Themes From (And Beyond) Altitude Cyber's 2024 Cybersecurity Year In Review

Altitude Cyber released the 2024 edition of its legendary Cybersecurity Year In Review report at the end of January. It's the best of the best information for the commercially-minded people in our industry.¹

It's so good that I poured my whole month of research this February into analyzing the report.

I've either reviewed or helped produce the report five times now.² After a thousand-some hours in total, I'm dialed in on spotting subtle trends and anomalies in the data.

An added bonus for this year is our new content partnership, which gives me access to the full resources of the Altitude Cyber team for this article, social media posts, and more.

It's a rare opportunity for me to look behind the data, think about what all of it means, and tell you what we've found together.

Here are the ten most interesting insights I found and what they mean for the industry, starting with Altitude Cyber's specialty — M&A.

M&A: Activity is stable, but the mix of buyers and targets is shifting

The tale of cybersecurity M&A is "smooth sailing with strong undercurrents."

For all the choppiness on the financing side (we'll get to that), and <name your favorite reason why tech M&A has been unstable>...cybersecurity-related M&A activity has been remarkably steady in the past four years.

We've just been chugging along at ~280 deals and $50-ish billion of (disclosed) dollar volume per year.

Smooth sailing, right? Kind of, but there's a lot more to the story.

M&A hit an inflection point in 2021, then stabilized.

The multi-year cybersecurity M&A activity trend is more interesting than any single year alone. 2021 accelerated M&A activity in a big way, and it's stayed relatively high ever since:

Annual dollar volume (the total of all disclosed cybersecurity-related M&A transactions) averaged $21.5 billion per year for the five-year period from 2016 to 2020. It spiked to $80.9 billion in 2021 and has averaged $58.5 billion per year for 2021 through 2024.³

The average is still at $51 billion per year without 2021, though. That's over double the average dollar volume from 2016-2020.

It's a similar story for annual deal counts (the literal count of cybersecurity-related transactions, disclosed or not):

The average count from 2016-2020 was 178 deals. We hit an inflection point, and 2021-2024 was much busier at 280 deals per year.

Sure, 2021 was peak hype for both cybersecurity and tech — but we've clearly settled into a new normal for cybersecurity M&A. We're going to see a sustained increase in both total deals and dollars spent on acquisitions.

It's smooth sailing now, but here's where the "strong undercurrents" part comes in.

Strategic buyers are more active than they've ever been.

Strategic buyers accounted for 62% of all deals in 2024 (174 total) — the highest total deal count ever recorded.

It's a subtle but significant shift. We're talking about hundreds of transactions and billions of dollars here.

Strategic buyers always have more total acquisitions per year than financial buyers (there are more of them). But since 2020, the proportion had been shifting towards private equity — until this year:

Put another way: we had a stretch where financial buyers were more active in the industry than they were historically. This was partly due to a major increase in take-private activity, and also because investors took a shine to acquiring cybersecurity companies.

Strategic buyers are back. I expect the trend to continue as valuation expectations adjust and many of the ZIRP-era companies look for reasonable exits.

There's a bigger picture interpretation of this trend that could be even more significant, though.

A macro-level shift back towards strategic buyers is one thing, but the overall mix of the strategic buyers tells us even more about the future of cybersecurity M&A.

The biggest acquisitions were made by non-cybersecurity buyers.

The current shift back towards strategics includes a growing minority of "non-traditional" buyers.

Case in point: most of the largest M&A transactions that occurred during the year were led by cybersecurity-related companies, not pure-play cybersecurity companies.

Half of the ten largest acquisitions from 2024 were made by strategics with a majority of revenue generated outside of cybersecurity. Only one of the ten largest acquisitions (CyberArk's $1.5B acquisition of Venafi) was by a pure-play cybersecurity company.⁴

Another example is the trend of financial services buyers acquiring cybersecurity-related companies. It's a multi-year trend, but Mastercard's $2.65 billion acquisition of Recorded Future was one of the largest deals of 2024.

