EPISODE 15: MIKE PRIVETTE

In this episode of Cyber Thoughts, Lucas Nelson is joined by Mike Privette, founder of Return on Security, for a data-driven look at the state of cybersecurity funding and M&A. Mike breaks down why Q3 was such a strong quarter, how mega-deals like Wiz fit into the broader trends, and what his latest analysis reveals about the real role of AI in security. He also shares where he sees the most interesting opportunities emerging and what he’s tracking next in his deep-dive reports.

Welcome to the Cyber Thoughts podcast, where we explore the world of cybersecurity through the eyes of practitioners and leaders in the field. In each episode, we invite a guest from the world of Infosec to share their insights and expertise on the latest trends and developments in the cybersecurity market.

Whether you're a seasoned Infosec professional or just starting in the field, this podcast is for you; our guests will provide valuable insights and perspectives on the challenges and opportunities facing the Infosec market.

Join us as we delve into the world of Cybersecurity and learn from the experts on the Cyber Thoughts podcast.

PODCAST TRANSCRIPT

Lucas Nelson

Hi, welcome to Cyber Thoughts, where we explore the world of cyber scary through leaders in the field. Today is my great pleasure to bring back Mike Privette Hey, Mike.

Mike Privette

Hey, Lucas, thanks for having me back.

Lucas Nelson

Well, thanks for joining us. for those who don't remember, don't know, Mike leads Return on Security which is a treasure trove of information. It's a newsletter. Well, Mike, why don't you describe what you do first and we'll kick it off from there.

Mike Privette 

Yeah, it's, it's really a market intelligence firm is what I like to call it. but I, I take a sort of a threat intelligence approach to tracking all of the economic activity in the cybersecurity industry for both public and private markets. And the most common way people interact or receive all that kind of information and data is through the weekly newsletter, ⁓ called security funded and where I just recap everything that happened last week. know, behind the scenes, I'm always collecting data, building out a bunch of charts and graphs and just trying to track trends largely across our industry. And then I've shared out for free because I love data.

Lucas Nelson

Awesome. just to start off with, I read your newsletter religiously because it is just such a great source of data and it's a primary source for me at least. So why don't we kick it off with Q3? What was Q3 like for cyber investing, for mergers acquisitions? Just give us a feel for how Q3 was.

Mike Privette 

Yeah. Q3 honestly was a really big quarter for this year. And honestly, the whole, the whole ⁓ year has been strong in momentum and it continued on through Q2 and Q3. So a lot of funding dollars went into Q3 quite a bit more, over, over a $5 billion just invested in Q3 for public and private companies, which is huge. And I expect that trend to honestly just keep continuing still strongly into Q4, but I don't think we'll necessarily get the entirety of that much as the year winds down, but it's still like, there was also a big month or big quarter for acquisition. So more activity in general already in 2025 and 2024 just through Q3 year to date. And so we're just continuing to see that upper momentum that's just rising as the rest of tech and the rest of AI pushes much of the industry up.

Lucas Nelson

So that's a little bit surprising to me because where I sit, the M &A market felt a little weak in the first half of the year. So has it come roaring back in Q3 and this year is good because of Q3 or was it steadier along the way and I just wasn't attuned to it?

Mike Privette 

No, so Q1 was pretty weak, but slightly better than the previous year. But Q2 was a breakout. That's where most of the transaction was almost double the previous year's Q2 total. And then Q3 just kind of kept up with the strong momentum. And then now Q4, even though we're barely into Q4, it's already surpassed all of last year's Q4. So it's just a continuing trend. And to be honest, most of these transactions are not the gigantic flashy very, huge tickets that you see some of these companies do. Most of them are just undisclosed, small, one service company buying another service company or one MSSP buying a professional services company or product company. And so they're small, but my goal is try to capture it all, even if it's smaller or service-based instead of just the big sexy flashy stuff we see.

Lucas Nelson

Gotcha. And know, whiz happened. ⁓ Does that skew the numbers? Is that a giant piece of it? Because I mean, you're talking about a bunch of stuff, but whiz is what? 30 some odd billion dollars. I it's a big deal.

Mike Privette 

Yeah, it definitely is. mean, 32 billion, is I think almost 75 % of what all of last year's, and A's were just one, one transaction. So I try to track volume in terms of like how many, and then also of course, you know, what's the dollar transaction. So it's, it's both. both are up, was, you know, of course, incredibly skews it the last year, the, the second or biggest deal.

