What you'll learn

  • AI security as a standalone category is collapsing — only 2.6% of 2025 funding went to it, while identity alone pulled four times that.

  • The "great bundling" is real — IT, observability, and consultancy giants are absorbing security, and the boundary of the category is dissolving.

  • Cyber funding is regionalizing — US-to-US grew 125%, intra-European 209%, and the US plus Israel now absorb 91% of global cyber capital.

Description

Most takes on the cybersecurity market this year are downstream of vibes — vendor floors, conference panels, what a CISO heard on a Slack thread. Mike Privette tracks the actual money. As the author of Return on Security, he watches the funding rounds, the M&A flow, the layoffs, and the graveyard with the discipline of an industry analyst who isn't paid by either side. His 2025 state of cybersecurity market report covers $25B in funding and $67B in M&A, and the picture it paints isn't the one you get from RSA.

This second appearance on Zero Signal goes after the disconnects. AI security as a standalone category got a tiny fraction of total dollars — not because AI doesn't matter to security, but because "AI security" stopped meaning anything specific the moment building in AI became the default. Identity, AppSec, the SOC, and a handful of legacy categories absorbed the spend. Meanwhile, ServiceNow buys Armis, Palo Alto buys Chronosphere, Datadog gets deeper into security, and the line between "cybersecurity company" and "IT platform" gets blurrier by the quarter.

The harder argument Mike makes is that the service economy is about to overtake product innovation as the place real returns get made. Private equity is rolling up MSSPs, large consultancies are buying capability and selling outcomes, and AI is finally letting service businesses scale on better unit economics than ever before. For a security leader trying to figure out where to spend, who's going to still be around in three years, and which categories are going to consolidate into something larger, this conversation is the map.

What we cover

  • "AI security as a misnomer" — why a once-promising category collapsed into the rest of the stack

  • "the great bundling" — IT, observability, and consultancies acquiring security capability wholesale

  • "features are no longer issues" — what changes when product parity is trivial and consolidation wins

  • "the service economy overtakes product innovation" — PE roll-ups, Accenture-style outcome selling, AI-leveraged scale

  • "the cyber mag seven" — when acquisition replaces IPO as the definition of winning

  • "regional consolidation" — US-to-US +125%, intra-EU +209%, and the implications for non-US ecosystems

  • "tracking the graveyard" — why the failed-company list is as important as the funding leaderboard

  • "early-stage AI infatuation" — the unit-economics traps in the AI SOC and AppSec sub-markets

Thank you to our Sponsors:

Hampton North is the premier US-based cybersecurity search firm. Start building your security team with Hampton North.

Sysdig is the leader in AI-powered real-time cloud defense; stop watching and start defending

The conversation

AI security wasn't a category — it dissolved into the stack

Walk any major conference floor and you'd assume AI security is the dominant story of the year. The funding data says otherwise. Only 2.6% of 2025 cybersecurity dollars went to companies that could fairly be classified as "AI security." Identity alone pulled four times that. Mike's read on why is straightforward: the early definition of AI security was about securing the models themselves, the model companies got rapidly better at that, and the market squeezed shut. The pivot to "AI for security" — AI-powered detection, response, GRC — went the same way. It became the default substrate, not a category.

The honest reclassification matters. Mike now strips the "AI" prefix off products that are still solving identity governance, PAM, AppSec, or SOC problems and counts them in their actual category. The result is a much more accurate picture of where capital is moving, and it explains why so many "AI security" startups feel undifferentiated to buyers — they aren't selling AI, they're selling identity and SOC, just with a new build pattern.

The great bundling — IT, observability, and consultancy absorbing security

The 2025 M&A list reads like a category boundary collapsing. ServiceNow buying Armis. Palo Alto buying Chronosphere. Datadog continuing to deepen its security posture. These aren't intra-cyber consolidation deals — they're IT and observability platforms expanding into security because AI and agents are producing more telemetry than any existing security stack was designed to handle, and securing that signal sits naturally inside an observability platform.

