Q1 2026 — Current Pulse
Covering January through March 2026. Last updated: March 12, 2026.
1. Major Funding Rounds
Headline Round
Cyera raises $400M Series F at $9B valuation (January 8, 2026). Just six months after its $500M Series E, the data security platform tripled its valuation from a year prior. Led by Blackstone with participation from Accel, Coatue, Sequoia, and others. Cyera now secures data for 20% of the Fortune 500 with over 1,100 employees across 15 countries. Source: TechCrunch
Broader Q1 2026 funding trends:
- Cybersecurity venture funding continues to concentrate in large private rounds, with AI security startups commanding premium valuations and faster fundraising cycles compared to non-AI peers. Source: Help Net Security
- Identity and access management and security operations drew the most capital through late 2025 and into early 2026. Source: Vestbee
- The IPO pipeline is building but has not broken open. Snyk ($300M+ ARR), 1Password, Abnormal Security, Cohesity, and Veeam are widely tracked as likely 2026 candidates, though none filed in Q1. Source: PitchBook
2. M&A Activity
Headline Deal
Google completes $32B acquisition of Wiz (March 11, 2026). The largest cybersecurity acquisition in history closed after a year-long regulatory process, with EU antitrust approval arriving in February 2026. Wiz joins Google Cloud and will maintain its brand and multi-cloud commitment. Wiz is trusted by 50% of the Fortune 100. Source: TechCrunch
Other notable Q1 2026 M&A activity:
42 cybersecurity M&A deals were announced in February 2026 alone. Key transactions include:
| Date | Deal | Significance |
|---|---|---|
| Feb 2026 | Arctic Wolf acquired Sevco Security | Adds attack surface management to Arctic Wolf's security operations platform. |
| Feb 2026 | Varonis acquired AllTrue.ai (~$150M) | Adds AI trust, risk, and security management (TRiSM) capabilities. Source: SecurityWeek |
| Feb 2026 | Zscaler acquired SquareX | Extends Zero Trust security to unmanaged devices via browser-level protection. |
| Feb 2026 | Booz Allen Hamilton acquired Defy Security | Expands cybersecurity services footprint in the UK and EU. |
| Feb 2026 | Sophos acquired Arco Cyber (UK) | Adds AI-powered cybersecurity governance through its CISO Advantage offering. |
Structural trend: 47% of 2025 M&A deals targeted services companies, MSPs, MSSPs, and consultancies — reflecting a market shift from "buy tools" to "buy outcomes." This momentum carried into Q1 2026. Source: Return on Security
3. Notable Breaches & Incidents
Q1 2026 saw a sustained wave of breaches across consumer brands, financial services, government agencies, and media platforms.
January 2026:
- Panera Bread — Data breach exposed personal information for 5.1 million customer accounts. ShinyHunters claimed responsibility. Multiple class-action lawsuits followed. Source: PKWARE
- Illinois Department of Human Services — System failure exposed personal data of nearly one million people, with sensitive information reportedly visible publicly for four years before discovery. Source: CM Alliance
- Ledger — Customer data breached through e-commerce payment partner Global-e. No crypto assets stolen, but stolen data was used in subsequent phishing campaigns. Source: CM Alliance
- Crunchbase — ShinyHunters claimed responsibility for file exfiltration. No operational disruption reported. Source: CM Alliance
February 2026:
- Substack — Disclosed a security incident on February 5 exposing email addresses, phone numbers, and internal metadata for approximately 663,000-697,000 users. Source: Security Boulevard
- FICOBA (French national bank account registry) — Breached in late January, with potentially 1.2 million accounts compromised. Source: Security Boulevard
- Wynn Resorts — Ransomware group listed the company on its leak site claiming data exfiltration. The listing was later removed. Source: Security Magazine
Pattern Note
ShinyHunters appeared in multiple Q1 2026 incidents (Panera Bread, Crunchbase), suggesting sustained operations by this threat actor group through the quarter.
