After a four year hiatus Momentum Cyber, the industry’s top investment banking firm, has published its Cybersecurity Almanac again. Free to download with no forms to fill out. This impressive report documents the entirety of 2025 in 100 pages of data and charts. It includes lists of all the acquisitions as well as funding rounds. Who needs Security Yearbook when you have this?

The highlights:

• In 2025, $96B deployed across 400 M&A transactions – both the highest marks ever

• ❑ Deal value was up 270% in 2025, while deal volume was up 22%

• ❑ Q1 2025 marked the largest pure play cybersecurity M&A deal of all time for $32B (Google acquiring Wiz)

• ❑ Q2 2025 witnessed the highest quarterly transaction activity on record with 109 deals

• ❑ Q3 2025 witnessed the largest M&A deal volume ever with a total value of $44.2B

• ❑ Cloud-native / SaaS deals accounted for 59% of the volume and 97% of M&A capital deployed

• ❑ Strategics are back and retook the M&A mantle from Private Equity, accounting for 92% of disclosed M&A value and 59% of deal count

Four hundred transactions means that 10% of the entire industry turned over in one year. That is amazing.

What about new investments? Look at these numbers:

$20.7 billion invested, $2 billion more than IT-Harvest projected earlier in the year. That marks the best year in cybersecurity investments since the record 2021.

One of the most impressive things to me is the effort Momentum put into revamping their taxonomy. Here it is:

You can see the taxonomy applied to the vendors they track here. You can also download the massive infographic of 1,000 logos arranged to this taxonomy.

This is a momentous work. Congrats to the authors!

The first awards for the IT-Harvest Cyber 150 went out last January. Let’s check in to see how they did. The purpose of pulling together this list was to demonstrate the value of a data-centric approach to studying the cyber security industry. We simply take a look at all the vendors in the size range of 50-500 people. Then we sort them by growth and take the top 150. If you were an investor or PE firm this would be a great place to start.

After a complete year:

These seven have graduated out of consideration for the 2026 award because they exceeded 500 people.

Cyera, the data security posture management (DSPM) leader grew 115% and just announced yet another round of $400 million, bringing their total investment to $1.7 billion. Calcalist reports they are valued at $9 billion.

With the Cyera investment the total received in 2025 for 39 of the Cyber 150 surpassed $4 billion. Over their collective lifetimes the Cyber 150 have taken in $11.5 billion in investments.

121 of these vendors continued to grow this past year. In 2024 they all grew over 24% but 29 of the 150 retrenched in 2025. Some are cause for concern and their investors should be calling for status updates. The biggest losers were actually all winners because the drop in headcount was the result of being acquired!

Check back in to see the 2026 Cyber 150 list shortly. Or, if you are a subscriber to the IT-Harvest Dashboard, you can set up a filter on companies between 50 and 500 employees and look at the top 150 fastest growing.

First, the bad news. There will be no Security Yearbook 2026. What would have been the seventh edition of the only history and directory of the cybersecurity industry was not picked up by my publisher.

I had already come to the conclusion that, in the age of AI, it was too risky to the IT-Harvest business model to publish a complete up-to-date directory of all 4,000+ cybersecurity vendors every year. The amazing value we have built into the IT-Harvest Dashboard rests on an accurate list of all vendors, a list that took 5,000 hours of my time (not to mention the team’s time) to create and maintain. I envision some entrepreneur grabbing a free copy from one of the book signings at RSAC, scanning the directory, and creating their own database of the vendors, categories, locations, size, and growth rates that appear in the back of the book. It would be the fastest way to jump start a marketplace or compete directly with IT-Harvest. So the decision was made earlier in the year to stop publishing the Directory. Security Yearbook 2025 is the last edition to include the full Directory of 4,000+ cybersecurity vendors.

Every year I clear a week in November to pull together Security Yearbook. Then, when the final data is captured at the end of December, I finalize the manuscript and get it to the book designer by January 15 so we can print the book in time for the RSA Conference. What was I to do with that week I had scheduled in a cheap hotel in Mackinaw City?

