Market report · Cyber M&A

The cyber M&A landscape: identity at the center, post-quantum on the horizon.

A consolidation wave is reshaping cybersecurity, and identity has become its center of gravity. An operator's read on where the value is moving, and what is coming next.

SME Investment Intelligence · June 2026. Figures as reported by the sources cited below.


Cybersecurity is consolidating in public. After several quieter years, deal value returned to multi-year highs, and the headlines were driven less by venture-stage growth bets than by platform-scale consolidation. By SecurityWeek's count, the sector saw roughly 426 announced deals in 2025, up about 5% over 2024, with value concentrated in a handful of very large transactions rather than spread evenly across the market.

Two megadeals set the tone. Google completed its $32 billion all-cash acquisition of Wiz, its largest ever, and Palo Alto Networks announced an agreement to acquire CyberArk in a transaction valued at roughly $25 billion. The message for investors is not just that money is moving. It is where it is moving, and why.

Identity has become the control plane

For most of the last decade, identity and access management was one category among many. It is now the organizing principle. Palo Alto's move on CyberArk, a privileged access leader, was explicitly framed as a bet on identity security as the control plane for a zero-trust, AI-driven enterprise. The reason is structural: as enterprises deploy AI agents, the number of non-human identities is exploding, and access control becomes the last line of defense. Identity vendors now describe identity as the control plane for the agentic enterprise, with machine identities already vastly outnumbering human ones.

For a sponsor, that reframing matters. A target that touches identity governance, privileged access, or machine-identity management is no longer in a niche. It sits on infrastructure every other security control increasingly depends on. That can justify a premium, and it can also mask how narrow a given company's actual position is.

The identity playbook, proven in public

The clearest value-creation case study in the sector is Thoma Bravo's identity roll-up. The firm took Ping Identity private for about $2.8 billion and ForgeRock for about $2.3 billion, then merged the two, and separately acquired SailPoint. The proof point came in early 2025, when SailPoint returned to the public markets at $23 per share, implying a valuation well above the $6.9 billion Thoma Bravo paid in 2022. Take private, sharpen the operating model, re-list or sell at a higher multiple. The playbook works when the operating improvement is real, and it is exactly the kind of value creation that lives or dies on execution between signing and exit.

What it means for an identity target's value

The risk in a hot category is paying for the label rather than the business. Three questions decide the difference, and none of them can be resolved from a data room. First, which identity problem does the company actually own? Workforce identity, customer identity, privileged access, and governance are different markets with different buyers, and a leader in one may be marginal in another. Second, how much of the revenue is durable product versus implementation services that do not scale the same way? Third, how dependent is the company on a single platform ecosystem whose partner terms or roadmap could shift? Read those correctly and a category premium is justified. Miss them and you have paid a control-plane multiple for a point product.

Post-quantum on the horizon

The next structural shift is already visible. In August 2024, NIST finalized its first post-quantum cryptography standards, FIPS 203, 204, and 205, ending an eight-year process. Federal guidance now points toward deprecating today's public-key algorithms by 2030 and completing the transition by 2035. The threat is not purely future-dated: adversaries can harvest encrypted data now and decrypt it once quantum capability matures, which makes long-lived sensitive data a present-tense concern.

For investors, post-quantum is moving from a research topic to a diligence line item on two fronts. For a security vendor, post-quantum readiness is becoming part of what customers ask for, which makes it a roadmap and competitive-positioning question. For any target holding long-lived sensitive data, the migration ahead is a cost and a risk that belongs in the model. The right question at diligence is not alarmist. It is whether the company knows what cryptography it depends on and whether its architecture is crypto-agile enough to change algorithms without a rebuild.

The SME read

Two themes will define cyber M&A over the next several years: identity as the control plane, and post-quantum as the next mandatory migration. Both reward investors who can tell a real position from a labeled one, and who can underwrite the execution between signing and exit. That is the operator's read, applied to the investor's question, and it is exactly where we work.

Sources: SecurityWeek, 2025 cyber M&A report; Cybersecurity Dive, Google completes $32B Wiz deal; Palo Alto Networks, agreement to acquire CyberArk (~$25B); SecurityWeek, Thoma Bravo merges ForgeRock with Ping; Renaissance Capital, SailPoint IPO pricing; Okta, identity as the control plane for AI agents; NIST, FIPS 203/204/205 approved.
