Insights

The Most Active Private Equity Firms in Cybersecurity (2026)

The 14 PE firms driving cybersecurity buyouts in 2026, from Thoma Bravo to Crosspoint, with portfolios, dated deals, and the multiples PE pays vs strategics.

By Alexej Pikovsky  ·  Updated

The most active private equity firm in cybersecurity is Thoma Bravo, and it is not close. It owns or has owned Proofpoint, SailPoint, Sophos, Ping Identity, Imprivata, Exabeam and Darktrace, a security portfolio no rival sponsor comes near. Private equity in cyber means buyout and growth firms that take control of security software and services companies, either taking public ones private or rolling up private ones, then repricing and reselling them a few years later. The list of firms doing this seriously is shorter than the marketing suggests: about fourteen names carry almost all of it.

2025 was the year this went from a theme to a wave. Cyber M&A hit roughly $96 billion across 400 disclosed deals, more than doubling 2024's $46.1 billion, with PE completing 165 of them on Momentum Cyber's year-end count. Read that 165 carefully, because it is a broad number that counts add-ons by PE-backed platforms; on a narrow definition of large take-privates the figure is closer to 18. I read all of this from an operator's seat: I spent a decade in investment banking and private equity, sat on a board through a $300M+ PE exit, and now run growth for MSPs and cyber firms, so I care less about the logos than about who buys, what they pay, and what changes for the companies afterward. This piece sits alongside the cybersecurity market map and a companion on the most active cybersecurity VCs, which cover the venture side of the same money.

Two kinds of cyber private equity

The fourteen firms split cleanly into two groups, and the split matters because it predicts how they behave once they own you.

The first group is cyber-dedicated. Symphony Technology Group, Crosspoint Capital, Haveli Investments and the boutique Option3 raise funds specifically to buy security and infrastructure software. Crosspoint was founded by a former Symantec CEO; Option3 does nothing but cyber and national security. These shops know the sector cold and tend to run tighter operational theses.

The second group is generalist software buyers who farm cyber as one vertical among several. Thoma Bravo, Vista, Francisco Partners, Clearlake, Permira, Advent, TA Associates, Insight Partners (really a growth-equity house that also shows up on the buyout side), Turn/River, Vitruvian and KKR all fit here. The European names in that list sit inside a wider regional picture I map in the European cyber investor landscape and its UK counterpart. They bring bigger balance sheets and deeper take-private muscle, and they treat security software the way they treat any recurring-revenue category: then run the standard sponsor playbook as I have watched it play out: standardize the go-to-market, revisit the pricing, hold, then sell. The generalists write the largest checks. The specialists bring sector operators and product-level diligence the generalists have to hire in.

One note on candor before the roster. Several names you might expect are quieter than their reputation implies: EQT, GTCR, Silver Lake (whose cyber history is basically legacy Symantec), Warburg Pincus (one growth check into Nord Security) and Bain Capital (cyber mostly through its venture arm) have no active control-deal cyber franchise in 2025 or 2026, so they are not on this list.

The 14-firm roster

Thoma Bravo

The benchmark. Thoma Bravo runs about $183 billion and has acquired more than 490 companies representing roughly $265 billion of enterprise value over two decades by its own count. Its cyber roster is the deepest in the business: Proofpoint, SailPoint, Sophos, Ping Identity, Imprivata, Exabeam and Darktrace. It took Darktrace private for $5.3 billion in October 2024, then had Sophos buy Secureworks for $859 million in February 2025, and merged Exabeam with LogRhythm the same year. It also knows how to exit: it floated SailPoint again in 2025 and sold Venafi to CyberArk for $1.54 billion. Buy the category leader, tuck in adjacent products, professionalize, then re-float or sell to a strategic.

