Cybersecurity M&A Activity: Q1 2026
Cybersecurity M&A reached a record $84B across 420 plus deals in 2025, anchored by Google's $32B all-cash acquisition of Wiz at approximately 64x ARR and Palo Alto Networks' $25B CyberArk deal at roughly 13.5x EV/Revenue, collectively defining a strategic-buyer-led consolidation cycle that Q1 2026 activity is now extending. A structural valuation barbell has emerged, with AI-native security assets commanding 15 to 20x revenue multiples and CrowdStrike trading near 30x, while legacy and GRC assets clear only 2 to 4x, a bifurcation that is reshaping acquisition screening criteria across both strategic and sponsor buyers. The report covers subsector deal volumes, valuation methodology, the identity and NHI security M&A thesis, VC and PE capital deployment trends, and the implications of SailPoint's $12.5B IPO for the reopening public markets window.
- Sector
- Cybersecurity
- Focus
- M&A Activity
- Published
- January 15, 2026
- Length
- 30 slides
- Reading time
- 22 minutes
Key findings
- Cybersecurity M&A reached a record $84B+ across 420+ deals in 2025, surpassing the previous peak and driven by 8 mega-deals each exceeding $1B (SecurityWeek).
- Google's $32B all-cash acquisition of Wiz—cleared by the DOJ in November 2025—is the largest private cybersecurity acquisition in history, valued at approximately 64x ARR.
- Palo Alto Networks agreed to acquire CyberArk for approximately $25B at ~13.5x EV/Revenue, establishing identity as the central control plane for Zero Trust security.
- Global information security spending hit $212B in 2025, up 15.1% year-over-year (Gartner), with Cybersecurity Ventures projecting the market to exceed $520B by 2026.
- AI-native security assets command 15–20x revenue multiples while legacy and GRC assets trade at 2–4x, reflecting a structural 'barbell' valuation bifurcation across the sector.
- VC funding recovered to $3.3B across 182 deals in Q1 2025 and peaked at $4.0B in Q2 2025, with private equity holding over $1T in undeployed dry powder (PitchBook).
- SailPoint's February 2025 IPO raised $1.38B at a ~$12.5B valuation and Netskope raised $908M at ~$7.5B, confirming the reopening of the cybersecurity public markets window.
- ServiceNow acquired Armis for $7.75B to extend automation to OT/IoT and unmanaged devices, and separately acquired Veza for $1B to strengthen AI identity governance.
- CrowdStrike trades at approximately 30x EV/Revenue—the highest multiple among public cybersecurity peers—reflecting the market's shift from a Rule of 40 to a Rule of 60 standard.
- The NHI-to-human identity ratio is projected to reach 82:1 by 2026 (Palo Alto Networks), making non-human identity management one of the fastest-growing M&A target categories.
Methodology
This report aggregates transaction data from SecurityWeek's 2025 M&A Review, Kroll's Cybersecurity Sector Update (Fall 2025), Houlihan Lokey's Q1 and Q4 2025 cybersecurity analyses, and PitchBook's quarterly VC and PE datasets. Spending forecasts reference Gartner's 2025 information security figures and Cybersecurity Ventures' 2026 market projections. Public company valuation multiples are derived from FactSet, Capital IQ, and Multiples.vc using LTM revenue as of December 31, 2025. Primary deal terms were verified against company press releases (Google, Palo Alto Networks, ServiceNow) and Reuters reporting. Windsor Drake synthesized and triangulated these datasets, reconciled overlapping deal counts to arrive at the 420+ transaction figure, and applied proprietary calibration to subsector multiple ranges and the valuation barbell framework presented throughout.
Frequently asked questions
What were the biggest cybersecurity M&A deals in 2025?
The three largest deals of 2025 were Google's $32B acquisition of Wiz (cloud/CNAPP), Palo Alto Networks' ~$25B acquisition of CyberArk (identity security), and ServiceNow's $7.75B acquisition of Armis (OT/IoT). Together with five other billion-dollar-plus transactions, these 8 mega-deals accounted for the bulk of the record $84B+ in total disclosed deal value.
What revenue multiples are cybersecurity companies trading at in 2026?
Valuations are highly bifurcated. AI-native security and cloud/CNAPP platforms command 15–20x+ revenue multiples, identity and data security assets trade at 8–15x, and legacy or GRC point solutions compress to 2–4x. In public markets, CrowdStrike leads at approximately 30x EV/Revenue while legacy vendors like Rapid7 and Tenable remain in the 2–6x range.
Who is buying cybersecurity companies right now?
Strategic platform assemblers dominate, accounting for roughly 90% of disclosed mega-deal value in 2025. Key acquirers include Google, Palo Alto Networks, ServiceNow, CrowdStrike, SentinelOne, Zscaler, Check Point, and Veeam. Private equity firms—including Thoma Bravo, Francisco Partners, Vista Equity, and KKR—are active in take-privates and add-ons, with PE representing approximately 40% of deal volume.
What subsectors in cybersecurity are attracting the highest M&A premiums in 2026?
AI Security and Cloud/CNAPP attract the highest premiums (15–20x+ revenue) due to scarcity of mature assets and hypergrowth demand driven by GenAI adoption. Identity Security (IAM/PAM/NHI) is re-rating to 8–15x on the back of the $25B Palo Alto Networks/CyberArk deal and the explosion of non-human machine identities projected to reach an 82:1 ratio versus human identities by 2026.
Is the cybersecurity IPO market open in 2025 and 2026?
Yes—after a multi-year freeze, the IPO window definitively reopened in 2025. SailPoint raised $1.38B at a ~$12.5B valuation in February 2025 and Netskope raised $908M at ~$7.5B later in the year. A pipeline of 16+ candidates including Snyk, Cato Networks, Arctic Wolf, and Claroty are anticipated to test markets in 2026.
How is private equity approaching cybersecurity investments and take-privates in 2026?
PE firms are sitting on over $1T in dry powder and are shifting their focus from pure growth bets toward profitability and niche dominance. Notable 2025 activity included Francisco Partners acquiring Jamf for $2.2B via a take-private targeting operating leverage in the Apple device management ecosystem. PE typically pays 5–8x revenue with approximately a 20% control premium, well below strategic buyer levels of 12–18x.
What regulatory drivers are accelerating cybersecurity M&A in Europe?
The enforcement of NIS2 beginning January 2026 is forcing consolidation across the EU, with buyers acquiring sovereign compliance and reporting tools to meet strict governance standards. DORA is similarly driving mandatory spending in critical financial infrastructure. These regulations are creating valuation moats for compliance-by-design platforms and boosting demand for OT/IoT and data security assets, particularly in the 6–12x revenue multiple range.
Companies covered
Public and private companies referenced in this report.