Table of contents

• Key takeaways
• Regulations
• Funding
• Product updates
• Partnerships
• M&A
• Appendices

Key takeaways

• Regulations

  • Four states enacted privacy legislation: The count of states with privacy laws rose to 18 in Q2 2024, as Kentucky, Nebraska, Maryland, and Minnesota enacted privacy legislation. Another attempt at a national privacy law was brought this quarter, with the American Privacy Rights Act (APRA) debated at committee hearings. The APRA is the latest attempt at a unified privacy framework in the US; if passed, it would alleviate pressure on cross-state companies to keep up with multiple state privacy laws.
  • In other news, the European Data Protection Board (EDPB) adopted an opinion on the non-compliance of Pay or Okay models for behavioral advertising, and companies on both sides of the pond found themselves running afoul of privacy regulations.

• Funding

  • Q2 funding was buoyed by a USD 1 billion Wiz round: Cybersecurity startups raised USD 2.1 billion across 33 rounds during Q2 2024, up ~24% QoQ. Around half of this came from cloud security firm Wiz’s USD 1 billion in late-stage funding. A small number of growth funding rounds made up the bulk of the other half of funding. This contrasts last quarter, where we observed numerous mega deals comprising the majority of funding. Funding on an upward trend in the last few quarters and consistently large deals each quarter may signify a return to highs seen in the last few years, with investors focusing on late-stage startups.

• Product updates

  • CrowdStrike unveiled some key features for Falcon: We did not observe any major product launch trends in Q2 as with secure access service edge (SASE) and GenAI in previous quarters, with most participants seemingly preferring to bolster their existing products through feature and functionality upgrades. CrowdStrike was the exception by 1) announcing an insurer-focused version for Falcon, 2) updating its security information and event management (SIEM) platform with GenAI and automation capabilities, and 3) unifying application security posture management (ASPM) with Falcon Cloud. 
  • Notably, Alphabet was the only Big Tech with notable product updates this quarter, announcing the integration of its Gemini AI model with Mandiant and VirusTotal.

• Partnerships

  • We saw numerous updates from Alphabet and Microsoft focusing on improving existing platforms and extending services across environments: While Big Tech once again came to the forefront of collaboration, we observed a decline in partnerships (28 in Q2 vs. 42 in Q1) during the quarter. Most of these partnerships focused on the integration of existing products, extending services to new environments, or adding on features and functionality. Alphabet, via Google Cloud, was the most active company, announcing nine partnerships in Q2 ranging from threat intelligence integrations to infrastructure alliances, while Microsoft announced a number of IAM partnerships. Other incumbents like Amazon and Cisco were also active during the period, which saw minimal disruptor participation.

• M&A

  • Darktrace leads mammoth deal season: The British cybersecurity company announced it was being acquired by private equity firm Thoma Bravo in a USD 5.4 billion take-private deal in a quarter that saw two more acquisitions exceeding the billion mark: CyberArk acquiring Venafi and Fortinet acquiring Lacework. We also observed a number of other deals focusing on synergies between platforms.

• Outlook

  • Investor confidence in the sector appears to be on an uptrend, with a fairly healthy quarter in terms of funding and a general upward trend across the last two quarters following a sluggish period, particularly toward late-stage startups. This was evident by the USD 1 billion investment in mature cloud security player Wiz.
  • In July 2024, Alphabet was reported to be in talks to acquire Wiz for a blockbuster USD 23 billion, mirroring Cisco’s acquisition of Splunk in Q3 2023 and signifying strong interest from tech giants in the cybersecurity sector. This also aligns with investor interest in late-stage cybersecurity startups; they want to lock down their piece of the pie before the startups are snapped up by Big Tech or go public as was the case with SentinelOne and CrowdStrike. 
  • Strong M&A activity also signifies an ongoing trend of consolidation within the cybersecurity space, as incumbents and larger disruptors look to expand their product offerings and provide one-stop solutions.
  • Furthermore, Canalys forecasts total cybersecurity spending to grow 12% in 2024, signaling growth expectations in the upcoming months, against a backdrop of 6% growth in overall IT spending during the same year.

Regulations: US national privacy law discussion heats up; state law count rises to 18

Analyst Take: It was a fairly eventful quarter for state privacy laws in the US, with four states passing privacy laws, bringing the total count to 18. This was just shy of Q2’s count last year when we observed five states sign privacy legislation. There was also a new development in the effort to establish a nationwide privacy framework, with the introduction of the APRA. The latest attempt at regularizing privacy in the US, the APRA is a bipartisan, bicameral piece of legislation that aims to provide a common framework for privacy across the nation, alleviating pressure on organizations that operate across state lines to keep up with multiple privacy laws.

