Insights

What Momentum Cyber's Cybersecurity Almanac means for a $3M MSP

Momentum Cyber's Almanac tracks $96B in cybersecurity deals. Here's what its buyer, multiple, and consolidation signals actually mean for a $3M MSP.

By Alexej Pikovsky  ·  Updated

Momentum Cyber's Cybersecurity Almanac is the banker's annual scorecard for the whole cyber M&A market, and the 2026 edition (covering 2025) tracked 400 deals worth $96.1B. If you run a $3M managed services business, your first honest reaction should be that none of that is about you. The median disclosed deal in the report was $117M. You are two to three orders of magnitude below that. You are not in this report, you will not be in this report, and you do not need to be.

What the Almanac is good for, if you own a small MSP, is direction rather than price. It tells you who is buying, what they are paying up for, and which parts of the security stack are consolidating fastest. Read that way, it is one of the better free reads on where your buyer pool, your tool vendors, and your own eventual exit are drifting over the next 18 months. Read the other way, as a valuation benchmark for your business, it is useless and a few lead-gen sites will happily mislead you with it.

This piece translates each headline signal from the report into what it actually means for a generalist $3M MSP owner. I read it from an operator's seat, because I spend my time on where the margin and the buyers actually land in this market. Where I am giving you my read rather than the report's numbers, I say so plainly. And I rebuild this page every January, when Momentum Cyber and the supplementary trackers drop their year-end figures, so the block below is dated on purpose.

The 2026 Cybersecurity Almanac in one block (Momentum Cyber, 2025 data)
Signal2025 figure
Total M&A transactions400 (record; deal count up 22% year over year)
Total disclosed M&A value$96.1B (record; value up 270% year over year)
Median disclosed deal value$117M
Billion-dollar-plus deals8; plus 38 deals over $100M
Strategic (corporate) buyers92% of disclosed value, 59% of deal count
Private equity deals165 (41% of the 400 total)
Most active M&A sectorSecurity Services, 126 deals
Total financing$20.7B across 820 rounds (up 52%)
New cybersecurity unicorns10+ (Saviynt, Cyera, ReliaQuest, Armis, Cato and others)

Source: Momentum Cyber, Cybersecurity Almanac, 2025 Cybersecurity M&A and Capital Markets Report, January 2026, its sixth annual edition. Everything below is a translation of that data, dated as of the 2026 Almanac.

First, is Momentum Cyber independent or part of Houlihan Lokey?

This trips people up, so clear it before you read a single number. Momentum Cyber is an independent, veteran-owned boutique investment bank, founded in 2014, based in Austin, Texas, with a couple of dozen people plus senior advisors. It has not been acquired. Houlihan Lokey is a separate, larger, unrelated bank that also runs a cybersecurity coverage team and also publishes cyber M&A commentary. The two get confused precisely because they cover the same beat, but there is no ownership link between them. When you cite the Almanac, cite Momentum Cyber, and do not let anyone tell you it is a Houlihan Lokey product.

The headline numbers, and why they are not about you

The record year is real. 400 deals, $96.1B, deal value up 270% on the year, eight deals over a billion dollars. The names driving it are the ones you would expect: Google buying Wiz for $32B, Palo Alto taking CyberArk private for $25B, HPE and Juniper at $16B, ServiceNow buying Armis for $7.7B. Strategic corporate buyers took back the lead they had ceded to private equity, capturing 92% of disclosed value.

Now the translation. That $96B headline is banker bait. It is the number the report leads with because its audience is the CEOs and investors of venture-scale companies, and the median deal of $117M tells you exactly where that audience sits. A $3M MSP transacts in a completely different market, priced on a multiple of owner earnings, in the low millions, usually to a regional consolidator or another MSP. The Almanac's price signals describe a market roughly two to three orders of magnitude above yours. The one useful thing the median does for you is calibrate your skepticism: any site quoting the Almanac to tell you what your $3M MSP is worth is misusing a large-cap dataset. For the number that does apply to you, see the breakdown of MSP valuation multiples and the median MSP deal in the lower-middle market, which is a different report entirely.

The 92% strategic-buyer figure is worth one more note, because it is easy to misread. It does not mean private equity stopped buying. PE still closed 165 deals, 41% of the whole year, more than any single strategic acquirer. The 92% is a value share, and value share is a large-cap story: a handful of $10B-plus corporate deals dwarf a hundred smaller PE platform add-ons. I come back to what that means for your buyer pool below, because it is the single most misread signal in the report for a small operator.

Does the Almanac even cover MSPs?

This is the most important caveat in the whole translation, so read it slowly. The Almanac's single most active M&A sector in 2025 was "Security Services" with 126 deals. It is tempting to see that and think the report is tracking businesses like yours. It is not.

