Cybersecurity's IPO pipeline for 2026 and beyond might be even more interesting than the 2025 candidates.
Several of our best companies are (likely) a couple years out from going public. And, let's face it: several of the 2025 IPO candidates are going to slide into 2026.
Public markets just aren't going to have the stomach to ingest 16 cybersecurity-related companies (plus dozens of other software companies) all at once.
It's definitely still worth gazing off into the distance to see what cybersecurity's longer-term IPO pipeline looks like.¹
Companies further out in our pipeline are going to keep becoming more and more influential. It's like you're seeing the next A-list celebrities perform at a small club before most of the world knows their name.
Don't forget about the macro side of this, either. IPO windows also last more than a year. If 2025 is the de facto start of our next window, we're going to see a multi-year run.
We're going to need a multi-year run. On top of the 16 companies who are IPO candidates in 2025, at least 38 more have realistic shot at going public in 2026 or later.
I used time ranges here because making predictions multiple years out is an inexact science. As we've painfully learned, a lot can change (good or bad) in a year or two.
Just like the 2025 candidates, the distinction (and incentives) between private equity owned and venture-backed companies affects the timing. But this time, the venture-backed companies are the star of the show.
We have a lot of companies to talk about here. Let's get to it.
Venture-backed companies
There are 24 venture-backed companies in the IPO pipeline for 2026 and beyond:
This is a flat out amazing group of companies. They're our Forbes Cloud 100-winning, large round-raising, high valuation-seeking superstars. Not all of them will go public, of course — but any of them could (someday).
Part of the criteria we have to go with for venture-backed companies is what they've said about their intent to go public and the timeline. Of the 25 companies in this part of the pipeline, 14 of them have spoken publicly about IPO plans:
There are too many companies here to discuss them all, but I wanted to highlight five.
1Password
1Password is one of my favorite stories. Over nearly two decades now, they've grown from a bootstrapped company in a once-obscure market to a potential decacorn.
In total, the company has raised $920 million in capital, most recently at a $6.8 billion valuation. They launched a full identity suite earlier this year. 1Password is clearly one of our top IPO candidates and feels like a lock for 2026, if not sooner.
Abnormal Security
Abnormal Security recently targeted "being able to operate as a public company" in Q4 2025 after raising a $250 million Series D at a $5.1 billion valuation.
Taken at face value, going public in late 2025 is definitely in range — and if not, early 2026 seems like a lock if markets are ready.
Timing may also depend on when Proofpoint, a direct competitor in email security, decides to re-enter public markets.
Cribl
Cribl is a cybersecurity-related company who is part of the emerging security data fabric market. They raised $200 million at a $3.5 billion valuation earlier this year and signaled clear intent to go public in the near future.
Their potential IPO is notable for several reasons, one being the creation of a new market segment for data fabric products. This helped clear the way for several other earlier stage companies I've covered this year.
Saviynt
Saviynt has been an under-the-radar company for most of its existence, but they put themselves squarely into the IPO pipeline with a recent disclosure of $185 million in ARR.
They've raised a very low amount of capital to date — $375 million in total, which includes $205 million in debt financing. Their latest disclosed valuation is $100 million in 2018...which, needless to say, is well over 10x higher today based on revenue.
CEO and founder Sachin Nayyar also led Securonix to a billion-dollar private equity exit in 2022, then rejoined Saviynt to (presumably) do the same or better.
Some of the disclosed numbers might not add up, but judgment wins out here. They have the revenue, leadership, enterprise customers, channel parterships, and tailwinds in a stellar identity security market. This is either going to be a major strategic acquisition or a public company.
Tanium
Tanium is one of the most perplexing companies in the entire IPO pipeline. They've looked like a no-doubt IPO candidate for a long time — yet here they are, still a private company with no definite timeline for going public.
They're valued at $9 billion with over $700 million in revenue. They basically have everything they need to go public. Will it be 2025? 2026? Later? I honestly don't know.
The VC-backed part of our long-term pipeline is by far the most dynamic segment. Timelines can change quickly. Other companies will definitely join the list. This is just the view we have right now.
The private equity part of the list is a bit more systematic. Let's cover these companies next.
Private equity owned companies
There are 14 private equity owned companies in the pipeline for 2026 and beyond:
The profile of this group is a bit different than the PE-owned candidates for 2025, though.
The 2025 group is unique because it includes several formerly private companies who were already at hundreds of millions or a billion in revenue scale. It's unusual to have companies like these in private markets. They won't be for long.
The 2026 and beyond group also has some formerly public companies, but the rest are a bit more typical.
Former public companies
There are still five former public companies (Barracuda, KnowBe4, McAfee, Ping Identity/ForgeRock, and Trellix), but each had challenges that are more common for private equity to address.
KnowBe4 and Ping Identity (including ForgeRock) were both subscale companies who didn't quite have the growth or operating metrics to keep up with the top performers.
Fast forward to today: Ping Identity just announced it's closing in on $800 million of ARR (with ForgeRock's revenue). They still have some product portfolio overlap and SaaS transition hurdles to overcome, which is why they're not a 2025 candidate. 2026 or 2027 feels very realistic.
