Security Experts:

Connect with us

Hi, what are you looking for?


Cyber Insurance

SecurityWeek Study: Over 430 Cybersecurity Mergers & Acquisitions Announced in 2021

More than 430 cybersecurity-related mergers and acquisitions were announced in 2021, according to a study conducted by SecurityWeek.

SecurityWeek 2021 Cybersecurity Mergers and Acquisitions Report

GRC, MSSP firms powered cybersecurity M&A activity in 2021

More than 430 cybersecurity-related mergers and acquisitions were announced in 2021, according to a study conducted by SecurityWeek.

An analysis of the cybersecurity M&A deals of 2021 shows that of the 435 deals made public by companies, a majority involved organizations in North America and Europe.

Regional breakdown of cybersecurity M&A in 2021

A majority of the transactions involved firms based in the United States, followed by the United Kingdom and Israel.

Country breakdown of cybersecurity M&A in 2021

Financial details have been made public for 88 deals, including 11 where companies were acquired for more than a billion dollars. More than 60 acquisitions involved tens or hundreds of millions of dollars.

Billion-dollar plus deals include STG’s acquisition of McAfee Enterprise and FireEye, Permira acquiring Mimecast ($5.8B), Thoma Bravo acquiring Proofpoint ($12.3B), Okta acquiring Auth0 ($6.5B), and NortonLifeLock acquiring Avast ($8.6B).

Financial breakdown of cybersecurity M&A in 2021

After the COVID-19 outbreak was declared a pandemic in March 2020, the volumes and values of global technology deals seemed to be taking a hit. However, they bounced back in the second half of 2020, a trend that has continued throughout 2021, when they reached record highs.

Cybersecurity M&A deals have aligned with this general technology trend, with 451 Research reporting an aggregate transaction value of nearly $50 billion for the first three quarters of 2021, compared to roughly $12 billion in the same period of 2020. (451 Research uses a different methodology, but their data confirms SecurityWeek’s own findings). 

The rise in cybersecurity M&A activity has largely been driven by the pandemic (enterprises have invested more in cybersecurity and cloud architecture due to employees working remotely) and major cyberattacks.

M&A activity breakdown by type of company

In terms of field of expertise, many M&A deals in 2021 involved governance, risk management and compliance (GRC), managed security services provider (MSSP), network security, identity, and cloud security firms. More than 40 mergers and acquisitions involved government contractors, and 19 involved private equity companies.

Cybersecurity M&A in 2021 based on company type

The steps taken recently by the U.S. government to improve its cyber capabilities will lead to increased spending on cyber solutions and services. As a result, IT and cybersecurity contractors are scrambling to extend and enhance their capabilities through strategic acquisitions that are likely to pay off down the line.

Spending is expected to significantly increase in the private sector as well over the next few years, and private equity firms are betting big on cybersecurity — they are buying cybersecurity firms for hundreds of millions and even billions of dollars. 

MSSPs are also using acquisitions to extend their capabilities and reach, as they come to realize that offering a wider range of services and solutions will likely pay off long term.

On the other hand, it’s not surprising that many companies have agreed to be acquired. An M&A exit strategy, particularly for smaller companies, is much more feasible compared to an IPO, especially in such uncertain times. 

SecurityWeek predicts that M&A activity will continue to increase and we will see at least 400 deals in 2022 as well.

Monthly summaries of cybersecurity M&A deals: January, February, March, April, May, June, July, August, September, October, November, December.

Methodology: The data was collected from news distribution services, Google and pitches from PR companies. The data includes companies that issued press releases announcing or mentioning acquisitions, as well as deals that have been privately reported to SecurityWeek. A majority of announcements that mentioned “cybersecurity” have been taken into account for this study. Mergers and acquisitions that did not have an English-language announcement are likely not included.

The GRC category includes governance, compliance, risk management, audit, assessment, vulnerability management, penetration testing, and cyber insurance. Network security includes endpoint security, MDR, XDR, NDR, threat detection, and SASE. Identity includes IAM, PAM, secure access, authentication, authorization. Incident response includes SOAR, SIEM, SOC, and forensics. “Specialized” includes blockchain, cryptocurrency, quantum, encryption/cryptography, lawful surveillance, and automotive. Data protection includes privacy and backup.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

M&A Tracker

The SecurityWeek editorial team huddled over the holidays to look back at the stories that shaped 2022 and, more importantly, to stare into a...


More than 450 cybersecurity-related mergers and acquisitions were announced in 2022, according to an analysis conducted by SecurityWeek


Forty cybersecurity-related M&A deals were announced in January 2023.


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...