Momentum Cyber's "Security Services" category is cybersecurity-pure-play services and consultancies: MSSPs, MDR providers, incident-response shops, and compliance consultancies. The names it lists as active in the category are firms like Bridewell, Clearwater, MorganFranklin Consulting and WithSecure. These are specialists whose whole business is security, being rolled up mostly by strategics and PE platforms. A generalist IT-MSP that bundles helpdesk, cloud, and network management with a slice of security is adjacent to this category, not counted inside it. You are near the fire, not in it.

The report does not help you here beyond that aggregate count. It publishes no valuation multiples for the services segment, no deal-size breakdown below the named mega-deals, and no buyer-profile analysis for MSSPs specifically. Its only comps table covers 20 large public vendors like Palo Alto, CrowdStrike and Zscaler, priced on forward revenue (median 6.3x EV/Revenue), which has nothing to do with how a private services business is priced. So the honest statement is this: the Almanac is the best banker-grade overview of the entire cyber M&A market, but a $3M MSP owner needs the supplementary trackers to see anything resembling their own business in the data.

The trackers disagree, and the disagreement is the useful part

Here is where a careful read beats the sites that just repeat one bank's press release. Four reputable trackers counted the exact same calendar year and produced four different totals. That is not a mistake by any of them. It is what happens when "cybersecurity deal" has no standard definition.

Four trackers, one year (2025 cybersecurity M&A), four numbers
Tracker2025 M&A deal count2025 disclosed value
Momentum Cyber400$96.1B
SecurityWeek426 (334 pure-play)$92.5B disclosed across 74 deals; $84B pure-play
Return on Security320$76.4B
Altitude Cybernot separately disclosed~$62.9B

The spread is real: 320 to 426 deals, and $62.9B to $96.1B. Each firm draws its universe differently. SecurityWeek counts every deal with a cybersecurity component, including announced-but-not-yet-closed deals, which is why its 426 tops Momentum Cyber's 400. Return on Security, published by Mike Privette, runs a stricter cyber-only universe and lands at 320. Altitude Cyber's narrower cut comes in lowest at roughly $62.9B. None of them is wrong. They are counting different things, and knowing that is what stops you from treating any single figure as gospel.

Two of those trackers carry the numbers that actually speak to a services owner, and both are better sourced for that purpose than the Almanac. Return on Security found that 47% of 2025 cyber M&A deals were services companies, MSPs, MSSPs, and consultancies being rolled up by PE, which its author frames as a shift toward buying security outcomes rather than standalone tools. SecurityWeek separately counted 125 deals in 2025 involving managed-security providers, up from 119 in 2024 but still below the 150-plus seen in 2022 and 2023. Put those together and you get the honest answer to "is MSSP consolidation accelerating": services roll-ups are a large, near-half share of deal count, but the 2025 pace has not beaten the 2022 to 2023 peak. Attribute each figure to the tracker it came from, because they do not reconcile to each other and are not meant to.

What this actually means for a $3M MSP

Everything above is sourced data. What follows is my operator read on what that data implies for a small generalist MSP. This is judgment, not something the Almanac states, and I have separated it deliberately. Treat it as analysis to pressure-test against your own situation, not as fact from the report.

Your real buyer is still PE-backed, not a Fortune 500 strategic

The 92% strategic-value headline will tempt you to think the big corporates are the buyers to court. For a $3M MSP, they are not. Google, Palo Alto and ServiceNow are buying billion-dollar platforms, not sub-$5M generalist shops. Your realistic 2025 to 2026 buyer pool is overwhelmingly PE-backed platforms and larger MSPs doing tuck-in acquisitions, which is exactly the 165-deal PE lane the report almost buries under its large-cap value figures. The direction to take from the Almanac is not "strategics are hot," it is "consolidation capital is abundant and patient." That is the same engine behind private equity's move into cybersecurity and the roll-up pattern in the wider market. When you plan an exit, model a PE-backed platform buyer, not a strategic.

A credible security layer is becoming table stakes, not a nice-to-have

Security Services (126 deals) and Security Operations (38 deals) are both among the most active M&A categories, and AI Security was the most active financing sector with 144 raises. My read: buyer appetite is concentrating in exactly the outcome-based security capabilities a generalist MSP tends to underinvest in. If you want premium buyer interest rather than a commodity price, a real MDR or SOC layer is moving from optional to expected. I want to be careful here. The Almanac does not prove a valuation lift for adding MDR, and I am not going to invent a multiple. The actual premium for bolting on genuine security has to come from valuation research, not from bank deal counts. But the directional signal is not subtle: the money is chasing security outcomes, and a helpdesk-plus-patching MSP with a thin security story is drifting toward the discount end of the buyer's spreadsheet.

Watch what is consolidating in your own tool stack

Here is a risk the Almanac never discusses from your seat, because its readers sit on the other side of it. Heavy buyer interest concentrated in Identity & Access Management (40 deals), Risk & Compliance (63 deals), and Data Security (29 deals) means the vendors you resell and bundle are themselves being bought and merged at pace. When your IAM vendor, your compliance tool, or your backup provider gets acquired, you can inherit price changes, forced platform migrations, and lost partner-program economics, none of which the acquirer designs around your margin. This is a live operational risk, not a hypothetical. Read the M&A activity table as a heads-up on which corners of your stack are most likely to change hands and reprice on you in the next year, and keep a second option warm for any vendor that sits in a hot consolidation lane.

