DataTribe Insights Q1 2025 - Adrenaline Junkie? Try Cyber + AI, and Now a Whiplash Economy

The Rundown

The first quarter of 2025 has been nothing short of transformative. The Trump Administration has signed a flurry of executive orders, reshaping government sectors and setting the country on a new path. 

The on-again, off-again tariffs led to market confusion and instability, stalling momentum after a strong start that continued the rebound from Q4 2024. Once again, we look under the hood to make sense of the quarter’s cybersecurity investing data, providing unique analysis and insights into the areas of cybersecurity investment making the greatest impact.

Q1 Delivered a Mixed Bag of Results

After a strong start with both capital investment and deal count rising year-over-year, success tapered off throughout the quarter, with March closing nearly 20% down in deal volume compared to January. For early-stage deals, overall deal volume dipped while cybersecurity rose. Growth stage deal volume saw mixed results, while Series A pre-money valuations saw continued growth, with the broader market breaking the previous record for the round—though cybersecurity valuations slightly cooled. The median valuation step-up from Seed to Series A has improved this quarter for both cyber and the broader market, with cyber step-ups reaching their highest level since Q2 2023.

The Next AI Frontier – Proprietary Data

The AI boom has created a market where performance differences among top-tier models are shrinking significantly. While foundational models will likely continue to be trained on public data for broad, horizontal use cases, the next frontier is training models not just on more data, but on different data. Proprietary datasets that are unavailable to the rest of the world will lead to breakthroughs in the future. 

The Blurring Line of OT and IT Security Requires a New Defense Strategy

The line between Operational Technology (OT) and Information Technology (IT) security is blurred thanks to the pursuit of efficiency, convenience, and the continued “smartification” of industrial controls. Today, many attacks that impact OT systems start in the IT domain. Defending against these attacks requires a converged security strategy that addresses the needs of OT environments and IT systems. 

That QR Code Unlocked a Menu – and National Security Threats

Hackers using QR codes to access devices and eavesdrop on government secrets isn’t the plot of a summer blockbuster movie; it’s an everyday threat. Recent threat intel reports reveal that multiple Russia-aligned hacking groups have exploited convenience features to attack the U.S. government. Technologies such as QR codes don’t just unlock new ways for us to digitally engage with each other; they’re creating a new battleground for cyber criminals to target unsuspecting victims.

Google and Wiz Sitting In a Tree… A Deep Dive on Cyber’s New Power Couple

Google’s $32 billion acquisition of Wiz sent shockwaves throughout the cybersecurity industry. Together, they are redefining the future of cloud security and reinforcing how central security has become to cloud strategy. There’s also a lesson for other cybersecurity startups – the opportunity for growth is massive, the bar is rising, and the stakes have never been higher.

Introduction

The first quarter of 2025 was uneven. Compared to Q1 2024, capital investment and deal volume rose, down rounds fell considerably from Q4, and the excitement around AI remains very high. However, market instability amid ongoing trade conflicts caused deal volume to fall significantly later into the quarter. 

Without a crystal ball, it’s impossible to know which story will prevail. We’ll have to wait until the end of Q2 2025 to know for sure whether the market remains strong or uncertainty rules the day. 

Here is an in-depth overview of cybersecurity investing trends in Q1 2025. 

While overall seed activity has remained relatively stagnant over the past year, cybersecurity experienced a more pronounced recovery than the greater venture market.

The cybersecurity market also outperformed the venture market at Series A, reaching its highest investment levels since Q3 2022. The median valuation step up from Seed to Series A has improved this quarter for both cyber and the broader market, with cyber step-ups reaching their highest level since Q2 2023.

Interest in AI spurred cybersecurity investing at the seed stage, and AI remains the leading investment theme with more than 83% of seed investment in the cybersecurity sector flowing into companies building AI into their products. 

Fraud prevention also stood out as a key growth segment, attracting the largest share of seed-stage investments. These startups leverage artificial intelligence to reduce financial fraud, counter impersonation on social media, and detect deepfakes in video conferencing.

Similarly, compliance-focused companies maintained strong investor interest. These companies rely on AI for automating traditionally manual compliance processes.