• Four states enacted comprehensive privacy laws over Q2 2024
  • The Governors of Kentucky, Nebraska, Maryland, and Minnesota signed into law each state’s respective privacy legislation, bringing the count of US states with a comprehensive privacy law to 18. The new laws all have similar eligibility criteria to existing state privacy legislation and provide for similar consumer rights and controller obligations.

Privacy legislation signed into law in Q2 2024

• In April 2024, members of the House Committee on Energy and Commerce and the Senate Committee on Commerce, Science, and Transportation introduced the APRA in an effort to consolidate the existing patchwork of state privacy laws into a unified federal framework.
  • Although still in the early stages of committee hearings, the APRA, if enacted, would provide consumers across states uniform rights and control of how their data is collected and processed. The law would also give consumers a private right of action, whereas most privacy laws limit enforcement powers to state agencies. 
  • The Act would relate to any data that identifies or is reasonably linked to an individual and would apply to “covered entities,” which determine the purpose and means of processing this data, including businesses under the jurisdiction of the Federal Trade Commission.
  • Some main requirements of the APRA include data minimization, transparency, consumer controls, and opt-out rights.

• The EDPB issued an opinion on Pay or Consent models for online platforms
  • The EDPB adopted the opinion that online platforms would not comply with the GDPR’s definition of valid consent, as consent would not be given freely if users are given a choice between giving consent to process their personal data and paying a fee. 

• We also saw a number of fines during the quarter, both in Europe, under the GDPR, and in the US, including the following:
  • A collective USD 200 million in fines leveled at the top wireless carriers in the US by the Federal Communication Commission for sharing customer location data without their consent.
  • A USD 15 million fine targeted at Avast by the Czech Data Protection Authority for the unauthorized sale of private customer data through its Czech subsidiary, Jumpshot, between 2014 and 2020. The Federal Trade Commission fined Avast for the same incident last quarter.

Funding: Wiz deal dominates cybersecurity funding

Analyst Take: The Cybersecurity vertical raised over USD 2 billion in Q2 2024, with nearly half of this figure being accounted for by a late-stage investment in cloud security firm Wiz. Besides this round, the funding market in Q2 witnessed a number of smaller but sizable deals, including USD 100 million+ funding rounds from Island and Huntress. Q2 also saw the highest funding by value since Q4 2022. Overall funding has been on an upward trajectory over the last few quarters, following a lull last year: this, combined with consistently large deals each quarter, potentially signifies a return to the funding highs of 2021/2022, with investors focusing once again on late-stage startups. 

Cybersecurity (Q2 2024): Funding summary

• Bolstered by a massive USD 1 billion Series E investment in cloud security company Wiz, the Cybersecurity vertical raised nearly USD 2.1 billion across 33 funding rounds in Q2 2024. This is a 101.0% YoY increase in terms of value and a 44.1% YoY decrease in the number of rounds compared with Q2 2023 (~USD 1.0 billion across 59 rounds). 

• The Next-gen Cybersecurity industry raised USD 1.9 billion, making up 91.1% of all cybersecurity funding by value during the period and reaching its highest since Q1 2022. Overall funding across the vertical has also been on an upward trajectory across the last few quarters.

Cybersecurity (Q2 2024): Funding by industry

• The Next-gen Cybersecurity industry saw the most growth this quarter, a USD 1.2 billion (166.4%) increase YoY. Other sectors did not see the same kind of growth, with IAM and Next-gen Email Security experiencing declines in funding compared with Q2 last year (51.5% and 73.4%, respectively). Digital Privacy Tools funding increased marginally (11.4%) and Cyber Insurance startups raised no funding during the period.

• Overall cybersecurity funding in Q2 2024 grew 23.8% in terms of value and shrank 34.0% in terms of number of rounds compared with USD 1.7 billion raised across 50 rounds during Q1 2024. We observed Next-gen Cybersecurity funding increase by 63.3% QoQ although all other industries saw declines: Digital Privacy Tools, IAM, and Next-gen Email Security saw funding fall by 42.8%, 68.7%, and 80.0%, respectively.

Average deal size by industry (USD million)

• Overall deal size grew ~230% YoY compared with Q2 2023, with significant expansion in Next-gen Cybersecurity (~307%) and notable growth across Digital Privacy Tools (~39%) and IAM (~70%). The Next-gen Email Security deal size shrank ~47%.

