Quarterly Report, Q1 2025: Cyber Security Vendor M&A and Funding News
Published by Pinpoint Search Group — the cybersecurity executive search firm that tracks every disclosed vendor funding round and acquisition in the sector.
At a glance
Get the full Q1 2025 dataset — every named company, round, investor, segment, and acquisition.
Highlights and Analysis
In Q1 2025, our team tracked 103 transactions, including 86 funding rounds, 16 M&A events, and 1 IPO. Disclosed funding totaled $2.22B, broadly steady against the $2.31B recorded in Q1 2024, while round count rose from 78 to 86 — a quarter in which company formation continued to broaden even as headline funding held flat.
Early-stage activity remained the dominant driver of volume: 53 of the 86 funding rounds were Seed or Series A. Capital concentration at the late end was modest in dollar terms relative to recent quarters, with six rounds clearing $100M — Island ($250M Series D+), Aura ($140M), Tines ($125M Series C), Cybereason ($120M), Dream Security ($100M), and Semgrep ($100M).
The quarter's defining transaction sat in the M&A column. Google's $32B acquisition of Wiz is the largest pure-cyber acquisition the workbook has recorded and the largest hyperscaler-led cyber acquisition by a wide margin, repricing how cloud-security platforms are valued at the top of the market. Alongside that deal, SailPoint returned to the public markets in February — the first cyber IPO of 2025 and a notable re-emergence after the vendor's 2022 take-private.

Funding Overview
The 86 funding rounds tracked in Q1 2025 highlight a market in which early-stage formation is broadening while late-stage capital remains selective.
Six rounds cleared $100M — Island ($250M), Aura ($140M), Tines ($125M), Cybereason ($120M), Dream Security ($100M), and Semgrep ($100M). Below that band, growth-stage activity stayed steady across SpecterOps ($75M), Sardine ($70M), Pentera ($60M), and a long tail of $50M Series A and B rounds. Late-stage capital remained available, but investors continued to favor vendors with established traction over diffuse thematic exposure.
What stands out in Q1 2025 is where that capital is clustering. A meaningful portion of investment is concentrating around:
- Identity and access infrastructure, which led the segment mix with 13 transactions, with Aura's $140M round and continued early-stage formation reflecting identity's position as a primary control plane
- Vulnerability and application security, which together accounted for 20 transactions, including Semgrep's $100M Series D+, SpecterOps' $75M Series B, Pentera's $60M Series D+, and Oligo Security's $50M Series B
- Detection, response, and automation, where Tines' $125M Series C, Dream Security's $100M Series B, and continued investment in workflow-driven security operations point to growing buyer demand for operational tooling
- Endpoint and browser security, where Island's $250M Series D+ and Cybereason's $120M round reinforce that workspace-layer and endpoint platforms continue to attract late-stage capital
This distribution reflects a market in which capital is moving toward categories with clear enterprise demand signals, rather than spreading thinly across emerging themes.

Market & Macro Signals
Several structural dynamics are visible in the Q1 2025 transaction record.
First, hyperscaler-led consolidation reset the cyber M&A benchmark. Google's $32B acquisition of Wiz sits at the top of the workbook's cyber M&A column, exceeding the prior leader (Cisco/Splunk at $28B). The transaction signals that hyperscalers are willing to underwrite full-platform cyber acquisitions at scale, not just tuck-in capability buys.
Second, funding held steady year-over-year while round count expanded. Disclosed funding of $2.22B sits broadly even with Q1 2024's $2.31B, while round count rose roughly 10% from 78 to 86. The shift suggests that company formation continued to widen even as headline dollar totals stayed flat.
Third, identity remained the most contested strategic category. Identity led the segment mix in funding transactions and also drove M&A activity, with CyberArk's acquisition of Zilla Security ($165M), Jamf's purchase of Identity Automation ($215M), and JumpCloud's acquisition of Stack Identity (undisclosed) all reinforcing the platform-consolidation theme.
Finally, undisclosed M&A continues to do significant work. Of the 16 acquisitions, 10 came without disclosed prices, including strategic moves by Veracode (Phylum), Darktrace (Cado Security), 1Password (Trelica), Menlo Security (Votiro), and Varonis (Cyral). The breadth of acquirer activity signals continued platform-building across AppSec, forensics, SaaS security, and data security.