I take these data points as signals that cybersecurity capabilities are starting to be viewed as core components of broader business strategies, not just an isolated field.

We're going to keep seeing more convergence and "hybrid" acquisitions where cybersecurity is wrapped into adjacent offerings (cloud, data analytics, payment networks, etc.).

Buyers from outside the industry aren't the only change in the mix of strategic buyers, though. We're seeing some familiar names get back into the M&A game in a big way.

Once-quiet security giants are emerging as more frequent buyers.

It's no surprise to find companies like Cisco and Palo Alto Networks among the most active strategic acquirers in the industry. What's surprising is how active some companies that aren't typically viewed as buyers have been — especially in 2024.

Perception lags reality here. Many of these "quiet" players have been steadily active for years but kept under the radar.

Zscaler, Check Point, Fortinet, and other companies are rising up the charts again:

Zscaler had a steady run of 1-2 small acquisitions per year, then made a splash with their ~$350M acquisition of Avalor in 2024.

Check Point took 2022 off from M&A, then came roaring back with Perimeter 81, Atomsec, and Cyberint for close to a billion in combined deal value.

Fortinet hadn't done a single deal since 2021 until it shocked the world with its acquisition of Lacework. It followed that deal up with two other deals for Next DLP and Perception Point in 2024, which put it in a tie with CrowdStrike at seven acquisitions over a five-year period.

Throw in Rapid7 and Tenable at six acquisitions apiece, and we've got a pretty interesting mix of strategic buyers beyond the likes of Cisco and Palo Alto Networks.

The dynamics among buyers are changing, but there's also an interesting shift happening with the companies who are being acquired.

Startups are getting acquired earlier than ever before.

Does it feel like cybersecurity startups are just getting acquired younger and younger?

Don't worry, it's not just you getting old. (Okay, we might be getting old, but still...)

You're right. The data shows that early-stage startup exits are increasing:

Acquisitions of companies younger than three years old jumped from 10% to 15% of deals in 2024. Early-stage acquisitions are still a minority of deals by proportion, but a jump of five percentage points is still a big deal.

We could be seeing the beginning of a "glass ceiling" phenomenon where hot early-stage startups get acquired at massive premiums before they get a chance to grow into our next big cybersecurity companies. This starts looking even more plausible when you include the targets in the 3-5 year age range.

So, why is this happening? Lots of reasons, but here are two.

Large acquirers want novel capabilities quickly. Rather than waiting for companies to scale, they make "preemptive" acquisitions and buy them early. Avalor, Gem, Dazz, Eureka, Flow, and Oxeye were all among the leaders in emerging markets who were acquired in 2024.

The other reason is relative value. Earlier stage companies who have raised less capital than comparable later stage companies in the same market aren't as expensive to acquire. Resmo, PingSafe, Vantyr, Wib, and BreachQuest are all examples from the year.

If the story of M&A in 2024 was all about micro-level changes, the plight of financing was a hard reset. Let me tell you why.

Financing: More activity, and a shift towards safe or speculative

The best possible news about cybersecurity financing in 2024 is that both deal count and total funding are up from 2023.

I know this seems like a small win, but trust me — we needed a small win.

We had been in a pretty vicious downward spiral since cybersecurity industry financing peaked in 2021. Investment levels were still well above average in mid-2022, then cratered towards the back half of the year.

There were really no meaningful signs of recovery in 2023. A tiny, tiny bit of hope returned in 2024. Any positive trend is huge, and we got it last year.

Let's talk some more about what our new reality looks like.

A reset to the pre-boom baseline.

It's (unfortunately) safe to say that cybersecurity financing has returned (regressed?!) to pre-2021 levels. Total funding in 2024 was $13.2 billion, up 40% from 2023's abysmal $9.4 billion. Deal count was also up 16%.

2024 was a much more active year, for sure. But historically, total dollar volume looked a lot more similar to 2019 (and earlier) than 2021:

An interesting quirk was total deal count, which was 24% above the average from 2017-2020 despite relatively comparable dollar volume:

But in general, the takeaway is that we're back to the pre-2021 baseline for financing.

