Quarterly Report, Q1 2022: Cyber Security Vendor M&A and Funding News
Published by Pinpoint Search Group — the cybersecurity executive search firm that tracks every disclosed vendor funding round and acquisition in the sector.
At a glance
Get the full Q1 2022 dataset — every named company, round, investor, segment, and acquisition.
Highlights and Analysis
In Q1 2022, our team tracked 124 transactions, including 86 funding rounds and 38 M&A events. Disclosed funding totaled $5.30B, up 38% from the $3.84B recorded in Q1 2021, while round count rose from 67 to 86. The quarter recorded no cyber IPOs, but the M&A column carried structural weight: Google's $5.4B acquisition of Mandiant — the largest hyperscaler-led cyber acquisition the workbook has tracked and the largest Threat Intel transaction in the workbook by a wide margin — anchored disclosed deal dollars alongside a broader strategic-acquirer column running at high volume.
Late-stage capital remained available and at scale. Twelve rounds cleared $100M, led by Securonix's $1B growth round — the largest disclosed cyber funding round of the quarter — followed by 1Password's $620M Series C, eSentire's $325M, BlueVoyant's $250M Series D+, Axonius' $200M Series E, and Pentera's $150M Series C. Below that band, growth-stage activity stayed dense across Cheq ($150M Series C), Salt Security ($140M Series D), Island ($115M Series B), and a long tail of $25–$100M Seed through Series C rounds. Early-stage activity drove a meaningful share of transaction volume, with 46 of the 86 funding rounds at Seed or Series A.
The M&A column included 38 acquisitions, of which 10 disclosed prices totaling $7.91B. Google's $5.4B acquisition of Mandiant and SentinelOne's $616.5M acquisition of Attivo Networks together accounted for the bulk of disclosed M&A capital and signaled two parallel patterns: hyperscaler entry into the cyber-platform column at scale, and pure-cyber platform vendors absorbing adjacent detection-and-deception capabilities.

Funding Overview
The 86 funding rounds tracked in Q1 2022 highlight a market in which late-stage capital remained available at scale while early-stage formation continued at a steady pace.
Capital concentration at the top was pronounced. Twelve rounds cleared $100M: Securonix ($1B), 1Password ($620M), eSentire ($325M), BlueVoyant ($250M), Axonius ($200M), Pentera ($150M), Cheq ($150M), Salt Security ($140M), Island ($115M), Veriff ($100M), Human Security ($100M), and ThriveDX ($100M). Below that band, growth-stage activity stayed steady across Aqua Security ($90M Series E), Lacework follow-on activity, and a long tail of $25–$80M Seed and Series A rounds. The disclosed top three together (Securonix, 1Password, eSentire) accounted for roughly $1.95B — close to 37% of the quarter's disclosed funding.
What stands out in Q1 2022 is where that capital is clustering. A meaningful portion of investment is concentrating around:
- Detection, response, and SIEM infrastructure, where Securonix's $1B growth round — the largest disclosed cyber funding round of the quarter — anchored a category in which next-generation SIEM and managed-detection-and-response platforms continue to attract late-stage capital alongside BlueVoyant's $250M Series D+ and Pentera's $150M Series C
- Identity and access platforms, where 1Password's $620M Series C and Veriff's $100M Series C reflect continued enterprise demand across consumer-and-business identity and identity-verification
- Vulnerability and exposure management, which absorbed Axonius' $200M Series E alongside continued formation activity across the segment, reinforcing asset-visibility and continuous-control workflows as a durable late-stage thesis
- Browser, API, and application-layer security, where Island's $115M Series B, Cheq's $150M Series C, and Salt Security's $140M Series D bracket a single thesis: workspace-and-API control surfaces are absorbing meaningful growth-stage capital
This distribution reflects a market in which late-stage capital is concentrating on platforms with clear enterprise traction across detection/response, identity, vulnerability, and application-layer control, while early-stage formation continues to broaden across emerging segments.

Market & Macro Signals
Several structural dynamics are visible in the Q1 2022 transaction record.
First, hyperscaler-led cyber acquisition reached a new dollar tier. Google's $5.4B acquisition of Mandiant is the largest hyperscaler-led cyber acquisition the workbook has tracked and the largest Threat Intel transaction in the workbook by a wide margin (next is FireEye at $1.2B). The transaction folds threat-intelligence and incident-response capability into Google Cloud's security stack.
Second, late-stage capital ran at scale. Twelve rounds cleared $100M and disclosed funding of $5.30B sits 38% above Q1 2021. The pattern reflects a market in which growth-stage and late-stage venture capital remained actively deployed across category leaders in identity, detection/response, vulnerability management, and workspace-layer security.
Third, strategic tuck-in M&A continued at high volume. Thirty-eight acquisitions cleared the workbook this quarter — the broadest M&A count of any Q1 the workbook tracks. Disclosed prices stayed concentrated in a handful of large transactions (Mandiant, Attivo Networks, Zimperium, Siemplify, Tripwire), while the remaining 28 undisclosed deals included strategic moves by Cloudflare (Area1 Security), Recorded Future (SecurityTrails), Darktrace (Cybersprint), and Radware (SecurityDAM). The pattern signals continued platform-building across email, threat intelligence, vulnerability, and network security.
Finally, undisclosed M&A continued to do significant work. Of the 38 acquisitions, 28 came without disclosed prices, including recognizable strategic moves by Cloudflare, Recorded Future, Darktrace, Radware, Akamai, and several mid-market consolidators. The breadth of acquirer activity signals continued platform-building across email security, threat intelligence, vulnerability, and managed-security delivery.

