Hello Cyber Builders 🖖
Every February, Mike Privette drops his State of the Cybersecurity Market report on Return on Security. Four years running. Text-first. Data-driven. No logo slides, no vendor spin.
This year, I asked Mike to walk me through it.
Mike spent nearly two decades building security programs at banks, insurers, and enterprises before turning his practitioner lens on the market itself. Today, he studies how money moves through cybersecurity — who’s funding what, who’s acquiring whom, and what it signals about where security is actually heading. That background is why investors, startups, and governments trust his read. He publishes the data that the industry lacks.
He’s also an American who lives in Europe, which gives him a rare dual lens on a market that’s increasingly splitting along geographic lines. His newsletter tracks the business of cybersecurity week by week, and every year he synthesises it into a single report that I consider the most honest read on where the industry actually stands.
We spent 40 minutes together going through the 2025 numbers. What follows is my summary of that conversation — with his own words wherever possible — plus the data points I found most relevant for you as a founder, investor, or security leader operating in, or looking at, Europe.
Let’s get into it.
Will you be at RSA Conference 2026? Meet me there. Message me, and we’ll set up a slot for a coffee.
The 2025 numbers are genuinely impressive.
$25.1 billion raised across 743 deals. That’s up 59% in dollars from 2024, and surpasses the 2022 peak. $76.4 billion in M&A across 320 deals — up 66% in value. The average deal size jumped 37%, from $29.9M to $40.9M.
The industry went through its correction (2023), its stabilisation (2024), and in 2025, it came back with conviction.
But here’s Mike’s qualifier — and it’s the most important sentence in the report:
“The cybersecurity market recovered in 2025, but not evenly.”
When you look at where the money went, it went to a very small number of companies. 48 mega-rounds ($100M+) captured 65% of all funding. The top 5 funding events of the year were all debt rounds from already-public companies. The market healed — but it healed mostly at the top.
If you’re an early-stage founder outside the US, “cyber is back” might not feel that way to you. And the data explains why. Please check out Mike’s deep dive for full stats.
Let me start with the finding that surprised me most — even though it probably shouldn’t have.
AI Security captured 2.6% of cybersecurity funding in 2025. It’s not even a top-10 category. Identity and Access Management alone generated four times as much.
How did the market get this so wrong?
Mike draws a sharp distinction that most reports miss:
“There’s security for AI, and there’s AI for security. Security for AI is actually securing the use of AI models themselves — prompt injection, model distillation attacks, making sure the models don’t give up their weights. That market is going to go very quickly, and there are only a few companies who actually care about that deeply.
AI for security — using AI to make existing security products and workflows better — that market is going to be as big as the rest of the cyber industry. But it’s not a market unto itself. It’s just a way of doing business.”
The “AI Security” category that every report, every investor thesis, and every vendor pitch deck calls the story of 2025? It grew 75% year-over-year. But it went from $377M to $661M. In a $25B market. That’s not really significant.
And yet, the hype dominates every conference, every pitch deck, every LinkedIn post. I mentioned this to Mike, and his response was sharp:
“It’s nice to step away from Twitter or LinkedIn every now and then to realise that most people don’t think the way the content you see portrays. We are a very, very long way from some of these things.”
What’s actually happening is the same thing that happened with cloud from 2010 to 2020. By 2015, every product said, “cloud-native.” By 2020, nobody mentioned it because it had become the default way of doing business. AI is following the same path — just much faster. The absorption is already visible in the data: AI is being folded into Identity, Network Security, Security Operations — not sitting alongside them as a separate line item.
Side note: I published a series of posts on how AI is “distilled” into all major cybersecurity platforms. Check out the final wrap-up post.
The real AI story in cyber is not a new standalone market. It’s the transformation of the service layer.
