This report is an editorial research synthesis covering MSSP and cybersecurity services M&A multiples for 2026. It is not investment advice, not a business appraisal, and not a fairness opinion. Every multiple cited below is conditional on deal structure, earnings quality, contract mix, and buyer type. Owners considering a sale should commission a formal valuation and a quality of earnings review before anchoring on any figure in this document. Geography is United States and Canada unless otherwise stated, and UK and cross-border deals are labeled individually. The observation window runs from 2019 context through disclosed activity as of July 2026.
Managed security service providers occupy the premium end of the IT services deal tape, and the premium is measurable. This report benchmarks what buyers appear to pay for MSSPs, MDR specialists, SOC operators, compliance firms, penetration testers, and security-led advisory practices, by size band and by sub-segment. It sits inside our IT and managed services cluster as a spoke under the IT and managed services valuation pillar, and it treats the generalist benchmarks in our MSP multiples spoke as the baseline against which the cybersecurity premium is measured.
1. Executive Summary

- Small cybersecurity consultancies with under $1 million in revenue appear to trade between roughly 3x and 5x seller’s discretionary earnings based on small-transaction databases such as DealStats and BizBuySell (SDE basis, sub-$1M revenue, US, 2024-2026 listings and closed-deal data). Project-heavy shops without recurring contracts tend to sit at the bottom of that range.
- Lower-middle-market MSSPs with $3 million to $10 million in revenue and a high monitoring-contract MRR share appear to command roughly 8x to 11x adjusted EBITDA in 2025-2026 US processes, a synthesis of GF Data tech-enabled services aggregates, Service Leadership valuation benchmarking, and disclosed platform activity tracked by Momentum Cyber (adjusted EBITDA basis, $3M-$10M revenue, US, 2025-2026).
- MDR and XDR specialists at platform scale appear to price at roughly 12x to 16x adjusted EBITDA where EBITDA exists, or at roughly 2x to 4x recurring revenue where growth spending suppresses margins, based on the revenue-multiple convention visible in disclosed prints such as Sophos/Secureworks (dual convention, $25M+ revenue platforms, US/UK, 2024-2026). The MDR premium over monitoring-only peers appears to run roughly 2 to 3 turns of adjusted EBITDA.
- The cleanest disclosed services-adjacent print of the cycle is Sophos acquiring Secureworks for $859 million in cash, announced October 2024 and closed February 3, 2025 (transaction value basis, ~$330M-$366M trailing revenue target, US target/UK acquirer). Against Secureworks fiscal 2024 revenue of $365.9 million, the price implies roughly 2.3x trailing revenue, and against the roughly $330 million trailing revenue reported near close it implies roughly 2.6x (Companies Market Cap revenue series, revenue basis, large-cap MSSP/MDR, US, 2024-2025).
- The cybersecurity premium over generalist MSPs, which our IT and managed services pillar frames at roughly 2 to 4 turns of adjusted EBITDA, appears to hold across 2025-2026 and to widen at scale. Generalist MSPs in the $3M-$10M band typically clear 5x to 8x adjusted EBITDA, while security-led peers of the same size appear to reach 8x to 11x (adjusted EBITDA basis, $3M-$10M revenue, US, 2025-2026 synthesis).
- Deal volume context favors sellers on count but not indiscriminately on price. Momentum Cyber’s mid-year 2026 review, published July 1, 2026, reported cybersecurity M&A tracking toward the highest deal count it has ever recorded. Its 2025 year-end tally showed 398 transactions with $102 billion in disclosed value, per SiliconANGLE’s coverage of the Almanac (deal count and value basis, global, 2025).
- The macro ceiling reset in March 2026 when Google closed its $32 billion acquisition of Wiz after roughly 12 months of regulatory review (announced value basis, cloud security software, US/Israel, announced March 2025, closed March 11, 2026). That price applies to product software, not services, and no MSSP seller should treat it as a comp, but it signals strategic appetite at the very top of the market.
- Rate context matters for every debt-financed buyer model in this vertical. The federal funds target range stood at 3.50 to 3.75 percent per the Federal Reserve H.15 release as of mid-2026, down from the 5.25 to 5.50 percent peak that compressed 2023-2024 debt-financed multiples (rate basis, US, 2023-2026).
2. Key Findings
Fifteen verified data points follow, each tied to a primary or named source. Deal terms described as undisclosed carry no multiple, by rule, and private financing valuations are labeled as marks rather than sale comps throughout.
- Sophos/Secureworks, $859 million, closed February 3, 2025. Secureworks shareholders including Dell received $8.50 per share in cash, per Cybersecurity Dive (equity value basis, large MSSP/MDR, US target, announced 2024, closed 2025). The combined company claims MDR coverage of more than 28,000 organizations, per SecurityWeek.
- Secureworks implied revenue multiple of roughly 2.3x to 2.6x trailing revenue. Fiscal 2024 revenue was $365.9 million, and trailing revenue near close ran near $330 million, per the Companies Market Cap series drawn from SEC filings (revenue basis, ~$330M-$366M revenue, US, 2024-2025). A declining-revenue MDR carve-out from a public parent priced below 3x revenue is the single most instructive print for large MSSP sellers this cycle.
- Darktrace/Thoma Bravo, approximately $5.3 billion, completed October 2024. Thoma Bravo paid $7.75 per share in cash for the UK-listed AI security vendor. The deal implied roughly 8.1x calendar 2023 revenue of $616 million, per SecurityWeek’s deal analysis (EV/revenue basis, ~$616M revenue, UK, 2024). The same analysis put the price at roughly 34x adjusted EBITDA of $146 million (adjusted EBITDA basis, UK, 2024). Darktrace is a product company, and its 8.1x revenue print marks the software ceiling that pure services businesses do not reach.
- Google/Wiz, $32 billion, closed March 11, 2026. The deal was announced in March 2025, cleared by the US Department of Justice in November 2025, and cleared by the European Commission in February 2026, per TechCrunch and Cleary Gottlieb (announced value basis, cloud security software, US/Israel, 2025-2026). This is macro ceiling context only, not a services comp.
- Google/Mandiant, $5.4 billion, closed September 12, 2022. Google paid $23.00 per share, per TechCrunch (equity value basis, ~$483M revenue, US, 2022). Against Mandiant’s 2021 revenue of $483 million, the price implied roughly 11x revenue, which stands as the peak-era ceiling for a services-heavy cyber brand with elite incident-response franchise value (revenue basis, US, 2022 vintage).
- Arctic Wolf’s last disclosed equity valuation is $4.3 billion, set in July 2021. The Series F of $150 million led by Viking Global and Owl Rock established that mark, and the company subsequently closed a $401 million convertible notes offering in October 2022 rather than price new equity, per Arctic Wolf and Crunchbase News (post-money valuation basis, security operations platform, US, 2021-2022). This is a financing mark, not a sale comp.
- Arctic Wolf/Cylance, $160 million cash plus approximately 5.5 million Arctic Wolf shares, closed February 3, 2025. BlackBerry disclosed the terms in its 8-K (transaction value basis, endpoint security assets, US/Canada, 2024-2025). BlackBerry paid $1.4 billion for Cylance in 2018, so the exit recovered roughly 11 percent of the entry price in cash, per MSSP Alert (entry-vs-exit basis, US/Canada, 2018 vs 2025).
- Singtel/Trustwave exit at $205 million, announced 2023 and completed early 2024. Singtel sold its 98 percent Trustwave stake to MC2 Titanium for $205 million, per Telecompaper (transaction value basis, large MSSP, US operations/Singapore seller, 2023-2024). Singtel had paid $770 million for that stake in 2015, per telecoms.com, which makes Trustwave the vertical’s defining value-destruction print at roughly a 73 percent loss over nine years.
