Quarterly Report, Q3 2022: Cyber Security Vendor M&A and Funding News
Published by Pinpoint Search Group — the cybersecurity executive search firm that tracks every disclosed vendor funding round and acquisition in the sector.
At a glance
Get the full Q3 2022 dataset — every named company, round, investor, segment, and acquisition.
Highlights and Analysis
In Q3 2022, our team tracked 79 transactions, including 57 funding rounds, 21 M&A events, and 1 IPO. Disclosed funding totaled $1.86B, down 49% from the $3.65B recorded in Q3 2021, while round count contracted from 75 to 57. Year-to-date funding has reached $11.54B through three quarters, broadly flat compared with the same period in 2021. The quarter's sole public-market listing came from ZeroFox, which reached the market in August through a SPAC merger (Nasdaq: ZFOX) rather than a conventional IPO — a route that grew more common as the traditional IPO window narrowed. The quarter also marks the lowest disclosed funding quarter of 2022 by a wide margin, with transaction volume also at the year's low.
Late-stage capital remained available but selectively distributed. Four rounds cleared $100M — Coalition's $250M Series F, Talon Cyber's $100M Series A, Malwarebytes' $100M growth, and Bitwarden's $100M growth — followed by Halborn ($90M Series A), Fortanix ($90M Series C), Bishop Fox ($75M Series B), Swimlane ($70M Series C), TXOne Networks ($70M Series B), Cymulate ($70M Series D+), Deep Instinct ($62M Series E), and DataGuard ($61M Series B). Early-stage activity remained the dominant share of round count, with 29 of the 57 funding rounds at Seed or Series A.
The M&A column carried structural weight despite a lighter deal count. Twenty-one acquisitions included four disclosed transactions totaling $4.54B, anchored by Thoma Bravo's $2.8B take-private of Ping Identity — the third-largest pure-identity acquisition the workbook has tracked and the second-largest pure-identity take-private of 2022 — and Centerbridge Partners' $1.6B take-private of Computer Services Inc, the largest MSSP-segment acquisition the workbook tracks by a wide margin.

Funding Overview
The 57 funding rounds tracked in Q3 2022 highlight a market in which late-stage capital concentrated more narrowly than in the first half of the year, while early-stage formation continued at a measured pace.
Capital concentration at the top was modest. Four rounds cleared $100M: Coalition ($250M), Talon Cyber ($100M), Malwarebytes ($100M), and Bitwarden ($100M). Below that band, growth-stage activity stayed dispersed across Halborn ($90M), Fortanix ($90M), Bishop Fox ($75M), Swimlane ($70M), TXOne Networks ($70M), Cymulate ($70M), Deep Instinct ($62M), DataGuard ($61M), and a long tail of $25–$55M Seed and Series A rounds. The disclosed top four together accounted for roughly $550M, about 30% of the quarter's disclosed funding.
What stands out in Q3 2022 is where that capital is clustering. A meaningful portion of investment is concentrating around:
- Cyber insurance, where Coalition's $250M Series F — the quarter's largest disclosed funding round — reinforced continued investor appetite for the cyber-insurance category
- Identity and password management, where Bitwarden's $100M growth round and continued early-stage formation across the identity stack reflect persistent enterprise demand for credential management and identity infrastructure
- Browser, endpoint, and workspace security, where Talon Cyber's $100M Series A — sizing well above typical Series A — and Malwarebytes' $100M growth round signal continued investor appetite for workspace-layer protection across enterprise browser and endpoint surfaces
- Detection, response, and SOAR, where Swimlane's $70M Series C, Cymulate's $70M Series D+, and a tail of detection-and-response funding reflect continued enterprise demand for managed-detection and security-orchestration platforms
This distribution reflects a market in which capital is concentrating more selectively than in the first half of 2022 — favoring vendors with clear category positioning across cyber insurance, identity, workspace security, and managed detection.