• Growth rounds in Q2 2024 totaled USD 1.7 billion, representing ~82% of all funding by value. This is a growth of ~219% YoY compared with Q2 2023, a growth of ~53% QoQ compared with Q1 2024, and the highest level of growth funding by value in two years.

• Next-gen Cybersecurity was the main contributor to this uptick in growth funding, with USD 1.6 billion in growth rounds—80% of all funding across the Cybersecurity vertical during Q2. Growth rounds comprised ~88% of Next-gen Cybersecurity funding during the quarter compared with ~65% during the same period last year. 

• In the Digital Privacy Tools industry, funding was more evenly distributed across stages. IAM funding was focused on Other rounds, while Next-gen Email Security witnessed one early-stage funding.

• The increase in growth-stage funding was accompanied by contractions across all other funding stages, leading to overall growth in deal size. The average deal size has been rising steadily since Q2 2023, signifying a possible return to the heyday of mega deals from previous years due to increased interest in mature startups with proven products.

Cybersecurity (Q2 2024): Funding by stage

Top 10 funding rounds across Cybersecurity (Q2 2024)

• In addition to Wiz’s USD 1 billion deal, the Cybersecurity vertical saw four more funding rounds exceeding USD 100 million compared with seven the previous quarter.

• These included secure enterprise browser provider Island’s USD 175 million Series D funding round and network detection and response startup Corelight’s USD 150 million Series E.

• The other mega deals of the quarter were a USD 150 million Series D funding round raised by small business cybersecurity specialist Huntress and a USD 115 million Series D closed by ThreatLocker.

• The 10 largest startup funding rounds of Q2 2024 totaled over USD 1.8 billion or nearly 90% of the total funding raised. These were primarily growth rounds.

Product updates: Developments focus on feature updates for existing products

Analyst Take: It was a fairly muted quarter in terms of product updates, with disruptors and incumbents generally focusing on expanding features and functionality across existing products. There was no major trend as with SASE or GenAI across previous quarters. CrowdStrike was the most active participant, announcing a number of new products and enhancements, with Palo Alto Networks also making two announcements.

• CrowdStrike was the most active in Q2 in terms of product news, with three notable updates:
  • The company launched CrowdStrike Falcon for insurability, a version of its Falcon platform that allows insurers to provide cybersecurity to their customers at preferential rates, thereby minimizing their own underwriting risk.
  • CrowdStrike also announced Falcon Next-Gen SIEM, an updated release of its SIEM tool incorporating GenAI, workflow automations, rapid data ingestion, enriched incident information, and over 500 integrations.
  • It also announced the general availability of CrowdStrike Falcon ASPM as a directly integrated part of its Falcon Cloud security platform.

• Diversified cybersecurity incumbent Palo Alto Networks also announced product updates during the quarter, including the following:
  • Prisma SASE 3.0, an updated version of its SASE platform, incorporating a natively integrated enterprise browser, allowing the company to extend service to unmanaged devices.
  • New AI-powered updates to its suite of products based on its proprietary precision AI system, which combines GenAI, deep learning, and machine learning. The company also launched AI copilots for its Strata, Prisma, and Cortex platforms.

• In terms of Big Tech product updates, it was a fairly quiet quarter, with Alphabet being the only player to make any announcements:
  • The tech giant announced the integration of its Gemini AI model with its Mandiant cybersecurity suite and VirusTotal threat intelligence to bolster the operationalization of threat intelligence.

• BlackBerry and DarkTrace announced new AI-powered managed detection and response (MDR) products:
  • BlackBerry announced Cylance MDR, an enhanced version of its MDR solution powered by Cylance AI. The new offering combines human expertise with AI to bolster alert triage, investigation, managed threat hunting, digital forensics, incident response, and critical event management.
  • Cybersecurity AI specialist Darktrace launched a new AI-powered MDR service combining advanced AI detection capabilities with expert analysis, offering real-time threat containment, expert alert management, and comprehensive oversight of security environments.

• Other cybersecurity product updates were more varied compared with previous quarters, where activities were more focused toward a specific areas across the vertical:
  • Cloud security company Lacework announced the launch of a new data-driven security service edge (SSE) solution, expanding its expertise in cloud security to the network edge.
  • AppOmi, a SaaS security company, launched Zero Trust Posture Management to extend zero-trust security to the application layer, offering comprehensive visibility into SaaS applications, including configuration, security posture, and user behavior.
  • Fortinet launched a new GenAI assistant for IoT security.
  • Deep Instinct announced Deep Instinct's Artificial Neural Network Assistant, an AI malware analysis companion powered by LLMs, leveraging the collective knowledge of the cybersecurity community.