The market continued to see strong momentum in AI-powered SOC analyst solutions with investors increasingly confident in the potential to automate much of the Tier 1 security analyst’s workload.

Our full analysis of Q1 VC cyber investment data follows.

Q1 State of the Market – Cyber Deal Activity

The first quarter of 2025 started off on the right foot. The previous quarter had closed with significant increases in capital investment and deal volume as the market appeared to be climbing out of the malaise that had plagued it since the end of the pandemic.  However, as Q1 drew on, deal volume fell considerably as trade conflict threatened stability in the broader market. Despite this, there may still be cause for optimism, as down rounds plummeted at Series A and the excitement around AI grew higher than ever. 

Deal Count and Capital Investment Fall from Q4 Levels

Source: PitchBook

On the surface, Q1 appeared to be well in line with the levels of capital investment and deal volume seen throughout the previous year. Deal volume dropped 10% and capital investment fell by nearly half as the beginnings of a recovery faded over the course of the quarter. This is explored further in the chart below, which tracks deal volume by month over the first quarter of each of the last three years.

Deal Volume Falls Considerably From January to March

In Q1, deal volume dropped consistently month-over-month as hope of a recovery slowly faded amidst headlines of tariffs and market instability. This trend is especially pronounced when compared to previous years, where deal volume either remained flat or fluctuated throughout the quarter. In this case, the steady decline, totaling nearly 20%, was enough to bring levels back in line with 2024 averages.  If January levels had instead held, the resulting deal volume would have been the highest since Q3 of 2023 and the market may have been well on its way to a turnaround.

At the Early Stage, Overall Deal Volume Dips and Cybersecurity Rises

Source: PitchBook

Seed investment volume saw a minor increase this quarter from the lows of the previous period, though overall seed activity has remained relatively stagnant over the past year. In contrast, cybersecurity experienced a more pronounced recovery at the seed stage. Still, both overall and cyber deal volume remain well short of pre-pandemic levels.

Overall Series A investment was worse, declining from a near-term peak in Q4. On the bright side, it did remain more than 27% higher than Q1 2024. Again, cybersecurity outperformed the venture market at Series A, reaching its highest investment levels since Q3 2022.

Growth Stage Deal Volume Sees Mixed Results

Source: PitchBook

The overall growth-stage market delivered mixed results this quarter. Series C continued its upward trajectory, posting its strongest performance since Q2 2023. In contrast, Series B deal volume plummeted to the lowest level in years, coming off a significant bounce in the previous quarter. Given the new data, Q4 appears to be an anomaly, as Q1 2025 fell back into the same range seen throughout 2023 and 2024.

In cybersecurity, Series B deal volume mirrored the broader market’s downward trend from the previous quarter. At Series C, deal activity in the cybersecurity sector remained flat, despite the upturn in the overall Series C market. However, the limited sample size for Series C cybersecurity deals makes any conclusions difficult to draw.

Market Sees Mixed Results After a Strong Start to the Year Tapers Off

Volume and Capital Invested Changes by Stage – Source: PitchBook[1]

[1] Cells without data represent comparisons where there was no deal volume or capital investment in the referenced quarter.

Series A Valuations Reach New Highs

Source: PitchBook

At Series A, pre-money valuations continued their climb this quarter culminating in the overall market breaking the previous record for the round.  Cybersecurity, however, did not fare as well, seeing slight declines as valuations appear to stabilize after significant volatility in 2023 and early 2024.

At the seed stage, pre-money valuations saw a slight pullback, though the gradual upward trend appears to continue. Cybersecurity likewise maintained its upward trajectory, likely spurred on by increasing seed investment into companies leveraging capital-intensive AI models—a trend explored in greater detail later in this report.

The Down Round Flurry has Vanished at Series A

Source: PitchBook[2]

[2] Down and flat round data are reflective of all verticals due to insufficient data to perform cybersecurity-only analysis.

The median valuation step up from Seed to Series A has improved this quarter for both cyber and the broader market, with cyber step-ups reaching their highest level since Q2 of 2023. Notably, both segments crossed the 2x multiple threshold—a positive signal for early-stage momentum.