Vista Equity Partners

Vista runs more than $103 billion and treats security software as a core vertical. Its cyber holdings include KnowBe4, which it took private, plus Infoblox, Menlo Security, the MDR provider Critical Start, and Securonix, where Vista led a growth investment of more than $1 billion in 2024. Vista is heavier on operational engineering than most sponsors: standardized sales motion, pricing discipline, a long hold. For a founder, a Vista deal usually means a rebuild of the commercial engine rather than a quick flip. It is also one of the names reportedly circling Varonis, which sits in the pending column below.

Francisco Partners

Francisco has done thirteen cybersecurity acquisitions among more than a hundred tracked deals, which makes it one of the most prolific buyers in the sector. It co-acquired Black Duck (the former Synopsys Software Integrity Group) with Clearlake for $2.1 billion in October 2024, and agreed to buy the Apple-device security firm Jamf for $2.2 billion in October 2025. Earlier holdings run through Sumo Logic, Blancco and Forcepoint. Francisco tends to buy unloved or carved-out assets, clean them up, and either bolt them together or resell them.

Clearlake Capital

Clearlake runs about $90 billion and has been in cyber since it backed Ivanti in 2018. It co-owns Black Duck with Francisco and DigiCert with TA Associates, and it was raising up to $15 billion for its next flagship in 2025. Clearlake likes consortium deals and shared control, which spreads risk on the larger take-privates but can slow decision-making at the portfolio companies. Its recent Pathway Capital acquisition roughly doubles the platform, though that figure blends in a fund-of-funds business, so treat the headline AUM with care.

Permira

Permira is a European generalist with real cyber weight. It took Mimecast private for $5.8 billion in 2022, bolted Code42 onto it in 2024, and bought a majority of the fraud-detection firm BioCatch at a $1.3 billion valuation in September 2024. Permira runs a patient hold and leans on its European relationships. Mimecast under Permira is the template: take a public email-security vendor private, then expand it into a broader platform through add-ons.

Turn/River Capital

Turn/River closed an oversubscribed $2.5 billion Fund VI in March 2025 and immediately made the year's biggest cyber take-private: SolarWinds, announced in February 2025 at $4.4 billion, or $18.50 a share, closed mid-year. It had already bought the firewall-policy firm Tufin in 2022 and later exited CoSoSys to Netwrix. Turn/River is a smaller, more focused shop than the mega-funds, and SolarWinds is a real test: a well-known brand carrying real baggage, exactly the kind of asset public markets punish and PE thinks it can quietly repair.

Crosspoint Capital Partners

Crosspoint is the purest cyber buyout shop of the group, founded in 2019 by former Symantec CEO Greg Clark and launched with a $1.3 billion debut fund, one of the largest first-time tech funds ever raised. Its buyouts include Forescout, Absolute Software, ExtraHop and McAfee's consumer business. Lately it has also been writing growth checks into the AI SOC wave, backing TENEX.AI, SynthBee, WideField and Glide Identity across 2025 and 2026. Crosspoint mixes control buyouts with minority bets, which is unusual, and its operating team knows the product side better than most sponsors ever will.

Symphony Technology Group

STG runs about $12 billion and is genuinely cyber-dedicated at the mid and large end. It bought RSA Security from Dell, then carved McAfee's enterprise business and FireEye's products out and stood them up as two companies, Trellix and Skyhigh Security, in 2022. In January 2025 it named a single CEO, Vishal Rao, to run both, which the market read as a possible re-merger signal. STG is the clearest live example of what a take-private does to a product line: split it into two focused products, and, if the single-CEO move means what it appears to mean, possibly reassemble it later.

Haveli Investments

Haveli was founded in 2021 by Vista co-founder Brian Sheth and closed a $4.5 billion debut software buyout fund in March 2025. Its signature cyber deal is ZeroFox, the digital-risk-protection firm it took private in a deal worth about $350 million of enterprise value, completed in May 2024. Haveli is young but well-capitalized and clearly built to do more of this. The ZeroFox take-private is a good small-cap template: pull a sub-scale public security company off the market, out of the quarterly spotlight, and give it room to retool.