4. Vendor Announcements
Notable product launches and platform moves in Q1 2026:
| Vendor | Announcement | Category |
|---|---|---|
| Avast | Launched Scam Guardian (mobile) and Deepfake Guard (Windows) — AI-powered deepfake audio detection in video content. | Consumer security |
| Armis | Released Armis Centrix for Application Security, unifying AppSec across the SDLC. | Application security |
| Aikido Security | Unveiled Aikido Infinite — continuous AI penetration testing that autonomously validates and remediates vulnerabilities. | Automated pen testing |
| SpecterOps | Launched BloodHound Scentry for accelerating attack path management and reducing identity risk. | Identity security |
| Gremlin | Released Disaster Recovery Testing for zone/region/datacenter failover validation. | Resilience |
Themes: AI-native security tooling dominated Q1 launches. Autonomous vulnerability detection, deepfake defense, and AI governance reflect vendors racing to address risks introduced by widespread AI adoption.
5. Regulatory Developments
Headline Development
CMMC rule takes effect. The Department of Defense's Cybersecurity Maturity Model Certification (CMMC) final rule, issued November 2025, formally ties defense contract eligibility to demonstrated cybersecurity maturity. This is reshaping the defense industrial base supply chain in Q1 2026. Source: Morgan Lewis
State privacy laws:
- New state laws effective January 1, 2026: Kentucky, Rhode Island, and Indiana comprehensive privacy statutes went into force, bringing the total to 20 states with consumer privacy laws. Source: IAPP
- California CCPA expansion: New regulations for automated decision-making technology, risk assessments, and cybersecurity audits became applicable. Businesses must now have an executive management team member attest to the accuracy of risk assessments for certain processing. Source: Shook Hardy & Bacon
Federal enforcement trends:
- The FTC continues intensifying enforcement on children's data (updated COPPA), biometric information, and AI-driven data uses. Source: White & Case
- Fewer states retain cure periods, and rising inter-state collaboration is creating a more aggressive enforcement posture nationally. Source: Morgan Lewis
6. Market Signals
Critical Signal
CISA workforce reduced by over one-third. The agency dropped from ~3,400 to ~2,400 employees through layoffs, buyouts, and early retirements. The February 2026 federal government shutdown further reduced the agency to approximately 38% operational staffing. Key programs eliminated include the Election Security Program ($39.6M budget, 14 staff) and Cyber Defense Education and Training. Total program cuts exceed $84M. Source: TechCrunch
Critical Signal
Federal agencies boycott RSA Conference 2026. After RSAC hired former CISA Director Jen Easterly as CEO in January 2026, CISA, FBI, and NSA speakers were pulled from the conference agenda within eight days. CISA cited "good stewardship of taxpayer dollars." This breaks a 30+ year tradition of federal participation in the industry's largest gathering (40,000+ attendees, March 23-26, Moscone Center). Source: Cybersecurity Dive
Workforce and hiring:
- CrowdStrike cut ~500 roles (~5% of workforce). Cisco laid off 6,000 employees (~7%), including staff in its Talos threat intelligence unit. Source: Computerworld
- Despite these cuts, the U.S. has 500,000+ unfilled cybersecurity positions and the private sector continues aggressive hiring. The fastest salary growth is in roles combining security expertise with AI, governance, and architecture skills. Source: Iron Circle
Investment sentiment:
- VC markets are rewarding AI-first cybersecurity companies with premium valuations and faster fundraising cycles. Source: Help Net Security
- Cybersecurity spending globally is projected at $212B for 2026, up 15% year-over-year. Source: Cybersecurity Ventures
This pulse will not be updated further. The next edition will cover Q2 2026 (April-June).
Glossary
This glossary defines the acronyms and key terms used throughout the cybersecurity market research site. Use it as a quick reference when navigating segment analyses, pain-point discussions, and opportunity assessments.