Which was previously the first biggest deal was when HP bought Juniper for 14 billion, which also skewed the numbers. ⁓ but there's, there's so much, this unknown, like so, so many transactions do not have disclosed terms, probably because they're not that, interesting or from a, an exit multiple or, or thing like that. there, a lot of them just are private.

Lucas Nelson

So to your mind so far this year, whiz obviously, but what are kind of the bigger, more important acquisitions or even investments if you've got ideas on where you think the real interest is?

Mike Privette 

Well, I mean, this year we're seeing, I'd say more consolidation on things outside of,  you know, kind of the traditional things that are getting funded. So, you you often will see this wave of companies who, or products or markets that'll get funded a lot. And then, you know, every two to three years later, they start getting acquired by, you know, the larger incumbents and the private or public companies that want to buy the innovation and, buy the, buy the revenue or the.

or in their way into our market this year, you know, it always comes back to some of the like basic, I would say blocking and tackling. So, you know, interestingly enough with the data I've been tracking, there's, there's been more email security acquisitions this year than any other type of acquisition outside of like professional services. So that's, that's an unusual, kind of anomaly, I would say,  and then followed quickly by anything in like the identity security space. So those two core pieces of cyber identity and email are still very much in demand.

Lucas Nelson

when you think about the buyers, I often think about the platforms as being, know, know, crowd strike or Paola or Microsoft or Zscaler as being kind of the, the, the big buyers. Are you seeing a lot of action from them or is it other things? It's P shops putting things together where, know, where are you seeing that?

Mike Privette 

Yes. I mean, the big ones are buying, but they're usually buying what's the latest,  like they're buying the AI security company, and then they all buy some, similar version of AI security companies, ⁓ to kind of keep pace with that or be, be involved in that market. But by and large, most of the, know, most of the volume happens well outside of that. It's, it's a regional rollups. So it's like large MSSP in one region wants to enter another either country or region.

That's a great way to great role of strategy is PE firms. or it's just, you know, companies who are, product companies who are in a space, but want to be in an adjacent space to try to like more round out, ⁓ portfolio play around out like a platform play. They're the ones who are doing most of the buying.

Lucas Nelson

Totally interesting. And on the funding side, I assume that's sort of the regular players, i.e. if you look at the league tables, Andreessen is the inventor, kind of the biggest investor. Are they also the biggest investor in cybersecurity?

Mike Privette 

They're pretty big, but you you, you look at like the evolution equities and the insight partners, like these companies who've raised, know, very large, you know, multi-billion dollar funds. They're, know, they have a lot of money to deploy. So they have to be in almost everything. so they, they do a lot of big deals and they do a lot of teaming up with like corporate venture capital groups. ⁓ and so they're extremely active, I would say. And then, you know, there's a lot, there's a lot of VCs who would just get in on, a lot of deals. And so they just, they, they partner smartly. that's, that's the.

And you always see like kind of like once who operate in unison or tag along, like there's a couple that follow along KKR and others whenever they make an investment. So it's, you can see patterns that way, but it is still many, much of the same like core collection of a few hundred VCs globally, kind of investing in a space with a couple of new entrants.

Lucas Nelson

Very, very cool. All right, so we've mentioned AI already, gotta talk about it. ⁓ And you I were just, you were showing me some really interesting data. ⁓ Why don't I let you walk through that? this is just fascinating. So you've got a dashboard that you're looking at.

Mike Privette 

Yeah. Yeah, I'll share it here. 

Here we go.

Lucas Nelson

Got it. So explain this to anyone listening, especially if you're watching, you get to see it. But if you're listening, what do you got here?

Mike Privette 

Alright, so this.

Yes. So is the dashboard I've been working on, in, know, just in taking the quick step back on, the data front. So part of return on security, the goal for me is to track all of the financial inputs and outputs in the industry. So everything down from like a grant stage from like a company you've never heard of in a country you didn't know had any cyber presence all the way up to the largest doing like post IPO equity or, or debt rounds and things like that.