Market & Macro Signals
Several structural dynamics are visible in the Q3 2022 transaction record.
First, PE-orchestrated take-private activity extended into the identity-and-MSSP cohort. Thoma Bravo's $2.8B take-private of Ping Identity is the third pure-identity take-private the workbook tracks, following TPG's $1.4B take-private of Thycotic/Centrify in Q1 2021 and Thoma Bravo's own $6.9B take-private of SailPoint in Q2 2022. Centerbridge Partners' $1.6B take-private of Computer Services Inc is the largest MSSP-segment acquisition the workbook tracks by a wide margin. Together, the two transactions extend the year's PE-acquirer pattern into a second identity vendor and into the managed-security delivery tier.
Second, funding volume contracted materially. Disclosed funding of $1.86B and round count of 57 both mark the lowest of 2022 by a meaningful margin. The shift reflects a combination of smaller late-stage round sizes and lower overall transaction volume, consistent with a broader mid-2022 venture environment in which late-stage capital became more selective.
Third, strategic tuck-in M&A continued at moderate volume. Of the 21 acquisitions, 17 came without disclosed prices, including strategic moves by Thales (OneWelcome), Huntress (Curricula), Cloudflare, and a tail of mid-market consolidators. The breadth of acquirer activity signals continued platform-building across identity, security awareness training, and managed-security delivery.
Finally, undisclosed M&A continued to do significant work. Seventeen of the 21 acquisitions came without disclosed prices, reflecting continued strategic-platform tuck-in activity even as disclosed-deal counts contracted. The pattern signals that platform vendors continue targeted capability expansion at moderate volume even when headline M&A dollars concentrate in a small number of large PE-orchestrated transactions.

M&A Activity & Strategic Movement
Q3 2022 recorded 21 M&A transactions, with disclosed-deal dollars concentrated heavily in two PE-orchestrated take-privates. The most notable transaction was Thoma Bravo's $2.8B take-private of Ping Identity, the quarter's largest deal and the third-largest pure-identity acquisition the workbook has tracked.
Additional activity across the quarter reinforces this direction:
- Centerbridge Partners completed the $1.6B take-private of Computer Services Inc, the largest MSSP-segment acquisition the workbook tracks and a meaningful extension of PE-orchestrated take-private activity into the managed-security delivery tier
- Thales acquired OneWelcome ($118M), extending its identity-and-access-management portfolio into customer identity
- Huntress acquired Curricula ($22M), adding security-awareness training delivery to its MSP-focused platform
- Cloudflare, Akamai, and a tail of mid-market consolidators completed targeted strategic acquisitions without disclosed pricing, extending platform reach across CDN-aligned security, edge protection, and managed-security delivery
Across these transactions, the structural pattern is clear: PE-orchestrated take-privates continued to absorb the majority of disclosed deal value, with Thoma Bravo returning to the identity-acquirer column for a second time in 2022 and Centerbridge Partners entering at the MSSP tier. Strategic-platform tuck-ins continued at moderate volume across identity, training, and managed-security delivery.

Looking Ahead
Q3 2022 marks the year's volume low for both funding and M&A while disclosed deal dollars concentrated in a small number of large PE-orchestrated transactions.
We expect the following dynamics to continue through the remainder of 2022:
- PE-orchestrated take-privates will continue to anchor the disclosed-M&A column, as PE sponsors continue testing mature mid-cap cyber vendors across identity, managed security, and email
- Late-stage capital will remain selective, concentrating on vendors with measurable enterprise traction across cyber insurance, identity, workspace security, and managed detection
- Strategic tuck-in M&A will continue at moderate volume, as platform vendors absorb adjacent capabilities across identity, training, and managed-security delivery
From a go-to-market perspective, Q3 2022 marks a contraction in volume rather than a structural shift. The interplay between PE-orchestrated take-private acquisition, continued strategic-platform tuck-in activity, and increasingly selective late-stage venture capital will continue to shape both funding outcomes and competitive positioning across the cybersecurity ecosystem.
The full Q3 2022 dataset — every named company, round, investor, segment, and acquisition — is in the data feed. Get the full Q3 2022 dataset →
Methodology
Every transaction in this brief was sourced from a primary public report and dedupe-checked against the master Pinpoint funding workbook, which now contains ~2,600 transactions back to May 2020. Funding totals reflect disclosed capital only; acquisition values are included where publicly available.
Each deal is classified against Pinpoint's normalized cybersecurity segment taxonomy — read directly off what the company says they protect and mapped to one of the canonical segments. The taxonomy has been maintained continuously since 2020 and currently covers roughly 55 segments. Identity, Data, Detection / Response, and Threat Intel have been tracked from the first month of the series; AppSec and GRC entered the following month; emergent categories (AI/LLM, Supply Chain, Quantum, Browser) are added when they first appear in vendor positioning. That normalization layer is what makes multi-year, cross-segment comparisons possible against an otherwise inconsistent vocabulary in the broader market.
About Pinpoint Search Group
Cybersecurity innovators work with Pinpoint Search Group to identify, attract, and land professionals that enable maturation, scale, and successful outcomes. As start-ups continue raising millions in funding and established vendors make acquisitions to round out their offerings, Pinpoint Search Group is keeping track.
Get the underlying data
The narrative above is the free version. The paid Pinpoint Cyber Funding Data feed gives you every named transaction, every disclosed investor, every segment classification — exportable, filterable, and updated as the deals close.