The more striking development, however, was the sharp decline in down and flat rounds across the broader market, falling to levels not seen since 2022.  While this would traditionally signal a market turnaround, it is more likely that the decline reflects a natural clearing of the pipeline—many companies that raised capital during the boom of 2021 and 2022 have now either secured follow-on funding or ceased operations.

Median Step-ups Continue Rise at Series B

Source: PitchBook

Although Series B volume fell this quarter, the valuation step-ups from Series A to B continued to rise, with cybersecurity in particular experiencing significant gains, reaching the highest levels since Q4 of 2022. Down rounds remained relatively stable, though still well below the peaks seen earlier in 2024. While this indicates a more competitive market, these are lagging indicators, and given the ongoing volatility in the market, it is unlikely that these trends will persist into Q2.

Cybersecurity or AI?

This quarter, more than 83% of seed investment in the cybersecurity sector flowed into companies building AI into their products. These startups covered a wide range of focus areas—application security, fraud detection, and security operations—with AI playing different roles under the hood. Still, in most cases, AI took center stage in their messaging.

Given the popularity of embedding AI into products, the high costs of training and fine-tuning models are likely fueling the continued rise in seed round sizes and valuations—the latter of which hit record highs this quarter in cybersecurity.

The big question: has AI truly become table stakes for cybersecurity innovation, or are we watching another wave of hype inflate an already hot market?

In response to these shifts, we’ve updated our cybersecurity ontology. The “autonomous security” category has been retired. Companies once under that label have been reclassified into their core verticals, and we’ve introduced a new category for AI SOC analysts—now one of the most common and clearly defined use cases within the autonomous security space.

Where (Else) Was Cyber Investment Flowing

Source: PitchBook

Q1 marked a notable shift in investor priorities compared to the core focus areas of 2024. Most significantly, interest in Identity and Access Management (IAM) solutions declined from the peak levels seen in Q2 and Q3 of last year. This pullback comes despite the continued proliferation of machine identities, suggesting investors may view the market as oversaturated with potential solutions.

Similarly, investment in smart contract security continued its downward trajectory, with no seed-stage funding recorded in the vertical during the quarter.

As attention moved away from these areas, new priorities emerged. Fraud prevention stood out as a key growth segment, attracting the largest share of seed-stage investments. These startups leverage artificial intelligence to reduce financial fraud, counter impersonation on social media, and detect deepfakes in video conferencing.

In parallel, compliance-focused companies maintained strong investor interest. These firms also leaned heavily on AI, particularly for automating traditionally manual compliance processes.

Finally, the market continued to see strong momentum in AI-powered SOC analyst solutions (previously tracked under autonomous security). Investors appear increasingly confident in the potential to automate much of the Tier 1 security analyst’s workload.

The Evolution of AI: Powered by Proprietary Data, Not Just Bigger Models

OpenAI released ChatGPT in late 2022, and everything changed. The spark caught, and a wave of AI innovation followed—one that feels every bit as transformational as the early Internet boom.

Hundreds of billions of dollars have since flooded into data centers, NVIDIA silicon, model training, and foundational AI infrastructure. Meanwhile, LLM capabilities have advanced so rapidly it’s hard to keep up. Just one metric: the top model scores on Hugging Face’s LLM Leaderboard climbed from ~85% in May 2023 to ~92% by May 2024. That kind of performance leap is good news for businesses and consumers alike.

But here’s the catch: performance differences among top-tier models are shrinking. As more models converge toward a high-performing mean, commoditization is setting in. The era of easy wins from scaling compute or training on more internet data is drawing to a close.

So, where do the next breakthroughs come from? Our bet: proprietary data.

Today, nearly all LLMs are trained on overlapping public datasets. That’s one reason we’re seeing increasing model parity. What’s driving the subtle performance differences we still see? It comes down to factors like:

  • Dataset scale (how many tokens)
  • Dataset composition (the type and mix of data)
  • Preprocessing techniques (for example – data inclusions and exclusions)
  • Training strategies (like weighting by data type)
  • Post-model training activities (think reinforcement learning from human feedback (RLHF))

But even those levers are losing their edge. While foundation models will likely continue to be trained on public data for broad, horizontal use cases, the next frontier is training models not just on more data—but on different data. Specifically, proprietary datasets that are unavailable to the rest of the world.