And then I categorize everything and I group everything up in a way to let me observe some trends. And one of the more interesting pieces is obviously AI security. It's like, it's impossible to know, or possible to read anything on any platform that's dealing with security that does not also mention AI. And so, you know, I always find it fun to look closely at the data to see, you know, what, does it actually telling me? What am I seeing here? And how big of an input?

impact is it really. what I have here is a chart that shows the domain of AI security, which in my mind right now includes kind of two large buckets. So that's the security for AI. So securing the actual  LLMs and the foundation models and anything that makes ⁓ the usage of an AI platform be LLM or otherwise more secure. So that's one large bucket. And then the second bucket is

your AI for security. that's using AI to do any other security functions. So whether that's better log ingestion, whether that's better CD  determination, whether that's better vulnerability management  or threat hunting, you name it. That's, kind of the other large catchall category. And so I've been, I've been tracking those since 2023, when it really came out on the scene and company started

Uh, you know, investing in that or coming out of this, out of the, stealth saying, Hey, we do something specifically for AI in and around this space or with AI. Um, and so the chart here shows, uh, a three year look back. It's of 2023 to, uh, as of today, um, the day we're recording this in November, 2025 of data of just how much the, the entire industry is, has raised, uh, in funding, um, versus the domain of

AI security, includes those two sub domains, AI for security and security for AI. And when you, when you look at the, the, the data closely, you can, I've actually kind of gotten broken down into each category. So in 2023, you know, to be expected, it was, it was a small year because that was the year chat GPT came out and hit the scene. So a lot of people were just, you know, ready to react to that, but not many. So less than 2 % of all funding that year out of

out of 13 billion, which 2023 was a historically kind of low year after the collapse of the 2022 and the end of zero interest rate phenomenon and the end of free money and moving back to austerity measures. So not much, so not much in there. And then when you look at 2024, bit of a rebound year for the industry as a whole, more money.

Lucas Nelson

Goodbye, Zerb.

Mike Privette 

the percentage in AI security investing went up to almost over two and a half percent. So that's quite a big jump from under 2 % to, you know, two and a half percent. And, um, you know, and overall the industry had about 14 billion, uh, invested in it that year. And then jumping now to just year to date, 2025, a lot more money has been invested into, uh, or been funded into the cyber industry. We're now 17 and a half billion total. Uh, but it, but still even, even with all the hype and with all the, the everything going into AI security still only three and half under three and a half percent has been invested in AI security, ⁓ so far.

Lucas Nelson

So that's both security for AI and AI for security, which I found shocking because I can't look at a company that doesn't every company I speak to has some AI story. So is it, is that they don't have enough of an AI story to make your cut or no, it's just a really big industry and it's going to take some time.

Mike Privette 

That's right. Yes.

Yeah. So it's a little bit of both, but it's mostly, it's a really big industry. Uh, but also, so I think something different's happening, uh, and that it's what's instead of being like completely changing how we think about security, uh, in all aspects, I think it's actually being absorbed into just the rest of security. So, you know, now to, know, to build a company in this, in this day and age is to use the AI just the same way you'd use the cloud. Like it is a basic expectation of business building, a product building of feature development delivery. so it's now become companies have kind of realized that that's, it's less of a differentiating point. So yes, of course they need to be using it, but that, but often what they're doing with AI does not in and of itself change how they're like changes, how they're doing it, not what they're doing, if that makes sense. So, you know, as a, as an example, I always like to use using AI to improve the,

Efficiency and efficacy of data loss prevention. Is that an AI security company or is it a DLP company that uses AI to be much better than the other DLP companies? And it comes down to like a categorization and differentiation around that front. But I think buyers are kind of realizing that, you know, just slapping AI on a security product does not in and of itself change, you know, what it tries to do and also does not make it special. And so I think that's, that's part of it is.

I think that though some of those categorizations are much less important now because it's now just a normal way of operating instead of like, so unless you're, unless you're specifically securing a foundation model, you're probably not doing security for AI is, is, the takeaway.

Lucas Nelson

Yeah, like AI is like MSG. makes everything taste better,

Mike Privette 

Yeah, exactly. So that's, that's the way I'm framing and tracking it anyway, you know, they say, you know, all data is bad, but some of it's useful. And so that's, that's kind of the way I think about this.

Lucas Nelson

Thanks for watching.

No, it's really cool. I like, hadn't seen anything like this before. So, uh, know, kudos. It's, it's a really cool chart. So let me take it another way. Um, what areas do you personally find kind of interesting, right? So if, if I talk to the world at large, identity, like every CISO is talking about identity. There's a ton of identity startups. Um, doesn't mean it's a bad place to play, but it's an obvious place to be playing right now. You know, what are you, what are you, what's exciting you?