TA Associates

TA runs about $60 billion and takes minority and shared-control positions rather than outright buyouts. It made a growth investment in Veracode, and co-owns Ivanti and DigiCert alongside Clearlake. Its cleanest 2025 move was selling Hornetsecurity to Proofpoint, a Thoma Bravo company, for $1.8 billion, a rare case of one PE firm's portfolio company being sold straight into another's. That deal is worth remembering, because it shows how consolidated the buyer side has become: the natural exit for a PE-owned cyber asset is now often another PE-owned platform.

Insight Partners

Insight straddles growth equity and buyout, and on the buyout side it belongs here. It closed Fund XIII at $12.5 billion in January 2025 and has made more than 80 cyber investments over its life. Its biggest recent exit was Recorded Future, sold to Mastercard for $2.65 billion in 2024, and it took a majority of Detectify the same year. Historically Insight sat inside the Datto and Veeam deals. It is the firm most likely to come in earlier and stay through to a strategic sale.

Advent International

Advent runs about $100 billion and was named among 2025's most active cyber buyers by Momentum Cyber. Its landmark cyber deal was Forescout, which it took private with Crosspoint in 2020. More recently it took a stake in Tinexta, an Italian digital-trust and cyber group, in August 2025. Advent is a true generalist that dips into cyber opportunistically rather than running a standing thesis, so it shows up on the biggest deals and sits out the mid-market.

Vitruvian Partners

Vitruvian is a European growth-buyout firm that Momentum Cyber lists among the most active cyber sponsors of 2025, alongside Thoma Bravo, TA and Advent. It bought the vulnerability-management firm Outpost24 and a majority of the managed-security provider Meriplex in 2022, took a growth stake in Bitdefender back in 2017, and was an early Darktrace backer. Vitruvian runs a multibillion-euro flagship and favors growth-stage security companies that still need capital to scale, a notch earlier in the life cycle than the pure take-private shops.

KKR

KKR is the mega-generalist on the list, managing hundreds of billions across every asset class, so its cyber franchise is small relative to its size but the checks are large. Its anchor cyber holding is Barracuda Networks, which it bought from Thoma Bravo for about $4 billion in 2022 to push into XDR and SASE, and which it still owns. KKR does not farm cyber the way Thoma Bravo does; it makes occasional platform bets when the scale justifies the attention. Barracuda is the one to watch, because a KKR exit there would be another test of what a mature, PE-owned security platform fetches in this market.

One boutique deserves a mention outside the main fourteen. Option3, founded in 2014, invests exclusively in cybersecurity and national-security companies, running mid-market buyouts out of a dedicated fund with nine portfolio companies and three exits to date. It is small, but it is the clearest example of a fund built for nothing but this sector.

The 14 most active PE firms in cybersecurity (2026)
FirmTypeNotable cyber holdingsMost recent major cyber deal
Thoma BravoGeneralistProofpoint, SailPoint, Sophos, Darktrace, ImprivataSophos buys Secureworks, $859M (Feb 2025)
Vista Equity PartnersGeneralistKnowBe4, Infoblox, Menlo, Securonix, Critical StartLed $1B+ Securonix growth round (2024)
Francisco PartnersGeneralistBlack Duck, Jamf, Sumo Logic, ForcepointJamf, $2.2B (announced Oct 2025)
Clearlake CapitalGeneralistIvanti, Black Duck, DigiCertBlack Duck co-acquisition, $2.1B (Oct 2024)
PermiraGeneralistMimecast, Code42, BioCatchBioCatch majority, $1.3B valuation (Sept 2024)
Turn/River CapitalGeneralistSolarWinds, TufinSolarWinds take-private, $4.4B (Feb 2025)
Crosspoint CapitalDedicatedForescout, Absolute, ExtraHop, McAfee consumerBacked AI SOC firm TENEX.AI (Mar 2026)
Symphony Technology GroupDedicatedTrellix, Skyhigh Security, RSASingle CEO named across Trellix and Skyhigh (Jan 2025)
Haveli InvestmentsDedicatedZeroFoxZeroFox take-private, ~$350M EV (May 2024)
TA AssociatesGeneralistVeracode, Ivanti, DigiCert, HornetsecuritySold Hornetsecurity to Proofpoint, $1.8B (2025)
Insight PartnersGeneralistRecorded Future (exited), DetectifyRecorded Future to Mastercard, $2.65B (2024)
Advent InternationalGeneralistForescout, Tinexta stakeTinexta digital-trust stake (Aug 2025)
Vitruvian PartnersGeneralistOutpost24, Meriplex, BitdefenderMeriplex majority stake (Jul 2022); early Darktrace backer
KKRGeneralistBarracuda NetworksStill holds Barracuda, bought ~$4B (2022)