• BigID announced the only product update in the Digital Privacy industry:
  • The data security and compliance company announced an industry-first hybrid scanning technology for cloud-native workloads, combining side-scanning for quicker delivery and direct scanning for deeper insights.

• The IAM industry saw a number of announcements as well, with varying scope and functionality:
  • CyberArk launched new identity threat detection and response features and AI-driven enhancements to its identity security platform.
  • Amazon Web Services (AWS) announced the launch of passkeys for its IAM service, allowing users to use passwordless methods to access their AWS resources and services.
  • SailPoint announced the launch of AI-powered application onboarding for its platform, allowing customers to integrate business applications seamlessly while enhancing identity security.

Notable product updates by type during Q2

Partnerships: BigTech take back the spotlight after a muted first quarter 

Analyst Take: Partnership activity, like product news, was subdued this quarter, and collaborations that did take place mostly focused on improving existing platforms, extending services across environments, and integrations between existing solutions from various companies. Big Tech and other incumbents drove most activity this quarter, a rebound from Q1, where disruptor partnerships stole the spotlight.

• We witnessed 28 partnerships among monitored firms across all industries in the vertical through Q2 2024. The Next-gen Cybersecurity industry accounted for three quarters of these partnerships, and 93% of activity focused on product collaborations. Big Tech was once again at the forefront after taking a step back in the previous quarter. 

• Alphabet, through Google Cloud, was the most active in terms of partnerships during Q2, collaborating with a number of firms, including the following:
  • A partnership with Nozomi Networks to combine Mandiant threat intelligence with Nozomi Network’s operational technology (OT) threat intelligence tools.
  • A collaboration with Menlo Security to enhance its browser security solution for enterprises by leveraging Google Cloud’s global infrastructure.
  • A partnership with SSO provider Tools4Ever to enhance the capabilities of its IAM product for Google Suite users.
  • Google Cloud also partnered with Thales Group to launch a new global security operations center (SOC) platform with advanced detection and response capabilities, with Reliance Cyber to enhance cybersecurity for customers in the UK and Ireland, and with Accenture to combine the latter’s global capabilities with Mandiant incident response and threat intelligence.
  • CrowdStrike and Google Cloud teamed up to enhance cloud security operations by integrating CrowdStrike’s Falcon cybersecurity solution with Google Cloud’s Security Operations platform.
  • Additionally, the company announced collaborations with Cyberproof, to uplift the provider’s extended detection and response (XDR) services, leveraging Google Chronicle Security Operations, and with Cyrebro to enhance its MDR solution.

• Microsoft was also fairly active during the quarter:
  • The Big Tech firm announced a number of partnerships in the IAM space, including with HYPR, RSA, and Cisco Duo, to integrate their platforms with Microsoft Entra ID and allow customers to use their multi-factor authentication (MFA) methods.
  • Microsoft also partnered with ForeScout Technologies to enhance risk prioritization and mitigation by combining the latter’s asset visibility capabilities with its own security solutions.

• Other incumbent partnerships included the following:
  • Cisco partnering with Sentinel Technologies to integrate its XDR solution with the latter’s new FortisX MDR service.
  • NVIDIA partnering with Zscaler to enhance the latter’s zero-trust security capabilities through integration with Nvidia’s AI technologies.
  • A collaboration between AWS and CrowdStrike to unify AWS’ protection on the CrowdStrike Falcon platform.
  • Acronis partnering with Mulberri to provide cyber insurance to small and medium-sized businesses (SMBs) through the Acronis platform.
  • A partnership between endpoint management provider NinjaOne and endpoint protection specialist BitDefender to launch a new endpoint security suite.
  • Tata Consultancy Services partnered with CrowdStrike to combine the latter’s Falcon XDR with the former's global presence and cybersecurity expertise.
  • Exposure management company Tenable partnered with security solutions provider Sophos to launch the new Sophos Managed Risk service.

• In terms of disruptor activity, we observed the following:
  • NinjaOne partnered with CrowdStrike to offer comprehensive endpoint protection combining endpoint management, visibility, security, and remediation.
  • Aqua Security and Orca Security announced a partnership to combine Aqua’s run-time protection for cloud-native workloads and Orca’s multi-cloud visibility capabilities.