M&A Activity & Strategic Movement
Q1 2025 recorded 16 M&A transactions, anchored by a single category-defining deal. The most notable transaction was Google's acquisition of Wiz for approximately $32B, the largest pure-cyber acquisition in the workbook and a transaction that resets the price benchmark for cloud-security platforms across the hyperscaler tier.
Additional activity across the quarter reinforces this direction:
- Drata acquired SafeBase ($250M), deepening trust-management and vendor-risk capabilities
- Jamf and CyberArk each pursued identity-focused acquisitions, with Jamf adding Identity Automation ($215M) and CyberArk acquiring Zilla Security ($165M) to extend identity governance into adjacent control surfaces
- Tenable acquired Vulcan Cyber ($150M), reinforcing its position in exposure management and vulnerability prioritization
- Armis acquired Otorio ($120M), extending its asset-visibility footprint into OT and industrial environments
- Veracode, Darktrace, 1Password, JumpCloud, Menlo Security, Varonis, Chainalysis, and Quorum each completed targeted acquisitions (Phylum, Cado Security, Trelica, Stack Identity, Votiro, Cyral, Alterya, and Kivu respectively) without disclosed pricing, signaling continued platform-building across AppSec, forensics, identity, SaaS security, and data security
Across these transactions, the buyer cohort split is unusually clean: one hyperscaler-led megadeal at the top, a layer of disclosed mid-market strategic acquisitions in the $120M–$250M band, and a long tail of undisclosed platform tuck-ins. Identity, vulnerability management, and data security remain the most contested categories.
The scale of the Wiz transaction in particular reframes how cloud-security platforms are valued at exit, and is likely to influence acquirer behavior across the rest of the year.

Looking Ahead
Q1 2025 sets a clear tone for the year: hyperscaler appetite for cyber platforms is unambiguous, identity remains the most actively consolidated category, and growth-stage capital continues to favor vendors with proven enterprise traction.
We expect the following dynamics to continue through 2025:
- Hyperscaler-led M&A will continue testing platform valuations, with the Wiz transaction establishing a new ceiling that other cloud-adjacent platforms will be measured against
- Identity and vulnerability consolidation will remain the dominant strategic theme, as platform vendors absorb adjacent capabilities to broaden control coverage
- Early-stage capital will continue concentrating around AI-native, automation, and cloud-security categories, where buyer demand signals are clearest and category structures are still forming
From a go-to-market perspective, the implications are increasingly clear. The Wiz transaction will not be the last category-defining acquisition of 2025, but it sets a benchmark for how much capital incumbents are willing to deploy to own a control layer. Vendors entering growth stages will need to demonstrate clear differentiation, measurable enterprise traction, and a coherent platform thesis to compete for that level of acquirer attention. The interplay between hyperscaler appetite, strategic consolidation, and growth-stage selectivity will continue to shape both funding outcomes and competitive positioning across the cybersecurity ecosystem.
The full Q1 2025 dataset — every named company, round, investor, segment, and acquisition — is in the data feed. Get the full Q1 2025 dataset →
Methodology
Every transaction in this brief was sourced from a primary public report and dedupe-checked against the master Pinpoint funding workbook, which now contains ~2,600 transactions back to May 2020. Funding totals reflect disclosed capital only; acquisition values are included where publicly available.
Each deal is classified against Pinpoint's normalized cybersecurity segment taxonomy — read directly off what the company says they protect and mapped to one of the canonical segments. The taxonomy has been maintained continuously since 2020 and currently covers roughly 55 segments. Identity, Data, Detection / Response, and Threat Intel have been tracked from the first month of the series; AppSec and GRC entered the following month; emergent categories (AI/LLM, Supply Chain, Quantum, Browser) are added when they first appear in vendor positioning. That normalization layer is what makes multi-year, cross-segment comparisons possible against an otherwise inconsistent vocabulary in the broader market.
About Pinpoint Search Group
Cybersecurity innovators work with Pinpoint Search Group to identify, attract, and land professionals that enable maturation, scale, and successful outcomes. As start-ups continue raising millions in funding and established vendors make acquisitions to round out their offerings, Pinpoint Search Group is keeping track.
Get the underlying data
The narrative above is the free version. The paid Pinpoint Cyber Funding Data feed gives you every named transaction, every disclosed investor, every segment classification — exportable, filterable, and updated as the deals close.