The take-private wave

The single loudest pattern of the last two years is public cyber companies going private. SolarWinds at $4.4 billion, Darktrace at $5.3 billion, KnowBe4 and ZeroFox all left the public markets and landed in PE hands. The reason is structural. Public markets punish sub-scale security vendors ruthlessly: uneven growth and heavy sales-and-marketing spend get repriced hard at every earnings print. A sponsor can buy that same company at a discount, take it out of the quarterly spotlight, cut the go-to-market bloat, and rebuild it away from public scrutiny.

The exit path runs back the other way. Thoma Bravo re-floated SailPoint in 2025 after retooling it in private, which is the clean version of the trade: buy public and beaten-down, fix it quietly, sell it back to the market or to a strategic at a better multiple. The take-privates you read about today are the front half of deals that will come back as IPOs or strategic sales in three to five years. For anyone tracking capital in this sector, the private wave now is the IPO pipeline later.

What PE pays versus strategics

Here is the number that reframes everything: strategic buyers, not PE, drove 91 to 92 percent of 2025 cyber deal value by Momentum Cyber's tally, while sitting on only about 61 percent of the deal count. PE is the volume, not the mega-checks. Of the eight acquisitions above $1 billion in 2025, only two were PE take-privates (SolarWinds and Jamf). The other six were strategics: Google buying Wiz for $32 billion, Palo Alto buying CyberArk for $25 billion, and four more.

The multiples explain the split. Private cyber companies sold at a median of about 15.2 times revenue in 2025, against 7.8 times for public peers, with cloud-security assets fetching M&A multiples above 22 times and endpoint and identity names in the 12 to 16 range. Inside that, PE is the disciplined buyer. Reported take-private pricing for non-AI targets lands around 5 to 8 times revenue, while Google paid a reported 64 times ARR for Wiz. That Wiz figure is an outlier and both numbers are reported rather than audited, so hold them loosely, but the shape is real. Strategics pay for scarcity and strategic fit; PE pays for cash flow it can engineer. If you are selling a profitable, sub-scale security business, PE is the realistic buyer, and it will not pay the strategic premium.

Pending and rumored deals

Three situations are worth watching as of mid-2026, each labeled as reported rather than confirmed. Together they say the same thing: the sponsors that bought heavily in 2020-2022 are now testing the exit market, so the next two years should produce as many PE sales as PE purchases.

Francisco Partners was reported in August 2025 to be exploring a sale of the privileged-access-management firm BeyondTrust, in a process expected to run into the multiple billions. Thoma Bravo was reported in early 2026 to have hired JPMorgan to sell Imprivata, with a figure of up to $7 billion mentioned. And Varonis has drawn reported PE interest, with Blackstone, Thoma Bravo and Vista named as circling in 2026. That last one is rumor, not a process, so treat it as the softest of the three. All three point the same direction: the largest PE-owned identity and access assets are the ones most likely to trade next.

What it means for founders and MSP owners

If you sell security software, PE ownership of your competitors and your vendors changes the ground under you. When a sponsor takes a vendor private, my working assumption as an operator is that the roadmap and the price list both get reviewed within the year, because that is where the margin is. The Trellix and Skyhigh split is the live case: one company became two distinct products, and with a single CEO now over both, the market is already guessing at a re-merger. If a tool in your stack gets bought by PE, expect a pricing review and a roadmap reshuffle within a year, and plan your MSP tool stack so no single re-tiered vendor can hold your margin hostage.