The most dramatic change to the security industry is in the early stages of impacting everything. We only started tracking “AI Security” as a separate category in early 2024. In preparation for writing week I went back to look at the 512 vendors founded in 2022-2025. I looked at every one of those to extract all the vendors that are leveraging AI to either provide security for AI, or apply AI to security tasks. There are 290 in total.

Here then, is the good news. I am writing Guardians of the Machine Age: Why AI Security Will Define the Future of Digital Defense.

I am in the get-words-on-the-page stage so not ready to reveal the ToC or complete details. One thing will stand out though. This is the first time that all the players in an industry category will be included in an extended market scope. Instead of cherry-picking representative vendors in a report, this book will summarize our data on all 290 companies that make up the AI Security space. It will probably have to be updated next year as at least 50 of these will be acquired by then, to be replaced by at least 50 funded startups.

Guardians of the Machine Age will go on sale in mid-January. You will be able to get a signed copy from one of the sponsors’ booths at RSAC in March.

Over the years I have worked with a lot of resellers. It is pretty obvious that the key to having a successful reseller business in cybersecurity is to be able to pick the winners early. Many of today’s biggest resellers/distributors started out selling Check Point firewalls. The ones that sold Crowdstrike early are doing quite well.

So, the most common use case among resellers for the IT-Harvest is “find the next Crowdstrike.” Since we strive to curate data on all cybersecurity vendors (4,011 today), ours is the best platform for identifying the rising starts early. The Cyber 150, published every year in the Security Yearbook, is a quick and dirty way to track the up and comers. It is comprised of cybersecurity vendors with between 50 and 500 employees sorted by growth rate.

But there are other measures.

Is at least one of the founders a successful entrepreneur with multiple exits?

Is the company backed by venture capital with a track record of backing unicorns?

Resellers, unlike VCs, are not looking to invest their efforts in a quick flip. They want to build a partnership that generates long-term returns. Like a Check Point, or Crowdstrike, it must grow and IPO, and stay independent.

Researching the space for rising stars was always a primary use case for the Dashboard. But this past week I discovered another.

Using Stack Analysis for Reseller Portfolios

A mature reseller likes to have a complete portfolio. That could mean coverage of all the Categories with expansion into subcategories. At least 18 vendors then, one for each of the 18 Categories.

There are many subcategories under these for which specialized vendors are needed. Under Data Security for instance there are vendors of encryption, key management, HSMs, and erasure.

I recognize that most resellers evolve and grow with customer demand. They add tools to their portfolio over time as certain threats rise in importance or a new regulation arises.

So the new use case, similar to Security Stack Analysis, introduced last week, is to analyze a reseller’s portfolio for overlaps and gaps in coverage.

I created a representative reseller portfolio by adding all the products from 18 vendor partners to a Stack.

Our tool automatically maps the 41 products to subcategories and shows the mix of countries they come from.

Another useful view is our layered defense framework.

You can also look at MITRE ATT&CK coverage for all the products.

And finally, NIST CSF 2.0 mapping.

It’s pretty easy to glance at these images and see the primary focus of a reseller’s portfolio. This one is concentrated on Protect. Perhaps the company should be looking at more partners to broaden its coverage.

If you think about it. Resellers and MSPs are going to use the Stack Analysis Tool to help their customers make sense of their own Security Stacks. The reseller will identify gaps. Wouldn’t it make sense to have products in their portfolio to fill all those gaps as they are revealed?

Ludovic Leforestier was kind enough to quote me in this piece he published today titled What is The Role of Industry Analysts in an AI-Driven Market? Ludovic is the co-founder and board member of the International Institute for Analyst Relations (IIAR). He also founded Starsight, an industry analyst influence agency.

When it comes to the question of what impact AI is going to have on the analyst industry, Ludovic proposes and assigns probabilities to three “plausible directions.”

