A Year of Disruption and Resilience: The Cybersecurity Market in 2023

Dive into a detailed analysis of a year marked by disruption and resilience. Gain insights on funding rounds, M&A trends, global impacts, and the evolution of cybersecurity product categories, with a focus on AI Security's remarkable growth and the industry's strategic response to unprecedented challenges.

Introduction to the 2023 Cybersecurity Landscape

Each year, Return on Security monitors, analyzes, and publishes data and insights on the cybersecurity market. This happens predominantly by way of the newsletter each week, but I like to pull back and analyze what happened each year in an annual report.

2023 was a year to remember (or forget).

The year saw a combination of factors that made it challenging, including the unwinding of policies and actions from the COVID era of 2020 and 2021, massive interest rate hikes and the dramatic market slowdown from 2022, wave after wave of layoffs across all sectors, the collapse of the preferred bank of venture capitalists, Silicon Valley Bank (plus a few other banks), fresh geopolitical troubles and war, and the sharp return of private and public markets demanding efficient businesses (businesses that make money instead of just growing).

The TL;DR

  • Overall: 2023 funding was down in volume and total spending.

  • Globally: Europe took the biggest hit, followed by the US. Israel had the smallest impact despite geopolitical tensions and conflicts.

  • Product categories: Spoiler alert: AI went from zero to hero.

  • Funding Stages: Late-stage companies were propped up, but bets were still made on many early-stage companies. Middle / growth-stage companies took the biggest hit.

  • M&A: 2023 saw the biggest acquisition in cybersecurity history.

It was a complex and volatile year. And yet, despite all those challenges, the cybersecurity industry still had a bit of shine.

Let's dive into the data and see what it can show us.

As a reminder: I collect as much funding data as possible every week through the newsletter, but since deal specifics often change after the fact or things aren’t reported correctly, it’s possible to miss things. If you want to follow along and get insights in real time, subscribe to the newsletter.

Analyzing Funding Rounds and M&A Trends

Overall in 2023, the cyber industry felt much of the same pain as the broader economy. The total amount of funding, the total volume of funding transactions, and the amount of mergers and acquisitions (M&A) activity for cybersecurity companies decreased in 2023 compared to 2022.

2023 at a glance

  • 684 funding rounds across 100+ unique product categories worth ~$12.7B

  • 259 M&A transactions across 70+ unique product categories worth ~$40.5B

Compared to 2022

  • 2023 funding rounds decreased ~12% (from 774 in 2022), and M&A transaction volume dropped ~3% (from 266 in 2022).

  • Total 2023 funding dollars dropped ~38% from the ~$20.6B in 2022, and overall M&A decreased ~21% from the ~$51.2B in 2022. 

  • In short, fewer companies received funding, and those that did get funding saw much smaller checks. 

These stats show a sharp reversal from the heights in 2021 and 2022, when there was still massive global momentum for cyber investments despite economic setbacks. We saw this momentum begin to wane in Q3 of 2022.

Quarter-by-Quarter Breakdown of 2023

Looking across 2023, we can see the drastic effects of increased interest rates and deal scrutiny at the beginning of the year.

2023 brought a big downturn in cybersecurity funding.

In the second quarter of 2023, people started to feel a bit more positive, and the economy showed some small signs of improvement. This positive vibe continued into the third quarter but dropped again in the fourth quarter. Investors were still hesitant, leading to a less favorable outcome than at the start of 2023.

Reflecting on 2022, the third quarter was a low point for how the cybersecurity market was doing. This was when we saw a big drop in venture capital money for all kinds of businesses, and the cybersecurity and tech areas were hit particularly hard.

The Worldwide Perspective on Cybersecurity Funding

Now let's examine the global economies in 2023, focusing on the three key regions for cybersecurity funding:

  • The United States

  • Israel

  • Europe

Note: Other markets like Asia, LATAM, etc., were intentionally excluded from this view because their investments in cyber are so much smaller in comparison to the three economies mentioned. In future reports, I will consider adding these additional geographies.

United States

The United States dominates, with about 80% of global cybersecurity funding and the majority of cybersecurity companies based there. Given the increasing interest rates and looming recession fears through 2022 and most of 2023, it's unsurprising that funding there fell by around 30% to $10.6B in 2023 from $15.1B in 2022.

Despite fewer funding deals, the average investment size in the U.S. only dropped about 21% ($22.1M in 2023 compared to $28M in 2022).

