Summary
- Global cybersecurity spending is projected to hit $213 billion in 2025, yet cybersecurity seed deal volume fell 56% in 2023 and deal flow in 2024 dropped to its lowest count in years.
- The money is flowing to three incumbents. Palo Alto Networks, CrowdStrike, and Microsoft are capturing consolidation spend through multi-year platform contracts that actively crowd out new vendors.
- Enterprise buyer psychology has shifted from capability evaluation to risk-minimization. Running an unknown startup’s tool in production is now a career risk for CISOs, not just a procurement risk.
- The startups that survived this cycle, Wiz and Abnormal Security among them, built technically specific wedges that platform vendors could not replicate with a fast follow. That is the only GTM model that holds under consolidation pressure.
Global cybersecurity spending hit $193 billion in 2024. Gartner forecasts $213 billion in 2025, and $240 billion by 2026. Every macro signal says the market is healthy, growing, and flush with enterprise demand.
Meanwhile, cybersecurity seed deal volume dropped 56% year-over-year in early 2023. Funding in Q1 2024 fell 20% from the prior year. Deal flow across 2024 was down 22% from 2023 and 37% from 2022. Fewer cybersecurity startups are getting funded, and most of the capital that is deployed goes to a handful of late-stage companies.
The money is there. It is just not flowing where most founders think it is.
| Metric | 2021 (Peak) | 2024 | 2025 | Direction |
|---|---|---|---|---|
| Global cybersecurity end-user spending | $150B | $193B | $213B | Up 42% since 2021 |
| Cybersecurity VC funding rounds (annual) | ~860 | ~639 | 2025 rebound, late-stage led | Down 26% from peak |
| Cybersecurity seed deal volume (Q1 YoY) | Baseline | -56% vs. 2022 | Stabilising | Collapsed then flattened |
| Rounds of $100M+ closed annually | ~18 | 29 | Capital concentrating | Fewer companies, bigger bets |
| CISO vendor consolidation as top priority | Not tracked | 50% of CISOs | 40% actively consolidating | Structural shift |
| Average cost of a data breach (global) | $4.24M | $4.88M | Forecast rising | Up 15% since 2021 |
| Cybersecurity M&A deal value | – | $46B | $96B disclosed | Consolidation accelerating |
Sources: Gartner Information Security Forecast (2024, 2025). Crunchbase Cybersecurity Funding Reports. Pinpoint Search Group (2024). Lightspeed Venture Partners Cyber60 CISO Survey (2024-2025). Fortra State of Cybersecurity Survey (2025). IBM Cost of a Data Breach Report (2024). Momentum Cyber M&A Report (2025).
Security Budgets Are at Record Highs. So Why Are Startups Starving?
Palo Alto Networks has platformized roughly 1,550 enterprise accounts, each consolidating what used to be multiple point-solution vendors into a single Palo Alto contract. Net revenue retention among those accounts sits at 119%, with low single-digit churn. CrowdStrike’s median enterprise customer now runs seven or more Falcon modules. Microsoft cleared $20 billion in security revenue in a single fiscal year, much of it from E5 licensing that bundles Defender, Purview, and Sentinel into contracts enterprises are already paying for.
This is the mechanism. Enterprise procurement teams, under pressure to cut vendor count and simplify renewals, are consolidating spend into vendors they already have contracts with. The CFO approves expanding a Palo Alto agreement far more readily than approving a pilot with a Series B startup. Legal has templates for the incumbent. Security has runbooks for the incumbent. IT does not have to retrain anyone for the incumbent.

A 2025 Fortra survey found that 40% of organizations had already begun consolidating cybersecurity vendors, with another 21% planning to. Lightspeed’s CISO survey found vendor consolidation was a top priority for 50% of CISOs at companies with $500 million or more in revenue. Gartner’s own data suggests 75% of organizations will consolidate to fewer infrastructure security vendors by 2026.
The spend is growing. The number of vendors capturing it is shrinking.
The Funding Trap That No Pitch Deck Models
Here is what the VC pitch deck never models: the chicken-and-egg problem that emerges when your target buyers are actively removing vendors, not adding them.
A security startup typically needs a pilot to build case studies. It needs case studies to raise a Series A. It needs a Series A to hire the enterprise sales team. But the enterprise is currently in a consolidation cycle. The CISO who would have run a pilot 18 months ago is now managing a two-year program to cut from 50 vendors to 30. New pilots require a board-level exception.