We’re seeing this play out already, in two key ways:

1. Fine-Tuned LLMs
Start with a powerful base model (like GPT-4 or an open-source alternative) and fine-tune it on a company’s internal knowledge or a specific industry’s data. GitHub’s Copilot, fine-tuned on proprietary codebases, is a prime example.

2. Specialized Language Models (SLMs)
Rather than fine-tune a general model, train a new one primarily on a specialized (often proprietary) corpus. BloombergGPT is a good example. Trained on financial data, it achieves elite performance with just 50 billion parameters—orders of magnitude smaller (and cheaper) than ChatGPT-4’s 1.5 trillion.

Which path will prove most effective long-term? It’s too early to say. But one thing is clear: incorporating proprietary data consistently delivers major performance gains—typically boosting outcomes by 40–50%.

This shift is already reshaping the investment landscape. Enterprises sitting on troves of proprietary data are waking up to its value. Some are productizing it. Others are licensing it out. The latter will spark a wave of AI startups focused on a diverse set of specialized markets.

So what does this mean for cybersecurity? A lot.

Where there’s proprietary data, there are risks: privacy concerns, data leakage, intellectual property threats. Many of these “proprietary” datasets are even derived from public sources via OSINT methods. Strider Technologies, for example, excels at this—transforming public data into strategic intelligence on geopolitical and relationship risk using proprietary analytics and AI.

The most exciting startups we see emerging today aren’t just building better AI—they’re pairing strong models with exclusive data to unlock new platforms, applications, and business models. Their data is their moat.

From Air-Gapped to Under Siege: The Blurring Line Between IT and OT Security

It wasn’t all that long ago that operational technology (OT) and industrial control system (ICS) security were thought to be a niche sector of cybersecurity—a specialty where just understanding your OT asset inventory was one of the biggest challenges: What are the different types of programmable logic controllers (PLCs) in your plant, and how are they tied together with physical-world motors, hydraulics, and sensors? These systems had limited connections to Ethernet networks or the public internet, if they were not physically air-gapped altogether.

Fast-forward to today, and names like Volt Typhoon strike fear in national security leaders and energy-sector CISOs alike. Multiple ICS security unicorns such as Dragos, Claroty, and Armis now serve a booming market, with companies spending billions on OT security. So, how did we get here?

Driven by the pursuit of efficiency, convenience, and the continued “smartification” of industrial controls, OT systems are now more intertwined with IT networks. This connectivity enables real-time analytics, remote monitoring, and predictive maintenance. But it also opens the door to attackers. While OT and IT systems still have different dynamics and technology stacks, from a security standpoint, they are converging.

Today, many attacks that impact OT systems start in the IT domain. A recent report from Telstra International and Omdia found that 75% of cyber incidents impacting manufacturing firms in the past year involved both OT and IT environments. One striking example is Volt Typhoon’s 2023–2024 campaign against U.S. infrastructure. According to a March 2025 Dragos report, as part of this campaign, the group infiltrated IT systems at a small public utility in Massachusetts, then pivoted to extract sensitive OT system data.

Security strategies need to match the architecture they protect. Critically, convergence doesn’t mean applying IT security tools and practices wholesale to OT environments. OT systems prioritize uptime, safety, and deterministic behavior. Unlike IT systems, they often can’t tolerate frequent patching, scanning, or downtime. A converged security strategy must reflect those realities.

An example of this balanced approach can be seen in the work of Frenos. Their attack path analysis platform can identify how adversaries could move from IT systems into OT environments but does so on a simulated digital twin—ensuring no disruption to real-world operations.

As the boundaries between OT and IT continue to dissolve, so too will the lines between the companies, tools, and teams that protect them. The attack surface is converging. Our defenses must converge too—intelligently, collaboratively, and with respect for the distinct nature of each domain.

The Cost of Convenience: How a Coffee Shop Menu Can Compromise National Security

Ever scanned a QR code for a coffee shop menu or to join a Wi-Fi network? Of course you have—we all have. But what if that same convenience could let foreign adversaries eavesdrop on government secrets? Sounds like the start of a sci-fi thriller, right? Welcome to reality.