KnowBe4 is likely over $500 million in revenue, and it's not even two years into its PE holding period. If they can grow at a 20-30% rate and keep adding tuck-in acquisitions, they'll be on their way to $1 billion of revenue by the end of their holding period.
Barracuda, Trellix, and McAfee are closer to the typical private equity story, even with their atypically large scale. Here's the quick summary of their activity:
Barracuda has almost completely transitioned into a cybersecurity company. Thoma Bravo sold them to KKR in 2022. They're now two years into the KKR holding period.
Trellix is the result of a merger between FireEye and McAfee's enterprise business unit in 2022.
The standalone version we now know as McAfee is the company's remaining consumer business.
I put a 2-3 year timeline on this group of companies because of their scale. Trellix has over a billion in revenue. McAfee has two billion. It's been a long time since Barracuda disclosed revenue, but rough math says they're likely over $500 million as well.
Private companies
The nine other PE-owned companies in the pipeline all have fairly unique journeys that could eventually lead to public markets.
Acronis and Armis are growth stage companies. Both are majority-owned by private equity firms, which are functioning more like growth equity investors in this situation. These companies need more time to hit revenue scale, which may happen quickly if they can sustain their high growth rates.
BeyondTrust just disclosed $400 million in revenue and acquired Entitle. They're reasonably competitive against CyberArk, Okta, and the large identity security platforms. They're also seven years into their holding period, which means an exit could happen soon.
Fortra was founded in 1982 (!!!) and has since evolved into a cybersecurity-focused company. They casually disclosed² $800 million of revenue back in 2022, which likely means they're at or above $1 billion now. That's public company scale.
The situation with LastPass is the most tumultuous of any company in the entire IPO pipeline:
-
They were acquired by LogMeIn for only $110 million back in 2015 when LogMeIn was a public company.
-
LogMeIn itself (including LastPass) was acquired and taken private by Francisco Partners in 2020.
-
In the midst of all this, people finally realized password management is a big market! LastPass became a valuable asset. LogMeIn's PE sponsors announced they were spinning out LastPass as a standalone company in late 2021.
-
...until multiple security issues derailed the plan.
-
The separation finally completed in May 2024. LastPass is now a standalone, PE-backed company with hundreds of millions in revenue.
When 1Password (another 2026-2027, maybe even 2025 candidate) goes public, it potentially opens the door for LastPass to follow.
Optiv was ready to go out before the current economic downturn. Reuters also reported a potential sale or IPO by KKR. Depending on how you feel about passthrough VAR revenue and Optiv's business model, and cybersecurity services companies in general, Optiv could an IPO-able company in the next 2-3 years.
Veeam is another cybersecurity-related company (backup and data protection) owned by Insight Partners who has the scale to go public soon. They reported $1.5 billion in revenue in late 2024 and just closed a $2 billion secondary round with TPG in December. With Rubrik performing well and Cohesity on its way to an IPO, it seems likely that Veeam will follow in 2026 or earlier.
Four other PE-backed companies seem destined for 2028 or beyond.
Acronis was publicly considering an IPO before a majority acquisition by EQT in August 2024. This pushes their timeline out to the end of a typical PE holding period.
Armis shared IPO plans for 2024-2025 and later disclosed $200 million in ARR. They announced a $200 million growth equity round in late 2024 with a five year strategic plan.
Exabeam talked about IPO aspirations back in 2021, then merged with LogRhythm under Thoma Bravo earlier this year. The combined company is sizeable, but it's going to take a few years before they're ready.
NetSPI looks like a long shot right now, but they're an interesting company to watch. KKR did a $410 million majority recap in 2022. The company is transitioning from offensive security services to products. This might all be coming together for them at the right time.
There's a lot going on with the private equity side of our IPO pipeline, both near-term and long-term.
The implication of so much private equity activity in the industry over the past five-plus years is that the acquired companies will eventually need to exit. We may start to see this play out in 2025, but the real action is going to be in 2026 and beyond.
This is all great, but two-plus years is an eternity
It's fun to look at IPO lists, but all of this is going to take years to get sorted out.
Don't take this list too literally, though. Several of these companies will go public. Others will get acquired. A few might falter.
Two-plus years is an eternity.
Any of the 100+ cybersecurity-related companies valued at a billion or more could technically be considered IPO candidates. Life comes at you fast though — for better and worse.
Just ask anyone at Lacework, who easily would have been considered an IPO candidate 2-3 years ago. They now have the dubious distinction of being one of the most spectacular meltdowns in the history of tech.³
The flip side is also true. Cybersecurity is building large and highly-valued companies faster than ever.
There will definitely be companies we didn't talk about today that will be obvious IPO candidates in a couple years.
Like I said, two-plus years is an eternity.
For now, let's celebrate that the cybersecurity IPO pipeline is alive and well. The timeline will align when it’s ready.
Footnotes
¹Doing this is more speculative, of course. It's hard to accurately predict IPOs even one year out, let alone two or more. Some of my analysis is bound to be wrong in retrospect. Consider this a starting point that we'll adjust over time.
²As humble, understated Minnesotans do.
³Although very salvageable within the friendly confines of Fortinet. This wasn't an FTX or Theranos situation — just blitzscaling gone sideways.