Quarterly insights: Cybersecurity

RSA 2025 and recent conversations: Key insights and takeaways

We present our key takeaways from RSA 2025 and other recent conversations with operators, chief information security officers, acquirers and investors across the cybersecurity ecosystem.

Enterprise adoption of agentic artificial intelligence (AI) is accelerating, creating a surge in non-human identities that are challenging existing identity governance models. This identity sprawl is fast becoming one of the most urgent — and under-secured — problems in the enterprise.

AI remains a central design theme in cybersecurity software, but vendors and buyers are increasingly focused on tangible efficiency outcomes: reduced analyst workload, faster response times and improved coverage with fewer resources.

Network security is regaining strategic relevance as attackers shift away from hardened endpoints and toward lateral movement, unmanaged systems and traffic flows that traditional tools miss.

Merger and acquisition (M&A) and financing activity remains steady, but the bar for investor and acquirer interest has risen. Companies with strong customer retention, scalable go-to-market models, and credible platform expansion narratives are best positioned in this more selective market.

Non-traditional acquirers and strategics backed by private equity and venture capital have become more active transaction participants, even as public cybersecurity acquirers take a more measured approach to M&A.

TABLE OF CONTENTS

  • Cybersecurity remains a leading technology priority
  • Capital discipline and an evolving buyer landscape
  • Agentic AI and the rise of non-human identity risk
  • AI in cybersecurity: Focus shifts to measurable efficiency
  • Network security reclaims attention
  • Final thoughts: A sector in constant motion, still defined by opportunity
  • Cybersecurity index soared after April’s sell-off
  • Cybersecurity M&A: Notable transactions include Red Canary and Protect AI
  • Cybersecurity private placements: Notable transactions include Guardz and Cerby

Cybersecurity remains a leading technology priority

RSA 2025 reaffirmed that cybersecurity remains one of the most dynamic and resilient sectors of the economy. This year’s conference drew more than 42,000 attendees and 700 exhibitors — marking a return to near-record levels of participation. Attendance and engagement across sessions, side meetings and the expo floor reflected a continued depth of interest across acquirers, software buyers, vendors, and investors.

Importantly, the energy at RSA was not concentrated around a single trend. Discussions covered a wide range of topics — from integration of AI into the security stack and the challenges of autonomous agents to the re-emergence of network visibility as a core control layer. Despite macroeconomic headwinds, there remains a robust pipeline of cybersecurity startups, a healthy pool of acquirers and sustained demand from chief information security officers working to modernize their defenses and improve operational efficiency.

Capital discipline and an evolving buyer landscape

Cybersecurity continues to receive strong budget prioritization. According to Piper Sandler’s 2025 RSA keynote, 89% of organizations expect to increase security spending this year, making it the top information technology budget category. This prioritization has supported relative strength in the public markets, where cybersecurity stocks have outperformed the broader enterprise software indices year-to-date. As of July 15, the First Analysis Cybersecurity Index had appreciated 33.8% — 22 points ahead of the S&P 500 and the Nasdaq. However, revenue growth expectations have moderated.

As we noted in our April report, the 2025 initial revenue growth guidance for public cybersecurity companies averaged 13.4%, down from actual 2024 growth of 17.2%. As top-line growth slows, capital markets have increased their focus on execution. Acquirers and investors increasingly emphasize gross revenue retention, gross margin, free cash flow generation, and scalable go-to-market strategies as key markers of business quality.

At the same time, the acquirer landscape is shifting. Traditional public cybersecurity strategic acquirers have been quieter. Piper Sandler noted that 16 of the 30 largest public cybersecurity vendors made no acquisitions over the past 18 months. In contrast, publicly traded companies that are not cybersecurity companies, such as Mastercard (acquirer of Recorded Future) and Crane NXT (acquirer of OpSec), have stepped in alongside private equity-backed and venture-backed platforms to drive continued transaction volume. With the exceptions of very large public technology companies with substantive cybersecurity offerings such as Microsoft, Cisco, Broadcom, and Google, publicly traded companies outside of cybersecurity have not historically been common acquirers of cybersecurity companies.

While the M&A market remains active, valuation discipline has become more pronounced. The median revenue multiple for cybersecurity transactions has declined approximately 20% — from 7.0 across 1,379 transactions in the years 2018 to 2023 to 5.6 across 314 transactions completed since early 2024.

This compression comes at a time when many private equity investments made between 2020 and 2022, which was a period of relatively high valuations, are approaching their expected exit timelines. With fewer initial public offerings and more selective acquirers, financial sponsors are increasingly focused on capital efficiency, strategic fit and financial durability. As a result, we expect further emphasis on realistic valuation frameworks and business fundamentals over the next 12 to 24 months.
