It is expensive to build important cybersecurity companies. —Gili Raanan
How's that for a bold proclamation?!
Whether you agree or disagree with Gili Raanan and the Cyberstarts regime, this observation is spot on.
And the evidence keeps on mounting.
Raanan's full commentary was in the context of Wiz and their $1 billion Series E round last year, but it broadly applies to many other later-stage cybersecurity companies.
Even more so lately.
Earlier this month, Cyera became one of the five most highly funded companies in cybersecurity history. The $540 million Series E round they announced in June put them at $1.3 billion of total capital raised.
Less than a month later, Cato Networks announced a $359 million Series G round that put them at just over $1.1 billion in capital raised — the sixth highest total ever by a cybersecurity-related company.
This recent funding activity brought me back to Raanan's observation — and behind it, one of our industry's most important questions:
How much capital does it take for a cybersecurity company to go public?
A lot more than it used to, that's for sure. But how much, exactly?
I teamed up with Altitude Cyber to find out. We analyzed two decades of financing to give you a nearly precise answer and the supporting data to answer this exact question.
First, let's rewind the clock and take a look at the fundraising journey of our current public companies.
How much capital did our current public companies need to go public?
None of the cybersecurity-related companies listed in public markets today required a billion dollars of capital to reach public markets.
Here's how much funding most of them (excluding several smaller cap companies) raised before going public:
The companies who went public a decade ago (or more) all raised less than $100 million total. This includes Palo Alto Networks, the first cybersecurity company to reach a $100 billion valuation.
Varonis did it with ~$30 million (give or take, might be off by a little).
CrowdStrike, Cloudflare, Tenable, Okta, and Zscaler all raised a lot of capital too, but not the massive totals we're seeing today.
SentinelOne raised $697 million on its way to being the largest cybersecurity IPO ever (by money raised and pre-market valuation).
Rubrik is the only other cybersecurity-related public company who raised over $500 million. They're one of our most recent IPOs, so this tracks with the overall trend.
And then there's SailPoint (not included in the chart above, but worth mentioning).
The company went public for the first time in 2017 with only $26.1 million in total financing, including $4.8 million in debt. For the sake of discussion, this tracks consistently with the data we have on other cybersecurity-related companies who went public in 2017 or earlier.
SailPoint was later taken private (and recapitalized) by Thoma Bravo for $6.9 billion, then went public again in Q1 2025 at a $12.8 billion valuation.
They were remarkably efficient the first time, but...guess what?! Setting themselves up to be an important cybersecurity company was still expensive. The expensive part just happened the second time around with private equity sponsorship. Still a great outcome, but expensive.
We're going to see the SailPoint movie over again for an entire segment of private companies in the current IPO pipeline. Companies who went public (generally raising significant but modest amounts of capital by today's standards) were taken private, recapitalized, and are preparing to follow SailPoint's path back to public markets.
In context, you could infer Gili Raanan's observation was about high growth startups following the traditional venture-backed path to public markets. It's also going to end up applying to companies who were taken private, just with a different wrinkle of significant private equity financing to get them back to public markets for the long run.
It's still expensive to build important cybersecurity companies — regardless of whether the capital is coming from venture capital or private equity.
This has never been more true than it is for our current private companies. Let's talk about them next.
A majority of the most-funded cybersecurity companies ever are still private
Here's a telling stat about why the next generation of important cybersecurity companies is on a completely different planet financially:
Eight of the 10 (and 26 of the 30) most-funded cybersecurity companies of all time are still private.
Let that sink in.
Here's the dataset for the top 30¹:
Lacework raised the most equity funding by any company in the industry so far. You know the story.
Wiz raised $1.9 billion in total before Alphabet's (still pending) infamous $32 billion acquisition announced in March.
Netskope has raised $1.4 billion and looks to be among our top IPO candidates this year if public markets hold steady.
Cyera raised two of the largest rounds in 2024 and just added another $540 million this year.
ReliaQuest jumped into the top five with a private equity round earlier this year.
Cato Networks jumped into the top ten last month after a wild sequence of speculation and denial of a potential sale earlier in 2025.
OneTrust, Snyk, and Tanium are all later-stage companies who are holding steady after raising significant capital. They haven't disclosed raises since 2023 (or earlier).
Fireblocks is debatable as a cybersecurity-related company, but I decided to include them. They build security and governance infrastructure for Web3/cryptocurrency. No additional funding has been disclosed since a $550M round in late 2021.
Cybereason made the top ten with its Series H round this March. You know the story here, too.
The list goes on. Arctic Wolf, 1Password, and many others are promising companies in our IPO pipeline who are preparing and patiently awaiting their turn to go public.
So far, it's been a wide distribution of fortunes for our most-funded companies. Wiz had a great exit.² Lacework didn't.
The fate of the other 28 cybersecurity companies on this list (and dozens more well-capitalized startups right behind them) is still to be determined. Some companies have grown into their massive valuations. Others look pretty even. A few may never live up to expectations.
That's the hell of it: raising massive amounts of capital alone is necessary but insufficient for achieving a large outcome.
Raising more money means raising the stakes
So, what does all of this mean for our industry?
It has never been more expensive to build important cybersecurity companies.
And, in general, it's just going to keep getting more expensive.
"Important" is relative, of course. Significant impact and good exits have been accomplished with far less capital than the companies we discussed here.
We'll see an occasional Saviynt — an IPO-track company who has been remarkably capital efficient — but examples like these are clear anomalies in a mass of data that clearly shows a pattern of rising capitalization.
But to reach the exceptionally rare pinnacle of business, a generational company who produces billions (or more) of economic value, significant capital has to be invested.
In many cases, our next wave of public companies are going to require $1 billion or more to reach public markets.
Why is this happening?
Companies are staying private longer. Competition is more intense than ever. Growth is happening faster. Lots of other reasons.
Large capital raises and massive funding totals mean something else, too:
It's more important than ever to remember that funding doesn't equal success.
As Marc Andreessen said:
Raising money is never an accomplishment in and of itself — it just raises the stakes for all the hard work you would have had to do anyway: actually building your business.
We forgot about the 'actually building your business' part for a while, but he's right.
This is exactly the stage many of the companies in our industry are at right now — actually building businesses with very high stakes.
Acknowledgements
Thank you to Dino Boukouris, John Gould, and the team at Altitude Cyber for partnering with me on the research and data analysis for this piece.
Footnotes
¹RSA Security has technically raised the most total financing (~$2B) if you include debt. We wanted to keep this analysis focused on equity funding rounds for private companies, so we excluded debt.
²Assuming the transaction closes, which still seems promising but...who knows.