- LevelBlue/Trustwave, terms undisclosed, closed August 19, 2025. LevelBlue signed on July 1, 2025 and closed seven weeks later, creating what it describes as the world’s largest pure-play MSSP (no multiple cited, terms undisclosed, US, 2025). LevelBlue also completed the purchase of Aon’s cybersecurity and IP litigation consulting groups, including Stroz Friedberg, in 2025, terms undisclosed.
- Momentum Cyber counted 398 cybersecurity M&A transactions with $102 billion in disclosed value in 2025. Deal value rose 294 percent year over year, per SiliconANGLE’s Almanac coverage (count and value basis, global, 2025). Q2 2025 set the all-time quarterly count record at 109 deals. Q3 2025 set the quarterly value record at $44.2 billion.
- MDR/XDR private financing marks cluster above $1 billion. Expel raised $140.3 million at a valuation above $1 billion in November 2021 (post-money basis, MDR, US, 2021). Huntress raised $150 million at roughly $1.55 billion in June 2024 while reporting roughly 70 percent annual growth approaching $100 million ARR, per Crunchbase News (post-money basis, MSP-channel MDR, US, 2024). Blackpoint Cyber raised $190 million from Bain Capital Tech Opportunities and Accel in June 2023, valuation undisclosed (round size basis, MSP-channel MDR, US, 2023). All are financing marks, not sale comps.
- Structured capital replaced priced equity for mid-cycle MSSP platforms. Deepwatch announced $180 million in combined equity and strategic financing on February 15, 2023 from Springcoast Capital, Splunk Ventures, and Vista Credit Partners, valuation undisclosed (financing basis, MDR, US, 2023). BlueVoyant raised a $250 million Series D led by Liberty Strategic Capital in February 2022 at a reported valuation near $1 billion, then added over $140 million in November 2023 alongside its Conquest Cyber acquisition, per FinSMEs (post-money basis, MDR/supply-chain defense, US, 2022-2023).
- Palo Alto Networks bought IBM’s QRadar SaaS assets for $500 million, closed September 4, 2024. The Register reported the price alongside the company announcement (asset purchase basis, SIEM SaaS customer base, US, 2024). The deal shows platform vendors paying for migratable security customer bases, which reads through to MSSP client-base valuations.
- Best-in-class IT solution providers held adjusted EBITDA margins of 19 percent or better for a sixth consecutive year. Service Leadership’s 2026 annual profitability report also recorded managed service revenue growth of 9.6 percent and average enterprise value gains of roughly 15 percent year over year (margin and growth basis, ITSP universe including security practices, global survey with US weighting, 2025 data). Security-attached providers sit disproportionately in the top quartile of that dataset.
- CMMC enforcement began appearing in Department of Defense contracts on November 10, 2025. The 48 CFR final rule published September 10, 2025, and DFARS 252.204-7021 clauses started flowing 60 days later, per Summit 7 and PreVeil (regulatory basis, US defense industrial base, 2025-2026). Roughly 431 organizations held CMMC Level 2 certification a month before the deadline, and reported counts exceeded 1,000 by March 2026, per CMMC.com. This is the demand engine behind the compliance-services premium discussed in section 5.
3. Multiples by Size Band: The Valuation Spine
The table below is the report’s spine. Every figure is a synthesis estimate for US transactions closing or in market during 2025 and the first half of 2026, built from the sources named in each row. SDE and adjusted EBITDA are never blended in this report. The earnings basis switches at the band boundary and is labeled in every cell. Revenue multiples, where shown, are a separate convention for growth-mode businesses and are never derived from the earnings columns. These ranges describe market behavior and do not constitute an appraisal of any specific business.
| Revenue band | Earnings basis | Typical multiple range | Revenue-multiple convention | Typical buyer | Primary sources |
|---|---|---|---|---|---|
| Under $1M | SDE | 3.0x to 5.0x SDE (2025-2026, US); project-only shops nearer 2.5x to 3.5x SDE | Rarely used; roughly 0.7x to 1.2x revenue appears in listing data | Individual buyers, local MSPs adding a security practice, SBA-financed searchers | BizBuySell Insight Reports; DealStats NAICS 541512/541519/561621 small-transaction cohorts |
| $1M to $3M | SDE below roughly $500K of earnings; adjusted EBITDA above it | 3.5x to 5.5x SDE at the small end (2025-2026, US); 5.0x to 7.5x adjusted EBITDA once professionally managed | Roughly 1.0x to 1.8x revenue where MRR exceeds 60 percent | Regional MSSP consolidators, PE-backed MSP platforms buying a security wedge | DealStats; Service Leadership valuation benchmarking; broker intermediary data |
| $3M to $10M | Adjusted EBITDA | 8.0x to 11.0x adjusted EBITDA for high-MRR MSSPs (2025-2026, US); monitoring-resale-only models nearer 6.0x to 8.0x | Roughly 1.5x to 2.5x recurring revenue for growth-mode sellers with thin margins | PE platform add-ons, national MSSPs, first institutional platform investments | GF Data tech-enabled services aggregates; Momentum Cyber deal tracking; MSSP Alert Top 250 composition data |
| $10M to $25M | Adjusted EBITDA | 9.0x to 13.0x adjusted EBITDA (2025-2026, US), with MDR-capable sellers at the top of the band | Roughly 2.0x to 3.0x recurring revenue where reinvestment suppresses EBITDA | PE platforms, strategic MSSPs, security-hungry diversified IT services groups | GF Data; Momentum Cyber; Houlihan Lokey cyber coverage; Software Equity Group services commentary |
| $25M+ (platform) | Adjusted EBITDA, with revenue multiple as parallel convention | 11.0x to 16.0x adjusted EBITDA for scaled MDR/XDR platforms (2024-2026, US/UK) | Roughly 2.0x to 4.0x recurring revenue; Sophos/Secureworks printed roughly 2.3x to 2.6x trailing total revenue on a declining base in 2024-2025 | Global strategics, large-cap PE, take-private sponsors | Sophos/Secureworks disclosure; Darktrace ceiling context; Momentum Cyber Almanac |
Under $1 million in revenue: the SDE market
The smallest security consultancies transact in a market that looks more like Main Street business brokerage than institutional M&A. Buyers are individuals, searchers with SBA 7(a) financing, and local MSPs buying their way into a security practice. Pricing anchors to SDE because the owner is the business, and the listing and closed-deal cohorts visible in BizBuySell and DealStats suggest a working range of roughly 3x to 5x SDE (SDE basis, sub-$1M revenue, US, 2024-2026). Recurring monitoring contracts are the separator inside the band. A shop with contracted MRR above roughly 60 percent of revenue appears to reach the top half of the range, while a project-only assessment shop appears to price nearer 2.5x to 3.5x SDE (SDE basis, sub-$1M revenue, US, 2024-2026 synthesis). Financeability also sets a practical ceiling here, since SBA lenders underwrite historic cash flow rather than security-market narratives, and our SBA lender rankings cover which lenders understand recurring-revenue services at all.
$1 million to $3 million: the basis-switch band
This band is where the earnings convention itself becomes a negotiation. Owner-operated sellers with under roughly $500,000 of earnings still trade on SDE, at roughly 3.5x to 5.5x in 2025-2026 US processes per DealStats cohorts and broker commentary (SDE basis, $1M-$3M revenue, US). Professionally managed sellers in the same revenue band, with a market-rate salary already in the cost structure, appear to trade at roughly 5.0x to 7.5x adjusted EBITDA (adjusted EBITDA basis, $1M-$3M revenue, US, 2025-2026). The two conventions describe overlapping cash flows and must not be compared as if they were the same number. A revenue convention of roughly 1.0x to 1.8x also appears in this band where MRR exceeds 60 percent, and it is a separate framing rather than a translation of either earnings multiple (revenue basis, $1M-$3M revenue, US, 2025-2026). Buyers here are regional consolidators and PE-backed MSP platforms buying a security wedge, and Service Leadership benchmarking suggests they pay up for sellers whose margins already resemble the top-quartile ITSP profile.
