The cybersecurity venture market in 2025 is showing a pattern that will be familiar to investors who watched previous cycles: capital is concentrating in a small number of high-conviction themes while earlier-cycle categories see consolidation and valuation correction. The novelty of this cycle is the degree to which AI — both as a threat driver and as a defensive capability — is reshaping which categories attract the most attention and capital. Understanding where venture capital is flowing, and more importantly why, requires going beyond the headline funding numbers to the structural dynamics underneath them.
This analysis draws on our view of the market as active investors, our conversations with CISOs and enterprise security buyers, and the deal flow we observe at Ciphero Ventures. We share our honest assessment of the categories we believe represent durable large-market opportunities versus those we think reflect momentum investing that will not hold up over a full venture cycle.
The AI Security Category: Genuine or Frothy?
No category has attracted more venture attention in the past eighteen months than AI security — a broad umbrella covering everything from LLM security tools to AI governance platforms to automated security operations. The total venture investment in AI security startups reached an estimated $4.2 billion in 2024, a year-over-year increase of over 180%. Evaluating whether this capital is being efficiently deployed requires distinguishing the signal from the noise.
The signal: enterprise AI adoption is genuinely creating new attack surfaces that incumbent security vendors are not addressing, and the enterprises deploying AI at scale have real, urgent needs for security tooling. The categories we find genuinely compelling within AI security include AI access governance, AI security posture management, and LLM-specific threat detection. These address problems that are structurally new, not adequately served by existing tools, and large enough to support multiple significant companies.
The noise: a substantial fraction of the AI security investment is going to companies that have rebranded existing products with AI marketing language or that are addressing narrower, more transient problems than their fundraising narratives imply. Companies claiming to "secure AI" in ways that amount to adding guardrails to chat interfaces, or building point solutions for specific compliance requirements that will be absorbed into broader platforms within eighteen months, are attracting capital that will not generate venture returns.
Our heuristic for the AI security companies most likely to build durable positions: they are founded by people who have worked on AI security problems from the inside — researchers, red teamers, or engineers who have built AI systems and understand their security properties from first principles. The companies that are applying AI marketing to conventional security problems are rarely founded by people with this background.
Identity and Access Management: The Quiet Boom
Identity and access management is experiencing its third major investment cycle in fifteen years, and this cycle is driven by a combination of factors that we believe support a longer and larger expansion than either of the previous two. The non-human identity problem described in our earlier analysis is the primary driver: enterprises are realizing that their identity governance programs, built for human users, are inadequate to govern the service accounts, API credentials, and AI agents that represent the fastest-growing segment of enterprise identity.
Venture capital has noticed. Investment in next-generation identity companies increased by approximately 40% year-over-year in 2024, with particularly strong concentration in non-human identity management, privileged access management for cloud-native environments, and identity threat detection and response. Several of the most interesting early-stage companies we have evaluated in the past year are in identity.
The incumbents — Okta, CyberArk, SailPoint, Microsoft — are large, well-resourced, and actively investing in these new categories through product development and acquisition. The risk for new entrants is being acquired before they reach their potential scale. The opportunity for new entrants is that the architectures required for non-human identity governance and AI agent security are sufficiently different from incumbent platforms' existing architectures that acquisition does not always translate to genuine competitive capability. Enterprises often prefer purpose-built solutions to shoehorned extensions of legacy platforms.
Cloud Security: Consolidating but Still Active
Cloud security as a broad category entered a consolidation phase beginning in 2022 as the wave of cloud-first startups from the 2018-2021 era matured into platforms, went public, or were acquired. But within the broader cloud security category, meaningful investment is still flowing into specific subcategories that remain early.
Cloud detection and response — the extension of endpoint detection and response principles to cloud environments, covering cloud-native attack techniques like IAM abuse, metadata service exploitation, and serverless function attacks — continues to attract meaningful investment. The problem is real, the incumbent SIEM and EDR vendors address it imperfectly, and the market of enterprises with material cloud security exposure continues to grow.
Data security posture management has emerged as a distinct category from cloud security posture management, focused specifically on discovering, classifying, and monitoring the security posture of data assets across cloud environments. DSPM addresses a gap that has become more pressing as AI adoption increased enterprises' data exposure: AI systems that access data across organizational boundaries create data security risks that neither conventional DLP nor CSPM tools were designed to handle.
Multi-cloud security — security tooling designed for enterprises operating across AWS, Azure, and Google Cloud — remains an active investment area because the market of enterprises with genuine multi-cloud complexity continues to grow and the problem of managing a coherent security posture across heterogeneous cloud environments remains technically challenging. Unified control planes for cloud security policy, enforcement, and monitoring across cloud providers represent meaningful opportunities.
Operational Technology Security: The Underinvested Category
Operational technology security — securing the industrial control systems, SCADA systems, building management systems, and physical infrastructure that underpin manufacturing, energy, utilities, transportation, and healthcare — is consistently undercapitalized relative to its risk importance. This underinvestment creates an opportunity that we believe will be recognized more broadly as nation-state attacks on critical infrastructure continue to make headlines.
The OT security market has characteristics that make it less attractive to generalist venture investors but more attractive to specialized investors with the technical and customer knowledge to evaluate it. Enterprise sales cycles are long, customer relationships are complex, the technical standards and protocols are specialized, and the buyer base is more heterogeneous and less well-networked than the enterprise IT security buyer community. But the market is large — total global spending on OT security is expected to exceed $30 billion by 2028 — and the incumbent vendors serving it are not well-positioned to address the AI and cloud dimensions of the evolving threat.
Several of the most interesting companies we have seen in OT security are building at the intersection of OT and IT — specifically, securing the converged environments where OT systems are being connected to IT networks and cloud services for operational efficiency. This convergence is creating attack vectors that neither traditional IT security tools nor traditional OT security tools are designed to defend.
What the Funding Data Does Not Tell You
Raw funding data — the total dollars invested in a category in a given year — is a lagging indicator of where the most important companies are being built. By the time a category shows up in the top funding quartile of venture data, the category has been recognized, competition has intensified, and valuations have incorporated much of the expected value creation.
The companies that generate venture-scale returns are most often built in the categories that appear in the funding data eighteen to thirty-six months after they become compelling opportunities. Looking at what categories are attracting the most seed-stage founder talent today — rather than where the most growth capital is going today — is a more reliable leading indicator of where the next generation of important security companies will come from.
By that metric, we are particularly interested in agentic AI security, post-quantum cryptography migration tooling, and AI-native security operations platforms. These categories are early, lightly funded, and not yet on the radar of most growth-stage investors. That is precisely what makes them compelling to Ciphero Ventures.
Key Takeaways
- AI security attracted $4.2B in venture investment in 2024 — the signal is in AI access governance and LLAM-specific tooling; the noise is in rebranded conventional security products
- Identity is in its third investment cycle, driven by the non-human identity explosion and AI agent governance requirements
- Cloud security is consolidating at the platform level while DSPM and multi-cloud security remain active early-stage categories
- OT security is systematically undercapitalized relative to its risk importance, creating opportunities for specialized investors
- Seed-stage founder concentration in agentic AI security, post-quantum migration, and AI-native SecOps signals where the next generation of important companies will emerge
- Funding data lags actual opportunity by 18-36 months; where founders with deep expertise are choosing to build today is the better leading indicator