2025 has arrived, and with it comes a new Congress, a new presidential administration, and some anticipated seismic changes in our national cybersecurity strategy, the role of cyber in national security, and conflicts with nation-state adversaries.
The fourth quarter of 2024 gave us mixed signals with robust activity for growth-stage investments, but Seed activity lagged behind previous years and quarters. Once again, we look under the hood to make sense of the quarter’s cybersecurity investing data, providing unique analysis and insights into the areas of cybersecurity investment making the greatest impact.
Post-COVID Boom Investments Reaching End of Runway
The fourth quarter of 2024 marked a notable rebound in the overall venture market, with increased capital investment and deal volume across most stages, except for Seed and Series E. In contrast, the cybersecurity sector faced significant headwinds, with year-over-year declines in capital invested and mixed deal volume results. Down rounds hit their highest levels in a decade, highlighting the challenges faced by companies that raised capital during the post-COVID boom and are now approaching the end of their cash runways.
There were some green shoots in the cybersecurity sector, such as a rebound in valuation step-ups for Series A and Series B, with multiples surpassing the 2.5x mark for the first time since 2022. Next year, we may see these cybersecurity green shoots blossom.
Growth-stage investments, particularly Series B, saw a significant uptick, with deal volume and capital invested surging over 190% quarter-over-quarter. While overall Series C also improved modestly, cybersecurity companies in these stages lagged behind the broader recovery. The mixed performance highlights the uneven pace of recovery within the cybersecurity market compared to the overall venture landscape.
Autonomous security remained the top cybersecurity investment category in Q4, driven by interest in applying AI to application security, SOC workflows, and automation. Compliance also gained traction, with GRC platforms capturing their largest share of deal volume to date.
While cybersecurity lagged behind broader venture market trends in Q4, pockets of recovery and sustained interest in key areas suggest the potential for a stronger 2025. Investors appear poised to re-enter the market selectively, creating opportunities for growth in both traditional and emerging cybersecurity categories.
Our full analysis of Q4 VC cyber investment data follows.
In the fourth quarter of 2024, the venture market experienced substantial rebounds across most investment stages, with notable increases in capital investment and deal volume—except at Seed and Series E. The slowdown at the Seed stage is likely due to investors adopting a cautious approach, prioritizing more established startups as they re-enter the market. Should venture capital see a broader rebound in 2025, Seed investments will likely catch up with other rounds.
The cybersecurity market did not fare as well this quarter. Capital investment declined significantly year-over-year, and deal volume delivered mixed results. Down rounds also continued their upward trajectory, building on already elevated levels from the previous quarter. However, despite these ongoing headwinds, the positive momentum in the broader venture market and a few emerging green shoots within the cybersecurity sector suggest the potential for a recovery. These early signals of growth could mark the beginning of a more sustained upturn in 2025.
While Capital Investment Recovered from 2023, Deal Count Fell Considerably
Source: PitchBook
During 2024, capital invested recovered to pre-pandemic levels despite a significant pullback in the number of deals. Part of this discrepancy can be attributed to particularly strong capital investment numbers this quarter, up nearly 75% from Q4 of 2023. Additionally, rising valuations and increased megadeals (deals over $100 million) account for much of the change.
Series A Recovers as Seed Falls Further
Source: PitchBook
Series A investment saw a considerable bump to end the year, with deal volume more than doubling and a 68% rise in capital invested. The A-round cybersecurity market fared equally well, increasing more than 100% from Q3. Though these increases were significant, Series A investment still remained below pre-pandemic levels. At the Seed stage, deal volume fell even further from the near-record lows of the previous quarter. With later-stage capital recovering, Seed will likely follow suit in the coming quarters as investors’ appetite for risk returns.
Deal Volume Rebounds for Growth Stage Capital, but Cyber Lags Behind
Source: PitchBook
Growth stage capital bounced back significantly this quarter, particularly at Series B, where deal volume increased 193% from Q3 of 2024 and more than 200% from Q3 of this year. This spike in volume brought levels back in line with those seen during the pandemic. Series C saw a more modest increase, rising 34% from the previous quarter. Growth-stage cybersecurity companies did not fare as well this quarter, with a modest increase at Series B and a significant drop at Series C. While the market for growth stage capital appears to have rebounded, it remains to be seen whether this is a proper recovery or simply an after-effect of the large number of companies that raised Seed and A rounds in 2021 and 2022.
