The persistence and evolution of cybercrime across the US is reshaping M&A in the cybersecurity sector. Driven by escalating threats, increasing costs and liability to businesses, and a growing and more defined regulatory framework, the cybersecurity market is witnessing a flurry of dealmaking activity, with 2025 already outpacing last year.
Though the Middle Eastern conflict introduces great uncertainty to global dealmaking, the growing number of headline-making breaches, increasing regulatory fines and consumer settlements, and intensifying demand for digital defenses have been leading investors and strategic acquirers to reposition to capitalize on the need for stronger security infrastructure.
A rising tide of threats
Cybercrime cost victims more than US$16 billion globally in 2024, according to the FBI’s latest Internet Crime Report—a 33 percent increase over 2023. In the US, the nature of attacks has ranged from low-tech scams to highly coordinated ransomware campaigns that have disrupted critical infrastructure and public services. The year began with a major ransomware strike on Change Healthcare, a unit of UnitedHealth Group, which ultimately cost the company more than US$2.8 billion in response and triggered more than US$6 billion in downstream assistance to affected providers.
Other incidents, such as the December 2024 attacks on US telecom giants AT&T, Verizon and Lumen Technologies by Chinese hackers Salt Typhoon, underscored sector-wide vulnerabilities and the geopolitical dimensions of cybercrime. Meanwhile, Check Point Research reported a 70 percent year-on-year increase in attacks targeting US utilities—one of the most sensitive areas of national infrastructure.
These incursions are not just becoming more frequent, but also more complex. Reports of phishing attacks are estimated to have surged by more than 4,000 percent since the release of ChatGPT in late 2022, driven by generative AI tools that make scams more convincing. Internet of Things malware attacks were up 124 percent in 2024, and ransomware continues to impact a majority of businesses, with 59 percent of organizations affected last year.
Market on the move
Given the scale and growth of the threat, it is no surprise that the US cybersecurity market is expanding in lockstep. According to Statista, the market is projected to reach US$88.3 billion this year, growing at a compound annual growth rate of 7.1 percent through 2029, when it is expected to hit US$116.2 billion. Some estimates are even more bullish, with one projection estimating the market will balloon to US$166.7 billion by 2032, from US$73.1 billion in 2025—a 12.5 percent compound annual growth rate.
This rising demand is powering big-ticket and mid-cap dealmaking activity alike. In 2024, US cybersecurity M&A saw 77 transactions worth a combined US$4.9 billion, a slower year by historical standards but still significant given the macroeconomic backdrop. Major deals included Mastercard's US$2.7 billion acquisition of threat intelligence provider Recorded Future and CyberArk's US$1.5 billion acquisition of Venafi, a machine-identity management company.
Activity measured by value rebounded sharply in 2025, thanks in large part to a standout megadeal: Google parent Alphabet’s acquisition of cloud security unicorn Wiz for US$32 billion including net debt.
At the tail end of March, EQT and ABKRR announced the US$500 million acquisition of Tampa-based ReliaQuest, a security operations platform focused on threat detection and response. Just days earlier, Island Technology, a cyber company best known for its enterprise browser product, was acquired for US$250 million by a consortium led by Coatue and Marlin Equity. Both PE deals highlight the continued financial interest in mid-market cybersecurity targets with differentiated IP and strong enterprise traction.
Alphabet’s acquisition of Wiz, which is not only the largest cybersecurity deal on record but also the technology giant’s biggest play to date, lifted cyber M&A value to US$32.9 billion in Q1, nearly seven times the value recorded in all of 2024, despite a relatively modest 14 transactions in the three-month period.
Regulations ramping up
A number of powerful forces are propelling this activity. Chief among them is the regulatory shift underway in direct response to the Salt Typhoon attacks. The Federal Communications Commission has called on US telecom companies to shore up their defenses, adopting new rules. FCC chair Jessica Rosenworcel stated in January, "Our existing rules are not modern. It is time we update them to reflect current threats so that we have a fighting chance to ensure that state-sponsored cyberattacks do not succeed."
In March, the FCC established a new Council on National Security tasked with utilizing the agency’s full range of regulatory, investigatory and enforcement powers to address foreign threats, with a particular focus on risks posed by China to the US technology and telecommunications sectors. Its goals include reducing reliance on foreign adversaries in supply chains and mitigating vulnerabilities to cyberattacks and espionage.
A wider wave of compliance-focused scrutiny is likely to impact other critical industries in the coming months. There has been heightened activity in Congress, where legislation has been reintroduced in the House of Representatives aimed at assessing and mitigating cyber threats from China that target US critical infrastructure more broadly. Congressional committees have been holding hearings and pressing federal agencies such as the Department of Homeland Security and its Cybersecurity and Infrastructure Security Agency on their response to these threats and the overall security posture of the nation.
In addition, the Department of Justice finalized rules at the end of 2024 imposing cybersecurity compliance requirements on US entities transferring or permitting access to sensitive data to certain countries, including China, Russia and Iran, with enforcement slated to begin on July 8, 2025.
The road ahead
Despite the sector’s obvious tailwinds, cybersecurity M&A still faces some challenges. Macroeconomic growth uncertainty and elevated interest rates have curbed risk appetite, particularly for leveraged transactions. Valuations in some parts of the market remain frothy, with heavy competition for assets creating mismatches between buyer and seller expectations. The escalating Middle Eastern conflict could also put the brakes on dealmaking.
For the time being, however, all signs point to an acceleration in dealmaking in the space. The scale, sophistication and impact of cyberattacks continue to grow, and AI is emerging as a key battleground. As attackers adopt new intelligent tools to breach systems and manipulate users, defenders will need to match them in capability and speed.
This demands ongoing investment, not just in technology but in talent and intelligence. M&A will remain the primary means for companies to acquire these capabilities at scale, while PE is demonstrating sustained interest in this long-term growth area. While macro conditions may dampen deal activity in other sectors, cybersecurity appears to be entering a new cycle of strategic urgency. With more and bolder breaches, rising regulatory scrutiny, and threat and response innovation constantly evolving, cybersecurity M&A in the US will be a key area of opportunity—and necessity.