I take this as both good and bad news.

The bad news is mostly for founders, investors, and employees who are still clinging to the hope that 2021-like financing activity (and valuations) will return. They won't — at least not any time soon.

Things got super out of hand from 2021-2022. That's an anomaly.

Bad things happen when too much capital is flowing into an industry and valuations get inflated. We've hit a point where there's no (good) way out for a material part of an entire generation of companies who are fighting to live up to their valuations.

The good news is that our current baseline is probably where we should be. Companies that have raised or will be seeking capital at post-2022 levels are (for the most part) raising at more responsible amounts and reasonable valuations.

Accepting our new baseline is the practical and mature way of looking at financing going forward. Sure, it stings — but it's a lot better than down rounds, layoffs, fire sales, and other alternatives.

That's not to say cybersecurity companies can't raise large rounds, though.

Massive financing rounds are more rare, but they're still happening.

Given our new reality in financing, it shouldn't be a surprise that the number of massive ("massive" = ~$200-million-plus for cybersecurity) financing rounds is down compared to 2021-2022 levels.

2024 did have a few, though — another small but important win.

There were ten cybersecurity-related rounds at $200 million or higher, including two $300 million rounds by Cyera alone:

Wiz’s billion-dollar round more or less overshadowed everything else, with the next largest round (Kiteworks at $466M) at less than half the size.

The story of financing in 2024 gives us a pretty good idea of how big the reset was. Here's the story in visual form:

There were way, way fewer large financing rounds in 2024 than at the tail end of the ZIRP era. Wiz's billion-dollar round still stacks up against the largest rounds in history, but we're not going to see the frequency of large rounds we had in 2021 any time soon.

Why?

In 2024, companies that would have been raising $200M+ during that period did rounds in the $100 million range instead...or not at all.

Going forward, it's going to be a story of outliers. Abundant capital is available for cybersecurity companies with big momentum and clear aspirations of scale. But those are the outliers, not the norm.

Expect ten (or so) large financing rounds per year. That's about where we've been, and where we should be in a healthy and rational version of the industry.

This isn't all about large financing rounds, though. Other stages make up most of the activity — and where the activity is happening has been changing.

Early or late, not mid.

The shifts in the number of capital raises by stage in cybersecurity have been subtle, but the implications are important:

Series A funding was basically flat in 2024, and Series B funding activity was still a little bit down. Early-stage and late-stage activity are on their way back up.

Total dollar volume trends are a similar story, but the differences are even more pronounced:

Series A funding in 2024 was down almost a billion dollars compared to 2022. Series B funding was less than half of 2022.

The Series A and B crunch might seem bad, and I'm sure it feels bad for individual founders and employees at companies caught up in the crunch and struggling to raise.

If we zoom out to the industry level and beyond, we're doing okay given the circumstances.

Across the rest of tech, it's been hard to raise Series A and Series B rounds. Peter Walker at Carta is the authority on this topic.

The punch line of his team's research is that graduation rates at these stages are significantly lower than in the ZIRP era. Companies are taking much longer to raise rounds, and many still haven't raised them yet. Some never will.

This Altitude Cyber report didn't go all the way down the rabbit hole into graduation rates, but total capital raises and dollar volume are a decent proxy. Cybersecurity's mid-stage funding decline has been very modest compared to the crater that happened with the rest of tech.

The later-stage recovery is the least surprising. It's a reflection of the times. As we discussed in the last section, relatively abundant capital is available — but companies have to earn it. Those who do are safe bets.

The recovery of early stage financing isn't a huge surprise to me, either. There's never a shortage of people wanting to start cybersecurity companies. We also have a healthy set of early stage investors across both industry specialists and larger agglomerators. Promising early stage companies will keep getting funded.

The investor landscape and activity levels are shifting, though. Things are starting to look different now that the industry hype is back to reasonable levels.

Which investors are staying or leaving?

Two of the most interesting observations I noticed in the entire report were how many of the most active investors from 2021-2024 dialed back their activity in 2024, and how many others ramped up activity:

I'd be careful about reading too much into this without a detailed look into the data, but it does make me curious about why all of this happened.