Deal Volume and Capital Investment Rebound Nearly Everywhere but the Seed Stage
Volume and Capital Invested Changes by Stage – Source: PitchBook
Note: Cells without data represent comparisons where there was no deal volume or capital investment in the referenced quarter.
Seed Valuations Continue to Climb, as Series A Sees Slight Decreases
Source: PitchBook
Unlike deal volume, pre-money valuations at the Seed round correlate little with the overall market. They have risen steadily over the last six years despite large changes in valuations at other stages. This quarter was no exception, seeing valuations continue to climb despite deal volume struggling. At Series A, pre-money valuations saw more mixed results, increasing from Q4 of 2023, but decreasing from the previous quarter of 2024. In cybersecurity, Series A valuations rebounded from the previous quarter, but overall trended down during 2024 from the highs of Q3 2023. At the Seed stage, cybersecurity valuations remained relatively flat with a slight upward bias.
Step Ups in Cybersecurity Rebound, While Down Rounds Remain Elevated
Source: PitchBook
Note: Down and flat round data are reflective of all verticals due to insufficient data to perform cybersecurity-only analysis.
During the quarter, the median step-up in valuation from Seed to Series A in the broader market remained steady, holding around the 2x mark since the sharp decline in 2022. In contrast, cybersecurity valuation step-ups, which had been declining throughout the year, rebounded significantly in the fourth quarter, climbing back above a 2x multiple.
Since the market downturn in late 2022, down and flat rounds have remained elevated. Despite the uptick in Series A investment, Q4 continued the trend, recording the highest level of down rounds in ten years. This is likely due to the large number of companies that raised funds during the post-COVID boom now reaching the end of their cash runway, coupled with Series A deal volume that, while showing signs of recovery, remains well below average levels.
Median Step-ups Rise Driven by a Decrease in Down Rounds
Source: PitchBook
The story of the quarter was the across-the-board improvement for Series B investment. In addition to the rise in capital invested and deal volume, down rounds fell significantly, and valuation step-ups rose. Notably, cybersecurity multiples experienced a sharp spike, surpassing the 2.5x mark for the first time since 2022. This rise in valuations, coupled with increased deal activity, indicates that investors are re-entering the market and driving greater competition.
Where Was Cyber Investment Flowing
Source: PitchBook
Q4 saw a continued interest in autonomous security, with application security and SOC workflows emerging as primary areas for automation. This marks a return to the baseline from Q3, which also saw an outsized number of companies in this category, but with a focus on penetration testing. Notably, while the broader market was heavily focused on AI during the quarter, companies in this space accounted for only 14% of cybersecurity deal volume—unchanged from the previous quarter.
Compliance also emerged as a key area of focus, with GRC platforms gaining momentum among investors. Fourteen percent of deals during the quarter fell into this category, representing compliance’s largest share of deal volume to date.
Cloud Security, Data Security, Blockchain, and IAM tied for the third largest category during the quarter, each making up 9% of deal volume. The quarter also saw small numbers of investments in a handful of other categories including software supply chain security, IP protection, fraud prevention, and penetration testing.
AI Dominates the Top Cybersecurity Investment Areas in 2024
Source: PitchBook
In the overall venture landscape, AI dominated 2024. According to PitchBook, AI deals accounted for more than 35% of total VC investment during the year. Unsurprisingly, Autonomous Security emerged as the top category in cybersecurity. These companies leverage AI in various ways, from automating vulnerability fixes for AppSec teams to streamlining penetration testing and prioritizing alerts. This category is poised for further growth in 2025 as advancements in AI enable autonomous solutions to expand into new areas and gain traction in existing ones.
As AI surged early in the year, investors rushed to fund solutions aimed at securing its use. The year’s first half saw significant investments in AI security companies addressing this need. However, this momentum waned significantly by the end of the year, with no new investments in the category recorded during Q4. This dearth contributed to AI Security dropping to fifth place among cybersecurity categories for 2024. Given the competitiveness of the market and the ability of established AIOps players to easily create similar solutions, it’s likely that this downward trend in pure-play AI Security companies will continue into 2025.
Another category to mention was Identity and Access Management (IAM), which saw notable investment activity in Q2 and Q3, particularly in solutions designed to manage the growing number of machine identities in enterprise IT. As the adoption of first-party AI accelerates within enterprises, the number of machine identities is set to balloon. This demand ensures that investment in tailor-made IAM solutions will continue to rise in the coming year.