For MSP owners specifically, two things follow. First, the same capital discipline that prices cyber assets prices services businesses, and the mechanics that move MSP valuation multiples reward recurring revenue, low churn and clean financials the same way they do in software. Second, the compliance wave is its own driver of value: the CMMC land grab is pulling capital toward providers who can prove security outcomes, and PE-owned platforms are moving to capture it. If you are a founder deciding who to raise from or sell to, know which kind of buyer you are talking to. A generalist take-private shop wants scale and cash flow at 5 to 8 times revenue. A strategic wants a capability it cannot build fast enough and will pay the premium for it. And the AI-native security economics I break down in the AI SOC piece are exactly what the next wave of these buyers will underwrite.

FAQ

Is PE or strategic M&A driving cybersecurity consolidation?

Both, but differently. Strategic buyers drove 91 to 92 percent of 2025 cyber deal value, powered by megadeals like Google buying Wiz for $32 billion, a deal announced in 2025 that closed in March 2026. Private equity drove the volume, completing about 165 of the 400 disclosed deals on a broad count that includes add-ons by PE-backed platforms. So strategics own the dollar value and PE owns the deal count.

Which PE firm owns the most cybersecurity companies?

Thoma Bravo, without a serious rival. Its cyber portfolio has run through Proofpoint, SailPoint, Sophos, Ping Identity, Imprivata, Exabeam and Darktrace, and it has acquired more than 490 companies overall across two decades. No other sponsor comes close to that depth of security holdings.

What is the difference between dedicated and generalist cyber PE?

Dedicated firms (Symphony Technology Group, Crosspoint, Haveli, Option3) raise funds specifically for security and infrastructure software and know the product cold. Generalist software buyers (Thoma Bravo, Vista, Francisco, Clearlake and others) farm cyber as one vertical among several, bring larger balance sheets, and run bigger take-privates. Generalists write the largest checks; specialists usually understand the roadmap better.

Why did SolarWinds and Darktrace go private?

Public markets punish sub-scale security vendors for uneven growth and heavy sales spend, so a bad quarter can halve the stock. PE buys at that discount, pulls the company out of quarterly scrutiny, cuts go-to-market bloat and re-tiers pricing, then aims to re-float or sell it at a better multiple later. Turn/River took SolarWinds private at $4.4 billion and Thoma Bravo took Darktrace private at $5.3 billion on exactly this logic.

How do PE buyout multiples compare to strategic multiples in cyber?

PE is the disciplined buyer. Reported take-private pricing for non-AI cyber targets runs around 5 to 8 times revenue, while strategics pay for scarcity: Google paid a reported 64 times ARR for Wiz, an outlier. Median private cyber deals landed near 15.2 times revenue in 2025 against 7.8 times for public peers. If you run a profitable, sub-scale security business, PE is the realistic buyer and it will not match the strategic premium.

Which cyber PE deals are pending or rumored in mid-2026?

Three, all as reported rather than confirmed. Francisco Partners was reported in August 2025 to be exploring a sale of BeyondTrust. Thoma Bravo was reported in early 2026 to have hired JPMorgan to sell Imprivata at up to $7 billion. And Varonis has drawn reported PE interest, with Blackstone, Thoma Bravo and Vista named as circling, though that one is rumor rather than a live process.

What actually happens to a security product after a take-private?

The clearest sourced example is Symphony Technology Group's McAfee Enterprise and FireEye deal: STG bought the two businesses in 2021 for $4B and $1.2B, split them into Trellix (detection and response) and Skyhigh Security (cloud security) within a year, and by January 2025 had put one CEO over both, which reads like the setup for an eventual re-merger or joint exit. My operator read: ownership changes what gets built and how it is packaged, so the product you bought is not guaranteed to be the product you renew.