Six Cybersecurity Themes Private Equity Investors Should Know Leaving 2025

Marissa Licursi, Tyler Michaels, & Yiwei Jiang • October 20, 2025

Marissa Licursi

Associate Director

Tyler Michaels

Associate Director

Yiwei Jiang

Manager

Cybersecurity is undergoing a structural transformation in 2025, driven by regulatory pressure, cloud adoption, AI innovation, and evolving threat vectors. Grant Thornton Stax has compiled this report outlining several key investment themes, based on our prior work with cybersecurity assets throughout 2025 to date. These themes highlight where capital is flowing and where differentiated capabilities are emerging. 

1. Cyber Compliance: Software and Service Strategic Growth Drivers

As regulatory frameworks such as CMMC, ISO 27001, SOC 2, and HIPAA evolve, cybersecurity vendors and service providers with embedded compliance capabilities are gaining traction, particularly in regulated industries like financial services and insurance. This trend is being accelerated by cyber insurance providers, who increasingly require baseline security controls and offer premium discounts for adherence to recognized standards.



Demand for compliance services (i.e., gap assessments, control design, and audit readiness) is also rising. Compliance-as-a-service platforms, such as Vanta and Drata, are lowering the barrier to entry (i.e., reducing costs, automating log gathering), even for small and mid-sized firms. As a result, compliance is now a board-level concern and a key driver of cybersecurity purchasing decisions. 

Key Drivers:

  • Regulatory expansion across industries is increasing demand for compliance-aligned products and services. 
  • Cyber insurance providers are enforcing stricter security requirements and incentivizing compliance through premium discounts. 
  • Compliance-as-a-service platforms are democratizing access to attestation and audit readiness. 

Market Commentary:

“Almost half of the motivation to purchase MDR services is driven by regulatory compliance as buyers fear the auditor more than the attacker.” — Chief Strategy Officer, Cyber Compliance Vendor 


“Insurers are making recommended MDR providers lists…promising a 30% reduction in premiums if clients use Arctic Wolf.” — Director Enterprise of Sales, MDR Vendor 



“Expansion of frameworks is driven by organizations applying more rigor to vendors due to cyber insurance coverage requirements.” — VP Cybersecurity, Cyber Industry Analyst


“Compliance-as-a-service tools like Vanta and Drata have made SOC 2 and ISO 27001 more accessible, even for small firms.” — Senior Manager, Cyber Compliance Service Provider 

2. SASE: The Convergence of Networking and Security

Secure Access Service Edge (SASE) is becoming the architecture of choice for distributed enterprises, combining security service edge (SSE) capabilities (e.g., CASB, SWG, and ZTNA) with SD-WAN. This convergence is driven by cloud migration, remote work, and the need to simplify fragmented networking and security environments.

Key Drivers:

  • Enterprises are consolidating networking and security stacks for operational efficiency. 
  • SASE platforms are evolving to include digital experience monitoring and GenAI-enhanced DLP. 
  • Market leaders like Netskope and Zscaler are gaining share through innovation and bundling. 

Market Commentary:

“The SD-WAN market is quickly giving way to SASE…think of it as SD-WAN plus security.” — Fmr. Group VP, Cloud-Ready Data Center, Cyber Vendor


“Nobody will buy SD-WAN without a security component in two to three years.” — Fmr. Head of Global Sales Engineering, Cyber Vendor



“With no on-site servers, we rely entirely on internet connectivity which makes SASE extremely important.” — Cloud Security Lead, Enterprise Firm 

3. Agentic AI: Emerging Table Stakes in Threat Detection & Response

While embedded AI has long been used to enhance analytics and automation, the rise of agentic AI signals a change: systems that can autonomously execute tasks, coordinate across tools, and continuously learn from outcomes. 



In SOC operations, this means moving from “AI-assisted” detection toward “self-directed” remediation, playbook orchestration, and intelligent escalation, capabilities that are quickly becoming standard across platforms. Industry analysts underscore this shift: Gartner ranks GenAI as the top cybersecurity trend, Forrester highlights AI’s role in transforming SOC workflows, and IDC reports that 74% of enterprises have deployed AI-powered detection tools.

Key Drivers:

  • AI is enabling faster, more accurate threat detection and response. 
  • VARs, MSPs and MSSPs are leveraging agentic AI to offer scalable services.

Market Commentary:

“AI is a real facilitator…it can make low-value tasks efficient and help VARs build out SOC capabilities.” — Director, Cyber Vendor


“We're approaching a new era where fully automated and agentic AI will conduct much of the security research. In this future state, tool integration might become less critical as AI systems will aggregate data from various sources and present it through a unified interface. This evolution might lead some organizations to migrate away from traditional integrated platforms as new agentic companies emerge offering superior value propositions.” — Chief Security Technologist, Global VAR

4. Email Security: Critical and Evolving Vendor Landscape

Email remains a top attack vector, but the category is under increasing pricing pressure due to the bundling of Microsoft Defender and intensified competition. The category has evolved from static filtering and batch updates to dynamic, AI-driven detection with seamless integration (e.g., Abnormal Security).



