A total of 178 cybersecurity-related merger and acquisition deals were announced in the first half of 2024, representing the least busy half year since SecurityWeek started tracking M&A deals in 2021.
SecurityWeek saw the highest number of M&A deals in the second half of 2021 and the number has been steadily decreasing ever since.
Of the 178 deals, 111 involved pure-play cybersecurity companies. The other transactions involved firms that offer security in addition to other IT services.
North America continues to lead, with 135 deals, followed by Europe. A vast majority of the North American M&A transactions involve companies in the United States, which is not surprising considering that companies here are most likely to enter M&A deals as part of an expansion or exit strategy.
Data collected by SecurityWeek shows 133 deals involving US firms, roughly the same as in the first and second half of 2023.
The number of mergers and acquisitions involving European companies, however, has dropped to 49 in H1 2024 — compared to 71 in H1 2023 and 57 in H2 2023. While UK firms were involved in 29 deals, roughly the same as in the previous year, other European countries such as Sweden and Ireland were far less active than in the previous two halves.
Canada, Australia, Israel and Germany have remained steady, each accounting for 8-14 deals in the first half of 2024, approximately the same as in the previous year.
SecurityWeek is not aware of any cybersecurity deals involving companies in Africa in the first half of the year.
Financial details are known for 33 deals for a total value of $33.5 billion. Twenty-two deals involved pure-play cybersecurity companies for a total disclosed value of $12.1 billion.
Six deals were valued at over $1 billion. The list includes HPE acquiring Juniper Networks for $14 billion, Synopsys selling its Software Integrity Group for $2.1 billion, CyberArk acquiring Venafi for $1.54 billion, HG acquiring AuditBoard for $3 billion, IBM acquiring HashiCorp for $6.4 billion, and Cohesity buying Veritas’ data protection businesses reportedly for $3 billion.
It’s worth pointing out that the number of deals exceeding $1 billion is already the same as in the entire year of 2023.
In terms of the types of companies involved in mergers and acquisitions in the first half of 2024, managed security services providers (MSSPs) continue to lead, with 50 deals, but it’s worth noting that only a dozen are pure MSSPs, with the rest also offering other IT services besides cybersecurity.
This number is significantly smaller than the 82 MSSP deals announced in the first half of 2023 and the 155 deals announced for the full year.
Companies offering governance, risk management and compliance (GRC) solutions and services were involved in 30 acquisitions, which is roughly the same as in H1 and H2 2023.
The third position in H1 2024 is occupied by application security, with 19 deals, followed by data protection and incident response. Last year, application security did not make the top 10.
On the other hand, the identity category, which last year occupied the third position with 40 deals, dropped to the seventh position in H1 2024, with only 14 deals.
Mergers and acquisitions involving consulting companies are also down, with only four deals announced in the first half of the year, compared to 17 announced in the same period of last year.
Sixteen cybersecurity acquisitions announced in the first half of 2024 involved government contractors, roughly the same as in 2023.
As for private equity companies, they were involved in nine deals. This number has halved compared to H1 and H2 2023.
The ‘specialized’ category, which includes companies that provide highly focused cybersecurity services, had nine deals in H1 2024, nearly half the number seen in H1 2023. This year, the category includes companies specializing in cryptocurrency, accounting, hardware, orchestration, events, and certification.
Methodology: The data was collected through news distribution services, Google searches and pitches from PR companies. The data includes companies that issued press releases announcing or mentioning acquisitions, as well as deals that have been privately reported to SecurityWeek. All deals that had a cybersecurity component have been taken into account for this study. Mergers and acquisitions that did not have an English-language announcement may not be included. The data could also include some deals that may not have been completed after they were announced.
The GRC category includes governance, compliance, risk management, audit, assessment, vulnerability management, penetration testing, attack surface management, and cyber insurance. Network security includes endpoint security, MDR, XDR, NDR, and SASE. Identity includes IAM, PAM, secure access, authentication, and authorization. Incident response includes SOAR, SIEM, SOC, and forensics. ‘Other (specialized)’ includes hardware, blockchain, quantum, payment, healthcare, PR, education, certification, design, workforce, communications, and automotive. Data protection includes encryption/cryptography, VPN, privacy and backup. MSSP includes cybersecurity solution distributors and companies that do not develop their own products or solutions.