Mike Privette 

to be honest, like, I'm, I'm excited about a lot of different stuff and, and, ⁓ I'm honestly more, I'm excited just about the speed at which things can become true. ⁓ now that you can use AI to build things and it's no longer like the end product. Now you can make things possible that were not possible before that, like a much greater scale with like much, much less overhead and much less, you know, technical input required from the people in the teams who run it.

So I'll kind of always gravitate back to like, you know, how do you make the unsexy things, better and, and, and more or less unsexy and so like, you know, I'm excited when I, when I see tools, that are using, like making the, like the stuff that ha that falls out in between looking and running a tool every day to then.

How do I then take the output of that and then transform it into something that either another team can use or that I can report on to an executive about, or that I can like make a real decision about as opposed in outside of just, this needs to be patched. So I tend to have it, like I lean towards things like that, like things that make the, the process of doing GRC better. Like, so not SOC two, not these, not the compliance frameworks, but the

the, and this is more of bigger company problem, but like the, the practice of GRC, and running a business and helping companies understand like what they're doing with risk. think it's interesting, historically not sexy, but could be very sexy with the right, with the right AI.

Lucas Nelson

Here's a question for you. Sorry.

Yeah. So you mentioned large companies. I'm seeing a lot of people trying to play more in the mid market now as opposed to Fortune. Let's call it 1000, which has been the bread and butter of cybersecurity for a decade or more. like, are you seeing that in the data? And do you think that's because, you know, the above the security power of Orion has been done or is it just the attackers have moved? And so defense is moving like

How do you think about that?

Mike Privette 

I think, well, this may not be a popular answer, but I think that that dichotomy will always exist. I think chasing the mid market is a bit of like chasing a ghost in the machine  because there are so many of these like point product things that if they just capture X percent of the mid market, they'll be billionaires. And the trouble with the mid market is it's not like the large groups on the outside of the bell curve. It's not the Fortune 1000.

They're so heterogeneous. There are so many different companies and styles and approaches that that that mid space, that's where services live. Like that is that is service land through and through. And I think that's the only way you reach those, those people. But then even services, managed service, professional services are the are so incredibly different in their delivery and like what they're capable of doing that it's, hard to understand that space as well.

I've heard of more companies trying this and I think many of them end up saying, wow, that's really not worth the effort in return. I think we better go up the ladder a bit. And so I don't think that'll ever go away because, you know, truly the bigger companies have more time, people and resources to like think about these problems. they, they, they can, they can, they can think about what threat hunting is, whereas you'll never get somebody in mid market thinking about that when they have too many other things in security and IT to do.

So I think I'd, yeah, that's, this is my personal opinion.

Lucas Nelson

It's also more valuable to them, right? They've got willingness to pay for it it's a billion dollar company. They've got a lot more to lose where a $20 billion company or $100 billion company has a lot more to lose than a $50 million.

Mike Privette 

Yeah, and they have more people to like think about these things to like, and that, that, that goes a long ways. It's like, it's not that these people in mid-market probably don't care about some of these things. They just can't care about them all about the same like weight.

Lucas Nelson

Cool. So I'm going to briefly summarize. We're in a good spot this year, especially versus like last year. Q3 was a banger and Q4 is already better than a year ago Q4. So that should make those of us investing and hopefully selling companies in cybersecurity happy. And then, you know,

Mike Privette 

Mm-hmm.

Lucas Nelson

I thought that the data on AI was super interesting. So I'm going to keep watching you for that. Where can people find you? And then you do these deep dive reports, know, kind of what's coming out next from you.

Mike Privette 

Yeah, so people can find me at Return on Security.com or on LinkedIn under Mike, Mike Privette. And yeah, I'm always tracking for deep dive. I've always had many plates kind of spinning ⁓ in the air. One of which is services to be honest, because anything that's hard to dissect or it looks very ugly from the outside, like to look at some writing about that. And then also some pieces about data privacy as well.

just because that's, that's totally exploded, now and gotten much easier, to, run with from the, on the AI front. So yeah, that's the, and then many other things playing for next year already.

Lucas Nelson

Nice. Well, Mike, thank you so much for joining us. It's always a pleasure to see you. You have a great weekend.

Mike Privette 

Thanks for having me again.

Lucas Nelson

Cheers.

.