I pushed Mike on this: what about AI SOC analysts, AI pen testers, AI red teamers — the players trying to replace human expert work with AI-powered services? He agreed that’s where the real disruption lands:
“Services are typically very human-based, very time-consuming. But now things are repeatable at scale that previously weren’t. You see companies like LimaCharlie making their managed service operating system with Claude or with whatever model you want — for free — so you can manage hundreds or even thousands of clients. It just wasn’t possible before.”
Even the biggest cyber vendor has barely touched the market that AI-powered services could eventually absorb. But Mike was careful not to oversell the timeline:
“The more you use AI, the more you realise just how much work it takes. It’s not magic. And that means it won’t be magic for security either.”
And he added something that I think is genuinely underappreciated:
“Cyber is a bit more unique than some other industry verticals. It’s a vertical, it’s got its own market — but it’s also a horizontal in that it’s a part of every industry. You can’t really do AI without all the data and technology underneath it, but you probably shouldn’t be doing AI without security either. It’s everywhere, everything all at once.”
That framing matters. Cyber doesn’t just compete for a slice of the tech budget. It’s embedded in every industry vertical that AI is entering. The opportunity is much larger than the category numbers suggest.
The M&A story of 2025 is even more striking than the funding numbers. And it’s not just about the scale — it’s about who is buying whom.
Google acquired Wiz for $32 billion — the largest acquisition in cybersecurity history. That single deal accounts for 42% of all disclosed M&A value in 2025.
Palo Alto Networks acquired CyberArk for $25B. ServiceNow acquired Armis (IoT security) for $7.8B and Veza (identity governance) for $1B+. Mitsubishi Electric acquired Nozomi Networks (OT security) for $1B.
Notice what’s happening. It’s not just cyber companies buying cyber companies. It’s:
– IT buying cyber (ServiceNow/Armis)
– Manufacturing entering security (Mitsubishi/Nozomi)
– Cyber expanding into IT management (CrowdStrike pushing into CIO and CTO budgets)
Mike calls this The Great Bundling — and he says it’s just getting started:
“There are horizontal and vertical expansions happening at more and more turns, and the cyber industry is permeating more and more parts of life. These companies from outside of cyber entering this world through acquisition or product expansion will have many contacts and potential buyers that security companies may not already have.”
The boundaries between cyber, IT, and operational technology are dissolving. Everyone is reaching for not just the CISO budget, but the CIO and CTO budgets too.
The implication for founders: the enterprise sell just got more complex. But the opportunity is bigger. There’s a natural extension play into IT, OT, and security adjacencies that creates new leverage — if you think about it early.
Now for the part I care about most — and the part I want to be honest with you about.
Europe raised $1.33 billion in cybersecurity funding in 2025. That’s up 81% from $734M in 2024. The ecosystem is genuinely improving. Europe ranked 2nd or 3rd at every stage from Series A through Growth, and overtook Israel in Series C and Growth Stage rounds.
That’s the good news.
Here’s the honest picture: the US raised $18.5 billion. The US and Israel together accounted for 91% of global cybersecurity funding. Europe is at roughly 5%.
The M&A gap is even starker. Europe had 54 acquisitions — 16.9% of global deal volume. But only $290 million in disclosed value, versus $75.3 billion for the US. That’s not a gap. That’s a different planet.
I asked Mike directly: Is Europe catching up, or falling further behind? His answer:
“The growth is real and consistent. Europe showed remarkable consistency, ranking 2nd or 3rd at every stage from Series A through Growth.
The ecosystem sustains companies through later stages, even if it doesn’t produce the same concentration of mega-rounds. But the largest cybersecurity companies are overwhelmingly American — and sometimes that’s through Israeli companies that move to the US, so it’s not always clear-cut.
Until Europe produces more companies that can stay European and reach a billion-dollar scale, the value gap persists.”
One of the most important findings in Mike’s report is about the direction of money flows — not just the amounts.