$3 million to $10 million: the institutional entry point
This is the band where institutional capital arrives and SDE conversations end. High-MRR MSSPs appear to command roughly 8.0x to 11.0x adjusted EBITDA in competitive 2025-2026 US processes, synthesized from GF Data tech-enabled services aggregates, Momentum Cyber deal tracking, and MSSP Alert Top 250 composition data (adjusted EBITDA basis, $3M-$10M revenue, US). Monitoring-resale-only models with no owned detection stack appear to price nearer 6.0x to 8.0x on the same basis (adjusted EBITDA basis, $3M-$10M revenue, US, 2025-2026). A growth-mode alternative exists for sellers reinvesting margin into headcount and tooling, where roughly 1.5x to 2.5x recurring revenue appears as the working convention (recurring revenue basis, $3M-$10M revenue, US, 2025-2026). Sellers should note that the revenue convention is not automatically the better outcome, and the worked example below shows why a steady-margin seller can be worse off under revenue framing.
$10 million to $25 million: the platform audition
Sellers in this band are being priced as potential platforms rather than add-ons, and the range widens accordingly to roughly 9.0x to 13.0x adjusted EBITDA (adjusted EBITDA basis, $10M-$25M revenue, US, 2025-2026 synthesis from GF Data, Momentum Cyber, and bank commentary from Houlihan Lokey and Software Equity Group). MDR-capable sellers with documented response authority appear to anchor the top of the band, while managed-monitoring books without a detection franchise land in the lower half. The revenue convention runs roughly 2.0x to 3.0x recurring revenue where reinvestment suppresses EBITDA (recurring revenue basis, $10M-$25M revenue, US, 2025-2026). Buyer competition is at its most genuine here, since PE platforms, strategic MSSPs, and diversified IT services groups all bid this size, and process design that reaches at least two buyer families appears to be worth material price, per intermediary commentary compiled by Axial.
$25 million and above: the dual-convention platform market
At platform scale, the market runs two conventions in parallel and sophisticated sellers track both. Scaled MDR and XDR platforms appear to clear roughly 11.0x to 16.0x adjusted EBITDA where mature margins exist (adjusted EBITDA basis, $25M+ revenue, US/UK, 2024-2026). The parallel recurring-revenue convention runs roughly 2.0x to 4.0x, and the cycle’s cleanest disclosed anchor sits inside it, since Sophos/Secureworks printed roughly 2.3x to 2.6x trailing total revenue on a declining base (revenue basis, ~$330M-$366M revenue, US/UK, 2024-2025). The Darktrace take-private at roughly 8.1x revenue defines the software ceiling above this market, and no services platform should expect to close the gap to it (EV/revenue basis, UK, 2024). Buyers at this scale are global strategics and large-cap sponsors, and their bids diverge on synergy logic more than on the seller’s standalone numbers.
Four reading notes on the spine
First, the SDE-to-EBITDA basis switch around $500,000 to $1 million of earnings means the apparent jump between bands overstates the true price change, because SDE includes the owner’s compensation while adjusted EBITDA deducts a market-rate replacement salary. Second, the revenue-multiple column is a convention for EBITDA-light growth sellers and should never be back-solved against the earnings columns, since a 2.5x revenue price on a 15 percent margin business implies a very different earnings multiple than the same price on a 30 percent margin business. Third, all ranges assume a competitive process with more than one credible bidder, and proprietary one-buyer deals commonly close 1 to 2 turns lower based on intermediary commentary compiled by Axial across lower-middle-market services deals. Fourth, GF Data’s cross-industry aggregate for $10 million to $250 million enterprise-value buyouts has generally averaged in the low 7x range on trailing adjusted EBITDA in recent years, which means the MSSP ranges above embed a persistent sector premium of roughly 2 to 5 turns over the generic private-deal tape (adjusted EBITDA basis, $10M-$250M TEV, US, subscription dataset, recent-year aggregates).
Worked example: how one business reads three ways
Consider a hypothetical Midwest MSSP with $6 million in revenue, 75 percent contracted monitoring and MDR MRR, and $1.4 million of adjusted EBITDA after a market-rate salary for the founder. Read on the spine, the business sits in the $3M-$10M band, and a competitive process would suggest roughly $11.2 million to $15.4 million of enterprise value at 8x to 11x adjusted EBITDA (adjusted EBITDA basis, US, 2025-2026 synthesis). Read under the revenue convention that a growth-stage buyer might propose, 2x on the roughly $4.5 million recurring base suggests only about $9 million, which shows why steady-margin sellers should resist revenue-convention framing. Now suppose the same business were owner-operated with the founder drawing minimal salary and $1.9 million of SDE. An SDE-basis conversation at 4.5x would suggest roughly $8.6 million, and the apparent discount versus the EBITDA read is mostly the accounting for the founder’s replacement cost rather than a different market. The lesson is procedural rather than numerical. The earnings basis is a negotiating decision that moves headline value by seven figures on an identical business, which is why this report never blends bases and why sellers should not either. A first-pass calculator can frame the range, and a quality of earnings review determines which adjusted figure survives diligence.
4. Multiples by Sub-Segment
The vertical is not one market. Eight sub-segments trade on visibly different economics, and the labels below follow the taxonomy used by MSSP Alert and CyberRisk Alliance in their annual Top 250 research. All ranges are US, 2025-2026, adjusted EBITDA basis unless labeled otherwise, and all carry the same conditional caveats as the spine table.
| Sub-segment | Typical range (basis labeled) | Position versus vertical average |
|---|---|---|
| Pure-play MSSP | ~7x to 10x adjusted EBITDA | At or slightly below average |
| MDR / XDR specialist | ~10x to 16x adjusted EBITDA, or ~2x to 4x recurring revenue | Premium segment |
| SOC-as-a-Service | ~8x to 12x adjusted EBITDA | Average to premium, hinges on SOC ownership |
| Compliance / GRC | ~7x to 11x adjusted EBITDA | Rising, CMMC-driven |
| Pen-testing / offensive security | ~6x to 9x adjusted EBITDA | Discount, project revenue |
| vCISO / advisory | ~4x to 7x adjusted EBITDA; ~3x to 4.5x SDE at small scale | Deepest discount |
| MSP with security practice | ~6x to 9x adjusted EBITDA | Between generalist MSP and MSSP |
| PE-backed platform | ~11x to 16x adjusted EBITDA, or ~2x to 4x recurring revenue | Top of market |
All figures are US, 2025-2026 synthesis ranges under the caveats stated above, and each is developed with sources in the subsections that follow.
4.1 Pure-play MSSP (managed monitoring and management)
Traditional MSSPs that resell and manage SIEM, firewall, and endpoint tooling appear to trade at roughly 7x to 10x adjusted EBITDA in the $3 million to $25 million revenue range (adjusted EBITDA basis, US, 2025-2026 synthesis from GF Data services aggregates and Momentum Cyber tracking). The Trustwave arc defines the risk at scale. A $770 million entry in 2015 became a $205 million exit in 2023-2024 (transaction value basis, large MSSP, US/Singapore, 2015 vs 2023). Monitoring-only revenue without a differentiated detection stack is the most commoditized dollar in the vertical, and buyers price it accordingly. The upgrade path is visible in the diligence lists buyers now send, which probe whether the seller writes its own detection content, holds response authority in contract language, and retains analysts who could rebuild that content elsewhere. Sellers who can answer yes to those questions have usually already migrated out of this segment’s pricing and into the MDR band below.