Features are no longer issues. Like there is such a minimal gap between what I can deliver versus what a competitor can deliver and how we can kind of forever leapfrog each other on that front.

— Mike Privette

The implication for vendors is harsh: if every competitor can match every feature inside a quarter, the only durable moat is which platform you sit inside. The implication for buyers is more practical — the category called "cybersecurity" is starting to dissolve into IT, data, and observability spend, and that's where the next batch of CISO purchasing decisions is going to get made.

The service economy is overtaking product innovation 

47% of 2025 M&A deals were services companies — MSSPs, MSPs, consultancies — getting rolled up by private equity. Mike's prediction for 2026 is that the largest exits will come from service platforms rather than product vendors. The reason is unit economics: AI lets a service business scale outcomes per analyst in a way that finally makes the cashflow attractive to traditional venture investors, not just buyout funds. Accenture, Cognizant, and the other large consultancies are on a buying spree precisely because they sell the last mile that customers actually need — bodies plus playbook plus throat to choke — and AI extends what that last mile can deliver.

The market is moving from buying tools to buying outcomes. For a CISO, that's an invitation to rethink what gets built in-house and what gets contracted as a managed outcome. For vendors, it's a warning: a product that doesn't slot into a service delivery model is going to lose budget to one that does.

Regional consolidation, not globalization

The geography of cyber capital is changing. US-to-US funding jumped 125% from 2023 to 2025. Intra-European investment was up 209%. Cross-Atlantic flow stayed flat. The US and Israel between them absorbed 91% of all global cybersecurity funding and 68% of global deals. That isn't globalization — it's national and regional industrial strategy showing up in the funding flows.

It's a market that can survive many, many winners and winning now is an acquisition.

— Mike Privette

For founders outside the US, the playbook is shifting. Mike, observing from the UK, sees more two-continent strategies — engineering local, sales US — and a slow build of regional VC ecosystems that are choosing to back local companies first. For governments outside the US and Israel that want cybersecurity capability inside their borders, the lesson is that the capital follows founder pride and policy incentives more than it used to, and the early formation of those local ecosystems is what determines whether a country gets to have its own cyber industry or just imports one.

The new floor: AI is how you build, not a feature you sell

The most useful frame from the conversation isn't about funding or M&A — it's about how to read 2026. AI stopped being a feature you bolt onto a product the moment cloud stopped being a marketing claim. To start a company in 2026 is to build with AI, the same way to start a company in 2015 was to build in AWS. The founders who still position themselves as "AI-powered" are leaning on a label that no longer differentiates. The founders who matter are the ones using AI to compress unit economics, expand what a single analyst can do, or solve a problem that wasn't economically tractable before. 

For a security leader, that reframes the buying question. Don't ask if a product is AI-powered — assume it is. Ask whether it has an opinion, whether it surfaces a risk you couldn't see before, and whether it slots into the platforms you've already standardized on. The bleeding-edge tech companies will always be doing something cool with raw model access. Most enterprises buying security in 2026 are not those companies, and the products that win at scale will be platforms with opinions — not raw LLMs and a UI.

Show notes

Guests — Mike Privette, author of Return on Security, "the cybersecurity economist"

Books mentioned — none

Frameworks / models / tools named — Return on Security 2025 State of the Cybersecurity Market report; "the great bundling"; "features are no longer issues"; "cyber mag seven"; AI SOC; AppSec; PAM; identity governance; observability; Claude Code; Claude for Work

Other people / shows / resources referenced — Karl Mattson (prior Zero Signal guest); Keith Hoodlet (prior Zero Signal guest); ServiceNow / Armis acquisition; Palo Alto / Chronosphere acquisition; Datadog; Accenture; Cognizant; CrowdStrike acquisition spree; Microsoft (~$20B security business); Adobe / Figma deal; Skybox Security wind-down; JP Morgan Chase tier-one cyber tech list

Hosted by Conor Sherman and Stuart Mitchell.
