible Note (SEC filing).
Evoke Security, a United States-based agentic AI discovery, governance, and threat modeling platform, raised a $4.0M Pre-Seed from Crosspoint Capital Partners.
Prophet Security, a United States-based AI-assisted security operations platform, raised an undisclosed Venture Round from Amex Ventures and Citi Ventures.
Zafran Security, a United States-based threat and risk prioritization platform that uses your existing tool stack to show risks and mitigations, raised an undisclosed Venture Round from Amex Ventures.
Service Companies:
None

🌎 Funding By Country

$196.3M for the United States across 10 deals
$25.0M for the United Kingdom across 1 deal

🤝 Mergers & Acquisitions

Product Companies:
1touch.io, a United States-based data-aware security company, was acquired by Pure Storage for an undisclosed amount. 1touch.io had previously raised $14.0M in funding.
Sevco Security, a United States-based attack surface management (ASM) company, was acquired by Arctic Wolf for an undisclosed amount. Sevco Security had previously raised $53.7M in funding.
Service Companies:
Astralas, an Australia-based professional services firm focused on security architecture and engineering, was acquired by Bastion Security Group for an undisclosed amount. Astralas has not previously disclosed any funding events.

📚 Great Reads
The changing buy vs. build calculus for security - Frank Wang discusses the structural shift happening now for some security teams that have easy access to innovative AI tools. In all cases, buy vs. build isn't a simple decision anymore.
Knowing what good looks like in agentic security - Zack Allen shares what he's seen on building and using agentic workflows for security operations, what it means to know what "good" looks like, and the increasing knowledge gap.
Data Methodology and Sources
All of the data is captured point-in-time from publicly available sources.
All financial figures are converted to U.S. Dollars (USD) at the current spot rate at the time of collection.
Company country locations are pulled from publicly available sources.
Companies are categorized using the Return on Security system.
Sometimes the deal details, such as who led the round, how much was raised, or the deal stage, may be updated after publication.
Let us know if you spot any errors, and we’ll fix them.