4.2 MDR / XDR specialist (the premium segment)
Providers that own their detection pipeline and deliver managed response appear to command roughly 10x to 16x adjusted EBITDA at scale, or roughly 2x to 4x recurring revenue under the growth convention (dual convention, $10M+ revenue, US, 2024-2026). The premium rests on three disclosed reference points. Sophos paid $859 million for Secureworks explicitly to become the largest pure-play MDR provider (transaction basis, US, 2025). Huntress priced its June 2024 Series D at roughly $1.55 billion while approaching $100 million ARR, implying a mid-teens forward ARR multiple on a private financing basis that M&A prices will not fully match (post-money basis, US, 2024). Expel and Deepwatch both raised at or above unicorn marks in 2021-2023, per their disclosed rounds (post-money basis, US, 2021-2023). Financing marks are not sale prices, and the gap between the two is where 2026 negotiations actually happen. A seller quoting the Huntress mark as a comp will be repriced in the first management meeting, while a seller quoting the Secureworks print as a floor argument has at least chosen a disclosed transaction.
4.3 SOC-as-a-Service
Sellers whose product is a staffed 24/7 security operations center appear to trade at roughly 8x to 12x adjusted EBITDA when the SOC is in-house and utilization runs high (adjusted EBITDA basis, $5M-$25M revenue, US, 2025-2026 synthesis). The valuation hinge is whether the SOC is an asset or a cost center. A SOC with proprietary detection content, documented analyst playbooks, and under 20 percent annual analyst attrition supports the top of the range, while a SOC that is effectively a white-labeled reseller of another provider’s platform gets priced like the pure-play MSSP segment. Buyers increasingly test SOC economics against the AI-automation benchmarks described in Service Leadership’s 2026 report, which found the best-run providers expanding service gross margins through automation (margin basis, ITSP universe, 2025 data). A SOC whose cost per monitored endpoint has been falling for eight consecutive quarters is an asset in that conversation, and a SOC whose staffing scales linearly with clients is a liability dressed as a capability.
4.4 Compliance / GRC services (the CMMC effect)
Compliance-led firms appear to trade at roughly 7x to 11x adjusted EBITDA, with CMMC-certified assessors and FedRAMP-experienced advisors at the top of the band (adjusted EBITDA basis, $2M-$15M revenue, US, 2025-2026). The demand shock is regulatory and dated. DFARS CMMC clauses began entering DoD solicitations on November 10, 2025 (regulatory basis, US, 2025). The DoD estimates its Phase 1 self-assessment requirements touch roughly 65 percent of the defense industrial base, per Wiley’s rule analysis (coverage basis, US DIB, 2025). Certified Level 2 organizations numbered roughly 431 one month before the deadline, per CMMC.com, which means assessment and remediation capacity remains scarce relative to a DIB counted in the tens of thousands. Authorized C3PAO status functions as a license-like moat, and buyers appear willing to pay 1 to 2 incremental turns for it based on intermediary commentary during 2025-2026 processes. The recurring caveat: one-time assessment revenue gets a project-revenue discount, so the premium accrues to firms that convert assessments into continuous-compliance subscriptions. The gold rush framing is accurate on demand and misleading on pricing, since buyers underwrite the annuity rather than the backlog.
4.5 Pen-testing / offensive security
Offensive security firms appear to trade at roughly 6x to 9x adjusted EBITDA (adjusted EBITDA basis, $2M-$20M revenue, US, 2025-2026 synthesis). The discount to MDR reflects project revenue and tester-concentration risk, since a firm whose top five testers generate most of the delivery capacity has employee flight risk that no escrow fully covers. Two features move a pen-test firm up the range: a scheduled retest and continuous-validation subscription base, and brand-name credentials such as CREST accreditation or a published research franchise. The strategic appetite is real, since LevelBlue explicitly cited Trustwave’s SpiderLabs offensive research team in its acquisition rationale (strategic rationale basis, US, 2025). A research brand that generates inbound enterprise engagements is the closest thing this segment has to recurring revenue, and buyers appear to price it as marketing infrastructure rather than as goodwill.
4.6 vCISO / advisory (the people-heavy discount)
Fractional CISO and security advisory practices appear to trade at roughly 4x to 7x adjusted EBITDA, and the smallest practices trade on SDE at roughly 3x to 4.5x (dual basis by size, sub-$5M revenue, US, 2025-2026 synthesis from DealStats professional-services cohorts and broker data). This is the deepest discount in the vertical because the product is senior human judgment, which does not scale and frequently walks out the door at close. Buyers structure around that risk with earnouts, retention packages, and consulting agreements, all of which shift proceeds from certain to contingent. Advisory practices that productize deliverables into subscription programs with junior-staffed delivery teams can migrate toward compliance-segment pricing, and that migration is the single highest-return pre-sale move available to an advisory founder. The test a buyer applies is simple: if the two most senior people took a six-month sabbatical, would revenue survive? Where the honest answer is no, the multiple prices the people rather than the business.
4.7 MSP with a security practice (the crossover)
Generalist MSPs with a genuine security practice appear to trade at roughly 6x to 9x adjusted EBITDA, sitting between the generalist MSP band and the pure MSSP band (adjusted EBITDA basis, $3M-$15M revenue, US, 2025-2026). Our generalist MSP multiples spoke covers the base rates in detail. The crossover premium is conditional on evidence, and buyers in 2025-2026 diligence security-attach claims hard. They look for separately priced security SKUs, security-specific tooling contracts, dedicated security headcount, and a client-level report showing what share of MRR is security-labeled. An MSP claiming 30 percent security revenue that turns out to be bundled antivirus resale gets repriced to the generalist band during diligence, a pattern intermediaries reported repeatedly across 2025 processes tracked in MSSP Alert’s deal coverage. The practical implication runs in both directions, since an MSP that unbundles and documents a real security practice two years before a sale appears to capture 1 to 2 turns that an identical but undocumented peer concedes.
4.8 PE-backed platform trades
Platform-to-platform and sponsor-to-sponsor trades at $25 million revenue and above appear to clear at roughly 11x to 16x adjusted EBITDA, or the 2x to 4x recurring-revenue convention for EBITDA-light growth assets (dual convention, $25M+ revenue, US/UK, 2024-2026). Consolidator formation evidence includes Cyderes, created in 2022 from the merger of Herjavec Group and Fishtech Group with terms undisclosed, per the company announcement (no multiple cited, US/Canada, 2022). It also includes LevelBlue, formed in 2024 from AT&T’s cybersecurity unit in partnership with WillJam Ventures and expanded through the undisclosed-terms Trustwave and Aon-unit purchases in 2025, per LevelBlue’s releases (no multiples cited, US, 2024-2025). Sponsors buying platforms underwrite multiple arbitrage. Add-ons acquired at 6x to 9x adjusted EBITDA blend down the platform’s effective entry price against an anticipated double-digit exit multiple, which is the same arithmetic our private equity MSP tracker documents for the generalist side of the cluster. For a seller, the arbitrage is a negotiating fact rather than a grievance, and the response is to run a process where a strategic bid disciplines the sponsor math.
5. What Moves the Multiple: Eighteen Drivers
Buyers in this vertical underwrite a checklist, and each item below moves price in a direction that intermediary commentary and disclosed deal rationales make legible. Directional magnitudes are synthesis estimates for US lower-middle-market processes in 2025-2026 and are conditional on everything else holding steady.
- Recurring MRR share and contract length (the dominant driver). Sellers above roughly 80 percent contracted monitoring MRR with multi-year terms appear to anchor the top of every band, while sub-50 percent recurring sellers get repriced toward project-services multiples, a spread that intermediaries put at 2 to 4 turns of adjusted EBITDA across 2025-2026 processes. Auto-renewing three-year contracts with CPI escalators are the gold standard buyers cite.
- MDR capability versus monitoring-only stack depth. Owning detection logic and response authority, rather than forwarding alerts, appears to be worth roughly 2 to 3 turns, and the Sophos rationale for the $859 million Secureworks purchase was explicitly MDR scale rather than monitoring seats (strategic rationale basis, US/UK, 2024-2025).