Israel

Next is Israel, a pivotal player in the cybersecurity industry. You can't think about the cybersecurity industry without thinking about Israel. While Israel doesn't have the same funding or transaction volume as the U.S., it's known for launching some of the most successful cybersecurity companies in history, with a very strong set of systems to support cyber founders.

Israel experienced an approximate 11% decrease in funding transactions, from 139 in 2022 to 124 in 2023. The average funding per deal only dropped 16% (from $23.9M in 2022 to $20.1M in 2023). This is a small drop compared to other markets despite new regional geopolitical tensions and conflicts.

Europe

Cybersecurity funding in Europe plummeted about 74% to $405.3M in 2023 from roughly $1.6B in 2022. The average investment per deal also saw a steep decrease of about 70% to $7.6M in 2023 from $25.9M in 2022.

Europe's situation is more complex. After spending half of 2023 in the United Kingdom engaging with cybersecurity professionals, startups, and investors, it’s clear that Europe's cybersecurity scene is still developing. The strong influence of the U.S. and Israel and varied regulations across European countries make it challenging for European companies to expand beyond the region. A challenge I know many are working tirelessly to overcome.

The Impact on Different Funding Stages

If we break the funding transactions down further by stage, we start to home in on some obvious patterns.

We saw a big drop in funding for early-stage companies, but the biggest hit was to companies looking to raise "growth stage" funding rounds.

Looking at the tech industry overall, you can see that most layoffs were at companies in the “growth stage” as well. Generally, less money in the door meant workforce reductions.

A quick look at the biggest layoffs in 2023 at cybersecurity companies.

If you want to dig in more, Layoffs.fyi has more details on this data and the broader tech ecosystem to play around with.

Many cybersecurity firms that got Series B or C funding in 2022 or earlier found themselves in a tough spot. The prior decade saw bigger funding rounds, higher company values, and more startups joining the competition. But in 2023, these companies began to struggle, and the usual venture capital idea of growing no matter what began to seem unreasonable.

I had an opportunity to discuss more about job cuts and companies in the growth phase on Enterprise Security Weekly.

Looking at how funding stages were different, we noticed a big change in the amount of money given from 2022 to 2023. Overall, the total money invested in 2023 was about 12% less than in 2022, but the amounts of individual investments varied a lot more.

Analyzing the Shifts in Cybersecurity Funding Dynamics

When we compare cybersecurity funding in 2023 with 2022, here’s what we see:

  • Cybersecurity deals in 2023 between $10.0M and $250.0M saw the biggest drop, between 33%-52%, compared to 2022. This level of funding often correlates with growth-stage companies that struggled the most this year.

  • Later-stage companies raising $250.0M to $500.0M saw about a 33% increase in deals in the form of taking on debt to continue their operations. These same companies would have probably been IPO-ready in 2021.

  • Early-stage deals had a bang-up year! Deals up to $1.0M increased the most by around 67%. Investors put more money into new companies earlier than in previous years, signaling that the latest batch of startups would be the great hope for the industry.

I see two themes emerge here:

1: Some later-stage companies may have been thrown a lifeline 

The few companies that got mega checks in 2023 (just 4, compared to 3 in 2022) would have been preparing for IPO if this were 2021. Since times are tough, these companies are likely using the money to survive the downturn, become more financially and operationally smart, and adjust their values to match the current market. This prepares them to act when the market for public stock offerings gets better.

In 2023, when we look at funding that isn’t specific to any stage, companies got over $842.0M. This is similar to 2022’s $860.1M. With the value of public companies dropping, money being looked at more closely, and fewer deals in general, getting loans helped many businesses stay in the game. This also shows that some companies that might have gone public in the past are still hanging in there.

“Survive to 2025”

The word on the street

2: Early-stage cybersecurity founders are strong and creative

On the flip side, 2023 saw more early and small deals than most people thought would happen, especially after how 2022 ended. These early-stage companies are playing a whole different ball game. Both investors and the people starting these companies are now aiming to create strong, money-making businesses with realistic growth goals - a major shift from the past. I believe this move towards more investment in early-stage companies will keep going into 2024.

When we take a closer look at the funding data, it's clear that 2023 was still a really good year for founders of new cybersecurity startups.

In 2023, seed funding for startups reached over $1.0B across 229 deals. This is just a small 3% drop from the $1.3B in seed funding for 236 deals in 2022.

When we look at the more advanced growth stages, there was about a 52% drop in the total money for Series B rounds. It was $1.3B across 46 deals in 2023, down from $4.2B across 96 deals in 2022. Series C rounds took an even bigger hit, with a 60% drop in funding. It was $1.1B across 18 deals in 2023, compared to $3.5B across 45 deals in 2022.