A
| Term | Definition |
|---|---|
| ACL | Access Control List — rules determining which users/systems can access resources |
| APT | Advanced Persistent Threat — a prolonged, targeted cyberattack where an intruder gains and maintains unauthorized access |
| ASM | Attack Surface Management — continuous discovery, inventory, and risk assessment of an organization's external-facing assets |
| ASPM | Application Security Posture Management — unified visibility and risk management across the application lifecycle |
| AV | Antivirus — software designed to detect, prevent, and remove malware |
B
| Term | Definition |
|---|---|
| BAS | Breach and Attack Simulation — automated tools that simulate real-world attacks to test security controls |
| BEC | Business Email Compromise — a social-engineering attack targeting employees with access to company finances or data |
C
| Term | Definition |
|---|---|
| C2 | Command and Control — infrastructure used by attackers to communicate with compromised systems |
| CASB | Cloud Access Security Broker — a security policy enforcement point between cloud consumers and providers |
| CCPA | California Consumer Privacy Act — California state law granting consumers rights over their personal data |
| CIAM | Customer Identity and Access Management — managing and securing external customer identities and authentication |
| CIEM | Cloud Infrastructure Entitlement Management — managing identities and privileges in cloud environments |
| CTEM | Continuous Threat Exposure Management — a program for continuously assessing and prioritizing threat exposures |
| CNAPP | Cloud-Native Application Protection Platform — integrated security for cloud-native applications across the full lifecycle |
| CSPM | Cloud Security Posture Management — continuous monitoring of cloud infrastructure for misconfigurations and compliance risks |
| CWPP | Cloud Workload Protection Platform — security for workloads running in cloud environments (VMs, containers, serverless) |
| CVE | Common Vulnerabilities and Exposures — a standardized identifier for publicly known cybersecurity vulnerabilities |
D
| Term | Definition |
|---|---|
| DAST | Dynamic Application Security Testing — testing a running application for vulnerabilities by simulating attacks |
| DCS | Distributed Control System — a control system for managing industrial processes across multiple locations |
| DLP | Data Loss Prevention — tools and processes to prevent unauthorized data exfiltration or leakage |
| DORA | Digital Operational Resilience Act — EU regulation on ICT risk management for financial entities |
| DSPM | Data Security Posture Management — discovering, classifying, and protecting sensitive data across cloud environments |
E
| Term | Definition |
|---|---|
| EASM | External Attack Surface Management — discovering and monitoring internet-facing assets for exposures |
| EDR | Endpoint Detection and Response — tools that monitor endpoints for threats and provide investigation and response capabilities |
| EPP | Endpoint Protection Platform — integrated endpoint security combining prevention, detection, and response |
F/G
| Term | Definition |
|---|---|
| FAIR | Factor Analysis of Information Risk — a quantitative model for understanding, analyzing, and measuring information risk |
| GRC | Governance, Risk, and Compliance — integrated framework for aligning IT with business goals, managing risk, and meeting regulations |
| GDPR | General Data Protection Regulation — EU regulation on data protection and privacy for individuals |
H
| Term | Definition |
|---|---|
| HIPAA | Health Insurance Portability and Accountability Act — US law governing the privacy and security of health information |
I
| Term | Definition |
|---|---|
| IAB | Initial Access Broker — specialized cybercriminals who compromise networks and sell access to ransomware operators and other buyers |
| IAM | Identity and Access Management — framework for managing digital identities and controlling access to resources |
| ICS | Industrial Control System — control systems used in industrial production and critical infrastructure |
| IDS | Intrusion Detection System — a system that monitors network traffic for suspicious activity and alerts |
| ITDR | Identity Threat Detection and Response — detecting and responding to identity-based attacks and compromises |
| IoT | Internet of Things — network of physical devices embedded with sensors, software, and connectivity |
| IPS | Intrusion Prevention System — a system that monitors and actively blocks detected threats in network traffic |
L
| Term | Definition |
|---|---|
| LOTL | Living Off the Land — attack technique using legitimate, pre-installed system tools and binaries rather than custom malware to evade detection |
M
| Term | Definition |
|---|---|
| MaaS | Malware-as-a-Service — cybercrime business model where malware developers sell or rent their tools to other criminals |
| MDR | Managed Detection and Response — outsourced security service providing 24/7 threat monitoring, detection, and response |
