A total of 405 cybersecurity-related merger and acquisition deals were announced in 2024, the smallest number since SecurityWeek started tracking M&A deals in 2021. 

However, there was a surge in cybersecurity M&A deal volume in the second half of 2024. The number of deals in that period reached 227, which is the highest number of transactions since the first half of 2022.

SecurityWeek’s analysis shows that of the 405 deals, 269 involved pure-play cybersecurity firms. The other transactions involved companies whose offering includes, but is not limited to, security. 

A geographical analysis shows that a majority of deals (286) involved North American companies, followed by Europe with 124 cybersecurity M&A deals. There are no significant changes compared to 2023. 

In terms of countries, the biggest percentage of deals involved companies in the United States, followed by the UK, Australia, Israel, Canada, and Germany. Compared to the previous year, the UK saw a significant increase in the number of acquisitions, from 48 to 67, while Ireland and Sweden saw fewer cybersecurity deals — both countries with less than 10 deals in 2024.

In 2024, financial terms were disclosed for 68 cybersecurity acquisitions, for a total value of $50.75 billion. Of these, 52 deals involved pure-play cybersecurity companies for a total disclosed value of $28 billion. 

In comparison, in 2023, financial details were disclosed for 58 deals for a total disclosed value of $50.4 billion. Financial information was made public for 41 deals involving pure-play cybersecurity companies, for a total disclosed value of $14.3 billion.  

Eleven of the deals announced in 2024 exceeded $1 billion, including Gen Digital’s acquisition of MoneyLion ($1 billion), Mastercard’s acquisition of Recorded Future ($2.7 billion), Salesforce’s acquisition of Own ($1.9 billion), CyberArk’s acquisition of Venafi ($1.54 billion), Hg’s acquisition of AuditBoard ($3 billion), Thoma Bravo’s acquisition of Darktrace ($5.3 billion), and HPE’s acquisition of Juniper Networks ($14 billion). It’s worth noting that the HPE/Juniper deal may not go through. 

Eight of the $1 billion+ deals involved pure cybersecurity companies. In the previous year, only six deals were valued at more than $1 billion, and four of them involved companies that offer only security solutions.

Of the 25 mergers and acquisitions ranging between $100 million and $1 billion, 22 involved pure cybersecurity companies. In 2023, there were 20 M&A deals in this price range, including 15 involving pure security firms. 

Our data shows that 119 deals involved managed security solutions providers (MSSPs) in 2024. This includes product distributors and companies that offer other products and services in addition to cybersecurity. Of these MSSPs, only 43 were pure cybersecurity providers.

The number of deals involving MSSPs dropped in 2024 compared to 2023, when there were 155 such transactions. 

While it’s important to keep track of MSSP deals as these companies play a significant role in the cybersecurity industry, we are tracking them separately in an effort to get a better view of the other categories.    

Excluding MSSPs, the category with the highest number of transactions was governance, risk management and compliance (GRC), which saw 68 deals in 2024, exactly the same number as in 2023. In addition to companies offering GRC solutions and services, this category includes assessment, audit, vulnerability management, penetration testing, attack surface management, and cyberinsurance.  

After GRC, the highest number of deals involved companies offering data protection solutions and services, with 44 transactions in 2024. Data protection was in the fourth spot in 2022, but then dropped to the eighth position in 2023, and it’s now back in the top 3, with nearly twice as many deals as in the previous year. 

Network security takes the third position, the same as in the two previous years, with roughly 40 deals every year.

Dozens of deals involved incident response companies, a category that includes SOAR, SIEM, SOC, and forensics. The number of transactions involving incident response firms increased from 26 in 2023 to 38 in 2024. 

The same number of deals, 38, involved government contractors, which is roughly the same as in the previous year. However, a larger percentage when compared to 2023 (nearly half) are pure cybersecurity companies. 

Application security firms were involved in 31 deals last year, compared to 18 in 2023. 

Identity-related solutions and services providers however dropped from second place in 2023 (41 deals) to seventh place in 2024 (28) deals. 

Private equity firms were also significantly less active in terms of M&As in 2024. Only two dozen deals involved private equity companies, compared to 37 in 2023.  

One area that saw an increase was industrial, with 16 deals, up from 9 in 2023. On the other hand, consumer security firms were involved in only two deals, down from nine in 2023, and consulting dropped from 24 deals in 2023 to 12 deals in 2024. 

There haven’t been any significant changes in the number of deals involving cloud security, threat intelligence, fraud, training, and web and email security companies. 

In this year’s report we have also added an AI category. Eight deals added to our M&A database involved AI security companies. We also created a separate category for blockchain security, with three deals seen in 2024. 

The ‘specialized’ category, which in 2024 included 27 deals, covers firms that provide highly focused cybersecurity services. This can include services related to accounting, specific hardware, orchestration, physical events, certification, surveillance, insider threat, healthcare, media, maritime, and cryptocurrency.   

Monthly summaries of 2024 cybersecurity M&A deals: January, February, March, April, May, June, July, August, September, October, November, December.

Methodology: The data was collected through news distribution services, Google searches and pitches from PR companies. The data includes companies that issued press releases announcing or mentioning acquisitions, as well as deals that have been privately reported to SecurityWeek. All deals that had a cybersecurity component have been taken into account for this study. Mergers and acquisitions that did not have an English-language announcement may not be included. The data could also include some deals that may have not been completed after they were announced. 

The GRC category includes governance, compliance, risk management, audit, assessment, vulnerability management, penetration testing, attack surface management, offensive security, and cyber insurance. Network security includes endpoint security, MDR, XDR, NDR, and SASE. Identity includes IAM, PAM, secure access, authentication, and authorization. Incident response includes SOAR, SIEM, SOC, and forensics. ‘Other (specialized)’ includes hardware, quantum, payment, healthcare, PR, education, certification, design, workforce, communications, and automotive. Data protection includes encryption/cryptography, VPN, privacy, backup and blockchain. MSSP includes cybersecurity solution distributors and companies that do not develop their own products or solutions.