In the pursuit of seamless digital living, convenience has quietly become cybersecurity’s Achilles’ heel. The rise of QR codes and device syncing—plus the ease of biometric logins, one-tap recovery, and cloud backups—has opened new doors not just for users but for attackers. Platforms like Signal, built with security in mind, are ironically becoming more vulnerable as they lean into convenience.

Recent threat intel reports reveal that multiple Russia-aligned hacking groups have exploited these features to compromise Signal Messenger accounts. These efforts kicked into high gear after Russia’s 2022 invasion of Ukraine, with attackers aiming to intercept sensitive military and diplomatic chatter. Because Signal is used by everyone from generals to journalists, it’s become a high-value target.

And it’s not just Signal. The very tools that make our lives easier—QR codes, cross-device syncing, quick-link invitations—are turning into backdoors for threat actors.

A Growing Pattern of Exploitation

It began in 2022 when groups like UNC4221 created Signal phishing pages that tricked users into scanning fake QR codes. Once scanned, attackers silently linked their devices to the victim’s account—boom—instant spy access.

By 2023, APT44 (also known as Sandworm) ramped things up. They deployed malware like Infamous Chisel to scrape Signal app data and used the WAVESIGN batch script to exfiltrate messages from Signal Desktop.

By 2024, phishing campaigns had scaled. UNC5792 sent spoofed Signal group invites and fake versions of Kropyva — a battlefield mapping app used by Ukrainian forces. Victims scanned. Accounts were compromised. And that friendly-looking QR code? It was a Trojan horse.

And then came the main event: Signalgate.

When Convenience Hits the Highest Levels

In March 2025, National Security Adviser Mike Waltz accidentally added journalist Jeffrey Goldberg to a Signal group chat intended for top officials—including VP JD Vance and Defense Secretary Pete Hegseth. Nothing says “operational security” like a fat-fingered group chat containing sensitive, if not classified, details about upcoming U.S. military strikes in Yemen.

That single slip—powered by Signal’s seamless group sync and autofill—sparked bipartisan outrage. The Pentagon launched an investigation. Security pros sighed heavily. Critics pointed out what now seems painfully obvious: even an encrypted app can’t protect you from yourself… or your contact list.

The Department of Defense followed with a warning memo, stating that foreign threat actors had already exploited Signal’s linked device feature. Convenience, it turns out, isn’t just risky—it’s a national security hazard.

A Widening Pattern, Far Beyond Signal

This wasn’t an isolated vulnerability. Across platforms and industries, attackers have exploited the convenience we take for granted. In 2023, Russian threat group ColdRiver (also known as Star Blizzard) used spoofed WhatsApp Web login QR codes to compromise accounts belonging to European government officials. The interface looked familiar enough—and that’s exactly what made it effective.

In India and Southeast Asia, attackers disguised phishing and malware links as WeChat or PayTM payment QR codes. The social engineering was as simple as it was sinister: scan to pay, and hand over access in the process.

Even the remote work boom wasn’t safe. In 2021, fake QR-based Zoom invites led people to malware-laced login portals that quietly harvested enterprise credentials.

And in the retail world? Attackers layered fake QR codes on top of real posters for Starbucks and Dunkin’. Scan to get your latte points—and unknowingly give access to your account, wallet, or worse.

If there’s a QR code, there’s someone trying to hijack it.

Old Tricks, New Wrapping

What we’re seeing isn’t some newfangled cyber sorcery—it’s the same old phishing and social engineering dressed up in slick, user-friendly packaging. The psychology behind it hasn’t changed: if something looks familiar and doesn’t require much thought, most people assume it’s safe. That’s the trap.

QR codes, for instance, feel innocuous. They’re everywhere—from restaurant menus to billboards—and we’ve been trained to trust them. But that feeling of low risk is exactly what makes them so dangerous. With a single scan, attackers can silently link your device to theirs, granting them real-time access to your messages or sensitive data—no password required.

Then there’s credential harvesting. Fake login pages that look nearly identical to the real thing pop up mid-sync or after scanning a code. The user enters their info without hesitation, handing over the keys without realizing it.

And once attackers are in? They rarely stay put. They move laterally—phishing your contacts, stealing from your digital wallets, impersonating you on other platforms. It’s not just a breach; it’s a chain reaction.