This is not a temporary hesitation. It is a structural change to how enterprise procurement works.
The startups most exposed are those in categories already covered by the platform vendors: endpoint, SIEM, SASE, XDR, identity, and cloud workload protection. If you are building a point solution in any of those spaces, you are not competing against another startup. You are competing against a line item on a contract your target customer signed with Palo Alto Networks three years ago.
The funding data reflects this reality. While total VC dollars rose in 2024 (Crunchbase tracked $11.6 billion, up from $8.1 billion in 2023), only 639 rounds were closed, the lowest deal count in years. The distribution was extreme: 29 rounds of $100 million or more, compared to 18 in 2023. Capital concentrated into a small number of companies with proven traction. Companies without it faced a dead market for Series A and B raises.
How the CrowdStrike Outage Rewired Enterprise Procurement Logic
Security buyers used to evaluate tools on capability. The question was: does this do the job better than what I have?
That question has not disappeared, but it has a second clause now: and is the switch worth the operational cost?
The CrowdStrike outage in July 2024 changed the calculus for risk-averse procurement teams. An estimated 8.5 million Windows devices went down. Boards that had never previously asked detailed questions about vendor concentration started asking them. The lesson most CISOs took away was not “diversify your endpoint vendors.” It was “know exactly what you are running and make sure your vendors are big enough to survive a crisis.” That logic advantages incumbents, not startups.
There is also an accountability dimension. If a breach happens and the security team is running tools from CrowdStrike, Microsoft, and Palo Alto Networks, the CISO can defend the decision. These were the category leaders. Due diligence was done. If the breach happened on a tool from a 150-person startup with no Fortune 500 references, that is a harder conversation with the board.

This is not irrational behavior. It is rational self-preservation inside large organizations. But it creates a procurement moat around incumbents that no amount of feature parity can easily breach.
Wiz and Abnormal Show What Survives: The Unbundleable Wedge
The companies that have grown through this cycle share one characteristic: they found a problem the incumbent platform vendors either could not solve or had not yet gotten around to solving.
Wiz is the clearest example. Cloud-native application protection platforms existed before Wiz. Prisma Cloud, Aqua, Sysdig, and Check Point were all in the space. What they had not done was connect risk signals across cloud resources into a unified graph that showed “toxic combinations,” paths where a misconfiguration plus an over-permissioned identity plus an exposed secret combined into a critical blast radius. Wiz called this a security graph, built it into a product that required no agents to deploy, and went from zero to $100 million ARR in 18 months. By August 2024, ARR was at $500 million. Google acquired the company in March 2025 for $32 billion.
The wedge was not “cloud security.” The wedge was a specific technical insight — cross-cloud contextual risk correlation — that nobody else had productized, packaged into an agentless architecture that removed the deployment friction that killed adoption for competing tools.
Abnormal Security did something similar in email. Microsoft Defender for Office 365 and Proofpoint both offer email protection. Neither baseline product was built around behavioral AI that modeled normal communication patterns per user and per organization. Abnormal’s anomaly detection engine analyzes over 45,000 signals to build that baseline, then flags deviations. The result: it catches business email compromise and social engineering attacks that rule-based or signature-matching tools miss by design. By August 2024, Abnormal had crossed $200 million ARR, sustained 100%+ year-over-year growth, and closed a $250 million Series D at a $5.1 billion valuation.
Neither Wiz nor Abnormal was a feature on an existing platform. Both solved a defined problem in a way that the incumbent’s architecture could not easily replicate.
That is what an unbundleable wedge looks like.
Three GTM Patterns That Hold Under Consolidation Pressure
The consolidation era has made the TAM slide in a pitch deck nearly meaningless. A large addressable market does not help if the buyers in that market are locked into multi-year platform agreements.
The GTM question has changed. It used to be: how do we reach the right CISO? Now it is: why would a CISO on a consolidation mandate make room for us?
There are three patterns that produce credible answers.
The gap that platforms cannot close. Platform vendors build horizontal. They cannot go deep in every vertical or problem domain. Find the specific problem that requires depth over breadth. Wiz’s graph-based risk correlation was too novel and compute-intensive to be a fast follow for Prisma Cloud. Abnormal’s behavioral baseline required training data and modeling time that Proofpoint could not bolt onto its existing ruleset without rebuilding from scratch. If an incumbent can ship a competing feature in one engineering sprint, the wedge is not real.