- Proprietary tooling versus pure services. Sellers with owned software in the delivery path import a slice of software economics, and the disclosed spectrum runs from services prints near 2.5x revenue for Secureworks to product prints at 8.1x revenue for Darktrace (revenue basis, US/UK, 2024-2025). Most MSSPs sit far closer to the services end than founders believe.
- SOC model: 24/7 in-house versus follow-the-sun versus outsourced. A staffed in-house 24/7 SOC with documented playbooks supports premium pricing, a follow-the-sun model with offshore benches gets margin credit but concentration questions, and a white-labeled outsourced SOC pushes the business toward reseller economics. Buyers commonly ask for SOC shift schedules and analyst tenure data in the first diligence request list.
- Analyst retention and talent scarcity. Security analyst attrition above roughly 25 percent annually is a repricing event because rebuilding detection expertise is slow, and retention bonuses funded from seller proceeds have become a standard structuring tool in 2025-2026 processes per intermediary commentary compiled by Axial.
- Certifications: SOC 2 Type II, ISO 27001, CMMC C3PAO, FedRAMP. Certification stacks function as transferable trust assets. FedRAMP authorization is scarce enough that LevelBlue highlighted Trustwave’s status as the first FedRAMP-authorized pure-play MDR provider in its close announcement (strategic rationale basis, US, 2025). C3PAO authorization carries a similar scarcity premium in the defense supply chain.
- Client vertical mix and the regulated premium. Books weighted toward defense, healthcare, financial services, and critical infrastructure appear to price above generalist SMB books because compliance renewal cycles anchor retention. The CMMC phase-in that began November 10, 2025 converts defense-adjacent client bases into multi-year regulatory annuities (regulatory basis, US, 2025-2026).
- Client concentration. A single client above roughly 20 percent of MRR typically triggers price adjustment or contingent structure, and concentration above 30 percent can convert a headline multiple into an earnout-heavy deal regardless of segment.
- Net revenue retention. NRR above roughly 105 percent, driven by seat growth and module attach, appears to support top-of-band pricing, while sub-95 percent NRR raises churn questions that no adjusted-EBITDA bridge can answer. Buyers increasingly request cohort-level NRR rather than blended figures.
- Security-tool vendor relationships. Elite partner status with CrowdStrike, SentinelOne, Microsoft, or Palo Alto Networks is a channel asset, and the MSP-channel MDR financings of Huntress and Blackpoint Cyber were priced substantially on channel reach (post-money basis, US, 2023-2024). Dependence cuts both ways, since a stack rebuilt on one vendor’s platform imports that vendor’s pricing decisions as a permanent margin risk.
- Cyber insurance panel relationships. Placement on carrier incident-response and remediation panels generates high-intent inbound work, and panel status is contractually documented, which makes it one of the few marketing assets that survives diligence scrutiny intact.
- Incident-response retainer base. Prepaid IR retainers convert emergency work into recurring revenue and feed MDR conversion. Google’s $5.4 billion Mandiant purchase demonstrated the franchise value of an elite IR brand at roughly 11x 2021 revenue (revenue basis, US, 2022 vintage, peak-cycle pricing).
- Compliance-recurring share. Continuous-compliance subscriptions, such as ongoing CMMC or SOC 2 readiness programs, appear to price like monitoring MRR rather than project work, which is why compliance-heavy sellers push to convert assessments into managed programs during the two years before a sale.
- Owner dependency. A founder who holds the top client relationships, the senior security judgment, and the vendor negotiations is the classic discount case that our owner dependency analysis quantifies, and in security services the effect compounds because clients buy trust in specific people.
- Gross margin profile. Managed security gross margins above roughly 50 percent signal real service delivery, while margins in the 20s suggest hardware and license pass-through inflating the revenue line. Buyers routinely restate revenue net of pass-through before applying any multiple, which can shrink an apparent revenue base sharply.
- Growth rate against the rebased 2026 tape. With Service Leadership reporting 9.6 percent managed-service revenue growth for 2025, security sellers growing above roughly 20 percent organically appear to earn growth credit, while flat sellers get the Secureworks treatment of pricing on a declining-asset basis (growth basis, ITSP universe, 2025 data).
- AI-SOC exposure, in both directions. Buyers in 2025-2026 price automation economics as upside when the seller owns it and as disruption risk when the seller’s labor-heavy model competes against it, and the discourse around AI-driven SOC tooling has become a standard diligence topic per MSSP Alert’s 2025-2026 coverage.
- Quality of earnings defensibility. Adjusted EBITDA that survives a third-party QoE, with clean deferred-revenue accounting and defensible addbacks, closes the gap between headline and final price, and our QoE provider comparison covers the vendor field. Sellers who pre-commission sell-side QoE appear to retain roughly half a turn to a full turn that would otherwise leak in re-trading, per intermediary commentary.
6. Trend and Trajectory: 2019 to Mid-2026
2019 baseline
Pre-pandemic MSSP deals priced as an IT-services premium niche, with lower-middle-market security sellers clearing modest premiums over generalist MSPs and the segment lacking today’s MDR pricing architecture. The vertical’s reference disaster was already on the board, since Singtel had paid $770 million for Trustwave in 2015 and was publicly reviewing the asset by 2021 (entry price basis, US/Singapore, 2015). The lesson buyers took into the next cycle was that scale alone does not protect a monitoring franchise, and that lesson has been priced into every large MSSP process since.
2020-2022 cyber boom
Ransomware economics, remote-work attack surface, and zero-rate capital produced the vertical’s peak pricing. Google paid $5.4 billion for Mandiant at roughly 11x trailing revenue in a deal that closed September 2022 (revenue basis, US, 2022). Arctic Wolf’s equity was marked at $4.3 billion in July 2021 (post-money basis, US, 2021). Expel crossed a $1 billion valuation in November 2021 on $140.3 million of new capital (post-money basis, US, 2021). Thoma Bravo’s identity-security take-privates, including the $12.3 billion Proofpoint deal in 2021 and the $6.9 billion SailPoint deal in 2022, set the software ceiling that pulled services expectations upward (transaction value basis, US, 2021-2022). Sellers who anchored on those marks and did not transact would spend the next three years discovering what vintage means.
2023-2024 rate compression and funding winter
The federal funds target peaked at 5.25 to 5.50 percent from July 2023 through September 2024, per the Federal Reserve H.15 series, and debt-financed buyers repriced accordingly (rate basis, US, 2023-2024). Priced equity rounds gave way to structure, as Arctic Wolf’s $401 million convertible notes in October 2022 and Deepwatch’s $180 million equity-plus-credit package in February 2023 both avoided setting new marks (financing basis, US, 2022-2023). The marker prints of the trough were unsentimental. Singtel exited Trustwave at $205 million against a $770 million entry (transaction basis, US/Singapore, 2023-2024). Sophos agreed to buy Secureworks at roughly 2.3x to 2.6x trailing revenue in October 2024 (revenue basis, US, 2024). BlackBerry’s Cylance exit at $160 million cash against a $1.4 billion 2018 entry closed the loop on boom-era endpoint pricing (transaction basis, US/Canada, closed 2025).
2025 to mid-2026 rebase
Three forces reset the market above the trough without reinflating 2021. First, volume returned decisively, with Momentum Cyber recording 398 deals and $102 billion of disclosed 2025 value, followed by a July 1, 2026 mid-year report tracking toward the highest annual count ever (count basis, global, 2025-2026). Second, regulation created a demand floor, since CMMC clauses began entering DoD contracts November 10, 2025 with Phase 1 running through late 2026 (regulatory basis, US, 2025-2026). Third, the cost of debt fell, with the funds rate at 3.50 to 3.75 percent by mid-2026 per H.15, restoring roughly 175 to 200 basis points of debt-financed buyer capacity versus the peak (rate basis, US, 2024-2026). The ceiling context also moved, since Google’s Wiz close in March 2026 at $32 billion signaled undiminished strategic appetite for security assets at the very top (announced value basis, US/Israel, 2026). Set against that, the AI-SOC discourse acts as a brake on labor-heavy sellers, since buyers now model what share of a seller’s analyst hours automation could replace or undercut.