| MITRE ATT&CK | MITRE Adversarial Tactics, Techniques, and Common Knowledge — a knowledge base of adversary behaviors and techniques |
| MSSP | Managed Security Service Provider — a third-party provider offering outsourced monitoring and management of security devices |
| MFA | Multi-Factor Authentication — requiring two or more verification factors to gain access to a resource |
N
| Term | Definition |
|---|---|
| NDR | Network Detection and Response — detecting and responding to threats by analyzing network traffic patterns |
| NERC CIP | North American Electric Reliability Corporation Critical Infrastructure Protection — security standards for the electric grid |
| NGAV | Next-Generation Antivirus — advanced antivirus using behavioral analysis, AI, and machine learning beyond signature-based detection |
| NIS2 | Network and Information Systems Directive 2 — updated EU directive on cybersecurity for essential and important entities |
| NIST CSF | National Institute of Standards and Technology Cybersecurity Framework — a voluntary framework for managing cybersecurity risk |
O
| Term | Definition |
|---|---|
| OT | Operational Technology — hardware and software that monitors and controls physical devices and processes |
| OWASP | Open Worldwide Application Security Project — a nonprofit focused on improving software security through open-source projects and guidance |
P
| Term | Definition |
|---|---|
| PAM | Privileged Access Management — securing, managing, and monitoring privileged accounts and access |
| PCI DSS | Payment Card Industry Data Security Standard — security standards for organizations that handle credit card data |
| PII | Personally Identifiable Information — any data that could identify a specific individual |
| PLC | Programmable Logic Controller — an industrial computer used to control manufacturing processes |
R
| Term | Definition |
|---|---|
| RaaS | Ransomware-as-a-Service — cybercrime business model where ransomware operators provide malware and infrastructure to affiliates who conduct attacks, splitting profits |
| RGB | Reconnaissance General Bureau — North Korea's primary intelligence agency responsible for clandestine operations including cyber operations |
S
| Term | Definition |
|---|---|
| SASE | Secure Access Service Edge — converged network and security-as-a-service architecture delivered from the cloud |
| SAST | Static Application Security Testing — analyzing source code for vulnerabilities without executing the application |
| SBOM | Software Bill of Materials — a formal inventory of components, libraries, and dependencies in a software product |
| SCA | Software Composition Analysis — identifying open-source components and known vulnerabilities in a codebase |
| SCADA | Supervisory Control and Data Acquisition — a system for monitoring and controlling industrial processes remotely |
| SD-WAN | Software-Defined Wide Area Network — a virtual WAN architecture that simplifies branch networking and optimizes traffic |
| SEG | Secure Email Gateway — a solution that filters inbound and outbound email to block threats and enforce policies |
| SIEM | Security Information and Event Management — aggregating and analyzing log data for threat detection and compliance |
| SOAR | Security Orchestration, Automation, and Response — tools that automate and coordinate security operations workflows |
| SOC | Security Operations Center — a centralized team and facility for monitoring, detecting, and responding to security incidents |
| SOX | Sarbanes-Oxley Act — US law mandating financial reporting and internal control requirements for public companies |
| SSE | Security Service Edge — the security component of SASE, delivering SWG, CASB, and ZTNA as cloud services |
| SWG | Secure Web Gateway — a solution that filters web traffic to enforce security policies and block threats |
T
| Term | Definition |
|---|---|
| TAM | Total Addressable Market — the total revenue opportunity available for a product or service |
| TCO | Total Cost of Ownership — the complete cost of acquiring, deploying, and operating a solution over its lifetime |
| TIP | Threat Intelligence Platform — a system for aggregating, correlating, and operationalizing threat intelligence data |
| TLS | Transport Layer Security — a cryptographic protocol that provides secure communication over a network |
| TTP | Tactics, Techniques, and Procedures — the patterns of behavior and methods used by threat actors to conduct cyber operations |
V
| Term | Definition |
|---|---|
| VM | Vulnerability Management — the ongoing process of identifying, evaluating, treating, and reporting security vulnerabilities |
X
| Term | Definition |
|---|---|
| XDR | Extended Detection and Response — unified threat detection and response across endpoints, network, cloud, and email |
Z
| Term | Definition |
|---|---|
| ZTNA | Zero Trust Network Access — a security model that grants access based on identity verification and least-privilege principles |