The Stakes: From Consumers to Command Centers

For businesses, these breaches cause IP theft, customer data leaks, and brand damage. In government? They compromise military ops and diplomatic relations. For individuals, it’s the collapse of trust in the very apps built to protect us.

Journalists, whistleblowers, public officials, and activists all rely on encrypted platforms like Signal. But as Signalgate made clear, even the most secure tools can’t compensate for sloppy defaults or human error.

So the next time you scan that QR code on the café table, pause for a second. Tilt your head. Ask yourself: “Do I need this coupon more than I need to avoid accidentally starting an international incident?”

Because convenience isn’t just a feature anymore; it’s the battleground.

Cloud Security’s New Power Couple: Google & Wiz

Google’s $32 billion acquisition of Wiz is one of the largest cybersecurity deals in history—and a defining moment for the cloud security landscape. For Google, it’s a major leap forward in the high-stakes battle for cloud dominance. For startups, it’s a new benchmark that could reshape how the market thinks about exits.

Google Cloud has long fought to gain ground against AWS and Microsoft Azure. One of the biggest barriers to enterprise adoption? Trust—especially when it comes to security. The acquisition of Wiz gives Google a shot at flipping that script.

Wiz isn’t just another security platform. It’s a leader in the Cloud-Native Application Protection Platform (CNAPP) category, known for its agentless approach and seamless visibility across AWS, Azure, and Google Cloud. By integrating Wiz into Google Cloud, Google is positioning itself as a security-first cloud provider—something enterprises increasingly demand.

This move also provides a clear differentiation. While Microsoft has invested heavily in in-house security tools and AWS continues to build its ecosystem, Google has now secured the fastest-growing independent cloud security platform on the market. It’s a direct response to customer concerns and a statement that security is no longer an afterthought—it’s central to Google Cloud’s value proposition.

The timing is telling. Wiz had reportedly considered an IPO after earlier acquisition talks with Google stalled. So why did Wiz circle back, and why did Google pull the trigger now?

A few converging factors likely made this the moment:

  • Escalating cyber threats, increasingly powered by AI, are pushing enterprises to demand unified, proactive security platforms.
  • The rise of multicloud strategies makes Wiz’s cross-platform visibility more valuable than ever.
  • Competitive pressure from Microsoft and Amazon has intensified, as both rivals continue to invest in cloud security to win enterprise trust.
  • A more favorable regulatory climate in early 2025 may have helped pave the way for a smoother, faster transaction.

And finally, Wiz itself was too strategic a player to remain independent much longer. At over $350 million in ARR, it had both the scale and growth to command a premium. Google’s all-cash offer wasn’t just a purchase—it was a power move.

For the cybersecurity startup world, this is a shot of adrenaline. In the past six months, we’ve seen meaningful M&A activity—Turn/River Capital taking SolarWinds private, CyberArk buying Zilla Security to expand in identity governance, and Harness merging with Traceable in API security. But none of these deals match the scale or strategic weight of the Google-Wiz acquisition.

Here’s what it signals:

  • Big exits are not only possible—they’re accelerating. A $32B all-cash deal for a four-year-old startup proves that category leaders can create extraordinary value in record time.
  • Security has moved to the core of cloud strategy. Startups solving real cloud security problems—especially around multicloud, AI-driven threat detection, and unified visibility—are now directly in the path of strategic buyers.
  • Consolidation is coming. Cloud providers, legacy vendors, and platform companies will be on the hunt for differentiated technologies and talent. The race to build the most comprehensive security stack is on.

Founders building in cloud security, extended detection and response (XDR), identity, and AI-native security are already seeing increased investor and acquirer interest. And this deal raises the bar: Wiz showed that you can scale fast, stay focused, and still drive a massive outcome.

The bottom line? Google and Wiz aren’t just making headlines—they’re redefining the future of cloud security as the industry’s new power couple. Their union underscores how central security has become to cloud strategy—and how far strategic buyers are willing to go to secure cloud-native, high-growth platforms. For cybersecurity startups, the message is clear: the opportunity is massive, the bar is rising, and the stakes have never been higher.