Public SaaS ceiling, clearly labeled
CrowdStrike reported fiscal 2025 revenue of $3.95 billion, SentinelOne reported fiscal 2025 revenue of roughly $821 million, and Zscaler reported fiscal 2025 revenue of roughly $2.7 billion, per their investor disclosures (revenue basis, US public companies, fiscal years ending 2025). These names have generally traded at forward enterprise-value-to-revenue multiples in the high single digits to above 20x across 2025-2026 depending on growth, and they are cited here strictly as the public software ceiling. No private MSSP services business trades on these metrics, and any banker deck implying otherwise should be read skeptically.
Buyer field in mid-2026
Four buyer families set the clearing price, and they rarely bid the same number. Strategic security platforms, exemplified by Sophos after the Secureworks close and LevelBlue after the Trustwave close, pay for client bases and MDR capacity they can migrate onto existing platforms, and they tend to bid highest when the seller’s stack overlaps their own (strategic rationale basis, US/UK, 2025). PE-backed consolidators, the Cyderes and BlueVoyant model, underwrite add-on arithmetic and typically anchor 1 to 2 turns below strategics on identical assets while offering rollover upside that strategics cannot match. Product vendors buying customer bases, the pattern Palo Alto demonstrated with the $500 million QRadar SaaS purchase, surface episodically and price per migratable customer rather than on earnings (asset basis, US, 2024). Individual and search-fund buyers dominate below roughly $5 million of enterprise value, transact on SDE with SBA financing, and are covered in our SBA lender rankings. A seller’s process design should target at least two of these families, since the spread between the best strategic bid and the best financial bid on the same MSSP commonly exceeds 20 percent of enterprise value per intermediary commentary across 2025-2026 processes.
Outlook into 2027, stated conditionally
Three watch items will decide whether the 2026 rebase extends or stalls. The first is the CMMC Phase 2 calendar, since certification-assessment requirements broaden after Phase 1 and each phase converts another tranche of the defense supply chain into mandatory buyers of assessment and continuous-compliance services, per the phased schedule described by Summit 7 (regulatory basis, US, 2025-2027). The second is the pace of AI-SOC substitution, which could compress pricing for labor-heavy monitoring sellers faster than the market currently assumes while raising it for tooling owners, and no reliable dataset yet quantifies that split. The third is rate path, since each further cut below the mid-2026 target range of 3.50 to 3.75 percent per H.15 adds debt capacity to financial buyers who already anchor the bid side of most lower-middle-market processes (rate basis, US, 2026). A reasonable base case is that high-MRR security sellers hold or gain modestly into 2027, project-heavy sellers stay flat, and the intra-vertical spread documented in section 4 widens rather than narrows. That is a forecast of market structure, not a promise, and it should be re-tested against disclosed prints as they arrive.
7. Deal Structure: How MSSP Deals Actually Pay Out
Headline multiples describe total consideration, not cash at close, and security-services deals carry heavier contingent structure than generalist IT services because the assets at risk, meaning analysts and contracts, are mobile.
Cash at close. Competitive lower-middle-market processes in 2025-2026 appear to deliver roughly 60 to 80 percent of consideration in cash at close for high-MRR sellers, with the balance in contingent instruments, based on intermediary structure commentary consistent with the benchmarks in our founder earnout study.
Earnouts tied to MRR and NRR retention. Security earnouts increasingly key on retention metrics rather than revenue growth, with 12-to-24-month MRR retention hurdles the modal design in 2025-2026 processes. Sellers should negotiate measurement definitions with care, since a client that downgrades from MDR to monitoring-only can technically retain while gutting the economics. Our earnout benchmarks guide covers hurdle design in depth.
Rollover equity of 20 to 40 percent. PE platform buyers in this vertical push rollover harder than in generalist MSP deals because founder and senior-analyst continuity protects the detection franchise, and rollover in the 20 to 40 percent range matches the cross-industry patterns in our rollover equity benchmarks. A second bite at platform exit can exceed the first check when consolidation arbitrage works, which is the explicit sponsor pitch across this cluster. Talent-critical businesses should expect the buyer to insist on the higher end of that range, since rollover is the buyer’s cheapest retention instrument.
Seller notes and SBA structures at the small end. Sub-$5 million transactions frequently combine SBA 7(a) financing with seller notes of 10 to 20 percent, and buyers using this route should consult our SBA lender rankings since lender familiarity with recurring-revenue security businesses varies widely.
Diligence instruments. Representations and warranties insurance now reaches down into mid-market security deals, and carrier selection matters for cyber-specific exclusions, a topic our R&W carrier comparison treats in detail. Buy-side QoE is effectively universal above $2 million of EBITDA, and sell-side QoE preparation is the highest-return pre-market investment per our QoE provider comparison.
Retention pools. Deals in this vertical commonly carve 3 to 8 percent of consideration into analyst retention pools, a structure buyers justify by pointing at SOC attrition risk and sellers should treat as part of total price rather than a giveaway.
Seller preparation timeline
The structure outcomes above are substantially determined before a process starts, and the standard two-year preparation arc for an MSSP seller runs as follows. Twenty-four months out, convert month-to-month clients onto multi-year auto-renewing agreements and begin documenting response authority in contract language, since contracted MRR share is the dominant driver in section 5. Eighteen months out, separate security SKUs from bundled billing so the security revenue claim survives diligence, and start tracking cohort-level NRR. Twelve months out, address the certification stack, because SOC 2 Type II audits and CMMC-related credentials have lead times that cannot be compressed near a deal. Nine months out, commission sell-side QoE using the criteria in our provider comparison, and remediate the addbacks it flags rather than arguing them later. Six months out, reduce owner dependency visibly by moving client relationships and vendor negotiations to the second layer, the failure mode our owner dependency analysis documents. This sequencing does not manufacture value that is not there, but intermediary commentary consistently suggests it protects 1 to 2 turns that unprepared sellers concede in re-trading.
8. Original Synthesis: Three Derived Insights
These three insights are derived by this report from the verified data above. They are analytical constructions, not sourced statistics, and each states its derivation so a reader can audit or reject it.
Insight 1: The MDR premium over monitoring-only is roughly 2 to 3 turns of adjusted EBITDA, and it is a control premium, not a technology premium
Derivation: the pure-play MSSP band in section 4.1 centers near 7x to 10x adjusted EBITDA while the MDR specialist band in section 4.2 centers near 10x to 16x, and the overlap-adjusted midpoint gap runs roughly 2 to 3 turns (adjusted EBITDA basis, US, 2025-2026 synthesis). The disclosed record explains why the gap exists. Sophos framed its $859 million Secureworks purchase around MDR leadership across more than 28,000 organizations, not around monitoring seat count (strategic rationale basis, US/UK, 2024-2025). The channel-MDR financings of Huntress and Blackpoint Cyber priced response capability delivered through partners, not alert forwarding (post-money basis, US, 2023-2024). The distinction buyers pay for is authority. An MDR provider that can contain an endpoint without a client meeting owns the outcome, while a monitoring provider that escalates a ticket owns a notification. Outcome ownership shows up in pricing power, in retention, and in the ability to publish response-time statistics that become sales collateral. The practical corollary for sellers is that MDR capability claimed but not contractually documented earns no premium, because diligence teams read the service agreements, and response authority either appears in the contract language or it does not.