As enterprises face mounting pressure from DMARC mandates and growing phishing threats, vendors like Valimail are gaining traction by offering centralized, automated control over domain-level email authentication, an increasingly critical component of enterprise security infrastructure. 

Key Drivers:

  • DMARC mandates and phishing threats are elevating the importance of domain-level email authentication. 
  • Microsoft Defender’s bundling is eroding standalone vendor pricing power. 
  • API-based, AI-enhanced email security is becoming the new standard. 

Market Commentary:

“Email is the most attacked platform—it's where most social engineering and attacks originate, making it a huge space. We're seeing new email security companies emerge, but these companies need to be truly significantly different to succeed.” – Chief Security Technologist, Global VAR


“As email security becomes more robust, threat actors are pivoting to other communication channels like Microsoft Teams and Slack. ICES providers are responding by extending their security coverage to these adjacent platforms. This expansion is technically complex and relies heavily on APIs, giving ICES players with existing API-based platforms a first-mover advantage.” – Fmr. CMO, Email Security Vendor

5. Cyber-Focused VARs: Trusted Advisors in a Complex Market

Specialized cybersecurity VARs are gaining share from broadline resellers due to their technical depth, vendor relationships, and ability to deliver high-touch advisory services. As cybersecurity needs grow more complex, driven by evolving regulations, advanced threats, and bespoke architecture requirements, organizations increasingly rely on VARs for consultative sales, integration support, and lifecycle management.

Key Drivers:

  • VARs differentiate through deep technical expertise and vendor partnerships. 
  • Buyers value pre-sales engineering and implementation support. 
  • VARs help vendors navigate complex buying centers and deployment processes. 

Market Commentary:

“Specialized VARs are strongly preferred…they ensure proper service delivery and maintain partnerships with prominent security providers.” — CIO/CISO, Enterprise firm

 

“I expect to get more from cybersecurity VARs…I see more spending shifting to cybersecurity vendors and less to the other two categories.” — Director of Information Security, Mid-market firm


“What really makes a difference is the capability to do pre-sales…we’ve often chosen a VAR because of their very skilled pre-sales engineer.” — Director, Cybersecurity Vendor 

6. Shift Left in Cyber Services: MSPs and VARs Adding Cybersecurity Services

The line between MSPs, VARs, and MSSPs is blurring. More partners are offering managed detection and response (MDR), compliance-as-a-service, and 24/7 SOC capabilities. This shift is especially pronounced among SMBs and mid-market firms, which face increasing cyber threats but lack the internal resources to build robust security programs. Gartner and Forrester both note the rise of MSSP-lite models. SMBs and mid-market firms increasingly prefer bundled services from a single provider.

Key Drivers:

  • SMBs are adopting MSPs for comprehensive cybersecurity services. 
  • VARs are evolving into hybrid vendors offering managed services. 
  • MSSP-lite models are gaining traction as firms seek bundled solutions.

Market Commentary:

“Clearly, we see increasingly VARs, especially the smaller local ones, are now already working as MSSPs. This has been a trend we've observed for the past two to three years, because that's the way VARs are going to grow their business.” — Director, Cyber Vendor


“Commercial businesses and small to medium-sized businesses (SMBs) are more likely to prefer a full suite provider. Even if such a provider is not very good in one area, the ability to manage everything in one swoop is appealing.” — VP Revenue & Sales, MSP 

About Stax

Now part of Grant Thornton Advisors LLC, Stax is a global management consulting firm serving corporate and private equity clients across a broad range of industries including software/technology, healthcare, business services, industrial, consumer/retail, and education. The firm partners with clients to provide data-driven, actionable insights designed to drive growth, enhance profits, increase value, and make better investment decisions. Please visit www.stax.com and follow Stax on LinkedIn, Instagram, Threads, and Facebook.

About Grant Thornton

Grant Thornton delivers professional services in the US through two specialized entities: Grant Thornton LLP, a licensed, certified public accounting (CPA) firm that provides audit and assurance services, and Grant Thornton Advisors LLC (not a licensed CPA firm), which exclusively provides non-attest offerings, including tax and advisory services.

 

In January 2025, Grant Thornton Advisors LLC formed a multinational, multidisciplinary platform. The platform offers a premier advisory and tax practice, as well as independent audit practices. With almost 60 offices, the platform delivers a singular client experience that includes enhanced solutions and capabilities, backed by powerful technologies and a roster of almost 14,000 quality-driven professionals enjoying exceptional career-growth opportunities and a distinctive cross-border culture. 

 

Grant Thornton is part of the Grant Thornton International Limited network, which provides access to its member firms in more than 150 global markets. 

 

Grant Thornton LLP, Grant Thornton Advisors LLC and their respective subsidiaries operate as an alternative practice structure (APS). The APS conforms with applicable laws, regulations and professional standards, including those from the American Institute of Certified Public Accountants. 

 

“Grant Thornton” refers to the brand under which the member firms in the Grant Thornton International Ltd (GTIL) network provide services to their clients and/or refers to one or more member firms. Grant Thornton LLP and Grant Thornton Advisors LLC serve as the U.S. member firms of the GTIL network. GTIL and its member firms are not a worldwide partnership and all member firms are separate legal entities. Member firms deliver all services; GTIL does not provide services to clients. 

