Validation and defensibility: Why cybersecurity investors are getting disciplined
Cybersecurity VC hasn’t dried up – but the rules have changed. Here’s what that means for founders and the future of defence.
Read MoreThe flight to quality in cyber VC 2025
by Black Hat Middle East and Africa
on
Take your cybersecurity career to the next level with weekly insights, inspiration, and exclusive interviews from the global Black Hat MEA community.
This week we’re focused on…
Data from Pitchbook about cybersecurity VC trends in Q1 2025.
Why?
Because we’re exploring the past, present and future of cybersecurity investing this month, to help you plan for 2026. And a close look at this year’s Q1 holds clues as to where future investments are heading.
The new rules of cybersecurity investing
After the peak of 2021, cybersecurity funding felt unstoppable. But inevitably, the brakes came on.
The question for founders through 2023 and 2024 was whether venture capital would ever return to its earlier pace. And PitchBook’s Q1 2025 Cybersecurity VC Trends report gives a clear answer: the money is still here – but it’s moving differently.
In the first quarter of 2025, cybersecurity startups pulled in USD $3.3 billion across 182 deals. That’s almost identical to Q4 2024’s dollar total, but dramatically fewer deals than a year ago – 182 this quarter compared with 248 in Q1 2024.
So value is up 6.5% year-on-year, but deal count has fallen by more than a quarter. In other words, investors aren’t writing as many cheques – but when they do, the values are higher.
Rising valuations, fewer investments
The valuation picture tells the same story. Median pre-money valuations climbed from $28.7 million in 2024 to $40 million this year, and late-stage step-ups have leapt from 1.4× to 2.5× – that’s an 82% jump. This is the flight to quality: fewer investments overall, but far richer pricing for the startups that can prove themselves.
Where are the funds going?
Look closer at where those dollars went. According to PitchBook, the security operations segment was the biggest winner, attracting about $922 million across 40 deals. Identity and access management followed with $813 million across 29 deals, and application security stayed hot with $555 million across 47 deals.
Network security, on the other hand, barely moved the needle: just $175 million in 10 deals, as buyers increasingly rely on integrated cloud-platform controls instead of point products.
Stage matters too. Almost half of total deal value went to late-stage Series C and D rounds, especially in security operations, where a handful of large deals dominated. Early-stage investors still like areas such as application and endpoint security (where APIs, containers, and distributed endpoints create new attack surfaces) but the cheques there are more selective, and go to companies showing real traction fast.
Exits stayed quiet in Q1
Those hoping for an IPO boom at the beginning of 2025 would’ve been disappointed by subdued exit numbers. Q1 saw just $0.8 billion in exit value across 34 deals – well below the historical first-quarter average of $1.8 billion.
Most of that $0.8 billion came from acquisitions, not public listings. The quarter’s standout exits (NVIDIA’s $320 million acquisition of Gretel, bringing synthetic training data in-house; and CyberArk’s $165 million buy of Zilla Security for AI-driven identity governance) show how strategic buyers are filling product gaps rather than public markets doing the heavy lifting.
For founders, discipline is critical
As Moataz Salah (CEO at CyberTalents) told us in an interview for the blog:
“I believe that idea validation is crucial for the success of any startup, especially in the cybersecurity sector…many founders come from a technical background and may have a great idea, but they often lack the business experience to validate it.”
Today’s VCs want evidence: validated demand and clear revenue paths.
Culture matters too. As Mohammed Almeshekah said at Black Hat MEA 2022, “don’t build a team that is very homogenous because you’re going to miss opportunities…if people only have homogenous networks it doesn’t create a multiplying effect.”
And Emre Kulali (Strategic Partnerships at AccuKnox) pointed out in another interview for the blog that the market is highly saturated and competitive – so “one common mistake is growing their teams and operating costs too quickly, which can lead to premature depletion of resources and runway.”
And for investors, focus on clarity and pricing power
If you’re an investor, none of this is bad news. The excess of 2021 created noise and hype. Now the market is more defined: valuations are rising for winners, and capital can flow into companies with real defensibility.
PitchBook’s data shows those late-stage winners commanding 2.5× valuation step-ups in 2025. That’s serious pricing power when the product and the proof are there.
Keep exploring…
On the blog this week we’ve been digging into investment and budget data in the Middle East and globally.
Read more:
Compliance to confidence: A shift in Middle East cybersecurity investments
Building your 2026 cybersecurity spending guide
Cybersecurity still needs innovators. But as the bar for funding gets higher, investors and founders must fine-tune their focus.
Meet the leaders defining the future of cybersecurity markets at Black Hat MEA 2025.
Sign up for more like this.
Join the newsletter to receive the latest updates in your inbox.
Related articles
From Blade Runner to the boardroom
Explore how AI is reshaping cyber conflict – attackers use it to deceive, defenders use it to protect. And for investors, this is where ROI meets risk.
Read More
How AI protects your favourite movies
Dan Meacham (VP, Cyber and Content Security at Legendary Entertainment) explains how user behaviour analytics, technology sentinels, and forensic watermarking protect the movies you love.
Read More