Insight 2: Compliance-recurring revenue now prices like monitoring MRR, and CMMC is the reason
Derivation: pre-2025 broker convention treated compliance work as project revenue deserving project multiples, yet the compliance/GRC band in section 4.4 now overlaps the pure-play MSSP band, and the top of it touches MDR territory (adjusted EBITDA basis, US, 2025-2026 synthesis). The mechanism is a regulatory calendar. CMMC clauses began entering DoD solicitations on November 10, 2025. Phase 1 self-assessment coverage reaches roughly 65 percent of the defense industrial base per Wiley’s analysis. Certified Level 2 organizations numbered only about 431 one month before the deadline per CMMC.com (regulatory basis, US, 2025). Scarce assessment capacity against a mandatory multi-year compliance calendar converts what was episodic consulting into a renewable annuity, and buyers price annuities. A defense-supply-chain client cannot churn away from CMMC the way an SMB can churn away from a monitoring contract, which arguably makes compliance-recurring revenue stickier than monitoring MRR even though the market has only just stopped discounting it. The derived rule of thumb: a compliance practice with over 60 percent of revenue in continuous-compliance subscriptions and C3PAO or FedRAMP-adjacent credentials appears to earn 1 to 2 turns over an otherwise identical assessment-project shop, and the FedRAMP framing in LevelBlue’s Trustwave rationale shows platform buyers underwriting exactly this logic (strategic rationale basis, US, 2025).
Insight 3: The people-heavy versus tooling-heavy divergence is roughly 5x versus a revenue-multiple conversation, and AI widened it in 2025-2026
Derivation: the vCISO/advisory band in section 4.6 bottoms near 4x adjusted EBITDA while tooling-owning MDR platforms in section 4.2 reach 16x adjusted EBITDA or migrate entirely to the 2x to 4x recurring-revenue convention, which is the widest intra-vertical spread in the IT and managed services cluster (dual basis, US, 2025-2026 synthesis). The disclosed record brackets the spread. An elite human-judgment franchise at global scale reached roughly 11x revenue in the Mandiant deal at the 2022 peak, while an undifferentiated large services book was worth $205 million against a $770 million entry in the Trustwave exit (revenue and transaction basis, US, 2022-2024). What changed in 2025-2026 is that AI-assisted SOC tooling gave buyers a concrete model for which human hours are defensible. Hours spent on triage and log review are now underwritten as automatable cost, while hours spent on response judgment, adversary emulation, and client-facing security leadership are underwritten as scarce. A seller’s multiple increasingly depends on which side of that line its payroll sits. The derived seller playbook has three moves: instrument the delivery stack so automation shows up in gross margin rather than in a slide, shift advisory deliverables into productized subscriptions, and document per-analyst client ratios over time, because a rising ratio is the cleanest evidence that the business owns tooling economics rather than renting labor arbitrage.
9. Methodology
Scope and window. This report benchmarks M&A pricing for MSSP and cybersecurity services businesses, primarily US and Canadian targets, with UK and cross-border deals labeled individually. The observation window runs from 2019 context through disclosed activity as of July 2026, with the 2025 to mid-2026 period weighted most heavily. This is editorial research, not investment advice and not a business appraisal.
Earnings basis discipline. SDE multiples and adjusted EBITDA multiples are never blended in this report, and revenue multiples are treated as a third, separate convention. Sub-$1 million businesses are benchmarked on SDE because owner compensation dominates their economics. Businesses above roughly $1 million in revenue with professional management are benchmarked on adjusted EBITDA. Growth-mode businesses with suppressed margins are described under the recurring-revenue convention, and each table cell labels its basis.
Named-deal rule. Named transactions carry multiples only where consideration and financials are publicly disclosed, as with Sophos/Secureworks, Darktrace/Thoma Bravo, Google/Mandiant, Arctic Wolf/Cylance, Palo Alto/QRadar, and Singtel/Trustwave. Deals with undisclosed terms, including LevelBlue/Trustwave and the Cyderes formation, appear as market-structure evidence with no multiple attached. Private financing valuations, such as Arctic Wolf, Huntress, Expel, BlueVoyant, and Blackpoint Cyber, are labeled as financing marks and are never presented as sale comps.
Range construction. Size-band and sub-segment ranges synthesize four inputs: disclosed transaction prints, subscription databases covering private deals (GF Data, DealStats, PitchBook), operational benchmarking (Service Leadership, MSSP Alert Top 250), and intermediary commentary from banks active in the vertical (Houlihan Lokey, Corum Group, Software Equity Group, martinwolf). Where inputs conflict, disclosed prints outrank databases, and databases outrank commentary.
Triangulation weighting. Where the four input families disagree on a range, this report weights disclosed prints at roughly half of the judgment, databases at roughly a third, and benchmarking plus commentary for the remainder, with the weights shifting toward databases in bands where no disclosed prints exist. The sub-$3 million bands therefore lean on DealStats and BizBuySell cohorts, while the $25 million-plus band leans on the Sophos/Secureworks print and the take-private record. Readers who weight differently will land on somewhat different ranges, which is the intended property of a transparent synthesis.
Rate and vintage context. Every multiple is a creature of its financing environment. This report anchors rate context to the Federal Reserve H.15 release, with the funds target at 3.50 to 3.75 percent as of mid-2026 versus the 5.25 to 5.50 percent 2023-2024 peak. Pre-2023 prints, including Mandiant and the 2021 financing marks, are flagged as peak-vintage and should be discounted accordingly.
Limitations. Private-deal databases skew toward reported transactions and may overweight intermediated deals. Sub-segment boundaries are porous, and many real sellers straddle two or three categories. Synthesis ranges are editorial estimates that could not survive as evidence in a valuation dispute, which is one more reason this report is not an appraisal.
10. Source Quality Ranking
Tier 1 (transaction-grade). SEC filings and company disclosures for named deals (BlackBerry 8-K on Cylance, Thoma Bravo deal releases, Palo Alto Networks close announcement); Federal Reserve H.15; subscription deal databases with contributed closing data (GF Data, DealStats, PitchBook); Momentum Cyber’s Cybersecurity Almanac as the canonical cyber M&A count; BizBuySell for the small end.
Tier 2 (benchmark and survey grade). MSSP Alert Top 250 and CyberRisk Alliance research; Service Leadership Index profitability and valuation benchmarking; Pinpoint Search Group funding tracking; Canalys channel data; Gartner and Forrester MDR market guides; bank commentary from Houlihan Lokey, Corum Group, Software Equity Group, and martinwolf.
Tier 3 (contextual prints and reported figures). Trade-press deal reporting used here for disclosed figures (Cybersecurity Dive, SecurityWeek, The Register, TechCrunch, Crunchbase News, SiliconANGLE, Telecompaper); company-announced financing rounds; regulatory analysis from law and compliance firms (Wiley, Summit 7, PreVeil).
Excluded. Unsourced valuation blogs, vendor marketing collateral, AI-generated multiple listicles without dataset citations, and any figure whose earnings basis could not be identified.
11. Journalist Resources
Press summary (150 words)
MSSP and cybersecurity services businesses are commanding some of the highest multiples in the IT services sector, but the spread inside the vertical is wide. New research from CT Acquisitions finds small security consultancies trading near 3x to 5x seller’s discretionary earnings, while lower-middle-market MSSPs with strong recurring revenue reach 8x to 11x adjusted EBITDA and scaled MDR platforms clear 12x to 16x. The benchmark disclosed print remains Sophos’s $859 million purchase of Secureworks, roughly 2.3x to 2.6x trailing revenue, closed February 2025. Momentum Cyber counted a record 398 cybersecurity M&A deals in 2025 and reports 2026 tracking higher. The report identifies CMMC enforcement, which entered Department of Defense contracts in November 2025, as the strongest new demand driver, and finds compliance-recurring revenue now pricing like monitoring MRR. The full report, including size-band tables and 18 valuation drivers, is available at ctacquisitions.com.