The new surface. Consolidation is backward-looking. It organizes existing vendors around known problem categories. New attack surfaces — AI-generated content manipulation, machine identity sprawl, non-human account compromise — do not have an incumbent owner yet. Early traction here does not require displacing anyone.
The buyer who is not the CISO. Security developers, DevOps teams, and cloud engineers buy tools. They have different evaluation criteria and shorter procurement cycles than enterprise security leadership. A product that achieves viral adoption inside engineering teams can create enough organizational dependency to survive the top-down consolidation mandate, or at least delay it long enough to build a compelling renewal case.
None of these is easy. All require a clear answer to the question every CFO is now asking: why can’t Palo Alto do this?
The Innovation Debt Nobody Is Counting
The consolidation narrative has a version that flatters the incumbents: enterprises are getting smarter, removing tool sprawl, and building more integrated defenses. There is truth in that.
The version that gets discussed less often is the innovation vacuum that consolidation creates. Every startup that cannot survive the pilot drought is a detection capability, a threat model, or an architectural approach that does not make it to production scale. The incumbents acquire the ones worth acquiring and let the rest die. What does not get built is harder to measure than what does.
The $96 billion in cybersecurity M&A disclosed in 2025, up from $46 billion in 2024, tells you that consolidation is accelerating, not plateauing. The startups entering the market now are raising capital into a funding environment where 2025 was the best year since 2021, but where two-thirds of rounds were seed and Series A, and where making it from seed to Series B without enterprise traction is significantly harder than it was four years ago.
The CISO budget paradox is not a market failure. It is the market working exactly as it is designed to work, concentrating resources into trusted incumbents during a period of heightened scrutiny. Whether that produces better security outcomes for enterprises, or just more manageable vendor relationships, is a question the industry has not yet answered. The breach data suggests the outcomes are mixed.
Security teams are running fewer vendors and spending more money. Breaches cost an average of $4.88 million in 2024, a 10% increase from 2023. The consolidation is happening. The risk is not going down proportionally.
That gap is where the next generation of security startups will either find oxygen or confirm that the window has closed.
Frequently Asked Questions
Is enterprise consolidation a permanent shift, or a cycle that will reverse when budgets loosen?
It is structural, not cyclical. Vendor consolidation is being enforced at the board and CFO level, not just by CISOs. Even when budgets expand, the organizational preference for fewer, deeper vendor relationships has been built into procurement policy at most large enterprises. The question is not whether the consolidation will reverse, but whether new attack surfaces grow fast enough to create categories where incumbents have no existing contract to expand.
How does Microsoft’s security bundling affect startups differently from Palo Alto or CrowdStrike?
Microsoft is the most disruptive because it does not require a separate security budget. A company already paying for Microsoft 365 E5 licensing gets Defender, Purview, and Sentinel included. That is endpoint, DLP, and SIEM bundled before the CISO has signed a single security-specific contract. Palo Alto and CrowdStrike still require dedicated security spend. Microsoft occupies a layer below that, making it harder for startups to compete even on price.
If Wiz got acquired for $32 billion, does that mean the exit for security startups is acquisition, not IPO?
For most, yes — and that changes the funding math significantly. If the expected exit is acquisition by a hyperscaler or a platform vendor at a $1B-$5B valuation, the return profile for VCs is different than a $20B+ IPO. That compresses the number of investors willing to fund capital-intensive security startups through multiple rounds. It also means the acquirer is likely one of the same platform vendors driving consolidation, which narrows the universe of buyers further.
What makes a security problem “unbundleable” in practice — and how would a founder know if they have one?
The test is straightforward: can the incumbent replicate this by reassigning two engineers for a quarter? If yes, it is a feature, not a wedge. An unbundleable problem requires either proprietary training data (Abnormal’s behavioral baseline built from years of communication patterns), an architectural decision the incumbent made differently (Wiz’s agentless approach vs. Prisma Cloud’s agent-dependent model), or a problem that sits outside the incumbent’s current commercial motion entirely. If the incumbent’s sales team does not currently have a SKU for it, that is a signal worth paying attention to.