Mike had a theory when writing this year’s report — and the fact that he lives on both sides of the Atlantic gave him a different vantage point:
“Being an American who lives in Europe, you bring a different perspective and you keep an eye on what’s happening in the US, but you’re learning what’s happening where you live and how countries fundamentally approach these things differently. I had a theory that there would be some massive changes in the way people invested in cyber and where startups happen — that countries would start to say, we should probably invest more in our own ecosystem.”
The data confirmed it completely.
“The US went very insular and invested way more money locally than they did in other places. Consequently, their investments in Europe and the UK either stayed flat or went down. Europe stopped investing in the US as much. It invested in itself more. And then the UK had a very similar pattern — it didn’t invest as much outside the US, did a bit more in Europe, and surprisingly did a bit less on itself, which was concerning.”
The numbers behind this: intra-European cybersecurity funding grew +209%. European investors deployed 68% more capital at home in 2025 than in 2023. US investors’ appetite for European deals stayed flat. Cross-Atlantic flows from Europe to the US collapsed.
For Europe, this is potentially transformative — but only if the momentum holds. Initiatives like EU Inc. (making it simpler to operate across all member states) are exactly the kind of structural change that, as Mike put it, “will make this more appealing and easier to do and will concentrate things in Europe, but also broaden it.”
The virtuous circle that built Silicon Valley — exits generating capital, capital funding new companies, new companies generating talent, talent founding more companies — has to start somewhere. The data suggests 2025 may have been a genuine inflection point.
The UK story deserves its own section because it’s genuinely strange.
UK startup formation is growing. UK cybersecurity funding hit $580M (+41% YoY). Strong early-stage pipeline. But UK investors quadrupled their investments in the US (from $200M to $800M) and grew European investments 5x (from $63M to $300M) — while UK-to-UK funding stayed flat at roughly $60M annually.
UK investors are funding everyone else’s ecosystems. Not their own. Mike’s read:
“UK startup formation is growing and getting stronger, but UK on UK funding stayed flat at around $60M annually — meaning UK investors aren’t deploying domestically at scale.
Instead, UK capital is still leaving home. UK founders are building companies, but UK investors are still funding everyone else’s ecosystems.
Post-Brexit independence cuts both ways. UK founders face harder choices about where to scale, and they’ll ultimately look to the US and Europe for growth capital — and may move there too.”
It’s a chicken-and-egg problem. And unless a few major UK exits happen and seed the next generation of local investors, it’s hard to see the pattern breaking.
I pushed Mike on exits — the part of the ecosystem loop that’s most broken in Europe.
“There’s still not much, to be honest. Most exits still happen either in Israel or in the US. More than half of the deals involve one service company buying another.
There are a couple of prolific MSSPs in Europe that are just buying every other MSP they can find.
But the large, flashy tech company buying a large cyber company? That still happens in the US or Israel.”
I shared my own experience here. When I sold my company (Sentryo) to Cisco, the value wasn’t in our revenue metrics. It was in what our technology could do to Cisco’s existing industrial network offering — putting security into hardware they were already selling at massive scale. The strategic leverage was what mattered, not the P&L.
Mike’s observation cut right to the issue:
“That highlights why there aren’t any large tech businesses in Europe making those acquisitions. The big service providers — Thales, Orange — are buying consultancies to roll up.
If there could be a large tech presence in Europe, they could start that momentum.
They should take a page out of the service provider’s book — these small companies might have little revenue, but it’s the access, the contracts, the geographic positioning that goes well beyond just a product SKU.”
European acquirers look at company metrics. They should be looking at strategic impact. That’s the mindset shift the ecosystem needs.
One thing I want to push back on — for the benefit of European founders reading this.
There’s a running mantra in European startup circles that you have to get to the US as fast as possible. That’s where the customers are, where adoption is faster, where capital flows more easily. Go early or go home.
Mike didn’t fully disagree. But he offered a more nuanced frame:
“You still can’t ignore the largest market. I still know of companies moving to the US because they have large financial services customers in New York — they feel compelled to move where those customers are.
