Cybersecurity: Consolidation and competition

Focus areas: Cloud, identity, AI and threat intelligence
 

Cloud security and infrastructure

Google’s record‑breaking acquisition of Wiz underscored the strategic importance of platforms that secure cloud environments at scale, particularly as cloud and AI workloads become core to enterprise operations. Beyond Wiz, a number of transactions focused on strengthening cloud‑native security foundations, including threat detection, telemetry and response capabilities that operate across distributed environments.

Identity and zero trust acceleration

Identity emerged as a central theme in cybersecurity M&A during 2025, reflecting the accelerating adoption of zero‑trust security models in enterprise environments. As organisations continue to operate across distributed cloud platforms, remote workforces and increasingly automated systems, identity – not the network perimeter – has become the key defence against modern threats.

The acquisition of CyberArk by Palo Alto Networks exemplifies this shift, embedding identity and privileged access management more deeply into a broader security platform. Beyond large‑scale transactions, 2025 also saw a series of more targeted acquisitions aimed at strengthening specific layers of the identity stack. For example, Ping Identity’s acquisition of Keyless expanded authentication capabilities designed to counter AI‑driven impersonation and credential abuse. Meanwhile, Twilio’s acquisition of Stytch reflected growing demand for API‑native identity infrastructure, particularly in applications that interact with both human users and AI agents.

AI-powered security and automation

One of the defining themes of 2025 was the infusion of AI into cybersecurity products. Several transactions focused on embedding AI‑native automation into established security platforms. For example, Checkmarx’s acquisition of Tromzo reflects growing demand for AI‑driven remediation workflows that can prioritise vulnerabilities and automate response actions across modern application environments. These types of capabilities are increasingly viewed as essential to making security programmes scalable, particularly in large and complex digital estates.

Alongside the use of AI to improve security operations, 2025 also saw increased M&A activity aimed at securing AI systems themselves. As organisations deploy generative and autonomous AI more widely, new risk categories, including model misuse, data poisoning, code injection and prompt manipulation, have emerged. Red Hat’s acquisition of UK‑based AI security specialist Chatterbox Labs illustrates how infrastructure and platform providers are moving to address these issues by acquiring specialist expertise, rather than developing it in‑house.

More broadly, established cybersecurity vendors such as CrowdStrike, SentinelOne, Zscaler and F5 continued to consolidate AI‑focused capabilities through targeted acquisitions. Taken together, these transactions demonstrate how AI in 2025 shifted from being a differentiating feature to a core enabling layer within enterprise security platforms, driving both consolidation and strategic repositioning across the sector.

Risk and compliance

Another active segment was governance, risk and compliance technology (GRC), driven by mounting pressures worldwide. 2025 saw at least 63 acquisitions in the GRC category, as organisations looked to strengthen data protection, audit and regulatory compliance. With new cyber, data protection and operational‑resilience regimes moving from implementation to enforcement, compliance increasingly became a continuous operational requirement, rather than a periodic reporting exercise.

Heightened privacy and cybersecurity standards, including obligations relating to third‑party risk, incident reporting and data governance, have elevated cyber and compliance issues to the board and executive risk agenda. In response, organisations have sought more integrated and automated approaches to managing risk, prompting sustained acquisition activity in areas such as data privacy management, regulatory monitoring and third‑party risk assessment.

This trend was also seen on the services side, where global consultancies acquired specialist risk and compliance boutiques and managed security providers. These transactions reflect client demand for end‑to‑end solutions that combine advisory services with technology and managed execution, particularly in heavily regulated sectors. Taken together, these developments show that GRC is evolving from a standalone function into a core component of enterprise risk management, with M&A playing a central role in building the required scale, capability and integration.

A defining year for cybersecurity M&A

Looking ahead to 2026, cybersecurity M&A is expected to remain active, driven by increased cybersecurity demands rather than transient cyclical conditions. As security requirements are becoming even more deeply embedded into core business systems, particularly cloud‑based and AI‑enabled platforms, larger players are likely to continue using acquisitions to accelerate capability development and maintain relevance in an increasingly complex risk environment.

We expect areas such as data security, identity governance, critical infrastructure protection and compliance‑driven technology to remain focal points for deal activity. Demand in these segments is increasingly shaped by client expectations for demonstrable resilience and operational assurance, rather than standalone security products, favouring integrated platforms and supported services.

In particular, as AI is further woven into products and key systems and connected to sensitive data, larger security players will likely keep acquiring innovative startups to keep ahead. Regulatory pressures and client expectations for cyber resilience will also likely sustain demand for solutions, driving acquisitions in compliance, data security and critical infrastructure protection.