The cybersecurity M&A numbers from 2025 look spectacular on the surface. $96 billion across 400 transactions, up 270% year-over-year from $46.1 billion. The average disclosed deal size jumped 82%, from $1.36 billion to $2.47 billion. Eight transactions over $1 billion. Twenty-six over $100 million.
What those numbers obscure is who was buying. Strategic buyers deployed 92% of all M&A capital. Not private equity. Corporate acquirers — Google, Palo Alto Networks, CrowdStrike, ServiceNow.
That’s the number that matters for the channel. Because a lot of PE firms backed a lot of MSSP and cybersecurity rollups between 2021 and 2024 on the assumption that the exit would come from another PE buyer, a strategic acquirer, or a public offering. The strategic buyers are still active. But they’re not buying what PE built.
What PE Built, and Why Strategics Aren’t Buying It
The PE rollup playbook in cybersecurity followed a familiar script. Acquire multiple regional MSSPs. Unify the brand. Consolidate the tooling. Cut overlap. Grow EBITDA through efficiency. Exit to a strategic at a premium multiple.
The problem is what the strategics actually want in 2026. Google paid $32 billion for Wiz because Wiz had a cloud-native application protection platform catching 90% of cloud misconfigurations, a product loved by enterprises, and a category-defining position in multi-cloud security. ServiceNow paid $7.75 billion for Armis because Armis had technology that extended ServiceNow’s reach into OT, IoT, and medical devices — things ServiceNow couldn’t build itself in the required timeframe.
What these strategic buyers have in common: they bought product companies with differentiated IP and genuine platform potential.
PE-backed MSSP rollups generally aren’t that. They’re service delivery organizations with multiple tool stacks partially consolidated, talent that gets acquired and then leaves, and customer relationships that depend on the humans rather than any proprietary technology. The EBITDA is real. The platform narrative is thin.
The cybersecurity M&A report from Solganick published last week confirms what’s happening in the mid-market: deal flow in cybersecurity services is active, but the buyer profile has shifted. Strategic corporate buyers now account for over 90% of deal value, and they’re specifically prioritizing what analysts are calling “agentic AI security” — protecting autonomous AI agents managing complex supply chains and critical infrastructure.
That’s not what most MSSP rollups were built to deliver. They were built to deliver SOC coverage, incident response, and endpoint protection to mid-market enterprises at scale. Solid business. Wrong asset class for a 2026 strategic buyer.
The Numbers on the Problem
Run the math on a typical 2022-era MSSP rollup. Sterling Investment Partners just acquired Cyber Advisors in mid-March — still PE buying services firms, which tells you the mid-market acquisition market isn’t dead. But the exit trajectory from those deals has changed.
In 2022, a PE-backed MSSP platform could realistically model a 5-7x revenue exit to a strategic buyer or another PE firm in three to five years. The MSSP market was hot, multiples were elevated, and the buyer pool was large. What’s happened since: rising interest rates compressed PE returns, the public market for cybersecurity stocks peaked and corrected, and the strategic buyers shifted their acquisition criteria toward platform technology.
Palo Alto Networks has bought three companies in the past year. None of them were MSSP rollups. They were all product companies with specific capabilities that extended Palo Alto’s platformization play. CrowdStrike’s $740 million acquisition in early 2026 was SGNL, an identity management company. Again — product, not services.
The PE firms with 2021-vintage MSSP investments are in year four or five of typical fund hold periods. Some are extending. Some are finding ways to add to the platform. Some are quietly running processes that are taking longer than expected. What you won’t find many of them doing is announcing premium exits to strategic buyers, because those buyers aren’t interested in the asset class at scale.
What Happens to the Rollup Employees
This is the part that matters most for the people working inside these organizations.
We’ve written about PE churn patterns in MSP businesses. The high-churn model isn’t a bug in PE-backed managed services; it’s a feature that produces the margin profile. But when the exit gets delayed and the hold period extends, the pressure intensifies.
Cost structures get reviewed again. Integration projects that were supposed to “unlock synergies” in year two get accelerated in year four because EBITDA needs to grow and the strategic buyer that was supposed to show up hasn’t. The talent that was retained through the acquisition with earnouts has largely cashed out and left. New talent is harder to recruit because word travels.
This isn’t universal — there are well-run PE-backed MSSPs that have genuinely built something. But for the ones where the investment thesis was pure financial engineering layered on service delivery, the structural math is getting harder.
The Channel Playbook That Actually Works Right Now
Here’s the thing about the strategic buyer market: it’s active and it’s paying premium prices. It’s just paying them for specific things.
If you’re running an MSSP or a cybersecurity-focused MSP, the question to ask yourself isn’t “what would a PE firm pay for this?” It’s “what would Palo Alto Networks, CrowdStrike, or ServiceNow want from this business?” Those are three different questions with three different answers.
The strategic buyers want: proprietary workflows around emerging threat categories (AI agent security, OT security, identity security). Customer relationships in specific verticals where the strategic buyer doesn’t have coverage. Technical talent they can’t recruit competitively. Reference accounts with documented outcomes.
They don’t want: generic SOC delivery. Multi-vendor tool stacks with moderate consolidation. Revenue that’s dependent on individual relationships rather than platform lock-in.
The death of the generalist VAR applies equally to the generalist MSSP. Pick a lane. Build defensible depth in it. That’s the only path to a strategic exit in 2026 — and it’s also, not coincidentally, the only path to a sustainable business whether or not you ever sell.
The PE exit window that existed between 2019 and 2022 is closed for now. The strategic acquisition window is open — but only for specific types of assets. If you’re building with that reality in mind, you’re ahead. If you’re building on the assumption that financial engineering alone creates exit value, the data from 2025 says otherwise.