How did the new companies fare? Despite all the worries and unknowns in the cybersecurity world in 2023, the companies getting funding for the first time last year received most of the money.

Even though the number of one-time investments was similar in both years, the total amount of money dropped 41% ($5.2B in 2023 compared to $8.9B in 2022).

First-time raisers got about 42% less on average than the prior year ($13.3M compared to $22.5M in 2022). The purse strings are clearly getting tighter in an industry more accustomed to blank checks.

More evidence of a cautious approach by investors: except for companies raising for the fifth time, there was a general decrease in the number of investments from 2022 to 2023. 

People often say that diamonds are created under a lot of pressure, and 2023 was a year full of it. I think this will lead to some really impressive companies over the next five years.

Quick reference for mapping funding stages to funding rounds: 

Return on Security Stage to Funding Type Mapping

| Stage | Funding Type |
| --- | --- |
| Early Stage | Angel |
| Early Stage | Equity Crowdfunding |
| Early Stage | Pre-Seed |
| Early Stage | Seed |
| Early Stage | Pre-Series A |
| Early Stage | Series A |
| Middle / Growth Stage | Series B |
| Middle / Growth Stage | Series C |
| Middle / Growth Stage | Venture Round |
| Middle / Growth Stage | Corporate Round |
| Middle / Growth Stage | Preferred Round |
| Late Stage | Series D |
| Late Stage | Series E |
| Late Stage | Series F |
| Late Stage | Series G |
| Late Stage | Private Equity Round |
| Late Stage | Secondary Market |
| Late Stage | Post-IPO Debt |
| Late Stage | Post-IPO Equity |
| Not Stage Specific | Funding Round |
| Not Stage Specific | Grant |
| Not Stage Specific | Non-Equity Assistance |
| Not Stage Specific | Debt Financing |
| Not Stage Specific | Convertible Note |

Deep Dive into Cybersecurity Product Categories

Competition in cybersecurity is constant. What's innovative today soon becomes the standard.

Buyers tend to make purchases based on categories, a trend driven by the industry at large. The subtle differences, overlapping functionalities between vendors, misleading (or generously, overly creative) marketing, and frameworks like the magic quadrants often spark much discussion and debate within companies.

To fully grasp the landscape, we have to dive into the nuance of cybersecurity product categories.

These product categories had a breakout year in funding dollar growth in 2023:

Another view from a funding transaction volume perspective:

In 2023, the AI Security sector saw remarkable growth, with funding increasing by approximately 4,000%, totaling around $95.2M. This was a significant jump from 2022's single transaction in this category. The year 2023 featured 12 such deals. 

Additionally, these numbers only partially capture the extensive investment in 'AI Security,' 'Security of AI,' and 'AI Privacy Assurance.' The numbers above also don’t show how much money the industry poured into injecting AI into existing security products or rebranding themselves as “AI Security.”

For reference, here is how I define these terms:

AI Security: Software platforms designed to maintain the integrity of AI systems and shield them from misuse.

Security of AI: Software platforms focused on securing AI applications from cyberattacks, unauthorized access, and manipulation.

AI Privacy Assurance: Software platforms focused on safeguarding sensitive data and personal information used in AI processes, ensuring the responsible use of AI systems.

These stats also do not include all the companies that pivoted to AI as their primary thing. I anticipate the overall AI trend to accelerate in 2024, although it's still small compared to the overall funding for AI technologies.

Spoiler alert:

The success of AI hinges on AI Security.

Quick call out: Secure Networking had big funding increases due mainly to large investments in established companies like Akamai, which raised $1.1B in post-IPO debt. Hardware Security also had a big year, but that’s mostly because it didn’t have any traction in 2022, and the transaction amounts are still very small.

On the flip side, these twelve product categories saw the most significant contraction in funding dollars since 2022:

Another view from a funding transaction volume perspective:

The companies in the product categories that saw the biggest declines in 2023 are not necessarily in a bad position; trends have simply changed year over year, and there is a story that can be read here.

As an example, Cloud Security Posture Management (CSPM) really had its moment in the industry in 2020 and 2021. Since CSPM was announced to the world, there has been a Posture Managementification™️ of many subsequent disciplines. Overall, I think this is a good and important thing for the industry - to move to test-driven and trust-driven security tools - but CSPM was version one.

Since that time, many other products have climbed on the shoulders of CSPM and passed them by as standalone products:

In a market that changes slowly or is really new and technical, competition might be okay because you'll have time to create defenses and win customer loyalty. But in a fast-moving field like cybersecurity, the likelihood that you've built strong enough defenses by the time competitors show up is very small.