Notable Big Tech partnerships across Cybersecurity during Q2

M&A: Darktrace to go private; market bolstered by big-ticket deals

Analyst Take: We observed a number of large deals led by Thoma Bravo’s USD 5.3 billion move to take Darktrace private. Other large M&As in Q2 2024 included CybArk’s acquisition of Venafi and Fortinet acquiring Lacework, both exceeding the billion mark. We observed a total of 19 deals in our coverage of M&As, mostly in the Next-gen Cybersecurity industry, with participants generally aiming for synergistic acquisitions to expand or unify their product portfolios.

• The standout deal of the quarter was private equity firm Thoma Bravo’s ~USD 5.3 billion bid to take cybersecurity AI leader Darktrace private. The acquisition will involve delisting the LSE-listed cybersecurity firm, with the deal expected to close by the end of 2024 although still subject to shareholder approval. 

• We witnessed a number of other big ticket deals this quarter in the Next-gen Cybersecurity and IAM industries, including the following:
  • IAM company CyberArk’s acquisition of machine identity management provider Venafi from Thoma Bravo for ~USD 1.5 billion. The acquisition will allow CyberArk to offer a unified platform for end-to-end machine identity management at enterprise scale.
  • Fortinet acquiring cloud security specialist Lacework in June for ~USD 1 billion to integrate the latter’s cloud-native application protection platform (CNAPP) with its existing tools for API and web application security. The deal notably follows a failed bid by Wiz to acquire Lacework earlier in the quarter.
  • Cloud services and security firm Akamai acquiring API protection startup Noname Security for USD 450 million, a significant discount compared with the USD 1 billion valuation from its previous funding round.
  • The acquisition of Onfido, an identity verification firm, for reportedly more than USD 400 million, by identity, data, and payments security provider Entrust. The acquisition will reportedly allow Entrust to provide a comprehensive portfolio of AI-power, identity-centric security solutions.

• Looking at other M&As across the period, Next-gen Cybersecurity was once again the most active industry:
  • SIEM providers Exabeam and LogRhythm announced intent to merge, bringing together advanced technologies in the threat detection, investigation, and response segment.
  • Networking and security company Cloudflare acquired passwordless access company BastionZero to bolster its SASE capabilities.
  • Palo Alto announced it was in talks to acquire assets of IBM’s QRadar Security SaaS suite to strengthen its Cortex extended security intelligence and automation management platform, with the deal expected to close by September 2024.
  • Zero trust cybersecurity specialist Zscaler announced the acquisition of agentless segmentation provider Airgap Networks. Zscaler plans to combine its zero trust software-defined wide area network with Airgap’s technology to extend its SASE capabilities to facilities with critical operational technology infrastructure.
  • Lumifi, an MDR provider, acquired managed XDR company Netsurion to deliver enhanced security to the latter’s customer base.
  • Tenable acquired Eureka Security to add data security posture management to its CNAPP solution.
  • External attack surface management provider NetSPI announced the acquisition of Hubble Technology, a cyber asset attack surface management (CAASM) company to integrate the latter’s Asset Intelligence and CAASM product into the NetSPI platform.
  • Veracode, a software code analysis company, announced a deal to acquire Longbow Security, a seed-stage company working on a solution to automate the root cause analysis of critical vulnerabilities.
  • Information management solutions company Open Text acquired Pillr, a managed detection and response provider catering to managed service providers.

• We observed two deals in the Digital Privacy Tools space in Q2 2024:
  • DataGuard, a compliance and data privacy SaaS company, announced the acquisition of Stockholm-based privacy management solutions provider to enhance its offering and expand its geographical footprint mainly in the Nordics and the UK.
  • Security and compliance automation company Drata acquired intelligent user governance platform Harmonize.io to automate identity lifecycle management.

• Besides the blockbuster CyberArk–Venafi and Entrust–Onfido deals, the IAM industry saw an additional acquisition on the smaller end of the spectrum:
  • Intelligent identity access and security solutions company BeyondTrust announced the acquisition of privilege management solutions startup Entitle for ~USD 150 million.

• We also observed one solitary acquisition in the Next-gen Email Security segment:
  • Cybersecurity training company KnowBe4 acquired AI-powered email security provider Egress to combine the latter’s technologies with its awareness training and simulated phishing products to expand into new markets.

Trends in M&A activity

Appendices

1. Notable Big Tech partnerships across Cybersecurity

2. New startups that raised funding in Q4