Quarterly Report, Q1 2026: Cyber Security Vendor M&A and Funding News
Published by Pinpoint Search Group — the cybersecurity executive search firm that tracks every disclosed vendor funding round and acquisition in the sector.
At a glance
Get the full Q1 2026 dataset — every named company, round, investor, segment, and acquisition.
Highlights and Analysis
In Q1 2026, our team tracked 159 transactions, including 128 funding rounds and 31 M&A events. Disclosed funding totaled $4.62B, more than doubling the $2.22B recorded in Q1 2025 — one of the strongest first-quarter funding totals the workbook has recorded since the 2021–2022 peak cycle.
Early-stage activity continued to drive the majority of transaction volume — 75 of the 128 funding rounds were Seed or Series A — reflecting ongoing company formation across emerging categories. At the same time, capital concentration remained a defining feature of the market: a small number of large rounds accounted for a disproportionate share of total dollars raised, signaling continued investor preference for platforms and technologies with clear differentiation and enterprise relevance.
Strategic acquirers were equally active, with 31 M&A events anchored by Palo Alto Networks' $25B acquisition of CyberArk, the largest cybersecurity transaction of Q1 2026 and one of the largest identity-platform deals the workbook has recorded. The combination of accelerating funding totals and outsized strategic consolidation marks Q1 2026 as a quarter where both venture conviction and acquirer appetite returned in force.

Funding Overview
The 128 funding rounds tracked in Q1 2026 highlight a market that is both active and selective.
Capital concentration at the top of the market was pronounced. Multiple rounds exceeded $100M — including Cloaked ($375M), Upwind ($250M), TENEX ($250M), Armadin Security ($190M), Claroty ($150M), Torq ($140M), Defense Unicorns ($136M), Kai ($125M), Oasis Security ($120M), XBOW ($120M), and Cape ($100M) — collectively accounting for a significant portion of total funding. This reinforces a familiar pattern: fewer companies are capturing a larger share of investment as investors prioritize scale, execution, and category ownership.
What stands out in Q1 2026 is where that capital is flowing. A meaningful portion of investment is clustering around:
- Governance, risk, and compliance, which led the segment mix with 22 transactions as enterprises continued operationalizing AI policy, audit, and vendor-risk programs
- Vulnerability and application security, which together accounted for 31 transactions, reflecting persistent exposure across modern application environments and continued buyer demand for both pre-production and runtime controls
- Identity and access infrastructure, where Oasis Security's $120M Series B and a steady stream of Identity-segment funding (13 transactions) continue to position identity as a central control plane across environments
- Fraud, AI/LLM, and data security, where Cloaked's $375M growth round and Kai's $125M Series A signal that automation, AI-native defense, and data-layer protection are absorbing growth-stage capital at meaningful scale
This distribution suggests that while innovation remains broad, capital is increasingly aligning with areas that directly impact enterprise risk, cost structure, and operational scalability.

Market & Macro Signals
Several structural dynamics are visible in the Q1 2026 transaction record.
First, capital is moving in larger, more selective bets. Eleven funding rounds exceeded $100M this quarter, with the top three (Cloaked, Upwind, TENEX) each clearing $250M. The pattern signals that investor conviction is concentrating on vendors with established traction and clear differentiation rather than being diffused across early thematic exposure.
Second, strategic consolidation is accelerating at the top end. Seven disclosed M&A deals totaled $26.9B — nearly six times the quarter's disclosed funding capital. Palo Alto Networks' $25B acquisition of CyberArk alone accounts for the bulk of that figure and resets the price benchmark for identity-platform M&A.
Third, governance and control layers are becoming more pronounced. GRC led the segment mix with 22 transactions, more than any other category. As organizations deploy AI-driven workflows and expand machine identities, existing frameworks for access control, policy enforcement, and auditability are struggling to keep pace — reflected here in the volume of funding directed toward GRC-aligned platforms and identity-centric solutions.
Finally, undisclosed M&A continues to do significant work. Of the 31 acquisitions, 24 came without disclosed prices, including recognizable strategic moves by Check Point (Cyata, Rotate), CrowdStrike (SGNL, Seraphic Security at disclosed values), Delinea (StrongDM), Proofpoint (Acuvity), Zscaler (SquareX), and Sophos (Arco Cyber). The breadth of acquirer activity signals continued platform-building across identity, browser, detection/response, and AppSec.