Here's what I mean.

Insight Partners has been the most active cybersecurity investor since 2021 with 74 total investments. They were still one of the ten most active in 2024, but their eight investments were down almost half from their five-year average.

Ten Eleven, SYN Ventures, Bessemer, and Tiger Global are top ten investors (by volume) since 2021, but not in 2024.

Activity from Sequoia, Accel, and Lightspeed was all stable.

Meanwhile, Andreessen Horowitz, Index, Evolution Equity Partners, and Vertex all cracked the top ten in 2024.

Again, I wouldn't read too much into this based on positive or negative activity variances in a single year. Ten Eleven and SYN Ventures are cybersecurity industry specialists — they're not going anywhere, and they're still doing a lot of deals.

I'm very interested in what the next five years are going to look like, though.

The big question is how many investors (especially the larger agglomerators who are investing in more than cybersecurity) are going to lean in or pull back from our industry based on everything that has changed since 2021-2022.

One cybersecurity market defied all forms of reason and logic in 2024. This goes beyond just M&A or financing. Let's talk about data security.

The anomaly: data security had a moment in 2024

For the first time ever, the data security sector led all industry capital raises. Data security companies raised $2.94 billion in 2024, up 2.5x from $1.16 billion in 2023.

It wasn't just financing. M&A activity was also high, doubling from 12 transactions in 2023 to 24 in 2024.

Altitude Cyber's sector classification includes backup and recovery alongside traditional data security areas like data classification, DLP, DSPM, encryption, and other things you'd expect. As it happened, 2024 was a very active year for basically all of these areas.

Cyera alone raised $600 million. Several other DSPM companies were acquired or raised capital. The backup and recovery market had its most active year ever.

This might only be the beginning of the data security story, too.

Data security is a top priority (and concern) with AI and transformation programs, especially in larger companies. DeepSeek just stress tested the current state of security controls for AI in every large enterprise. The verdict wasn't good.

We're going to keep hearing stories like this on repeat.

We still have a long way to go on figuring out how to securely use AI. Data security is the best set of tools we have.

2024 was the year data security had a moment, but we're going to look back on this as the inflection point where its trajectory changed for good.

Settling into our new reality

If there was any doubt left about the direction our industry was heading in the post-ZIRP era, 2024 eliminated most of it.

M&A activity is stable, even with subtle shifts happening among buyers and the profile of their acquisitions.

Financing activity is down from 2021-2022 levels, and it's going to stay down for a while. This is healthy.

Abundant capital is available for our top companies who have earned the right to scale. It's still there for promising early stage companies, too.

Macro trends are as important as ever. This is never going to change. In 2024, the notable one was AI driving data security market activity. Trends like these take years to play out, so we're going to keep seeing this one in 2025 and beyond.

If I had to summarize the vibe heading into 2025 in one sentence, it's this: The cybersecurity industry is maturing.

Our adolescence is behind us. We’re entering a period of thoughtful, disciplined growth — exactly what we need to build stronger companies and a more resilient industry.


Acknowledgements

Thank you to both the Altitude Cyber and Momentum Cyber teams for years of hard work on this industry research.

Footnotes

¹Hat tip to Mike Privette at Return on Security, who writes another epic annual report on the industry. Several of the observations from my research here align with things he's already said in other ways.

²Including both the Altitude Cyber version and its predecessor, Momentum Cyber's Cybersecurity Almanac.

³One caveat for the 2024 dollar volume data: it includes HPE's $14 billion acquisition of Juniper Networks. This is a caveat for multiple reasons, one being that some people don't consider either a cybersecurity company. I'm in the "hybrid" camp here. More importantly, the deal hasn't technically closed, and depending on how the Department of Justice intervention plays out, it may never close. I think it eventually will, but the total could get skewed quite a bit if it doesn't.

⁴The other four (Darktrace-Thoma Bravo, Acronis-EQT, Auditboard-Hg, and the Synopsys software integrity carveout) were made by financial buyers.