But I think it will cause people to think more about a dual or multi-continent strategy. They may hire engineering talent in Europe or Australia, and do sales and go-to-market in the US where most of their customers are. I’ve seen a few companies do this pretty well.”
And the key line, which I want every European founder to hear:
“Be thoughtful about it instead of assuming that’s where you have to go. Because it’s an increasingly connected world.
A change of scenery doesn’t mean you all of a sudden get product-market fit. There are foundational things you have to do first that may not work in some regions — or at all.”
My take: you can be European-rooted and US-ready.
You don’t have to choose.
Build your engineering in Europe, raise your first rounds there, prove your business model works at a pan-European scale — and then deliberately scale into the US market.
We discussed that building an ecosystem takes 20 years. You build the first companies, have success, then hire more people, do the first exits, provide a good multiple to investors, and go on.
That’s also my personal story. I led as a CTO for a firewall vendor that exited to Airbus. Then I co-founded a startup that was acquired by Cisco. Now, I have built a venture builder for cyber. We are investing in a new generation of cyber founders and the next wave of companies.
His response:
“Yeah, that’s great. So you’re doing it. You’re making it better. You have to start somewhere. I see it changing in the UK; I see earlier-stage VCs forming, angel groups getting more structured.
I see the same thing in Europe. It’s the very beginning of a virtuous circle. The US has already had much of that happen many times over, so it’s a gravitational thing — where the money is, that’s where the companies and talent are. But you have to start somewhere.”
From 5 companies, you move to 20, from 20 to 100. It takes time. But it’s happening.
I asked Mike for his 2026 predictions. Three things stood out.
Borrowing from the AI industry playbook — companies raising massive Seed and Series A rounds in stealth, then trying to make a giant splash.
The risk: everyone is competing for the same security budgets with similar-looking products. As Mike put it:
“Surely with a $100 million start, they’ll be better than the last one, who only raised $60 million.”
The market will normalise.
Mike was direct:
“I don’t think we’ll see any IPOs. It’s a terrible time to IPO — tech has not been good and the stock market is far too volatile at the whims of geopolitics.
Secondary sales are going through the roof.
And I think we’ll start to see the cannibalization of some of these markets where 20 to 50 companies look and feel very similar, and there are only so many exits there can be.”
The exit pressure is real — and it’s building. Secondary sales are the pressure valve. For now.
This is the prediction that surprised me most:
“I think we’re heading into an offensive security-led year, which I don’t think I’ve ever been able to say before. It’s usually very defensive.
I think we’ll see a lot more people doing red team stuff — and I wouldn’t be surprised if an AI red team or adversarial AI company is acquired because now everything can become an app very easily.
That’s going to come with a lot of security issues.”
The attack surface is exploding. AI agents, MCP servers, autonomous workflows — each one is a new vector. The security industry has always been reactive. But for the first time, Mike sees offensive capability leading investment.
One last moment from our conversation: I mentioned that Yann LeCun, the French AI researcher, had just announced a €1 billion seed round in Europe.
Mike’s reaction: “Yes. That’s amazing. That’s the kind of thing that needs to happen.”
He’s right. It does.
If you’re a European founder: The ecosystem is genuinely improving. Raise in Europe first — the capital is there and growing. But have a global mindset, expand quickly in EU countries, and plan your US go-to-market strategy early and separately. You can be both.
If you’re a European investor: The inward turn is an opportunity, not just a trend. The companies being built now on European soil with European capital are the ones that will generate the exits that fund the next generation. The virtuous circle has to start somewhere.
If you’re a CISO: The AI for security wave is coming, but it’s not going to replace your team overnight. It’s going to make your service providers dramatically more capable. Start thinking now about how you evaluate AI-augmented vendors — because they’re going to look very different from the ones you contracted three years ago.
The 2025 State of the Cybersecurity Market report is published in full on Return on Security. Subscribe to Mike’s weekly newsletter for year-round cybersecurity market intelligence.
Meet me at RSA Conference 2026!
Laurent 💚