M&A Activity & Strategic Movement
Q1 2026 recorded 31 M&A transactions, continuing the trend toward strategic consolidation across the cybersecurity landscape. The most notable transaction was Palo Alto Networks' acquisition of CyberArk for approximately $25B, a deal that underscores the importance of identity as a foundational control layer and highlights the scale at which platform consolidation is now occurring.
Additional activity across the quarter reinforces this direction:
- CrowdStrike acquired SGNL ($740M) and Seraphic Security ($420M), expanding capabilities across identity and browser security
- Palo Alto Networks further expanded with the acquisition of Koi ($400M), reinforcing its endpoint and platform strategy
- Check Point was active with multiple acquisitions including Cyclops ($85M), Cyata, and Rotate, signaling continued investment in platform breadth across ratings, identity, and detection/response
- Varonis, ThreatModeler, Zscaler, Proofpoint, and Sophos each completed targeted acquisitions (AllTrue.ai, Irius Risk, SquareX, Acuvity, and Arco Cyber respectively) to strengthen specific areas of their portfolios
- Delinea, Semperis, Endor Labs, Radware, and Infoblox added identity, AppSec, API, and OSINT capabilities through targeted acquisitions of StrongDM, MightyID, Autonomous Plane, Pynt, and Axur
Across these transactions, a consistent pattern emerges: acquirers are not pursuing broad roll-ups, but rather targeted capability expansion aligned to platform coherence. Identity, data security, application security, and AI-driven capabilities remain central to this strategy.
The scale of the CyberArk transaction, in particular, reinforces a key theme from both funding and enterprise demand — control layers are becoming increasingly central to modern security architectures, and platforms that can own these layers are commanding significant strategic value.

Looking Ahead
Q1 2026 sets a clear tone for the year: capital is available, but it is being deployed with precision. The combination of strong funding volume, concentrated large rounds, and active M&A suggests a market that has moved beyond correction and into a more structured phase of growth.
We expect the following dynamics to continue through 2026:
- Early-stage innovation will remain robust, particularly in areas tied to AI, automation, and emerging risk categories
- Growth-stage capital will concentrate around platforms that can consolidate spend, deliver measurable outcomes, or establish control over critical layers such as identity and governance
- M&A activity will remain active, with strategic buyers continuing to fill capability gaps rather than pursuing broad consolidation
From a go-to-market perspective, the implications are increasingly clear. Companies entering growth phases will be expected to demonstrate not just technical differentiation, but operational clarity and measurable value delivery. The ability to align product capability with enterprise priorities — particularly around efficiency, risk reduction, and consolidation — will define which vendors successfully translate capital into scale. As the year progresses, the interplay between capital deployment, enterprise buying behavior, and platform consolidation will continue to shape both funding outcomes and competitive positioning across the cybersecurity ecosystem.
The full Q1 2026 dataset — every named company, round, investor, segment, and acquisition — is in the data feed. Get the full Q1 2026 dataset →
Methodology
Every transaction in this brief was sourced from a primary public report and dedupe-checked against the master Pinpoint funding workbook, which now contains ~2,600 transactions back to May 2020. Funding totals reflect disclosed capital only; acquisition values are included where publicly available.
Each deal is classified against Pinpoint's normalized cybersecurity segment taxonomy — read directly off what the company says they protect and mapped to one of the canonical segments. The taxonomy has been maintained continuously since 2020 and currently covers roughly 55 segments. Identity, Data, Detection / Response, and Threat Intel have been tracked from the first month of the series; AppSec and GRC entered the following month; emergent categories (AI/LLM, Supply Chain, Quantum, Browser) are added when they first appear in vendor positioning. That normalization layer is what makes multi-year, cross-segment comparisons possible against an otherwise inconsistent vocabulary in the broader market.
About Pinpoint Search Group
Cybersecurity innovators work with Pinpoint Search Group to identify, attract, and land professionals that enable maturation, scale, and successful outcomes. As start-ups continue raising millions in funding and established vendors make acquisitions to round out their offerings, Pinpoint Search Group is keeping track.
Get the underlying data
The narrative above is the free version. The paid Pinpoint Cyber Funding Data feed gives you every named transaction, every disclosed investor, every segment classification — exportable, filterable, and updated as the deals close.