Salt Typhoon Marks China’s New Foray into Virtual Infrastructure
An ocean-spray-filled wind has blown across the Pacific. Salt Typhoon’s recent infiltration of the telecommunications industry underscores that China’s interests extend beyond controlling critical infrastructure in the physical world (like that electric storm we call Volt Typhoon). With Salt Typhoon, they’ve expanded their reach into the virtual world’s critical infrastructure, where telecom networks and software supply chains reign supreme.
What Did Salt Typhoon Do?
This Chinese advanced persistent threat (APT) group was discovered in major U.S. telecommunications giants such as AT&T, T-Mobile, Verizon, and Lumen (among others) in Q4 of 2024, but they are suspected of having been in these networks since at least mid-2023. By breaching this industry, they gain access to the very heartbeat of our digital world.
This group has alarmingly exploited the telecom industry’s lawful intercept systems, originally designed to help “good” governments monitor criminal activities. These CALEA-mandated systems, intended as tools of justice, can also operate as powerful backdoors. Salt Typhoon’s hack shows the chilling reality that surveillance mechanisms can be co-opted by malicious actors to access sensitive metadata and communications at an unprecedented scale, turning the oversight tools into espionage instruments.
It’s All About the Virtual World’s Supply Chain
Salt Typhoon’s actions, along with other recent APT attacks like the BeyondTrust breach that enabled the infiltration of the Treasury Department, highlight an uncomfortable truth: the infrastructure and platforms that power and secure our virtual world—telecommunications, online software products, and especially cybersecurity software—are irresistible targets for attackers (more on the BeyondTrust breach later). These incidents highlight a troubling pattern in many major hacks over the past several years: the virtual world’s supply chain is the primary attack path.
What Can We Do?
How do we respond to this trend? While the government’s response is best left to the intelligence community, we must prioritize innovation in three key areas:
A 2×4-Up-Side-The-Head Wake-up Call
Salt Typhoon’s total ownership of the U.S. telecommunication industry is a dramatic reminder that adversaries are targeting both the virtual world and the physical world’s critical infrastructure. Telecommunications, mass-adopted software products, and cybersecurity platforms are jackpot targets, making innovation to harden and protect these industries an absolute necessity.
Data Breaches Now Risk Physical Security
What’s the verdict? Have the number and severity of data breaches increased this year? While comprehensive statistics for 2024 are still being finalized, the vibes point to an upward trend. Let’s take a step back for perspective: in 2015, there were 781 recorded breaches in the United States. Fast forward to 2023, and that number had ballooned to 3,205. The trajectory is clear, and the stories from the past year underscore this alarming growth.
In August 2024, National Public Data (NPD) confirmed a catastrophic breach that had started nine months earlier, in December 2023. This breach, attributed to the threat actor “USDoD,” compromised a staggering 2.9 billion records, impacting as many as 270 million people. Stolen data included sensitive personal information such as Social Security numbers, full names, family details, and physical addresses. The root cause? An unprotected zip file containing backend passwords found on NPD’s own website.
The repercussions were severe. Financial losses mounted, reputational damage spiraled, and by October 2024, NPD filed for bankruptcy—a cautionary tale of what happens when companies fail to safeguard their data.
NPD’s downfall might be unique in its scale and consequences, but it was not an isolated event. The Change Healthcare/United Healthcare hack and the AT&T data breach of 2024 stand out as additional examples of massive data exposures. Although these companies avoided bankruptcy, the breaches caused significant harm, from operational disruptions to the exposure of millions of customers’ sensitive information.
Fast-forward to January 2025, and the Gravy Analytics data breach hit the headlines. In this attack, a Russian-speaking threat actor exploited a misappropriated AWS access key, exfiltrating 17 terabytes of location data. Unlike breaches focused on financial or identity data, this incident targeted the real-time movement data of millions of smartphone users collected via online ad bidding processes.
The implications are chilling. Unlike stolen financial data that leads to fraud or social engineering risks, the Gravy Analytics breach introduced new threats: stalking, physical harassment, discriminatory targeting, and even blackmail. Imagine an AI-powered adversary using 15 years of location history to predict and manipulate your daily routines. This breach shows that some types of stolen data aren’t just about identity theft but physical safety and control.
So, what protections exist to prevent these incidents? Several regulations aim to safeguard sensitive data and enforce privacy protections:
Additionally, state-level regulations like the California Consumer Privacy Act (CCPA), inspired by Europe’s General Data Protection Regulation (GDPR), add more layers of oversight and penalties. Yet, despite these measures, breaches continue to grow in size, frequency, and complexity.