Five suggested headlines
- Cybersecurity Firms Now Sell for 2 to 4 More Turns of EBITDA Than Generalist MSPs, New Benchmark Report Finds
- The MDR Premium Is Real: Managed Response Providers Command 12x to 16x EBITDA While Alert Forwarders Lag
- CMMC Gold Rush: Defense Compliance Scarcity Is Repricing Security Consultancies in 2026
- After Trustwave Lost 73 Percent of Its Value, Here Is What MSSP Buyers Actually Pay For
- Record 398 Cybersecurity Deals in 2025, and 2026 Is Tracking Higher: What Sellers Should Know
Ten FAQs
1. What is a typical multiple for an MSSP in 2026?
It depends on size and earnings basis. Sub-$1 million security consultancies appear to trade near 3x to 5x SDE, MSSPs with $3 million to $10 million in revenue and high recurring share appear to command roughly 8x to 11x adjusted EBITDA, and scaled MDR platforms appear to reach 12x to 16x adjusted EBITDA in 2025-2026 US processes. These are conditional market observations, not an appraisal of any specific business.
2. Do MSSPs sell on revenue multiples or EBITDA multiples?
Both conventions exist and they must never be mixed. Profitable steady-state MSSPs price on adjusted EBITDA, while growth-mode businesses with suppressed margins often price at roughly 2x to 4x recurring revenue. The Sophos/Secureworks deal printed at roughly 2.3x to 2.6x trailing revenue in 2024-2025, which is the cleanest disclosed large-cap reference.
3. How much more is an MSSP worth than a regular MSP?
The cybersecurity premium appears to run roughly 2 to 4 turns of adjusted EBITDA at comparable size, based on generalist MSPs clearing 5x to 8x while security-led peers reach 8x to 11x in the $3 million to $10 million revenue band.
4. What is the difference between MDR and monitoring for valuation purposes?
Roughly 2 to 3 turns of adjusted EBITDA. Buyers pay for contractual response authority and outcome ownership, not for alert forwarding, and the premium only attaches when response authority is documented in service agreements.
5. Does CMMC certification increase a security firm’s value?
Available 2025-2026 evidence suggests it does. CMMC clauses began entering DoD contracts in November 2025, certified assessment capacity remains scarce, and C3PAO-authorized firms with continuous-compliance subscriptions appear to earn 1 to 2 incremental turns over assessment-project peers.
6. What kills valuation in an MSSP sale?
The recurring culprits are client concentration above roughly 20 percent, analyst attrition above roughly 25 percent, owner dependency on the founder’s security judgment, pass-through revenue inflating the top line, and monitoring-only service stacks with no response capability.
7. How are MSSP deals structured?
Competitive 2025-2026 processes appear to deliver roughly 60 to 80 percent cash at close, with earnouts keyed to MRR retention, rollover equity of 20 to 40 percent in PE deals, and analyst retention pools of 3 to 8 percent of consideration.
8. Are venture valuations like Huntress at $1.55 billion relevant to selling my MSSP?
Only as ceiling context. Financing marks price growth optionality with structural protections and are not sale comps, and the gap between private financing marks and M&A clearing prices was one of the defining features of the 2023-2026 market.
9. What did the biggest recent cybersecurity deals actually pay?
Disclosed prints include Sophos/Secureworks at $859 million in 2025, Darktrace/Thoma Bravo at roughly $5.3 billion in 2024, Palo Alto/IBM QRadar SaaS at $500 million in 2024, Arctic Wolf/Cylance at $160 million cash plus shares in 2025, and Google/Wiz at $32 billion closed in March 2026. Most of these are software or asset deals and serve as context rather than services comps.
10. Is now a good time to sell a cybersecurity services business?
Conditions in mid-2026 appear favorable on volume, rates, and regulatory demand, with record deal counts, a 3.50 to 3.75 percent funds rate, and CMMC enforcement live. Timing a specific sale depends on business-specific factors this report cannot assess, and owners should treat this as research context rather than advice.
12. Related Research
This spoke sits under our IT and managed services valuation pillar, which frames the cluster taxonomy and the cross-segment cybersecurity premium this report deepens. Sibling spokes cover the adjacent segments: generalist MSP multiples supply the baseline against which the security premium is measured, and IT services and VAR benchmarks cover the project-and-resale end of the cluster. For consolidation mechanics, our private equity MSP tracker documents the platform and add-on arithmetic referenced in section 4.8.
Deal-mechanics companions: quality of earnings and the QoE provider comparison for earnings defensibility, owner dependency and valuation for the people-risk discount, founder earnout benchmarks and founder rollover equity benchmarks for the structure terms in section 7, SBA acquisition lender rankings for small-end financing, the R&W insurance carrier comparison for diligence instruments, and the business valuation calculator for a first-pass range.
13. Compliance, Build Notes, and Verification Pass
Compliance framing. This report is editorial research for general information. It is not investment, legal, tax, or accounting advice, and it is not a business appraisal under USPAP or any professional valuation standard. Multiples describe observed and synthesized market behavior under stated conditions and cannot price any individual business.
Related research: for the 2026 IT and Managed Services M&A Multiples Report, the cluster pillar comparing MSP + MSSP + IT Services and VAR verticals, see the linked report. Related research: for the 2026 MSP M&A Multiples Report, sibling spoke with size-band + recurring MRR share spine, see the linked report. Related research: for the 2026 IT Services and VAR M&A Multiples Report, sibling spoke with services-mix axis, see the linked report.
- Word target 9,000 to 12,000: the manuscript lands inside the band (see verification item 10).
- Voice gates: zero hits against the CT voice-gate exclusion set, zero em-dashes, and zero en-dashes, verified programmatically before delivery.
- Prompt-supplied anchors were verified against primary sources before use, producing five corrections. First, Deepwatch’s $180 million package dates to February 2023, not December 2022. Second, Huntress’s $150 million Series D dates to June 2024 at roughly $1.55 billion. Third, BlueVoyant’s $250 million Liberty Strategic Capital round was a Series D in February 2022, not a Series E in 2023. Fourth, Arctic Wolf’s $4.3 billion mark was set in July 2021, with the October 2022 event being a $401 million convertible notes offering rather than a new equity mark. Fifth, Google/Wiz closed March 11, 2026, so it is treated as a completed transaction rather than a pending one. Separately, the prompt’s description of Cyderes as a “Quest + Herjavec merger” was replaced with the verified Herjavec Group and Fishtech Group formation.
- The Trustwave/LevelBlue and Cyderes transactions carry no multiples because terms are undisclosed, per the named-deal rule.
- Momentum Cyber’s 2025 count is reported with the 398-deal/$102 billion figures from its year-end coverage, with the note that alternative Momentum tracking cited 400 deals and $96 billion under a different methodology.
Verification pass (10 checks).
- Em-dash and en-dash scan: PASS, zero occurrences of either character in the manuscript, verified by character-level scan.
- AI-tell exclusion set scan: PASS, zero hits on the CT voice-gate exclusion set of seventeen banned terms, verified case-insensitively by substring scan.
- Source discipline: PASS, every stated multiple carries an inline source URL, an earnings basis, a size band or scale descriptor, a year, and a geography, and each named source is hyperlinked at first mention.
- Basis separation: PASS, SDE and adjusted EBITDA are never blended, and revenue multiples are presented as a separate labeled convention throughout.
- Conditional language: PASS, market figures are framed with “appears,” “roughly,” “typically,” or equivalent hedges, and no range is stated as a guarantee.
- Undisclosed-deal rule: PASS, LevelBlue/Trustwave, Cyderes, and the Aon-unit purchase appear without multiples, and financing marks are labeled as financing marks rather than sale comps.
- Vintage and rate context: PASS, Fed H.15 is cited with the 3.50 to 3.75 percent mid-2026 target range and the 5.25 to 5.50 percent 2023-2024 peak, and peak-vintage prints are flagged.
- One statistic per sentence: PASS on editorial review, with multi-fact sentences split during drafting.
- Advice framing: PASS, not-advice and not-appraisal language appears in the header, methodology, compliance section, and FAQ 10.
- Structural completeness and length: PASS, all 13 required sections are present, internal links cover the pillar, both siblings, and all specified cross-links, and the word count falls within the 9,000 to 12,000 target band.