Looking briefly at the Password Manager category, it's hard to top the big rounds we saw in 2022 and earlier, so naturally, this looks a lot lower in 2023. If you remember, in 2022, 1Password raised $620.0M (after raising $100.0M in 2021), and Bitwarden raised $100.0M.

I imagine the investment thesis went something like this:

The Major M&A Movements in 2023

Did we witness The Great Cybersecurity Industry Consolidation™️? It seems not any more or less than in previous years.

2023 marked another significant year for M&A in the cybersecurity sector, with numbers almost matching those of 2022.

Various factors influence cybersecurity industry consolidation, and there's unlikely ever to be a single “Big Event” consolidating all security companies, leaving only a few options for customers (which no one would like, anyway).

I see cybersecurity industry consolidation similar to playing the accordion (not that I know how to do that, but I’m running with this analogy anyway). 🪗 

To make music, someone has to not only press the correct set of keys and buttons but also expand and contract the whole instrument at the same time to play the right notes. There are always new entrants into the cybersecurity industry because technology is constantly changing, and there are always new threats and adversaries to contend with. Different keys get played, buttons get pressed, and different parts of the accordion expand and contract, but the music of progress is always playing.

Notable M&A transactions of 2023: 

  • Cisco acquires Splunk for $28.0B: This is the largest acquisition in the cybersecurity industry ever, surpassing SailPoint's $6.9B acquisition in 2022. With the meteoric rise of AI companies in 2023, everyone is scrambling to acquire data to build and train their own Large Language Models (LLMs) from, so many see this Cisco acquisition as a pure data play.

  • Palo Alto spent over $1B to expand: They acquired Talon Cyber Security for $625.0M - the second remote browser isolation company to be acquired - the year after winning the RSA Innovation Sandbox in 2022 and raising nearly $150.0M. Next up, they purchased Dig Security for $400M. Palo Alto’s CEO, Nikesh Arora, stated that Palo Alto intends to continue their M&A cadence at roughly $1.0B/year.

If you want to read more about the importance of LLM security and how the new data security risk has changed: 

Other M&A trends in 2023 include:

  • Attack Surface Management (ASM) companies beginning to exit, amounting to ~$376.0M (I see this shaping up the same way the CSPM product space did: it's a feature, not a standalone platform).

  • Data Security Posture Management (DSPM) companies are fast-tracking exits totaling ~$710.0M. This is especially interesting given that the term was barely around for a year.

  • Managed Security Service Providers (MSSPs) continued their streak with over 50 acquisitions totaling about $382.0M, a 50% increase from 2022.

  • Secure Access Service Edge (SASE) companies were acquired for approximately $1.2B across four deals as traditional firewall providers play catch-up to changing market demands, with Palo Alto leading the way.

Call me, Nikesh!

Nikesh Arora, CEO of Palo Alto Networks

Final Reflections and Key Takeaways

2023 in cybersecurity was a year of recalibration. A few key points stand out when I reflect on the trends:

  • The industry showed adaptability in the face of economic and geopolitical difficulties, with early-stage companies leading the way.

  • Mergers and acquisitions played a major role, with some deals setting new records.

  • Even with setbacks, the cybersecurity field continues to hold potential for future innovation, and you can see that through the shifts in funding and product categories.

2023 was a pivotal year for cybersecurity, marked by adaptability and strategic shifts. The industry's response in 2023 shows a bright future for innovation and growth.

About Return on Security

Return on Security stands at the forefront of cybersecurity analysis, offering data-driven insights and expertise about the cybersecurity market. The mission is to keep businesses, professionals, and enthusiasts ahead of the curve in understanding the ever-evolving industry landscape. The reports, analyses, and newsletters provide actionable insight into industry trends and challenges.

Please feel free to use any data, charts, or insights in this post, and please reference this URL and Return on Security when you do.

Data Methodology and Sources

  • All of this data was captured point-in-time from publicly available sources, most often at publication, through the weekly newsletter.

  • All financial figures were converted to U.S. dollars when collected.

  • The classification of companies into specific categories is conducted based on Return on Security’s categorization system. I ensure that each company in the database addresses a cybersecurity challenge and is correctly assigned to the relevant category.

  • The data used for this report includes managed and professional service organizations focused on cybersecurity, as they represent a significant part of the industry.

  • Venture Capital is a fast-moving industry. Deals, round names, participants, and check sizes can change after initial reporting, especially at the end of the year, so some of the finer details may change. However, this data's overall trends and conclusions are directionally accurate.