How to read this every January

The Almanac is a January release, and this page is built to be rebuilt against it each year. The dated block near the top is the part that ages; treat any version of this page more than 12 months old as describing the prior year's market, not the current one. If Momentum Cyber's mid-year review turns up something that genuinely changes the picture, I will add a companion note, but the January cadence is usually enough.

The through-line does not change even as the numbers do. The Almanac tells a $3M MSP owner three things worth knowing: who has the capital to buy in your market (still PE, whatever the value headlines say), what the money is paying up for (security outcomes, not tool resale), and which vendors in your stack are most likely to get consolidated next. It does not tell you what your business is worth, and it never will. For that, start with the MSP valuation multiples that actually apply to the lower-middle market, then read who buys MSPs to size up the buyer across the table. If you want the bigger structural view of where all this capital is flowing, the cybersecurity market map lays it out.

I write these translations because the raw reports are aimed at bankers, not operators, and the gap gets filled with loosely-sourced content that quotes the wrong numbers off the right report. I run growth for MSPs and cyber firms, so if you own one and want a straight read on your market, buyer pool, or positioning before a sale, that is the work I do. Come back each January and the numbers will be current.

Frequently asked questions

Is Momentum Cyber still independent, or was it acquired by Houlihan Lokey?

Momentum Cyber remains an independent, veteran-owned boutique investment bank, founded in 2014 and headquartered in Austin, Texas. It has not been acquired. Houlihan Lokey is a separate, unrelated investment bank that also runs its own cybersecurity coverage team, and the two get confused because both publish cyber M&A commentary. There is no ownership relationship between them, so the Almanac is a Momentum Cyber product, not a Houlihan Lokey one.

Does the Momentum Cyber Almanac even cover MSPs or MSSPs?

It covers MSSPs and cybersecurity services firms at the sector level, counting 126 "Security Services" M&A deals in 2025, the most active category. But it does not break out generalist IT-MSPs, publish a valuation-multiple table for the segment, or give deal-size detail below its named mega-deals. That Security Services category is cyber-pure-play consultancies and MDR shops, not generalist MSPs bundling helpdesk and cloud with some security, so a $3M MSP is adjacent to the data rather than counted inside it.

What was the median deal size in the 2025 Almanac, and why does it matter to a small MSP?

The median disclosed M&A deal was $117M. That matters because it tells you the report's headline numbers, buyer behavior, and multiples describe a market roughly two to three orders of magnitude above where a $3M MSP transacts. Read the Almanac for direction, which is who is buying and what is consolidating, not for a price tag on your own business. For a price that applies to you, use MSP valuation research on the lower-middle market instead.

Did private equity or strategic buyers dominate cybersecurity M&A in 2025?

Strategic corporate acquirers took back the lead by value, capturing 92% of disclosed M&A value and 59% of deal count, per Momentum Cyber. But that is a large-cap story driven by a handful of $10B-plus deals. Private equity still closed 165 deals, 41% of the 400 total, more than any single strategic buyer. For a $3M MSP, the realistic buyer pool remains PE-backed platforms and larger MSPs, not a Fortune 500 strategic.

Is MSSP and managed-security M&A actually accelerating?

It is mixed. SecurityWeek counted 125 managed-security-provider deals in 2025, up from 119 in 2024 but still below the 150-plus seen in 2022 and 2023. Return on Security separately found that 47% of all 2025 cyber M&A deals were services companies, MSPs, MSSPs, and consultancies being rolled up by PE, which it frames as a shift toward buying security outcomes. Read together: services consolidation is a large, near-half share of deal count, but the 2025 pace has not beaten the 2022 to 2023 peak.

Why do different reports give different totals for the same year?

Because "cybersecurity deal" is not a standardized definition, so each tracker counts a different universe. Momentum Cyber counted 400 deals worth $96.1B for 2025. SecurityWeek counted 426, including non-pure-play and some uncompleted deals, with $92.5B disclosed. Return on Security counted 320 worth $76.4B in a stricter cyber-only universe. Altitude Cyber came in near $62.9B. None of them is wrong; they are counting different things, and knowing that keeps you from treating any single figure as the truth.

Do the Almanac's valuation multiples apply to a $3M MSP?

No. The Almanac's only multiples table covers 20 large public cybersecurity vendors priced on forward revenue, at a median of 6.3x EV/Revenue in 2025. Private lower-middle-market MSPs are priced on a multiple of owner earnings in an entirely different, much smaller deal market. Any site quoting the Almanac to value a $3M MSP is misusing a large-cap dataset. See this site's own MSP valuation multiples breakdown for the number that actually applies to you.