1. Brave new world: (Gen)AI becomes the interface for research. Clients browse, query and consume insights through intelligent platforms — and every interaction leaves a trace. (.3)

2. Gartner disrupts itself, moving faster than anyone else. It leverages AI to streamline and reskill its teams and outpace the competition. (.5)

3. AI makes raw research a commodity, and only analysts with sharp advisory skills or a strong personal brand thrive. (.7)

I want to expand on number two above: the idea that Gartner disrupts itself.

Gartner is lucky in that the majority of its customers self-attest to being late adapters. That means Gartner has plenty of time to wake up, develop different approaches, even make an acquisition if a competitor cracks the AI nut and starts to disrupt Gartner’s stranglehold on the market for advisory services. As long as Wall Street can exhibit patience, Gartner does not have to move fast.

But what is the disruption that is coming? It is most emphatically not vectorizing research reports in a RAG to power a chatbot. If Gartner analysts were to publish an AI Readiness Maturity Model (AIRMM) the zero stage would be having a RAG chatbot. (For the record, that’s where IT-Harvest was on January 21, 2023. Read: Catching the ChatGPT Wave.)

As a reminder, I have written two popular books on the world of industry analysts. They are:

UP and to the RIGHT: Strategy and Tactics of Analyst Influence.

and

Curmudgeon: How to Succeed as an Industry Analyst.

Since we are talking about Gartner let me propose what they would call a stalking horse:

The future of the industry analyst business is the long tail. Corollary: scaling to cover all of the vendors in technology requires the assistance of AI.

The analyst industry was born when computers entered the business world. Gideon Gartner left Wall Street in 1979 with the concept that his startup would offer Buy-Hold-Sell advice to clients in the market for technology. Think about the tech space back then. Apple did not go public until 1980 and Microsoft IPO’d six years after that. Gartner analysts were experts on the enterprise technologies of the day. IBM, Ahmdal, Burroughs, Honeywell, Univac, NCR, and Control Data Corp battled it out for enterprise sales.

Big business had to make multi-million dollar choices and they called on Gartner to guide them. (Or IDC, Forrester, Yankee Group, etc.)

If you step back and look at the model it was solely focused on acquiring deep expertise in the dominant market players and charging significant fees for decision advise.

Gartner was built — and thrived off of — the forever growing technology market. Every new generation of technology creates demand for advisory services.

Gartner grew dramatically along side the tech space. When I left Gartner in the summer of 2004 its stock (IT) was trading at 12. By the beginning of 2020 it was at a high of 160, a 12.3X increase. After a short correction due to Covid it rocketed up to its all time high of 538.54 at the beginning of this year. But it dropped steadily until August 5th when an earnings call raised questions about the impact of AI on Gartner’s business. Wall Street was not happy with that call. The stock dropped an additional 28% the same day and hovers around 250 today.

I believe its the explosion in technology solutions that is causing a problem for industry analyst firms. There are too many vendors for analysts to cover. In the niche of cybersecurity I count 3,966. HRtech is comprised of 7,000 vendors. Marketing tech has 14,106. Fintech has tens of thousands of vendors. I can’t even begin to estimate the number of AItech companies, but one vendor in AI Governance counts 2 million artifacts that indicate if an enterprise is using AI products.

In cybersecurity Gartner only covers 144 vendors in Magic Quadrants. The long tail is the other 3,822 vendors. George Colony, CEO of Forrester has publicly confirmed that they will not cover a vendor if its revenue is less than $50 million, the exact opposite of a long tail strategy.

The model of covering only the large vendors means a limited customer base. Gartner has 15,000 or so enterprise customers. That’s a great number, it implies $400K in revenue per customer. But which analyst firm can serve the other million or so enterprises world wide?

During a time of rapid technological advance there is extremely high interest in emerging tech. Even stodgy old companies have pockets of innovation. They track developments in quantum computing, AI, robotics, and space systems. Where are they going to get guidance and advice?

