Quarterly Report, Q1 2021: Cyber Security Vendor M&A and Funding News
Published by Pinpoint Search Group — the cybersecurity executive search firm that tracks every disclosed vendor funding round and acquisition in the sector.
At a glance
Get the full Q1 2021 dataset — every named company, round, investor, segment, and acquisition.
Highlights and Analysis
In Q1 2021, our team tracked 117 transactions, including 67 funding rounds and 50 M&A events. Disclosed funding totaled $3.84B, while the quarter's largest dollars moved through M&A rather than funding: Okta's $6.5B acquisition of Auth0 — the largest disclosed acquisition the workbook has tracked, eclipsing the prior high of Advent International's $1.43B take-private of Forescout — anchored disclosed deal dollars alongside the broadest acquisition count the workbook had recorded in any quarter to that point.
Identity sat at the center of both halves of the market. It was the quarter's most active funding segment (16 rounds) and the most active consolidation category, with Okta–Auth0 joined by TPG Capital's $1.4B combination of Thycotic and Centrify — a merger of two privately held privileged-access vendors, not a public take-private — and STG's $4B carve-out of McAfee's enterprise business, the largest PE-sponsored deal of the quarter. Of the 50 acquisitions, only 13 disclosed prices; those 13 totaled $13.25B, with Auth0 and McAfee Enterprise alone accounting for 79% of disclosed deal value.
Late-stage capital was available and at scale. Sixteen rounds cleared $100M, led by Lacework's $525M Series C — the quarter's largest disclosed funding round — followed by Snyk's $300M and Orca Security's $210M Series C. Early-stage activity still drove a meaningful share of round count, with 29 of the 67 funding rounds at Seed or Series A.

Funding Overview
The 67 funding rounds tracked in Q1 2021 highlight a market in which late-stage capital concentrated in a handful of cloud-and-application-security platforms while early-stage formation continued at a steady pace.
Capital concentration at the top was moderate. Sixteen rounds cleared $100M: Lacework ($525M), Snyk ($300M), Orca Security ($210M), Feedzai ($200M), SecurityScorecard ($180M), Coalition ($175M), Tanium ($150M), Jumio ($150M), Aqua Security ($135M), Wiz ($130M), Armis ($125M), and a tail of $100M rounds. The disclosed top three together (Lacework, Snyk, Orca) accounted for roughly $1.03B — about 27% of the quarter's disclosed funding.
What stands out in Q1 2021 is where that capital is clustering. A meaningful portion of investment is concentrating around:
- Cloud and container security, where Lacework's $525M Series C — the quarter's largest disclosed round — sat alongside Aqua Security's $135M and Wiz's $130M Series B, reflecting concentrated late-stage appetite for cloud-native protection platforms
- Application security, where Snyk's $300M growth round reinforced developer-first AppSec as a durable late-stage thesis
- Identity and access, where Jumio's $150M identity-verification round and continued formation across the segment reflected identity's standing as the quarter's most active funding category
- Risk, ratings, and cyber insurance, where SecurityScorecard's $180M and Coalition's $175M bracket a single thesis: quantified risk and insurable exposure are absorbing meaningful growth-stage capital
This distribution reflects a market in which late-stage capital is concentrating on cloud, application, and identity platforms with clear enterprise traction, while early-stage formation continues to broaden across emerging segments.

Market & Macro Signals
Several structural dynamics are visible in the Q1 2021 transaction record.
First, strategic acquisition reached a new dollar tier. Okta's $6.5B acquisition of Auth0 is the largest disclosed acquisition the workbook has tracked, more than quadrupling the prior high (Forescout at $1.43B). The all-stock transaction folds a developer-facing identity platform into Okta's workforce-and-customer identity stack and signals that identity consolidation is now operating at a scale not previously seen in the dataset.
Second, private equity entered at the carve-out tier. STG's $4B carve-out of McAfee's enterprise business and TPG Capital's $1.4B combination of Thycotic and Centrify show PE sponsors assembling cyber portfolios from divested business units and privately held vendors. Neither is a public take-private — McAfee remained publicly listed and Thycotic and Centrify were already PE-owned — but together they mark PE's arrival as a multi-billion-dollar acquirer cohort alongside strategic buyers.
Third, late-stage capital concentrated in cloud and application security. Sixteen rounds cleared $100M, led by Lacework, Snyk, Orca, and Aqua Security. The pattern reflects a market in which growth-stage venture capital is actively deployed across category leaders in cloud-native, container, and developer-first security.
Finally, undisclosed M&A did significant work. Of the 50 acquisitions, 37 came without disclosed prices, including recognizable strategic moves by CrowdStrike (Humio), Palo Alto Networks (Bridgecrew), SentinelOne (Scalyr), Tenable (Alsid), and Rapid7 (Alcide). The breadth of acquirer activity signals broad platform-building across SIEM, cloud security, and application security.