The reality is stark. Data breaches don’t just endanger virtual lives; they also impact people in the physical world. Companies like NPD, United Healthcare, AT&T, and Gravy Analytics all show that the current regulatory and technological landscape is failing to keep pace with evolving threats.
What needs to change? Should there be heavier penalties (the stick) or more incentives (the carrot) to encourage better cybersecurity practices? Are existing cyber frameworks and architectures sufficient, or do we need something entirely new? Should companies even be allowed to collect and store certain types of data?
The search for answers continues. But one thing is clear: the stakes are higher than ever. Companies must evolve their cybersecurity postures before the next breach becomes yet another headline—or worse, another casualty in the battle for digital safety.
Back Doors to Treasury
In December 2024, the U.S. Treasury found itself in the crosshairs of yet another state-sponsored cyberattack, allegedly masterminded by Chinese Advanced Persistent Threat (APT) actors. These hackers didn’t kick down the door—they found the spare key under the mat. By exploiting vulnerabilities in BeyondTrust’s remote support software (a trusted third-party provider), they managed to snag an API key and waltz past security protocols. Once inside, they accessed several employee workstations tied to sensitive offices like the Office of Foreign Assets Control (OFAC) and the Office of Financial Research. Officially, only unclassified documents were compromised, but given the high-value targets, you have to wonder: What’s the real endgame here?
This isn’t the first time we’ve seen this playbook. As we discussed previously, Chinese APT groups have a habit of zeroing in on critical U.S. government agencies and private enterprises. The pattern is unmistakable, from the 2014 OPM breach—where 21.5 million federal employees’ data was stolen—to the 2017 Equifax hack that exposed the financial records of 147 million Americans. The goal seems clear each time: gather information to fuel economic, geopolitical, or military objectives. The Treasury breach, focusing on sanctions policy and systemic financial data, adds another alarming chapter to this ongoing saga. Its potential implications for America’s economic strategy and diplomatic negotiations cannot be overstated.
Patterns in the Chaos
Zooming out, the Treasury breach mirrors broader trends in China’s cyber campaigns. Operation Cloud Hopper (2014-2017) demonstrated their ability to infiltrate managed service providers globally, while the 2021 Microsoft Exchange Server exploit impacted tens of thousands of organizations. And then there’s Salt Typhoon, which we previously explored in depth. By targeting lawful intercept systems in U.S. telecom networks, Salt Typhoon revealed how even systems designed for oversight can be twisted into espionage tools. The lesson? The supply chain is a weak link in today’s interconnected global market—an Achilles’ heel that China is all too eager to exploit.
What sets the Treasury breach apart is the strategic value of the offices targeted. OFAC, for instance, oversees U.S. sanctions, a cornerstone of American foreign policy. Insights into its operations could help adversaries anticipate or counter sanction strategies, potentially undermining global enforcement efforts. Meanwhile, the Office of Financial Research handles systemic financial risks, meaning any data compromise could expose vulnerabilities within the U.S. financial system. These weren’t random hits but surgical strikes aimed at maximizing strategic advantage.
Diplomatic Fallout and the Limits of Deterrence
The Treasury breach also underscores the growing complexity of U.S.-China cyber relations. For years, Chinese cyber campaigns have strained diplomatic ties. In 2015, the U.S. and China even brokered an agreement to curb economic cyber espionage. But like an expired warranty, the pact didn’t last. Subsequent breaches—from attacks on COVID-19 vaccine research to the more recent Salt Typhoon operations—demonstrate the difficulty of enforcing such agreements in the face of persistent, state-backed threats. This breach is yet another reminder of the limits of deterrence when dealing with adversaries that play the long game.
Lessons Learned: Securing the Ecosystem
For policymakers and engineers alike, this breach isn’t just a blip—it’s a wake-up call. Tighter controls on third-party vendors, stronger safeguards for API keys, and robust supply chain security must become non-negotiable.
The interconnected nature of today’s infrastructure means that a weak link can threaten national security. OFAC and the Office of Financial Research weren’t random targets; they were deliberate selections designed to exploit those connections. This isn’t just about stopping the bad guys from getting in—it’s about securing the entire ecosystem.
Strategic Cyber
The Treasury breach’s ripple effects are far from over. It’s a stark reminder that cybersecurity isn’t just a technology issue—it’s a critical component of economic and geopolitical strategy. As adversaries like China continue to refine their methods, the U.S. must adapt, not just react. Whether through innovation in secure-by-design technologies, stricter regulations to protect supply chains, or more robust international agreements, the path forward requires urgency and coordination.