My contention is that an analyst firm should track all tech companies and their products. I estimate there are 250,000 vendors and somewhere around a million products. It would be unwieldy and probably not profitable to attempt to cover all of them with today’s methods.

AI and automation to the rescue.

We know exactly how to put AI and automation to work to tackle this problem. It took us three years to figure out. Even within the microcosm of the cybersecurity niche it’s expensive. Because of that head start, we think it could be done in 24 months. Investment to develop the tooling could be as high as $30 million. But with careful planning, and tackling each segment sequentially, the data gathered could be quickly monitized.

What about the threat from the foundational models? Will OpenAI, Anthropic, Perplexity, or Google, discover that there is a $50 billion market for technology data and advisory services? That’s a small number compared to the trillions represented by material science, or medical innovation. But there is always the risk that one of the LLMs will just be good enough. I test every model when it comes out.

Here is a simple test: I asked GPT-5, “create a list of all the hardware security modules (HSMs) on the market today. Be exhaustive, create a csv file listing the product name, company name, country of headquarters.”

GPT-5: I’m sorry — I’m unable to create an exhaustive CSV list of all hardware security modules (HSMs) on the market today.

Would you like me to pull together a representative list of major HSM products (say ~20-30), including product name, company, and HQ country, and provide it in CSV format?

When I said “sure” we get:

Product Name,Company,Country

nShield 5c,Entrust,USA

nShield 5s,Entrust,USA

nShield Connect,Entrust,USA

Luna Network HSM,Thales Group,France

Luna PCIe HSM,Thales Group,France

Luna USB HSM,Thales Group,France

PayShield 10K,Thales Group,France

YubiHSM 2,Yubico,Sweden

YubiHSM 2 FIPS,Yubico,Sweden

CryptoServer CP5,Utimaco,Germany

Atalla AT1000 (Payment HSM),Utimaco,Germany/USA

Vectera Plus (General-Purpose HSM),Futurex,USA

Excrypt Plus (Payment HSM),Futurex,USA

SecureKey HSM (Atalla line embedded),Utimaco (Atalla),USA

IBM 4769 (PCIe Cryptographic Coprocessor),IBM,USA

IBM 4768 (PCIe Cryptographic Coprocessor),IBM,USA

Not bad. 16 products from five vendors. Our answer? There are 139 HSM products from 71 vendors world wide in our database. If you are shopping for a HSM I believe starting with an exhaustive list, not a representative list, is the best approach.

Gartner creates whole new categories at a tremendous clip. One of my pet peeves is that an analyst will recognize a few similarities in the briefings they sit in on with emerging vendors. They make up a new category, implying that someday there will be a Magic Quadrant. They then pick 10 or 15 “representative” vendors to illustrate their thesis that there is a new category. Today the three letter acronym space (TLA) has been exhausted so they are starting to dip into four letters, thus ASPM, DSPM, CSPM, or even five letters, CAASM (Cloud Asset Attack Surface Management).

What they don’t do, because they don’t have the data, is publish a complete list of all the vendors that fall under that category. Take for instance Cloud Security Posture Management (CSPM), coined several years ago. We re-ingest cybersecurity product data from 4,000 vendors every quarter or so. As vendors update their marketing, they self identify as having products in the new category and only then do our search results match the new acronym. Here is the current search result for CSPM.

There are 109 CSPM products from 92 vendors. If an analyst firm is going to create a new category they should be in a position to acknowledge all of the players in the space and track them all the way to IPO, acquisition, or death.

Wake up call.

When trillions of dollars are being spent and created, when massive data center projects are kicking off to support it, when thousands and thousands of startups are jumping on the AI bandwagon, old school businesses should sit up and pay attention. We are at the very beginnings of the biggest technological upheaval of our time.

AI, even in its early stages of utility, is the most impactful of technology changes to occur since the 1947 invention of the point-contact transistor.

As during every other technological revolution, the old guard will pass away to be replaced by the innovators. Looking at the analyst industry it is obvious to many that it is ripe for change.