M&A Activity & Strategic Movement
Q1 2021 recorded 50 M&A transactions — the broadest acquisition count the workbook had tracked in any quarter to that point — with disclosed-deal dollars concentrated in identity and endpoint. The most notable transaction was Okta's $6.5B acquisition of Auth0, the quarter's largest deal and the largest disclosed acquisition the workbook has tracked.
Additional activity across the quarter reinforces this direction:
- STG completed the $4B carve-out of McAfee's enterprise business, the largest PE-sponsored deal of the quarter and a marker for private equity assembling cyber platforms from divested business units
- TPG Capital combined Thycotic and Centrify ($1.4B), merging two privately held privileged-access vendors into a single identity-security platform
- CrowdStrike acquired Humio ($400M), bringing log management and observability data into the Falcon platform
- PayPal and Dropbox added Curv ($200M) and DocSend ($165M) respectively, extending into crypto-custody security and secure document workflows
- Palo Alto Networks, SentinelOne, and Tenable each completed targeted acquisitions (Bridgecrew, Scalyr, and Alsid respectively) to strengthen cloud security, log analytics, and identity exposure
Across these transactions, a consistent pattern emerges: identity is the quarter's most contested consolidation category at both the strategic and PE tiers, while private equity establishes itself as a multi-billion-dollar acquirer cohort through carve-outs and roll-ups. Endpoint, cloud security, and SIEM round out the most active areas for targeted strategic tuck-ins.

Looking Ahead
Q1 2021 opens the year with strategic acquisition reaching a new dollar tier and private equity entering at scale, against a funding backdrop in which late-stage capital concentrated in cloud and application security.
We expect the following dynamics to continue through 2021:
- Identity consolidation will continue across both strategic and PE acquirers, as platform buyers and sponsors compete to assemble workforce, customer, and privileged-access capability into integrated stacks
- Private equity will continue acquiring at the multi-billion-dollar tier, pursuing carve-outs of divested business units and roll-ups of mature vendors across identity, endpoint, and email
- Late-stage capital will favor cloud and application-security leaders, particularly across cloud-native protection, container security, and developer-first AppSec where Q1 saw the heaviest concentration
From a go-to-market perspective, Q1 2021 marks a quarter in which acquirer activity reached a new dollar scale and venture capital concentrated around cloud and application security. The interplay between strategic identity consolidation, an emerging PE acquirer cohort, and late-stage cloud-security funding will continue to shape both funding outcomes and competitive positioning across the cybersecurity ecosystem.
The full Q1 2021 dataset — every named company, round, investor, segment, and acquisition — is in the data feed. Get the full Q1 2021 dataset →
Methodology
Every transaction in this brief was sourced from a primary public report and dedupe-checked against the master Pinpoint funding workbook, which now contains ~2,600 transactions back to May 2020. Funding totals reflect disclosed capital only; acquisition values are included where publicly available.
Each deal is classified against Pinpoint's normalized cybersecurity segment taxonomy — read directly off what the company says they protect and mapped to one of the canonical segments. The taxonomy has been maintained continuously since 2020 and currently covers roughly 55 segments. Identity, Data, Detection / Response, and Threat Intel have been tracked from the first month of the series; AppSec and GRC entered the following month; emergent categories (AI/LLM, Supply Chain, Quantum, Browser) are added when they first appear in vendor positioning. That normalization layer is what makes multi-year, cross-segment comparisons possible against an otherwise inconsistent vocabulary in the broader market.
About Pinpoint Search Group
Cybersecurity innovators work with Pinpoint Search Group to identify, attract, and land professionals that enable maturation, scale, and successful outcomes. As start-ups continue raising millions in funding and established vendors make acquisitions to round out their offerings, Pinpoint Search Group is keeping track.
Get the underlying data
The narrative above is the free version. The paid Pinpoint Cyber Funding Data feed gives you every named transaction, every disclosed investor, every segment classification — exportable, filterable, and updated as the deals close.