M&A Activity & Strategic Movement
Q1 2022 recorded 38 M&A transactions, with strategic activity weighted toward hyperscaler-led cyber consolidation and platform-vendor tuck-ins. The most notable transaction was Google's $5.4B acquisition of Mandiant, the quarter's largest deal and the largest hyperscaler-led cyber acquisition the workbook has tracked.
Additional activity across the quarter reinforces this direction:
- SentinelOne acquired Attivo Networks ($616.5M), adding identity-threat-detection and deception capabilities to its Singularity platform and the quarter's largest pure-cyber strategic tuck-in
- Liberty Strategic Capital acquired Zimperium ($525M), returning the mobile-security vendor to private ownership and adding a mobile-threat-defense vendor to the PE-sponsored cyber portfolio
- Google added a second acquisition with Siemplify ($500M), extending Google Cloud security's SOAR footprint alongside the Mandiant transaction and signaling a coordinated platform build-out
- HelpSystems acquired Tripwire ($350M) from Belden, adding configuration management and integrity monitoring to the HelpSystems cyber portfolio
- Cloudflare, Recorded Future, Darktrace, and Radware each completed targeted strategic acquisitions (Area1 Security, SecurityTrails, Cybersprint, and SecurityDAM respectively) extending platform reach across email security, threat intelligence, attack-surface management, and DDoS protection
Across these transactions, the structural pattern is clear: hyperscaler-led cyber acquisition operated at a materially larger dollar scale than in prior years alongside continued strategic-platform tuck-ins from pure-cyber acquirers. Threat intelligence, identity-threat detection, mobile security, and configuration management were the most active consolidation categories this quarter.

Looking Ahead
Q1 2022 opens the year with a market in which both funding and M&A operate at high volume, with hyperscaler-led cyber acquisition reaching a materially larger dollar scale as the quarter's structurally distinctive shift.
We expect the following dynamics to continue through 2022:
- Hyperscaler-led cyber consolidation will continue to test the strategic-acquirer column, as cloud platforms absorb threat-intelligence, SOAR, and detection capability into integrated security stacks
- Strategic tuck-in M&A will continue at high volume, as platform vendors absorb adjacent capabilities across identity, detection/response, email security, and threat intelligence
- Late-stage capital will favor category leaders with measurable enterprise traction, particularly across detection/response, identity, vulnerability management, and workspace-layer security
From a go-to-market perspective, Q1 2022 marks a quarter in which both venture and acquirer activity ran at sustained intensity. Hyperscaler-led cyber acquisition at materially larger scale, continued late-stage capital deployment, and broad strategic-platform tuck-in activity will continue to shape both funding outcomes and competitive positioning across the cybersecurity ecosystem.
The full Q1 2022 dataset — every named company, round, investor, segment, and acquisition — is in the data feed. Get the full Q1 2022 dataset →
Methodology
Every transaction in this brief was sourced from a primary public report and dedupe-checked against the master Pinpoint funding workbook, which now contains ~2,600 transactions back to May 2020. Funding totals reflect disclosed capital only; acquisition values are included where publicly available.
Each deal is classified against Pinpoint's normalized cybersecurity segment taxonomy — read directly off what the company says they protect and mapped to one of the canonical segments. The taxonomy has been maintained continuously since 2020 and currently covers roughly 55 segments. Identity, Data, Detection / Response, and Threat Intel have been tracked from the first month of the series; AppSec and GRC entered the following month; emergent categories (AI/LLM, Supply Chain, Quantum, Browser) are added when they first appear in vendor positioning. That normalization layer is what makes multi-year, cross-segment comparisons possible against an otherwise inconsistent vocabulary in the broader market.
About Pinpoint Search Group
Cybersecurity innovators work with Pinpoint Search Group to identify, attract, and land professionals that enable maturation, scale, and successful outcomes. As start-ups continue raising millions in funding and established vendors make acquisitions to round out their offerings, Pinpoint Search Group is keeping track.
Get the underlying data
The narrative above is the free version. The paid Pinpoint Cyber Funding Data feed gives you every named transaction, every disclosed investor, every segment classification — exportable, filterable, and updated as the deals close.
